xmrig | 5c5374eb9054e48c5ab9c6ef21c2bd228fe2e63eaa0ae83dbdb65dd1a7429369

Analysis

max time kernel
150s
max time network
151s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
03/03/2025, 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

miner.exe
Size

104KB
MD5

4a9f5b7664e2ebf47aa5fc4240dc8a22
SHA1

d0fc11aab0181df38d193cf8dfd1843fe06c844a
SHA256

5c5374eb9054e48c5ab9c6ef21c2bd228fe2e63eaa0ae83dbdb65dd1a7429369
SHA512

f45224b584b64d4ac32d4e6303ad87b2902ea310ac332ed0a0c7a706df2441eb0ef1f5076fe2716d004e59aa6a8e9e5e5e3a8f012008f05aef05064ad1e1eed6
SSDEEP

192:xjZaDMFEa4ajXPeeZnXwqXTyE1hEjjTyXfan55tfMcePLiZmGhTuRY9SRXiKqiRh:hp4ajGCnXGMsGXfwldJ99Sjvb99Sjv

Score

10^/10

xmrig xworm execution miner rat trojan

Malware Config

Extracted

Family

xworm

Mutex

yNحكـX8ٍبAGLWِF6Jo2DiObلٍLZا3ا

Attributes

Install_directory
%Port%
install_file
MicrosoftEdgeUpdateTaskMachineUAC.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3392-381-0x000001F47E450000-0x000001F47E45E000-memory.dmp	family_xworm

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/files/0x0007000000027f15-71.dat	family_xmrig
behavioral1/files/0x0007000000027f15-71.dat	xmrig
behavioral1/memory/3392-73-0x000001F4628B0000-0x000001F4631F6000-memory.dmp	xmrig
behavioral1/files/0x0007000000027f17-93.dat	family_xmrig
behavioral1/files/0x0007000000027f17-93.dat	xmrig
behavioral1/memory/3392-88-0x000001F47DA10000-0x000001F47E644000-memory.dmp	xmrig
behavioral1/memory/1260-103-0x00007FF74C900000-0x00007FF74D534000-memory.dmp	xmrig

Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	miner.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	xmrig.exe

