Overview

overview

10

Static

static

3

miner.exe

windows10-2004-x64

10

miner.exe

windows10-2004-x64

10

miner.exe

windows10-ltsc 2021-x64

10

miner.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    900s
  • max time network
    902s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/03/2025, 17:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    miner.exe

  • Size

    104KB

  • MD5

    4a9f5b7664e2ebf47aa5fc4240dc8a22

  • SHA1

    d0fc11aab0181df38d193cf8dfd1843fe06c844a

  • SHA256

    5c5374eb9054e48c5ab9c6ef21c2bd228fe2e63eaa0ae83dbdb65dd1a7429369

  • SHA512

    f45224b584b64d4ac32d4e6303ad87b2902ea310ac332ed0a0c7a706df2441eb0ef1f5076fe2716d004e59aa6a8e9e5e5e3a8f012008f05aef05064ad1e1eed6

  • SSDEEP

    192:xjZaDMFEa4ajXPeeZnXwqXTyE1hEjjTyXfan55tfMcePLiZmGhTuRY9SRXiKqiRh:hp4ajGCnXGMsGXfwldJ99Sjvb99Sjv

Score
10/10
xmrigxwormdefense_evasionexecutionminerpersistencerattrojan

Malware Config

Extracted

Family

xworm

Mutex

yNحكـX8ٍبAGLWِF6Jo2DiObلٍLZا3ا

Attributes
  • Install_directory

    %Port%

  • install_file

    MicrosoftEdgeUpdateTaskMachineUAC.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • XMRig Miner payload 6 IoCs
    miner
  • Xmrig family
    xmrig
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion
  • Drops file in System32 directory 13 IoCs
  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 21 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 15 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 23 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 23 IoCs
  • Suspicious use of UnmapMainImage 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:612
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:316
      • C:\Windows\system32\lsass.exe
        C:\Windows\system32\lsass.exe
        1⤵
          PID:676
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
          1⤵
            PID:960
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
            1⤵
              PID:428
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
              1⤵
                PID:1052
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                1⤵
                • Drops file in System32 directory
                PID:1136
                • C:\Windows\system32\taskhostw.exe
                  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                  2⤵
                    PID:2688
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                  1⤵
                    PID:1144
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                    1⤵
                      PID:1172
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                      1⤵
                      • Indicator Removal: Clear Windows Event Logs
                      PID:1180
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                      1⤵
                        PID:1264
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                        1⤵
                          PID:1312
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                          1⤵
                            PID:1340
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                            1⤵
                              PID:1424
                              • C:\Windows\system32\sihost.exe
                                sihost.exe
                                2⤵
                                  PID:2572
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                1⤵
                                  PID:1440
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                  1⤵
                                    PID:1592
                                  • C:\Windows\System32\svchost.exe
                                    C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                    1⤵
                                      PID:1600
                                    • C:\Windows\System32\svchost.exe
                                      C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                      1⤵
                                        PID:1656
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                        1⤵
                                          PID:1716
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                          1⤵
                                            PID:1764
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                            1⤵
                                              PID:1796
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                              1⤵
                                                PID:1884
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                1⤵
                                                  PID:2028
                                                • C:\Windows\System32\svchost.exe
                                                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                  1⤵
                                                    PID:2040
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                    1⤵
                                                      PID:1724
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                      1⤵
                                                        PID:1812
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                        1⤵
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2024
                                                      • C:\Windows\System32\spoolsv.exe
                                                        C:\Windows\System32\spoolsv.exe
                                                        1⤵
                                                          PID:2132
                                                        • C:\Windows\System32\svchost.exe
                                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                          1⤵
                                                            PID:2264
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                            1⤵
                                                              PID:2280
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                              1⤵
                                                                PID:2588
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                1⤵
                                                                  PID:2720
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                  1⤵
                                                                    PID:2728
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                    1⤵
                                                                      PID:2776
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                      1⤵
                                                                      • Drops file in System32 directory
                                                                      • Suspicious use of UnmapMainImage
                                                                      PID:2924
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                      1⤵
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2940
                                                                    • C:\Windows\sysmon.exe
                                                                      C:\Windows\sysmon.exe
                                                                      1⤵
                                                                        PID:2980
                                                                      • C:\Windows\System32\svchost.exe
                                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                        1⤵
                                                                          PID:2992
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                          1⤵
                                                                            PID:3004
                                                                          • C:\Windows\system32\wbem\unsecapp.exe
                                                                            C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                            1⤵
                                                                              PID:3256
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                              1⤵
                                                                                PID:3404
                                                                              • C:\Windows\Explorer.EXE
                                                                                C:\Windows\Explorer.EXE
                                                                                1⤵
                                                                                • Modifies Internet Explorer settings
                                                                                • Modifies registry class
                                                                                • Suspicious behavior: AddClipboardFormatListener
                                                                                • Suspicious behavior: GetForegroundWindowSpam
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                • Suspicious use of FindShellTrayWindow
                                                                                • Suspicious use of SendNotifyMessage
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                • Suspicious use of UnmapMainImage
                                                                                PID:3416
                                                                                • C:\Users\Admin\AppData\Local\Temp\miner.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\miner.exe"
                                                                                  2⤵
                                                                                  • Checks computer location settings
                                                                                  • Suspicious use of WriteProcessMemory
                                                                                  PID:1776
