xmrig | 8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63

Analysis

max time kernel
90s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02-02-2025 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
Size

15.9MB
MD5

a1a51313f8d07d2eb4ca0123108094e1
SHA1

4024e60d52e4c992596b73cb205ea7b4a1a91ae0
SHA256

8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63
SHA512

3a43cdaae6d988f935f4092d5a9a4eb3cf2f2230d438858a3dc24eec6b050c21c1844f899b60fc69ed3d34b76f2f4057b82e8730f149b0103628af7219392e4d
SSDEEP

196608:aCKQL8cEkOxtSKvkMOuuuq5Pglc+dpncgka6qXy2pqVrjcitXiwB3Sdy3YK19Xsc:xacFIouuuq5PPY34PcitXiwh0y3Bc6y

Score

10^/10

xmrig discovery miner

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/1872-3137-0x00000000001F0000-0x0000000000D01000-memory.dmp	xmrig
behavioral1/memory/1872-3139-0x00000000001F0000-0x0000000000D01000-memory.dmp	xmrig

Executes dropped EXE 7 IoCs

pid	Process
2808	CL_Debug_Log.txt
2264	Antimalware Service Executable.exe
2576	Antimalware Service Executable.exe
1572	Antimalware Service Executable.exe
2908	Antimalware Service Executable.exe
1568	tor.exe
1724	Antimalware Service Executable.exe

Loads dropped DLL 13 IoCs

pid	Process
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2676	taskeng.exe
2676	taskeng.exe
1116	Process not Found
1572	Antimalware Service Executable.exe
1572	Antimalware Service Executable.exe
1568	tor.exe
1568	tor.exe
1568	tor.exe
1568	tor.exe
1568	tor.exe
1568	tor.exe
2576	Process not Found

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000018bf3-26.dat	autoit_exe
behavioral1/files/0x0009000000018710-29.dat	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1572 set thread context of 2908	1572	Antimalware Service Executable.exe	41
PID 1572 set thread context of 1724	1572	Antimalware Service Executable.exe	44
PID 1572 set thread context of 1872	1572	Antimalware Service Executable.exe	46