Executes dropped EXE 3 IoCs

pid	Process
3392	xmrig.exe
4712	cuweb4ee.ci4.exe
1260	re4zojq0.o00.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4104	powershell.exe
3712	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1741023194"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={8945037F-5DED-4D40-945D-771D6688CDD9}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 03 Mar 2025 17:33:15 GMT"	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4104	powershell.exe
4104	powershell.exe
3712	powershell.exe
3712	powershell.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe
4712	cuweb4ee.ci4.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	3392	xmrig.exe
Token: SeDebugPrivilege	4712	cuweb4ee.ci4.exe
Token: SeAssignPrimaryTokenPrivilege	2244	svchost.exe
Token: SeIncreaseQuotaPrivilege	2244	svchost.exe
Token: SeSecurityPrivilege	2244	svchost.exe
Token: SeTakeOwnershipPrivilege	2244	svchost.exe
Token: SeLoadDriverPrivilege	2244	svchost.exe
Token: SeSystemtimePrivilege	2244	svchost.exe
Token: SeBackupPrivilege	2244	svchost.exe
Token: SeRestorePrivilege	2244	svchost.exe
Token: SeShutdownPrivilege	2244	svchost.exe
Token: SeSystemEnvironmentPrivilege	2244	svchost.exe
Token: SeUndockPrivilege	2244	svchost.exe
Token: SeManageVolumePrivilege	2244	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2244	svchost.exe
Token: SeIncreaseQuotaPrivilege	2244	svchost.exe
Token: SeSecurityPrivilege	2244	svchost.exe
Token: SeTakeOwnershipPrivilege	2244	svchost.exe
Token: SeLoadDriverPrivilege	2244	svchost.exe
Token: SeSystemtimePrivilege	2244	svchost.exe
Token: SeBackupPrivilege	2244	svchost.exe
Token: SeRestorePrivilege	2244	svchost.exe
Token: SeShutdownPrivilege	2244	svchost.exe
Token: SeSystemEnvironmentPrivilege	2244	svchost.exe
Token: SeUndockPrivilege	2244	svchost.exe
Token: SeManageVolumePrivilege	2244	svchost.exe
Token: SeAuditPrivilege	3076	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2244	svchost.exe
Token: SeIncreaseQuotaPrivilege	2244	svchost.exe
Token: SeSecurityPrivilege	2244	svchost.exe
Token: SeTakeOwnershipPrivilege	2244	svchost.exe
Token: SeLoadDriverPrivilege	2244	svchost.exe
Token: SeSystemtimePrivilege	2244	svchost.exe
Token: SeBackupPrivilege	2244	svchost.exe
Token: SeRestorePrivilege	2244	svchost.exe
Token: SeShutdownPrivilege	2244	svchost.exe
Token: SeSystemEnvironmentPrivilege	2244	svchost.exe
Token: SeUndockPrivilege	2244	svchost.exe
Token: SeManageVolumePrivilege	2244	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2244	svchost.exe
Token: SeIncreaseQuotaPrivilege	2244	svchost.exe
Token: SeSecurityPrivilege	2244	svchost.exe
Token: SeTakeOwnershipPrivilege	2244	svchost.exe
Token: SeLoadDriverPrivilege	2244	svchost.exe
Token: SeSystemtimePrivilege	2244	svchost.exe
Token: SeBackupPrivilege	2244	svchost.exe
Token: SeRestorePrivilege	2244	svchost.exe
Token: SeShutdownPrivilege	2244	svchost.exe
Token: SeSystemEnvironmentPrivilege	2244	svchost.exe
Token: SeUndockPrivilege	2244	svchost.exe
Token: SeManageVolumePrivilege	2244	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2244	svchost.exe
Token: SeIncreaseQuotaPrivilege	2244	svchost.exe
Token: SeSecurityPrivilege	2244	svchost.exe
Token: SeTakeOwnershipPrivilege	2244	svchost.exe
Token: SeLoadDriverPrivilege	2244	svchost.exe
Token: SeSystemtimePrivilege	2244	svchost.exe
Token: SeBackupPrivilege	2244	svchost.exe
Token: SeRestorePrivilege	2244	svchost.exe
Token: SeShutdownPrivilege	2244	svchost.exe
Token: SeSystemEnvironmentPrivilege	2244	svchost.exe
Token: SeUndockPrivilege	2244	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 4104	3984	miner.exe	91
