xmrig | 5c5374eb9054e48c5ab9c6ef21c2bd228fe2e63eaa0ae83dbdb65dd1a7429369

Analysis

max time kernel
900s
max time network
900s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
03/03/2025, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

miner.exe
Size

104KB
MD5

4a9f5b7664e2ebf47aa5fc4240dc8a22
SHA1

d0fc11aab0181df38d193cf8dfd1843fe06c844a
SHA256

5c5374eb9054e48c5ab9c6ef21c2bd228fe2e63eaa0ae83dbdb65dd1a7429369
SHA512

f45224b584b64d4ac32d4e6303ad87b2902ea310ac332ed0a0c7a706df2441eb0ef1f5076fe2716d004e59aa6a8e9e5e5e3a8f012008f05aef05064ad1e1eed6
SSDEEP

192:xjZaDMFEa4ajXPeeZnXwqXTyE1hEjjTyXfan55tfMcePLiZmGhTuRY9SRXiKqiRh:hp4ajGCnXGMsGXfwldJ99Sjvb99Sjv

Score

10^/10

xmrig xworm defense_evasion execution miner rat trojan

Malware Config

Extracted

Family

xworm

Mutex

yNحكـX8ٍبAGLWِF6Jo2DiObلٍLZا3ا

Attributes

Install_directory
%Port%
install_file
MicrosoftEdgeUpdateTaskMachineUAC.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral3/memory/3508-390-0x000001D5EB490000-0x000001D5EB49E000-memory.dmp	family_xworm

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral3/files/0x0008000000027e6b-72.dat	family_xmrig
behavioral3/files/0x0008000000027e6b-72.dat	xmrig
behavioral3/memory/3508-73-0x000001D5D0140000-0x000001D5D0A86000-memory.dmp	xmrig
behavioral3/memory/3508-88-0x000001D5EB2A0000-0x000001D5EBED4000-memory.dmp	xmrig
behavioral3/files/0x0008000000027ec0-149.dat	family_xmrig
behavioral3/files/0x0008000000027ec0-149.dat	xmrig

Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	miner.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	xmrig.exe

Executes dropped EXE 3 IoCs

pid	Process
3508	xmrig.exe
2316	jkzkq4hf.pw1.exe
928	auywuvpk.jr1.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx	svchost.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1440	powershell.exe
3268	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe