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CL_Debug_Log.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\XECUDNCD\root\CIMV2	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmts:\XECUDNCD\root\CIMV2	Antimalware Service Executable.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2644	schtasks.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	2808	CL_Debug_Log.txt
Token: 35	2808	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2808	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2808	CL_Debug_Log.txt
Token: SeRestorePrivilege	2908	Antimalware Service Executable.exe
Token: 35	2908	Antimalware Service Executable.exe
Token: SeSecurityPrivilege	2908	Antimalware Service Executable.exe
Token: SeSecurityPrivilege	2908	Antimalware Service Executable.exe
Token: SeRestorePrivilege	1724	Antimalware Service Executable.exe
Token: 35	1724	Antimalware Service Executable.exe
Token: SeSecurityPrivilege	1724	Antimalware Service Executable.exe
Token: SeSecurityPrivilege	1724	Antimalware Service Executable.exe
Token: SeLockMemoryPrivilege	1872	attrib.exe
Token: SeLockMemoryPrivilege	1872	attrib.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2264	Antimalware Service Executable.exe
2264	Antimalware Service Executable.exe
2264	Antimalware Service Executable.exe
2576	Antimalware Service Executable.exe
2576	Antimalware Service Executable.exe
2576	Antimalware Service Executable.exe
1572	Antimalware Service Executable.exe
1572	Antimalware Service Executable.exe
1572	Antimalware Service Executable.exe
1872	attrib.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
2264	Antimalware Service Executable.exe
2264	Antimalware Service Executable.exe
2264	Antimalware Service Executable.exe
2576	Antimalware Service Executable.exe
2576	Antimalware Service Executable.exe
2576	Antimalware Service Executable.exe
1572	Antimalware Service Executable.exe
1572	Antimalware Service Executable.exe
1572	Antimalware Service Executable.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2808	2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe	31
PID 2916 wrote to memory of 2808	2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe	31
PID 2916 wrote to memory of 2808	2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe	31
PID 2916 wrote to memory of 2808	2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe	31
PID 2916 wrote to memory of 2928	2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe	33
PID 2916 wrote to memory of 2928	2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe	33
PID 2916 wrote to memory of 2928	2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe	33
PID 2916 wrote to memory of 2928	2916	8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe	33
PID 2928 wrote to memory of 2644	2928	cmd.exe	35
PID 2928 wrote to memory of 2644	2928	cmd.exe	35
PID 2928 wrote to memory of 2644	2928	cmd.exe	35
PID 2928 wrote to memory of 2644	2928	cmd.exe	35
PID 2676 wrote to memory of 2264	2676	taskeng.exe	38
PID 2676 wrote to memory of 2576	2676	taskeng.exe	39
PID 2676 wrote to memory of 2264	2676	taskeng.exe	38
PID 2676 wrote to memory of 2576	2676	taskeng.exe	39
PID 2676 wrote to memory of 2576	2676	taskeng.exe	39
PID 2676 wrote to memory of 2264	2676	taskeng.exe	38
PID 2264 wrote to memory of 1572	2264	Antimalware Service Executable.exe	40
PID 2264 wrote to memory of 1572	2264	Antimalware Service Executable.exe	40
PID 2264 wrote to memory of 1572	2264	Antimalware Service Executable.exe	40
PID 1572 wrote to memory of 2908	1572	Antimalware Service Executable.exe	41
PID 1572 wrote to memory of 2908	1572	Antimalware Service Executable.exe	41
PID 1572 wrote to memory of 2908	1572	Antimalware Service Executable.exe	41
PID 1572 wrote to memory of 2908	1572	Antimalware Service Executable.exe	41
PID 1572 wrote to memory of 2908	1572	Antimalware Service Executable.exe	41
PID 1572 wrote to memory of 1568	1572	Antimalware Service Executable.exe	43
PID 1572 wrote to memory of 1568	1572	Antimalware Service Executable.exe	43
PID 1572 wrote to memory of 1568	1572	Antimalware Service Executable.exe	43
PID 1572 wrote to memory of 1724	1572	Antimalware Service Executable.exe	44
PID 1572 wrote to memory of 1724	1572	Antimalware Service Executable.exe	44
PID 1572 wrote to memory of 1724	1572	Antimalware Service Executable.exe	44
PID 1572 wrote to memory of 1724	1572	Antimalware Service Executable.exe	44
PID 1572 wrote to memory of 1724	1572	Antimalware Service Executable.exe	44
PID 1572 wrote to memory of 1872	1572	Antimalware Service Executable.exe	46
PID 1572 wrote to memory of 1872	1572	Antimalware Service Executable.exe	46
PID 1572 wrote to memory of 1872	1572	Antimalware Service Executable.exe	46
PID 1572 wrote to memory of 1872	1572	Antimalware Service Executable.exe	46
PID 1572 wrote to memory of 1872	1572	Antimalware Service Executable.exe	46
PID 2676 wrote to memory of 764	2676	taskeng.exe	48
PID 2676 wrote to memory of 764	2676	taskeng.exe	48
PID 2676 wrote to memory of 764	2676	taskeng.exe	48
PID 2676 wrote to memory of 1784	2676	taskeng.exe	49
PID 2676 wrote to memory of 1784	2676	taskeng.exe	49
PID 2676 wrote to memory of 1784	2676	taskeng.exe	49

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1872	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe
"C:\Users\Admin\AppData\Local\Temp\8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
  C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2644

C:\Windows\system32\taskeng.exe
taskeng.exe {B24016FB-B001-4C2B-BF53-535DA3C67D22} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck38142
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - NTFS ADS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2908
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1568
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1724
  - - C:\Windows\System32\attrib.exe
      -o stratum+tcp://pool.supportxmr.com:3333 -u 428jMEBAdSKHQGHrnDMJzK16oJ1irAGkEgLZrhkJjNSxfsHQ8cpLn8QBAQWcpodf7bjFLt1wQHbJ8JNg3Em5EspB1MsE9zY -p x -t 4
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Views/modifies file attributes
      PID:1872
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2576
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
  2⤵
  PID:764
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck38142
    3⤵
    PID:1716
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
  2⤵
  PID:1784
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
  2⤵
  PID:1776
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
  2⤵
  PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32.exe