PID 3984 wrote to memory of 4104	3984	miner.exe	91
PID 4104 wrote to memory of 3712	4104	powershell.exe	93
PID 4104 wrote to memory of 3712	4104	powershell.exe	93
PID 3984 wrote to memory of 3392	3984	miner.exe	94
PID 3984 wrote to memory of 3392	3984	miner.exe	94
PID 3392 wrote to memory of 4712	3392	xmrig.exe	95
PID 3392 wrote to memory of 4712	3392	xmrig.exe	95
PID 3392 wrote to memory of 1260	3392	xmrig.exe	96
PID 3392 wrote to memory of 1260	3392	xmrig.exe	96
PID 4712 wrote to memory of 632	4712	cuweb4ee.ci4.exe	5
PID 4712 wrote to memory of 684	4712	cuweb4ee.ci4.exe	7
PID 4712 wrote to memory of 964	4712	cuweb4ee.ci4.exe	12
PID 4712 wrote to memory of 476	4712	cuweb4ee.ci4.exe	13
PID 4712 wrote to memory of 436	4712	cuweb4ee.ci4.exe	14
PID 4712 wrote to memory of 960	4712	cuweb4ee.ci4.exe	15
PID 4712 wrote to memory of 1044	4712	cuweb4ee.ci4.exe	16
PID 4712 wrote to memory of 1052	4712	cuweb4ee.ci4.exe	17
PID 4712 wrote to memory of 1060	4712	cuweb4ee.ci4.exe	18
PID 4712 wrote to memory of 1112	4712	cuweb4ee.ci4.exe	19
PID 4712 wrote to memory of 1208	4712	cuweb4ee.ci4.exe	20
PID 4712 wrote to memory of 1288	4712	cuweb4ee.ci4.exe	22
PID 4712 wrote to memory of 1440	4712	cuweb4ee.ci4.exe	23
PID 4712 wrote to memory of 1468	4712	cuweb4ee.ci4.exe	24
PID 4712 wrote to memory of 1508	4712	cuweb4ee.ci4.exe	25
PID 4712 wrote to memory of 1516	4712	cuweb4ee.ci4.exe	26
PID 4712 wrote to memory of 1540	4712	cuweb4ee.ci4.exe	27
PID 4712 wrote to memory of 1636	4712	cuweb4ee.ci4.exe	28
PID 684 wrote to memory of 3392	684	lsass.exe	94
PID 684 wrote to memory of 3392	684	lsass.exe	94
PID 684 wrote to memory of 3392	684	lsass.exe	94
PID 684 wrote to memory of 3392	684	lsass.exe	94
PID 684 wrote to memory of 3392	684	lsass.exe	94
PID 684 wrote to memory of 3392	684	lsass.exe	94
PID 684 wrote to memory of 3392	684	lsass.exe	94
PID 684 wrote to memory of 3392	684	lsass.exe	94
PID 684 wrote to memory of 3392	684	lsass.exe	94
PID 684 wrote to memory of 3392	684	lsass.exe	94
PID 684 wrote to memory of 3392	684	lsass.exe	94
PID 4712 wrote to memory of 1708	4712	cuweb4ee.ci4.exe	29
PID 4712 wrote to memory of 1760	4712	cuweb4ee.ci4.exe	30
PID 4712 wrote to memory of 1820	4712	cuweb4ee.ci4.exe	31
PID 4712 wrote to memory of 1872	4712	cuweb4ee.ci4.exe	32
PID 4712 wrote to memory of 1936	4712	cuweb4ee.ci4.exe	33
PID 4712 wrote to memory of 1944	4712	cuweb4ee.ci4.exe	34
PID 4712 wrote to memory of 1964	4712	cuweb4ee.ci4.exe	35
PID 4712 wrote to memory of 1180	4712	cuweb4ee.ci4.exe	36
PID 4712 wrote to memory of 2096	4712	cuweb4ee.ci4.exe	37
PID 4712 wrote to memory of 2228	4712	cuweb4ee.ci4.exe	38
PID 4712 wrote to memory of 2244	4712	cuweb4ee.ci4.exe	39
PID 4712 wrote to memory of 2360	4712	cuweb4ee.ci4.exe	41
PID 4712 wrote to memory of 2392	4712	cuweb4ee.ci4.exe	42
PID 4712 wrote to memory of 2656	4712	cuweb4ee.ci4.exe	43
PID 4712 wrote to memory of 2684	4712	cuweb4ee.ci4.exe	44
PID 4712 wrote to memory of 2812	4712	cuweb4ee.ci4.exe	45
PID 4712 wrote to memory of 2836	4712	cuweb4ee.ci4.exe	46
PID 4712 wrote to memory of 2844	4712	cuweb4ee.ci4.exe	47
PID 4712 wrote to memory of 2940	4712	cuweb4ee.ci4.exe	48
PID 4712 wrote to memory of 3064	4712	cuweb4ee.ci4.exe	50
PID 4712 wrote to memory of 3076	4712	cuweb4ee.ci4.exe	51
PID 4712 wrote to memory of 3092	4712	cuweb4ee.ci4.exe	52
PID 4712 wrote to memory of 3116	4712	cuweb4ee.ci4.exe	53
PID 4712 wrote to memory of 3124	4712	cuweb4ee.ci4.exe	54
PID 4712 wrote to memory of 3360	4712	cuweb4ee.ci4.exe	55