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command "Expand-Archive -Path 'C:\Users\Admin\AppData\Roaming\xmrig.zip' -DestinationPath 'C:\Users\Admin\AppData\Roaming\xmrig' -Force"
                                                                                    3⤵
                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:3396
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Expand-Archive -Path C:\Users\Admin\AppData\Roaming\xmrig.zip -DestinationPath C:\Users\Admin\AppData\Roaming\xmrig -Force
                                                                                      4⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2500
                                                                                  • C:\Users\Admin\AppData\Roaming\xmrig\xmrig.exe
                                                                                    "C:\Users\Admin\AppData\Roaming\xmrig\xmrig.exe"
                                                                                    3⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:3168
                                                                                    • C:\Users\Admin\AppData\Local\Temp\w51qamgl.a2l.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\w51qamgl.a2l.exe"
                                                                                      4⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      • Suspicious use of WriteProcessMemory
                                                                                      PID:4236
                                                                                    • C:\Users\Admin\AppData\Local\Temp\nfxcb5sr.vkp.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\nfxcb5sr.vkp.exe"
                                                                                      4⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:5084
                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        5⤵
                                                                                          PID:2200
                                                                                  • C:\Windows\system32\taskmgr.exe
                                                                                    "C:\Windows\system32\taskmgr.exe" /7
                                                                                    2⤵
                                                                                    • Checks SCSI registry key(s)
                                                                                    • Checks processor information in registry
                                                                                    • Suspicious behavior: GetForegroundWindowSpam
                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                    • Suspicious use of SendNotifyMessage
                                                                                    PID:3224
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\xmrig\start.cmd" "
                                                                                    2⤵
                                                                                      PID:2564
                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        3⤵
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:4596
                                                                                  • C:\Windows\system32\svchost.exe
                                                                                    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                    1⤵
                                                                                      PID:3716
                                                                                    • C:\Windows\system32\DllHost.exe
                                                                                      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                      1⤵
                                                                                        PID:3888
                                                                                      • C:\Windows\System32\RuntimeBroker.exe
                                                                                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                        1⤵
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2092
                                                                                      • C:\Windows\System32\RuntimeBroker.exe
                                                                                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                        1⤵
                                                                                        • Modifies registry class
                                                                                        • Suspicious use of UnmapMainImage
                                                                                        PID:4184
                                                                                      • C:\Windows\System32\svchost.exe
                                                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                        1⤵
                                                                                          PID:3600
                                                                                        • C:\Windows\system32\svchost.exe
                                                                                          C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                          1⤵
                                                                                            PID:3728
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                            1⤵
                                                                                            • Modifies data under HKEY_USERS
                                                                                            PID:3264
                                                                                          • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                            "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                            1⤵
                                                                                            • Drops file in System32 directory
                                                                                            • Modifies data under HKEY_USERS
                                                                                            PID:2396
                                                                                          • C:\Windows\system32\SppExtComObj.exe
                                                                                            C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                            1⤵
                                                                                              PID:1076
                                                                                            • C:\Windows\System32\svchost.exe
                                                                                              C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                              1⤵
                                                                                                PID:4216
                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                1⤵
                                                                                                • Modifies data under HKEY_USERS
                                                                                                PID:632
                                                                                              • C:\Windows\system32\DllHost.exe
                                                                                                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                1⤵
                                                                                                  PID:2752
                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                  1⤵
                                                                                                    PID:4920
                                                                                                  • C:\Windows\System32\RuntimeBroker.exe
                                                                                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                    1⤵
                                                                                                    • Suspicious use of UnmapMainImage
                                                                                                    PID:3148
                                                                                                  • C:\Windows\System32\RuntimeBroker.exe
                                                                                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                    1⤵
                                                                                                    • Modifies registry class
                                                                                                    • Suspicious use of UnmapMainImage
                                                                                                    PID:2912
                                                                                                  • C:\Windows\System32\RuntimeBroker.exe
                                                                                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                    1⤵
                                                                                                      PID:4108
                                                                                                    • C:\Windows\System32\WaaSMedicAgent.exe
                                                                                                      C:\Windows\System32\WaaSMedicAgent.exe fbaa6f3d9349ea287b510969c535d185 Ym/rjLg2rkmNPCkomLvVKQ.0.1.0.0.0
                                                                                                      1⤵