Filesize
7.4MB

MD5
f71859e5750415fb32eb045e58635cae

SHA1
fa70d2a35caeb0c12214775cad8cdd8ff0583b59

SHA256
8d668f74825fd8cf5809d9c63e36084bd04d672585fb1f5cdda429e052b8488e

SHA512
423bc36ec4d2b811aa54685a70d5b9daad21d31e95759b1437b7b1966bcdd05d322a76c4288dc647b35bd4b1f6acc0c692fa4ba365715e55671da4edef65df1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe

Filesize
8.4MB

MD5
4f19535079b64da77ce91d429cfbcfdc

SHA1
68b4d4679024111b246c45328db9478f3a67a709

SHA256
fc02c6319cc5b32536a4b1773a5aba82c213fed6de3249d117b2c8ffe5c82b58

SHA512
fcea894e6a00384c4af0d5abd8143a72b122c6e3052b602ee4a150c89b538e4ac5f76dcbc01770548dba6ef67dd13420450d368bfb42ddcf4fd11995181382dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt

Filesize
14.6MB

MD5
053bd8fa3b586bd5b8ee60970c6cae44

SHA1
ada9b5270e7025a5438bc0066f68286243db15c7

SHA256
e0e342cd6302970770d542d516a02a445c13f1f6a77799342ced658ca4e3f8ad

SHA512
0bc717c9bc09ee019662ee3cee795ad5510981d36ca706872f776385b4b98826768c5a5136e592e997383690a0d1634d72d4462a05120550a6e5a3295e5a587c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml

Filesize
2KB

MD5
46f2f154060d639b1f5f1ceb47ba9574

SHA1
6bdee2c266f48415b9d580801fea16a9d43faa25

SHA256
a08b36bde4948ac2878d5aaaad2e2cacf0ed2b1fde097b9c6ae2d777843b1d4f

SHA512
752e3042d9e3b50748d4075aca84ab61a975dad6be1d5c1ef6d807e8933048e75221ea0babf935b1aee778bad3f51374ca3984418cb4587d5f2e1de45b07f7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\asacpiex.dll

Filesize
14.6MB

MD5
5aa219d1ea73f71f39e2b4cf09f84787

SHA1
66c996348e41aa32686d5eb9389dfc4dcbdf6acb

SHA256
48e152a15e74d7d397fe6f51a9b183091352930e695b56d3a0d3ee80197664b0

SHA512
77426e81f92479c930d221c4e6c5397027b2f1036895eb42a374674cd73d7ed8c1df59ec7adbdbff2ce67c15a8ded2f59db9349804df59921daab15cd1bbbe72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
10KB

MD5
f6e8bc3ce1b23a0a96b739844405900d

SHA1
e84ef284044ddf34515ed6f2fe9729fc08a41241

SHA256
e5abefe863249c1ce2d8ab98b83acebf3a9a709060fb3bbdbac571213f7f5921

SHA512
24ce8445eb2eaeb78d713cb3932a8efc62fee65a28cec628a585d5d9883078e416dee39f97a172fcf2658b302a3af4dcf296cc5078831128bdf1c39762cc29e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
2.6MB

MD5
21e3778b11e03ced442a1ac73d8949ee

SHA1
9e416a029a3c6e6738cba0d1f69253ca283b73ea

SHA256
03b7f47481eaf1f2c942f4a41a3a6411e22493c2d5b25ab1cab38ffe11cccb76

SHA512
20b91dea4e9f8f9dc8b672be51fb161f1b7a60fac9523921bc084f64c684f688070ec0e01c93f57294a7b13f5ecd33f9eac0eb22acd65b528162bfb08d0bd1a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.txt