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1052

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1288
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1636
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2096

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:3064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:3092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:3116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:3124

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3576

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3632
- C:\Users\Admin\AppData\Local\Temp\miner.exe
  "C:\Users\Admin\AppData\Local\Temp\miner.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command "Expand-Archive -Path 'C:\Users\Admin\AppData\Roaming\xmrig.zip' -DestinationPath 'C:\Users\Admin\AppData\Roaming\xmrig' -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Expand-Archive -Path C:\Users\Admin\AppData\Roaming\xmrig.zip -DestinationPath C:\Users\Admin\AppData\Roaming\xmrig -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3712
- - C:\Users\Admin\AppData\Roaming\xmrig\xmrig.exe
    "C:\Users\Admin\AppData\Roaming\xmrig\xmrig.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Users\Admin\AppData\Local\Temp\cuweb4ee.ci4.exe
      "C:\Users\Admin\AppData\Local\Temp\cuweb4ee.ci4.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4712
  - - C:\Users\Admin\AppData\Local\Temp\re4zojq0.o00.exe
      "C:\Users\Admin\AppData\Local\Temp\re4zojq0.o00.exe"
      4⤵
      Executes dropped EXE
      PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3840

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3168

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4120

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2712

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:892

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4324

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:440

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:1992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1704

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3608

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Enumerates system info in registry
PID:3380

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:5000

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
6a1fd592cfd57ac5955d7be62bcd50b0

SHA1
0d1dc6b0ab255a16151023db40c2a6cd591224aa

SHA256
f17f29e8b4e328f9cd515f3dfb3b805e52a29d9e5035bcc3ce20b5bc33fcedcb

SHA512
18f32b522d2dec15cdd508635853b2c2c7f9085529f133e45b2305f3462b7271c21177fbb3754f8164a9d474e2f6b6124dd3fc326bf41201ba99f041eca50b58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
a0bccf26f41c07c4cb1dd676c84d142b

SHA1
d432c4747772a5c2e6604e1af3663ebfec7208bf

SHA256
0619b5d32c033afff6f23352ff3599d9d792827c184f482bcb1d93a281ca584a

SHA512
6df46cc09aae5d4bfcf0c991c14e2ba216f91773896430ab36cdd936e1d21aa194d0de2a433bc5631609aab1d3ef5027eb21ba0559130067739ed5496c11c883

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
e78be8358c05a902370e30ec9abf4ac7

SHA1
200f205bbddb0236af391ab805c7d0728ae7b9f4

SHA256
aa9b0070f969bbc547657411e254d401c2935c11b543eed210385b1d9c863fc5

SHA512
207820199efa3972eda5048c23412a4a929a15d532013af9fcb16349577be1e360554b6ab9eb8621b7a6171ca102290214802a642404f084dc508189b4c31da3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D9CA54E0FA212456E1DB00704A97658E

Filesize
476B

MD5
ec0da80c2fe44660b81aa7fad0a90860

SHA1
1839fd4db6ad95dc7e41a5b2719f9a6da92394e7

SHA256
4f886ce758f782e1619295273b40bf0b25d4176860c994900fc1fa50097abca2

SHA512
0c1cfe23685fb80340eaf87f3ed25bdc44431f074f07d4b5939a1f79881346ddb6c3d7d762cc37ddb2ea13dc2b07830c27ef8df486b627d01d3dde6941fc90df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
38b7cd0dab79b280995cd284390f7be3

SHA1
4f9147cd1fb81456677abda8db75273525af4285

SHA256
893d2cbd56b45a5848fbf3ab75ffa4cfeddba7fc0de4e872239818502746fceb

SHA512
890fadbfc8d7aa4f869f555e37bd591c218416ae8b262c6a4bea416c44d3a028ec219c9d493ef29e16300048c9a104048a783db3175a9d8833b08c9274cb062c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
68885a588c3a18af3231775c1ce60817

SHA1
decf1b996efb13f99861bd3d95eccd1beba975b2

SHA256
03ef59b8353eae626d77544758a4336849dac47a7afa30668ca67b48efd8d6ed

SHA512
b07ed2e47ac7850fa22eca8c5584532ab7c3a49f871bc5d4214bf879d5e2a1b1895ae55e7ea792023fcf1f462b8c14ee22d0e1dc993d28fab9c48c328a8f782a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kweg533x.dhg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuweb4ee.ci4.exe