                                                                                                      • Sets service image path in registry
                                                                                                      PID:1364
                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        2⤵
                                                                                                          PID:1744
                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                                                                                                        1⤵
                                                                                                        • Drops file in Windows directory
                                                                                                        PID:3616
                                                                                                      • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                        C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                        1⤵
                                                                                                        • Checks BIOS information in registry
                                                                                                        • Checks SCSI registry key(s)
                                                                                                        • Enumerates system info in registry
                                                                                                        PID:3240
                                                                                                      • C:\Windows\servicing\TrustedInstaller.exe
                                                                                                        C:\Windows\servicing\TrustedInstaller.exe
                                                                                                        1⤵
                                                                                                          PID:3784
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                          1⤵
                                                                                                          • Checks processor information in registry
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:1476
                                                                                                        • C:\Windows\System32\mousocoreworker.exe
                                                                                                          C:\Windows\System32\mousocoreworker.exe -Embedding
                                                                                                          1⤵
                                                                                                          • Checks processor information in registry
                                                                                                          • Enumerates system info in registry
                                                                                                          • Modifies data under HKEY_USERS
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:1952
                                                                                                        • C:\Windows\system32\backgroundTaskHost.exe
                                                                                                          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                                                                                          1⤵
                                                                                                            PID:1380
                                                                                                          • C:\Windows\system32\BackgroundTransferHost.exe
                                                                                                            "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                                                                                            1⤵
                                                                                                              PID:4036
                                                                                                            • C:\Windows\system32\backgroundTaskHost.exe
                                                                                                              "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
                                                                                                              1⤵
                                                                                                                PID:3668
                                                                                                              • C:\Windows\system32\backgroundTaskHost.exe
                                                                                                                "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                                                                                                1⤵
                                                                                                                  PID:4904
                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                  C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
                                                                                                                  1⤵
                                                                                                                    PID:2916
                                                                                                                  • C:\Windows\system32\DllHost.exe
                                                                                                                    C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
                                                                                                                    1⤵
                                                                                                                      PID:4244
                                                                                                                    • C:\Windows\system32\DllHost.exe
                                                                                                                      C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
                                                                                                                      1⤵
                                                                                                                        PID:1836
                                                                                                                      • C:\Windows\system32\DllHost.exe
                                                                                                                        C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                                                                        1⤵
                                                                                                                          PID:1512
                                                                                                                        • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
                                                                                                                          C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
                                                                                                                          1⤵
                                                                                                                            PID:4212
                                                                                                                          • C:\Windows\system32\DllHost.exe
                                                                                                                            C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                                                                            1⤵
                                                                                                                              PID:4004
                                                                                                                            • C:\Windows\System32\rundll32.exe
                                                                                                                              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                                                              1⤵
                                                                                                                                PID:4972
                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
                                                                                                                                1⤵
                                                                                                                                  PID:1068
                                                                                                                                • C:\Windows\System32\mousocoreworker.exe
                                                                                                                                  C:\Windows\System32\mousocoreworker.exe -Embedding
                                                                                                                                  1⤵
                                                                                                                                  • Checks processor information in registry
                                                                                                                                  • Enumerates system info in registry
                                                                                                                                  PID:1028