Filesize
15.8MB

MD5
7268eb05d51294219569569ea006da2a

SHA1
ade2c0a248f6aae9ff00f42e04dd3d1de242b289

SHA256
188b7e3f0135cf683c393ab88930e93f29d4a0c31c08841237afaf543ecb2e12

SHA512
0056df445e950fc3a76dcb64c4ab8c8b187436d18e95b916b7e83e7e215fa8371bae91501252b1a6e15dbc5414ae674381b758c84a2814d4c88bd856e3deef46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp

Filesize
2.5MB

MD5
54183220aa6c777f8228474ff5b5df01

SHA1
ed438f17bffb37d42afd61d8dcef0c50d554c65c

SHA256
9a78c80e93bd1ed3d71eb090465e39a69470cd1812fc5e169d8b412e8c665963

SHA512
70b1e22449c5264bed46b62595206e3ad36e2a9c33fa9589acb792d499dcbbae5ebdbf3b35c140e72a7d594f807a6ce1ab925736b5e1a07c17a26445a2591987

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-certs

Filesize
20KB

MD5
5056ac89e73e78e1dfa3e1216016f44f

SHA1
fd7aa7d92f4e7d05533d5fa6683bba7f31d501f4

SHA256
c3457049393a28ddb8f5856a37dd06938de061fd35a439f5ecc8a3b6d86a7071

SHA512
25e29566087b5a47b47321ddf39bb49a6038c116be0b93918cbf92ed50d4e5d4f7b27caa4e8b06661a85d84880dad42afaad7717bdd9a8bc779e2f847af01c58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
fa84a8d3e2c563124306002e5a2bb10a

SHA1
46470f5e8183b4b9a607fd7f9a52e77d71afa09d

SHA256
23536a9900fb86772f58ab1c36ecc167454405817c1850f23f13b2eef9806d42

SHA512
d0856b5e904b8e0cd1cf8089b4ec38055417f89a955b99ef780c5617e9d92fdd561350cda080d487e9120ffa62e524c041441ad8c83f48ca9984139bbd9a4374

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
15.9MB

MD5
9ede62e6ac95386b1e0883e597a6effc

SHA1
f05c27a575f9658e9e0494c8d3e4472e31137cf5

SHA256
5d19385cbd13ce8e003ff8ff9ec2414cda96d696881ffea5ed54a54d0b838bf9

SHA512
2aa4431cf2169814233301ac4f34010d6e0d5abe187725fa975aced532fd70095c8be972d198a45a755cd4596f91a9522f237aa05a73882b4c6a8d572c03a4b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
21.3MB

MD5
2cfc7ab825c0b611430d6648e4127718

SHA1
9ec58f715ac96845531bb05e2fc36fccd250bcd9

SHA256
6dcae56904de86286b823233534b6ecc3c6ae4c8f71105fd599008ee1d725410

SHA512
adc6b1e4cc2c7629a3152220615b5a66ad76e1c36cb33a2c668ea0f77fb1aaf4f636ba16c5aeccf8f906d3fe565d74103a1528fdda6c0c1b27bda2dd57d3e7cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\state

Filesize
3KB

MD5
6baf8f3a321e8773ba457377e8341cf1

SHA1
e036618ed746f0babc0b80a3a3701879bcd1f7e8

SHA256
0bd2dbfc6a7ba87ebd8d34ce35081c4eee4f01776c640ab3541a19e1f7492706

SHA512
e2c05b7a332fa480f205f666df5b2ed7bf3365f1d3425bcbd70ce849ebae5bf32abf806f23cc0220ab3bc46b5007bd9e8f21940742740d78c1051752c32e62e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\Tor.pid

Filesize
6B

MD5
139f4fecd4b1731ccbba80b9f4c4fc52

SHA1
2a36f5767cf2671ce54302f3ab1a9e6805faf266

SHA256
e2d8a73881087ef7838850362f02b10da44391687aed33cb1ae1d9afdd248565

SHA512
661e8060a2a16ff2b633f5232839319905741035eaecd8a18bd36fa74814ab89236041b6bca7ca40755a75e9daadc5b59a2c9c6fd916823640272e5de649d82a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\TorConfig