Filesize
161KB

MD5
94f1ab3a068f83b32639579ec9c5d025

SHA1
38f3d5bc5de46feb8de093d11329766b8e2054ae

SHA256
879cc20b41635709bb304e315aaa5ca4708b480a1bfc2f4935fcf2215188efb0

SHA512
44d5236a804d63302b21ca25ebc148a64605508d03c990a244c44ceb8630849da0510b7b2d0bee72e01ca6681e2d86d7e6aee8847674a26f0028d149b9abee0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\re4zojq0.o00.exe

Filesize
9.1MB

MD5
cb166d49ce846727ed70134b589b0142

SHA1
8f5e1c7792e9580f2b10d7bef6dc7e63ea044688

SHA256
49da580656e51214d59702a1d983eff143af3560a344f524fe86326c53fb5ddb

SHA512
a39bd86a148af26fd31a0d171078fb7bce0951bb8ea63658d87f6bde97dbc214c62e8bd7152d1e621051de8a0ba77ffd7bda7c1106afb740584c80e68e1912ed

Download Submit
C:\Users\Admin\AppData\Roaming\xmrig.zip

Filesize
3.8MB

MD5
9895805962f3b439c3eb845cd30303c6

SHA1
d488cfa52f17c60432813e7906ee812e0ae37fec

SHA256
e30b7057712cdb8760a87b44eb2db03879f4ff54344aaf562e927814b5ce7e5b

SHA512
ec526ca0cc850d03d220c46f9b592045983c392edc30a5cdee5157fe1ea38711f49a475e566c7e2017956f1aa6b1c64a9a4565a26bd466f5ac679aae728c98ce

Download Submit
C:\Users\Admin\AppData\Roaming\xmrig\xmrig.exe

Filesize
9.3MB

MD5
72107c3009343491bdbd5a2bf27e0d17

SHA1
79ae9dd4ffc65810342c093fb3dd1413a830660d

SHA256
9af0d7469bffba8aea58c666b94ae68e34373f554ba8a145ec5fcc78baf0e6c6

SHA512
eab28e887aeb275527f4d4fa9a7ccd69dfaf21d249005eb9c9a9c098ca062cfabed02da2133e84c0b6109fbd4b6358e905199c24cdc9bb41799e63ccfbe3768e