                                                                                                                                Network

                                                                                                                                MITRE ATT&CK Enterprise v15

                                                                                                                                Replay Monitor

                                                                                                                                Loading Replay Monitor...

                                                                                                                                Downloads

                                                                                                                                • C:\ProgramData\Microsoft\Windows\OneSettings\config.json
                                                                                                                                  Filesize

                                                                                                                                  5KB

                                                                                                                                  MD5

                                                                                                                                  cfa15d48af384510f69cdc66cc4bbbc1

                                                                                                                                  SHA1

                                                                                                                                  fc9d90052c0d2f8efa12e89ccb9fd469d569a01e

                                                                                                                                  SHA256

                                                                                                                                  8a1b4471575c8e690629164847ce42f8c213d8654328430a56ca2b9243256c85

                                                                                                                                  SHA512

                                                                                                                                  bb343d592a5c650ea962b0bb8446dcf1c3b86d2b913141f6df7a7d99516a7084c375e0e4006ce35f39268c58cd46a6fc527aaf5bbc36be68a7e917128cef298d

                                                                                                                                  Download Submit

                                                                                                                                • C:\ProgramData\USOPrivate\UpdateStore\store.db
                                                                                                                                  Filesize

                                                                                                                                  60KB

                                                                                                                                  MD5

                                                                                                                                  f8b85175c13ededa2d625a5f1172983b

                                                                                                                                  SHA1

                                                                                                                                  5352108fcf113ab196b948fa4909226ea92a2285

                                                                                                                                  SHA256

                                                                                                                                  7ee5f646c4806b8fd89d1fe624b5b84dba0ff239f19e61441f78ed1fc1e534ac

                                                                                                                                  SHA512

                                                                                                                                  f8128884a3de74b062555eff76d54796587e1f35214d9394f97800a57b3456f24dd736f42cf0a5efb6fb71f1d32175bdfa3ffdc94fb46b19d82ae0fac7eaa89c

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
                                                                                                                                  Filesize

                                                                                                                                  340B

                                                                                                                                  MD5

                                                                                                                                  a4c5e5932fda4bf0b2f887a15bcd8dd6

                                                                                                                                  SHA1

                                                                                                                                  6d3b053b69b3260280361732740a3b5adaceca78

                                                                                                                                  SHA256

                                                                                                                                  e81944bc046149690cc082f353ee40671a8654c45101d2cbc2d8ea00534cbc9d

                                                                                                                                  SHA512

                                                                                                                                  18024746b1482b3563299664ae95bf1f8af99804030b350f3d550c865d6b9c589ab328a353a7b89bc236427c718d74735bf8d82541706391439d9c6107a8702b

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25
                                                                                                                                  Filesize

                                                                                                                                  482B

                                                                                                                                  MD5

                                                                                                                                  4540b90145b209dcdd6aabfb102b5b36

                                                                                                                                  SHA1

                                                                                                                                  10f5c5abb4ff8ca4bb5aaa7f1e8342d34531363a

                                                                                                                                  SHA256

                                                                                                                                  2f60f9f02949194dc5c4f13f2a8ab0ba3cb023b79fc0dc16b7b1f2e202e29a89

                                                                                                                                  SHA512

                                                                                                                                  eb5111dbff3b834377b8528c4265ec4fa2c916265ad5dcb0a1f5ab94c894eb2f02de2c6b25ffa2a79979326eaac789f00927e6e6f2558679de95606c5d64f6a2

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90
                                                                                                                                  Filesize

                                                                                                                                  480B

                                                                                                                                  MD5

                                                                                                                                  87737a497dc8858763f33a0d9e68d3f4

                                                                                                                                  SHA1

                                                                                                                                  964b69314f45334a84ad93cbcae9fef64b819001

                                                                                                                                  SHA256

                                                                                                                                  6d4c22fd0c9e40c9da406afef8c04643fb15ae0becfa691a753c040e43128482

                                                                                                                                  SHA512

                                                                                                                                  313c7be7569771de3d062806bf5064f55675f115b9b57daaf021a1ce164b1dad684cb12d849895437ff49a8919e5fc02a9798879bf65e79fb67cbb44ae5386fc

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D9CA54E0FA212456E1DB00704A97658E
                                                                                                                                  Filesize