Filesize
201B

MD5
b9d2fe9cfa840518fa39039c928d4938

SHA1
0561516b7cfa784cf400349983817c8b18817256

SHA256
69d57bfb46ef8097c1cfca65885790421d0e0965b7778f165cd7df9368807776

SHA512
894510d39a044a37325d73b8348860960b3a78c54e7cdf81357f4b50e8dcf5d47ab98c768e6439949ba835802b2a5e98314441127d9655b027caf246e09e013d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-7.dll

Filesize
974KB

MD5
be51ba4bea2d731dacf974c43941e457

SHA1
51fc479fd8ee9a2b72e6aa020ce5bb1c7a28f621

SHA256
98d06628e3d9c8097d239722e83ad78eb0b41b1e2f54d50a500da6d9292ff747

SHA512
6184accd206aa466278c2f4b514fd5c85820d47cf3a148904e93927621ac386890e657f09547b694c32ef23c355ae738b7c7d039fcd6c791529198c7b0b6bd1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_core-2-1-7.dll

Filesize
646KB

MD5
c1507e234ff7f11a259d87a57af740be

SHA1
7478ba561c9f478ede650561867ebd2db58da42f

SHA256
d6a7d46f6fc803b50460d03c0bc14f2f128ee2becabcf1713715bcebf13ee75b

SHA512
64d0657050028d846097429ad1268844038059279e1256329716b937338de5fc1b5f50f420b8aa781c5e2a19f15158f564569db639981fef10fa5e57dfd4717b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_extra-2-1-7.dll

Filesize
657KB

MD5
7cb2f0f4bba8d16c3200e9ac2a25b7c0

SHA1
63cf39682bf6876f563e1567df3c55fd5939e6ea

SHA256
ec52e90c68dd0e7603df3f9fe6c909d019a7e94dc3ce0efd8baf67864a43b74b

SHA512
7a660d87739914c68cadb56a4acbf27d68fd145b3bb65b957b4c767dfabe0762c40d58faa3a2df3b3453083ea658411c79d53be5166dda844782a9cd2617a264

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
ead6d4a87041e13b9041f78be1cb84d1

SHA1
896a336e08a1904537ee5a4a86eb0e885a18e17a

SHA256
b94b8981f8110944c5b03c9cba4066e9d0daa13687dead387bcbc772132c6d24

SHA512
34054ec79691145a8d511f9425f9ad44e07f8bfb38bd0b3251a5db3358c0055344615990fb770d4bdcbf04c9461847dfd4f6d2bac1e43ec815426a94d065c580

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssl-1_1-x64.dll

Filesize
965KB

MD5
7847c7b13b3414e8e7652880b4609205

SHA1
930670acc16157f56aaf69423e5d7705441764ba

SHA256
38200438cf0c9c20d17e5b9030d2ad2e4a1b6b9dc41c287bc603dd50d22e67bb

SHA512
c3c81dc3eb546c40b3606338deadbd63331659645dd24b5fd0d4fb3170b053fef528ee3fe005c9446176a5c049e9412ea8193ad2f8b9a7301ff67b088f1bbb6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
4.3MB

MD5
9f2d86da7d58a70b0003307d9cfc2438

SHA1
bd69ad6ea837e309232d7c4fd0e87e22c3266ac5

SHA256
7052619814a614a1b157c5c94a92dbec22b425a0977ac8b21958b8db81e2dd65

SHA512
ce345ff77d8043f416a04b782be8e7b0d5fdea933f3ac79abb88648a9fca23d7a69f537a825d0b636ba64f80afe70f758114ddbf412bd9398800ba4b6e359a99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dll

Filesize
107KB

MD5
d490b6c224e332a706dd3cd210f32aa8

SHA1
1f0769e1fffddac3d14eb79f16508cb6cc272347

SHA256
da9185e45fdcbee17fcd9292979b20f32aa4c82bc2cb356b4c7278029e247557

SHA512
43ce8d4ee07d437aaca3f345af129ff5401f1f08b1292d1e320096ba41e2529f41ce9105e3901cb4ecb1e8fde12c9298819961b0e6896c69b62f5983df9b0da3