Download Submit
memory/436-122-0x00007FFCF2650000-0x00007FFCF2660000-memory.dmp

Filesize
64KB

Download
memory/436-121-0x00000229EB650000-0x00000229EB67B000-memory.dmp

Filesize
172KB

Download
memory/476-118-0x0000023F299D0000-0x0000023F299FB000-memory.dmp

Filesize
172KB

Download
memory/476-119-0x00007FFCF2650000-0x00007FFCF2660000-memory.dmp

Filesize
64KB

Download
memory/632-106-0x0000025F4BE70000-0x0000025F4BE9B000-memory.dmp

Filesize
172KB

Download
memory/632-104-0x0000025F4BE40000-0x0000025F4BE65000-memory.dmp

Filesize
148KB

Download
memory/632-107-0x00007FFCF2650000-0x00007FFCF2660000-memory.dmp

Filesize
64KB

Download
memory/684-110-0x0000021A7EAF0000-0x0000021A7EB1B000-memory.dmp

Filesize
172KB

Download
memory/684-111-0x00007FFCF2650000-0x00007FFCF2660000-memory.dmp

Filesize
64KB

Download
memory/960-134-0x000001EBE46F0000-0x000001EBE471B000-memory.dmp

Filesize
172KB

Download
memory/960-135-0x00007FFCF2650000-0x00007FFCF2660000-memory.dmp

Filesize
64KB

Download
memory/964-114-0x00007FFCF2650000-0x00007FFCF2660000-memory.dmp

Filesize
64KB

Download
memory/964-113-0x000001AFE8E00000-0x000001AFE8E2B000-memory.dmp

Filesize
172KB

Download
memory/1044-137-0x000002092D860000-0x000002092D88B000-memory.dmp

Filesize
172KB

Download
memory/1044-138-0x00007FFCF2650000-0x00007FFCF2660000-memory.dmp

Filesize
64KB

Download
memory/1052-128-0x00007FFCF2650000-0x00007FFCF2660000-memory.dmp

Filesize
64KB

Download
memory/1052-127-0x000001A666F10000-0x000001A666F3B000-memory.dmp

Filesize
172KB

Download
memory/1060-140-0x000002325E7C0000-0x000002325E7EB000-memory.dmp

Filesize
172KB

Download
memory/1060-141-0x00007FFCF2650000-0x00007FFCF2660000-memory.dmp

Filesize
64KB

Download
memory/1112-143-0x000001A513290000-0x000001A5132BB000-memory.dmp

Filesize
172KB

Download
memory/1112-144-0x00007FFCF2650000-0x00007FFCF2660000-memory.dmp

Filesize
64KB

Download
memory/1208-146-0x000002429C490000-0x000002429C4BB000-memory.dmp

Filesize
172KB

Download
memory/1208-147-0x00007FFCF2650000-0x00007FFCF2660000-memory.dmp

Filesize
64KB

Download
memory/1260-103-0x00007FF74C900000-0x00007FF74D534000-memory.dmp

Filesize
12.2MB

Download
memory/1260-102-0x0000017731E60000-0x0000017731E80000-memory.dmp

Filesize
128KB

Download
memory/1288-149-0x0000025DD2860000-0x0000025DD288B000-memory.dmp

Filesize
172KB

Download
memory/1288-150-0x00007FFCF2650000-0x00007FFCF2660000-memory.dmp

Filesize
64KB

Download
memory/1440-153-0x000001A8F8340000-0x000001A8F836B000-memory.dmp

Filesize
172KB

Download
memory/1440-154-0x00007FFCF2650000-0x00007FFCF2660000-memory.dmp

Filesize
64KB

Download
memory/1468-163-0x00007FFCF2650000-0x00007FFCF2660000-memory.dmp

Filesize
64KB

Download
memory/1468-162-0x0000027CE3970000-0x0000027CE399B000-memory.dmp

Filesize
172KB

Download
memory/3392-88-0x000001F47DA10000-0x000001F47E644000-memory.dmp

Filesize
12.2MB

Download
memory/3392-73-0x000001F4628B0000-0x000001F4631F6000-memory.dmp

Filesize
9.3MB

Download
memory/3392-381-0x000001F47E450000-0x000001F47E45E000-memory.dmp

Filesize
56KB

Download
memory/3392-74-0x000001F464E60000-0x000001F464E8C000-memory.dmp

Filesize
176KB

Download
memory/3712-41-0x0000015A54D30000-0x0000015A54D42000-memory.dmp

Filesize
72KB

Download
memory/3712-42-0x0000015A52660000-0x0000015A5266A000-memory.dmp

Filesize
40KB

Download
memory/4104-31-0x00007FFD12E50000-0x00007FFD13912000-memory.dmp

Filesize
10.8MB

Download
memory/4104-69-0x00007FFD12E50000-0x00007FFD13912000-memory.dmp

Filesize
10.8MB

Download
memory/4104-18-0x00007FFD12E53000-0x00007FFD12E55000-memory.dmp

Filesize
8KB

Download
memory/4104-30-0x00007FFD12E50000-0x00007FFD13912000-memory.dmp

Filesize
10.8MB

Download
memory/4104-29-0x00007FFD12E50000-0x00007FFD13912000-memory.dmp

Filesize
10.8MB

Download
memory/4104-24-0x000002517E490000-0x000002517E4B2000-memory.dmp

Filesize
136KB

Download
memory/4712-87-0x00007FFD31B90000-0x00007FFD31C4D000-memory.dmp

Filesize
756KB

Download
memory/4712-86-0x00007FFD325D0000-0x00007FFD327C8000-memory.dmp

Filesize
2.0MB

Download