                                                                                                                                  476B

                                                                                                                                  MD5

                                                                                                                                  3fbd92676f9850c33be125eb849c6ced

                                                                                                                                  SHA1

                                                                                                                                  424a848f4b967993ef083a5a731317c084451c46

                                                                                                                                  SHA256

                                                                                                                                  6115db644ca6d9c73f21db1ff5635a970bc454ea512bdd34e540e1acb422a999

                                                                                                                                  SHA512

                                                                                                                                  d5d8a2b4c2c81e2a8af99dcb11ad1ebeffa13f9bd335c4f4194cd534193ceeb956e934b4708b49a31ce0c8b608535f3f5e0732d3322abd0c4cf6aa3a4cfd81a7

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
                                                                                                                                  Filesize

                                                                                                                                  412B

                                                                                                                                  MD5

                                                                                                                                  51615cde62061ddab1af658c8b2c1ad3

                                                                                                                                  SHA1

                                                                                                                                  ad74c7dbef96909ad696fea379f5465c38377130

                                                                                                                                  SHA256

                                                                                                                                  8cd63fb701fe74d327583bd4a23055bcc8080f491c006b796d6712a22af5e3a7

                                                                                                                                  SHA512

                                                                                                                                  65699ef085a88b66a19fc95b5be7194922d5b761b9f62837e0f50c19161d14c56d93a21ff0342d8b499e975aba532b91706660f6098d4327286bf614b0bb4e4e

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                                                                  Filesize

                                                                                                                                  3KB

                                                                                                                                  MD5

                                                                                                                                  fe3aab3ae544a134b68e881b82b70169

                                                                                                                                  SHA1

                                                                                                                                  926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6

                                                                                                                                  SHA256

                                                                                                                                  bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b

                                                                                                                                  SHA512

                                                                                                                                  3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\CacheStorage\edb.chk
                                                                                                                                  Filesize

                                                                                                                                  8KB

                                                                                                                                  MD5

                                                                                                                                  ed115fd9b7695a1d733201d811c3ce71

                                                                                                                                  SHA1

                                                                                                                                  9164ca71f21c3a47193969a33999c03eb4db9e8b

                                                                                                                                  SHA256

                                                                                                                                  fa6fefd6bcd669ce2d7a6a61c44c551e4257afc364287677e113617dbf98c353

                                                                                                                                  SHA512

                                                                                                                                  04c58cff34e890bd7a3bc4994f1f88160466683f9288eb4eaf2b6911b9f688649a7514a144d16c4a4ed3ef4d6f167c109f9bbef7fa9e47149e2135d1f09f3608

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                  Filesize

                                                                                                                                  64B

                                                                                                                                  MD5

                                                                                                                                  5caad758326454b5788ec35315c4c304

                                                                                                                                  SHA1

                                                                                                                                  3aef8dba8042662a7fcf97e51047dc636b4d4724

                                                                                                                                  SHA256

                                                                                                                                  83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

                                                                                                                                  SHA512

                                                                                                                                  4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edb.chk
                                                                                                                                  Filesize

                                                                                                                                  8KB

                                                                                                                                  MD5

                                                                                                                                  e86fae99ba3a13ea951b849e4eaca60b

                                                                                                                                  SHA1

                                                                                                                                  b9a93de06f0f3bd36d44dda7c0e39578c09e2bc2

                                                                                                                                  SHA256

                                                                                                                                  9da9e93754f3a46318bf136b24ad868c21918b518c25924ad52e0f5aad69bd2e

                                                                                                                                  SHA512

                                                                                                                                  0efa18dd6d2162eef2ecd633a8547bcf9059718cfaac5a288552cde62e13b9452f43cc25ad9f253f62cb0a3b08c34087c3364a0bdb04619290a5d8bc111f8e4e

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yhyk5wh0.hsk.ps1
                                                                                                                                  Filesize

                                                                                                                                  60B

                                                                                                                                  MD5

                                                                                                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                  SHA1

                                                                                                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                  SHA256

                                                                                                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                  SHA512

                                                                                                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\nfxcb5sr.vkp.exe
                                                                                                                                  Filesize

                                                                                                                                  9.1MB

                                                                                                                                  MD5

                                                                                                                                  cb166d49ce846727ed70134b589b0142

                                                                                                                                  SHA1

                                                                                                                                  8f5e1c7792e9580f2b10d7bef6dc7e63ea044688

                                                                                                                                  SHA256

                                                                                                                                  49da580656e51214d59702a1d983eff143af3560a344f524fe86326c53fb5ddb

                                                                                                                                  SHA512

                                                                                                                                  a39bd86a148af26fd31a0d171078fb7bce0951bb8ea63658d87f6bde97dbc214c62e8bd7152d1e621051de8a0ba77ffd7bda7c1106afb740584c80e68e1912ed