Download Submit
\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

Filesize
722KB

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dll

Filesize
3.4MB

MD5
791a48e7cf84ec1532d20127556f6300

SHA1
774f71e595cfc7e24dc941839566bc9edd9156c5

SHA256
af682ad107cf0e9d9f11adeaf88f817610988b56577c4020897debc0f98e26ff

SHA512
ecbb4a07bb68fec5258be0adc91b89d179b5668bbab3be3bd72d5339f8bf3b32a1860b38693a304029fe989bd92adb020cf755f673b1e59966dfc75e4f958cfa

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll

Filesize
313KB

MD5
97d89dec5f6a236b6832a5f3f43ab625

SHA1
18f2696a3bf4d19cac3b677d58ff5e51bf54b9e8

SHA256
c6dca12e0e896df5f9b2db7a502a50d80d4fb014d7ec2f2ceb897b1a81f46ead

SHA512
7e82d1e37dc822a67e08bd1d624d5492f5813a33ec64f13d22caef9db35ebb9bb9913582289ebdecad00e6b6148d750ae0b4437364ef056d732734255498be54

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll

Filesize
608KB

MD5
624304f2ba253b33c265ff2738a10eb9

SHA1
5a337e49dd07f0b6f7fc6341755dc9a298e8b220

SHA256
27b857131977106c4a71ce626225d52a3d6e2932cb6243cb83e47b8d592d0d4f

SHA512
163820961a64b3fda33969cbb320aa743edc7a6bacebe033054c942e7a1d063f096290a59fad1569c607666429e2f3133fcfe31ef37649f9da71b453ef775e5a

Download Submit
memory/1568-93-0x0000000075530000-0x00000000755C8000-memory.dmp

Filesize
608KB

Download
memory/1568-91-0x0000000075630000-0x0000000075713000-memory.dmp

Filesize
908KB

Download
memory/1568-97-0x0000000000F50000-0x00000000013B1000-memory.dmp

Filesize
4.4MB

Download
memory/1568-92-0x00000000755D0000-0x0000000075624000-memory.dmp

Filesize
336KB

Download
memory/1568-94-0x0000000075240000-0x000000007552D000-memory.dmp

Filesize
2.9MB

Download
memory/1568-128-0x0000000000F50000-0x00000000013B1000-memory.dmp

Filesize
4.4MB

Download
memory/1568-96-0x0000000075130000-0x0000000075153000-memory.dmp

Filesize
140KB

Download
memory/1568-2291-0x0000000000F50000-0x00000000013B1000-memory.dmp

Filesize
4.4MB

Download
memory/1568-95-0x0000000075160000-0x0000000075233000-memory.dmp

Filesize
844KB

Download
memory/1568-90-0x0000000000F50000-0x00000000013B1000-memory.dmp

Filesize
4.4MB

Download
memory/1568-3115-0x0000000000F50000-0x00000000013B1000-memory.dmp

Filesize
4.4MB

Download
memory/1724-3106-0x0000000000510000-0x0000000000633000-memory.dmp

Filesize
1.1MB

Download
memory/1724-3105-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1724-3109-0x0000000000510000-0x0000000000633000-memory.dmp

Filesize
1.1MB

Download
memory/1872-3140-0x0000000000D10000-0x0000000000D30000-memory.dmp

Filesize
128KB

Download
memory/1872-3139-0x00000000001F0000-0x0000000000D01000-memory.dmp

Filesize
11.1MB

Download
memory/1872-3137-0x00000000001F0000-0x0000000000D01000-memory.dmp

Filesize
11.1MB

Download
memory/1872-3136-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1872-3134-0x00000000001F0000-0x0000000000D01000-memory.dmp

Filesize
11.1MB

Download
memory/2908-44-0x00000000004F0000-0x0000000000613000-memory.dmp

Filesize
1.1MB

Download
memory/2908-43-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp

Filesize
4KB

Download
memory/2908-41-0x00000000004F0000-0x0000000000613000-memory.dmp

Filesize
1.1MB

Download
memory/2908-47-0x00000000004F0000-0x0000000000613000-memory.dmp

Filesize
1.1MB

Download
memory/2916-24-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2916-23-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2916-25-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download