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\w51qamgl.a2l.exe
                                                                                                                                  Filesize

                                                                                                                                  161KB

                                                                                                                                  MD5

                                                                                                                                  94f1ab3a068f83b32639579ec9c5d025

                                                                                                                                  SHA1

                                                                                                                                  38f3d5bc5de46feb8de093d11329766b8e2054ae

                                                                                                                                  SHA256

                                                                                                                                  879cc20b41635709bb304e315aaa5ca4708b480a1bfc2f4935fcf2215188efb0

                                                                                                                                  SHA512

                                                                                                                                  44d5236a804d63302b21ca25ebc148a64605508d03c990a244c44ceb8630849da0510b7b2d0bee72e01ca6681e2d86d7e6aee8847674a26f0028d149b9abee0c

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Roaming\xmrig.zip
                                                                                                                                  Filesize

                                                                                                                                  3.8MB

                                                                                                                                  MD5

                                                                                                                                  9895805962f3b439c3eb845cd30303c6

                                                                                                                                  SHA1

                                                                                                                                  d488cfa52f17c60432813e7906ee812e0ae37fec

                                                                                                                                  SHA256

                                                                                                                                  e30b7057712cdb8760a87b44eb2db03879f4ff54344aaf562e927814b5ce7e5b

                                                                                                                                  SHA512

                                                                                                                                  ec526ca0cc850d03d220c46f9b592045983c392edc30a5cdee5157fe1ea38711f49a475e566c7e2017956f1aa6b1c64a9a4565a26bd466f5ac679aae728c98ce

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Roaming\xmrig\WinRing0x64.sys
                                                                                                                                  Filesize

                                                                                                                                  14KB

                                                                                                                                  MD5

                                                                                                                                  0c0195c48b6b8582fa6f6373032118da

                                                                                                                                  SHA1

                                                                                                                                  d25340ae8e92a6d29f599fef426a2bc1b5217299

                                                                                                                                  SHA256

                                                                                                                                  11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

                                                                                                                                  SHA512

                                                                                                                                  ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Roaming\xmrig\start.cmd
                                                                                                                                  Filesize

                                                                                                                                  44B

                                                                                                                                  MD5

                                                                                                                                  eaf3a00cc0465f8af471b849ada29843

                                                                                                                                  SHA1

                                                                                                                                  3042e97874706189aa9704d77c9e74a94e519106

                                                                                                                                  SHA256

                                                                                                                                  8e70ef38fe14a2ee2848df3d6f7e260d1caf8cfc15de694d678b8af151d62333

                                                                                                                                  SHA512

                                                                                                                                  56b9f3991ae4bad5e06097d095931e746e6b2ac955649a5c793d9f4f6861c6ffc9316b063c34d7a8079af201354c87bf3008bc0fd4321e59b27e1d8120b078cf

                                                                                                                                  Download Submit

                                                                                                                                • C:\Users\Admin\AppData\Roaming\xmrig\xmrig.exe
                                                                                                                                  Filesize

                                                                                                                                  9.3MB

                                                                                                                                  MD5

                                                                                                                                  72107c3009343491bdbd5a2bf27e0d17

                                                                                                                                  SHA1

                                                                                                                                  79ae9dd4ffc65810342c093fb3dd1413a830660d

                                                                                                                                  SHA256

                                                                                                                                  9af0d7469bffba8aea58c666b94ae68e34373f554ba8a145ec5fcc78baf0e6c6

                                                                                                                                  SHA512

                                                                                                                                  eab28e887aeb275527f4d4fa9a7ccd69dfaf21d249005eb9c9a9c098ca062cfabed02da2133e84c0b6109fbd4b6358e905199c24cdc9bb41799e63ccfbe3768e

                                                                                                                                  Download Submit

                                                                                                                                • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
                                                                                                                                  Filesize

                                                                                                                                  2KB

                                                                                                                                  MD5

                                                                                                                                  8abf2d6067c6f3191a015f84aa9b6efe

                                                                                                                                  SHA1

                                                                                                                                  98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7

                                                                                                                                  SHA256

                                                                                                                                  ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea

                                                                                                                                  SHA512

                                                                                                                                  c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

                                                                                                                                  Download Submit

                                                                                                                                • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
                                                                                                                                  Filesize

                                                                                                                                  2KB

                                                                                                                                  MD5

                                                                                                                                  f313c5b4f95605026428425586317353

                                                                                                                                  SHA1

                                                                                                                                  06be66fa06e1cffc54459c38d3d258f46669d01a

                                                                                                                                  SHA256

                                                                                                                                  129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

                                                                                                                                  SHA512

                                                                                                                                  b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

                                                                                                                                  Download Submit

                                                                                                                                • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
                                                                                                                                  Filesize

                                                                                                                                  2KB

                                                                                                                                  MD5

                                                                                                                                  ceb7caa4e9c4b8d760dbf7e9e5ca44c5

                                                                                                                                  SHA1

                                                                                                                                  a3879621f9493414d497ea6d70fbf17e283d5c08

                                                                                                                                  SHA256

                                                                                                                                  98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

                                                                                                                                  SHA512

                                                                                                                                  1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

                                                                                                                                  Download Submit

                                                                                                                                • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
                                                                                                                                  Filesize

                                                                                                                                  2KB

                                                                                                                                  MD5

                                                                                                                                  7d612892b20e70250dbd00d0cdd4f09b

                                                                                                                                  SHA1

                                                                                                                                  63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

                                                                                                                                  SHA256

                                                                                                                                  727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

                                                                                                                                  SHA512

                                                                                                                                  f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

                                                                                                                                  Download Submit

                                                                                                                                • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
                                                                                                                                  Filesize

                                                                                                                                  2KB

                                                                                                                                  MD5

                                                                                                                                  1e8e2076314d54dd72e7ee09ff8a52ab

                                                                                                                                  SHA1

                                                                                                                                  5fd0a67671430f66237f483eef39ff599b892272

                                                                                                                                  SHA256

                                                                                                                                  55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

                                                                                                                                  SHA512

                                                                                                                                  5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

                                                                                                                                  Download Submit

                                                                                                                                • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
                                                                                                                                  Filesize

                                                                                                                                  2KB

                                                                                                                                  MD5

                                                                                                                                  0b990e24f1e839462c0ac35fef1d119e

                                                                                                                                  SHA1

                                                                                                                                  9e17905f8f68f9ce0a2024d57b537aa8b39c6708

                                                                                                                                  SHA256

                                                                                                                                  a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

                                                                                                                                  SHA512

                                                                                                                                  c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

                                                                                                                                  Download Submit

                                                                                                                                • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                                                                  Filesize

                                                                                                                                  330B

                                                                                                                                  MD5

                                                                                                                                  30c307cc3215014af55ff57b7f7f3d3a

                                                                                                                                  SHA1

                                                                                                                                  9a9eef3e79aa44a0728325db5a728afa507e7060

                                                                                                                                  SHA256

                                                                                                                                  d1b5e350c8c870e9aa76247a5b9690d067fca4c5cc8d75f286794e4ba89c1a14

                                                                                                                                  SHA512

                                                                                                                                  7a872c600f96c71b482f848e26c28c57b3198db679f2e636873e5122dca7e9fe50f9565d370622fa72df4f776bbb0ba64a285a0644ce0acff38d3487635fcbdf

                                                                                                                                  Download Submit

                                                                                                                                • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
                                                                                                                                  Filesize

                                                                                                                                  330B

                                                                                                                                  MD5

                                                                                                                                  354cd49a231524bc72bd0aea931a722d

                                                                                                                                  SHA1

                                                                                                                                  4eb78c0fe318c6107bf15fa250e27d4b5f33e119

                                                                                                                                  SHA256

                                                                                                                                  86b7cd482381b33a36d9cf2ae91946e73ad492b5c863440e60e09692d64130b5

                                                                                                                                  SHA512

                                                                                                                                  62432bb8b3e4e8ba8ff3deb783a0a9e9269db12cebc6194bdffa85a2cf1c958f36ab711825a08551a43fe1a73fe38b0019eb45f4e7ecac5629475521f161c683

                                                                                                                                  Download Submit

                                                                                                                                • memory/316-95-0x00007FFF48570000-0x00007FFF48580000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                  Download

                                                                                                                                • memory/316-94-0x0000013F52D00000-0x0000013F52D2B000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                  Download

                                                                                                                                • memory/428-102-0x00007FFF48570000-0x00007FFF48580000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                  Download

                                                                                                                                • memory/428-101-0x000001582A2F0000-0x000001582A31B000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                  Download

                                                                                                                                • memory/612-86-0x00007FFF48570000-0x00007FFF48580000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                  Download

                                                                                                                                • memory/612-85-0x0000023180110000-0x000002318013B000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                  Download

                                                                                                                                • memory/612-84-0x00000231800E0000-0x0000023180105000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  148KB

                                                                                                                                  Download

                                                                                                                                • memory/676-89-0x0000016638CF0000-0x0000016638D1B000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                  Download

                                                                                                                                • memory/676-90-0x00007FFF48570000-0x00007FFF48580000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                  Download

                                                                                                                                • memory/960-99-0x00007FFF48570000-0x00007FFF48580000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                  Download

                                                                                                                                • memory/960-98-0x0000016ADE3A0000-0x0000016ADE3CB000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                  Download

                                                                                                                                • memory/1052-110-0x00007FFF48570000-0x00007FFF48580000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                  Download

                                                                                                                                • memory/1052-109-0x0000017EB9F30000-0x0000017EB9F5B000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                  Download

                                                                                                                                • memory/1136-113-0x00007FFF48570000-0x00007FFF48580000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                  Download

                                                                                                                                • memory/1136-112-0x0000018F384F0000-0x0000018F3851B000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                  Download

                                                                                                                                • memory/1144-115-0x00000267E6B70000-0x00000267E6B9B000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                  Download

                                                                                                                                • memory/1144-116-0x00007FFF48570000-0x00007FFF48580000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                  Download

                                                                                                                                • memory/1172-118-0x0000019E4B4C0000-0x0000019E4B4EB000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                  Download

                                                                                                                                • memory/1172-119-0x00007FFF48570000-0x00007FFF48580000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                  Download

                                                                                                                                • memory/1180-121-0x0000019F9BD40000-0x0000019F9BD6B000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                  Download

                                                                                                                                • memory/1180-122-0x00007FFF48570000-0x00007FFF48580000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                  Download

                                                                                                                                • memory/1264-126-0x000002B2C4730000-0x000002B2C475B000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                  Download

                                                                                                                                • memory/1264-127-0x00007FFF48570000-0x00007FFF48580000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                  Download

                                                                                                                                • memory/1312-130-0x00007FFF48570000-0x00007FFF48580000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                  Download

                                                                                                                                • memory/1312-129-0x000001CC28990000-0x000001CC289BB000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                  Download

                                                                                                                                • memory/2500-41-0x000002D2CD650000-0x000002D2CD65A000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  40KB

                                                                                                                                  Download

                                                                                                                                • memory/2500-40-0x000002D2CD670000-0x000002D2CD682000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  72KB

                                                                                                                                  Download

                                                                                                                                • memory/3168-73-0x0000012E3A9F0000-0x0000012E3AA1C000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  176KB

                                                                                                                                  Download

                                                                                                                                • memory/3168-244-0x0000012E54EC0000-0x0000012E55AF4000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  12.2MB

                                                                                                                                  Download

                                                                                                                                • memory/3168-72-0x0000012E39D20000-0x0000012E3A666000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  9.3MB

                                                                                                                                  Download

                                                                                                                                • memory/3168-382-0x0000012E55020000-0x0000012E5502E000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  56KB

                                                                                                                                  Download

                                                                                                                                • memory/3396-68-0x00007FFF698D0000-0x00007FFF6A391000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  10.8MB

                                                                                                                                  Download

                                                                                                                                • memory/3396-18-0x00007FFF698D3000-0x00007FFF698D5000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  8KB

                                                                                                                                  Download

                                                                                                                                • memory/3396-30-0x00007FFF698D0000-0x00007FFF6A391000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  10.8MB

                                                                                                                                  Download

                                                                                                                                • memory/3396-29-0x00007FFF698D0000-0x00007FFF6A391000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  10.8MB

                                                                                                                                  Download

                                                                                                                                • memory/3396-25-0x0000028EB9460000-0x0000028EB9482000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  136KB

                                                                                                                                  Download

                                                                                                                                • memory/4236-82-0x00007FFF884F0000-0x00007FFF886E5000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  2.0MB

                                                                                                                                  Download

                                                                                                                                • memory/4236-83-0x00007FFF883F0000-0x00007FFF884AE000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  760KB

                                                                                                                                  Download