Modifies data under HKEY_USERS 23 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb010000002aece7de8f8cad4d92e7631a111adc570000000002000000000010660000000100002000000061f1ff6b9a860b6b409b830101eee2dc18b436f9a05574a2878e2a0e05776d7d000000000e8000000002000020000000a0fe8759f7556ae6a552550d00f5c974a59ff00da462e29baeb5625f57524fcf10060000cff436d8f033e80224e87f87beda6e1c8128b5bf6521b073e21629a4dc5d97dd3d07e4ab3e28bf2d5427cabc6923fd7e9f8f51f81bbc4e3a1c3ca4a94074dc3840dcc6961e06e870998f3e4453db4a5b4ba30160d14cdfd0cf0aa5a96cc6c90a4e92569f228e832c47be38fc733ab6988e6f99d719a657e599b5c4aa73c4360e9cfd7665371e51f6e6d857556f16394e47a5c04cea507a9045e47683ea634cfaea89aa6bf9048b9cdf0bcf64fe8f699712718fa301f3192f257b792d98c10435b3cd29c3669721022f0585dc508c3ee84c7dbc3ca464ef751e1e9b1601d23fc7e4c6142d43805c4fde672f3ab1d515f683b146cd6a4910cb08aa6799b2ed24ddeb653acb058f5640ca68b62373d43708c559ff1ea9256a5abf9baf8281d570c7e1b9931ba66aeb4aff331d738db3778878c31833fbc6a2b14a8eb3440d6a745f0a925c10daefe6502d91073b801d7ea5fdd50a66a4c6c25349caaf524682d6829550252c93d5b260e6067e8c662387324f146b27cac7f9b91e91966ccadbedd41141231ffd56735bdbc80a440beaa87a600743c83c80d3d4cb5575a7c5acbd76a24bb43f40ea0b47fe485d5ef0788606b819a52e18063d9dc9283196847c836b680154087a2c5ed35a703d8a697a5d5f16d01c2cce5e2fffc09fc83811001cc5c5b3abebc054055fb20c9f97fade2e5dedefdbc17c23fb2f0b884fbfed58a309994a5c06a2cbec65349d3f2342d1aafe6d2ef1d94b7805af3c6d95a95244ea16886b8c6c90e4ac9a070696b89b474f84bb0c56905f89c404a305f1732dce166d194f85549c81e029d27c3d037102c68f36ab30d5ee1690758436039b3d6be63a9f2db77df18d9adc4fbf6d3c292e17d5ea2f676aa3d9c7a4de9580402791e7b85f52cf7ad2a1c319b865bda16b4018d7c94b86b8df9b64ceca6830f211acd6166f390276f8ce0c9a3d4eedda6b91327a82a16ce69feafcd191e1779b90a16dc3bb6feb810b8dc4e1d27eb24c2c45e9513af86562c1b2e638bf2559b94ded7671bf77e6e99e39a3bd415eb2664b886dbccf48de04941ef607485d410a78727eee8a9c96768549d7af1083d15c85e01db1275c56f2adbf2346bb553d2cf139820c64ed7ea361c317878315b68ccf3d7434431d8fec17844be17c9b6af2826869ebb25fcd21e069b1039b0dd5de91f31bf8aff9490f1091da6ccd983fec8cce4d186f0e65a37ccf581e222d6845ba8ffda7e441091b22dd3c592d05fdc0be468b903b4ac01c22b3ade1bb0b35defebc21db7d619bd1249e5809475b727628110ef246af4ad3fac5159c421d3be6674caf1e4e5696885cce9d2b87f6d5fb7b97120f8530b03083825e5acdcaf8ba7d7e91aa6be9cec279a8573f41e99fb67fb11dca4df98745a5b358d4fb5b071c3af9288d9794a7dc2c91f2ab6fec91a155a65c1656cbf84998167b3906f46549b2f6bb080fb3f5c9dcc585cb6a284897fbf9617ee0086bc4d80cbb3d9e813216703cce5514b3739df06e984705250e0b3aa6900c4f7f68bf1eee760c78e228534e49b6da87cf92f5c54f19d3aa9a0bee73614d4db965187481b7a37e997727f695c3f275bad5bb4773aae6236f09369b5f1597c9f8daeb41537fbaf8e5fb82f3c8ab26deff497b7b4c287f66b8c33c45ad8389a923891ef370feeb466f121609a7aa23ba4f2790f251fe3ec0e8dfca2b908d4076852f5438095e721d788e08bea6f8b3eb514df51e7c9a58634cbc2414346a4733f63e6b2b8bf8b07d9a2719299fc906622d81cde8a276eea2611398d59dd21eb5ce9cbf8414468fa7bc425ff82f6b826f84080c4e229c95e11d901784c842ab807c58097633b5257272a753fe7176e2d6e25d72e02a3606150e37a6b6bd94fbe3010e0272352488e7e0d13d044122d9f15323b304a4ab46954cfaf061a82a222c93323011da55b36d71bc8b2eda83303f59136669e98136b4cc1274434ced418123eb433c444384e50497259c8b8866a2ce5213f9ea2447999ad9bef851a08ba2f7ad1bf4ee5fecbdef73f2146bba4cf3250bb68e7c5dac619585a595317f82275e38f4eca8570bf761b467235419701d6f197b76b68421505bd3f29136eddd38b8f26cd7ae1c4ad2db33ba1855f2cbfa0624ed2a2af7e7a4ac6ba0be7f717ab47477e131e98a296acb0e8774ef43a4b440000000b5c9c962890a8f96ccd993c7833df390dc91735a15e198c3b3e9b5054673e6b96fd41fe388783120d906637cbb46f3f8c786e85197e4c96aa659ac4db55e8278	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "001880114EC37D39"	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 03 Mar 2025 17:25:19 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\001880114EC37D39 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb010000002aece7de8f8cad4d92e7631a111adc57000000000200000000001066000000010000200000002b3df8dfb894b45998df377fd7c639de61d0433cdff9e12d9b03e056c333f152000000000e8000000002000020000000f9b10d706aa4088f38c5d175ac70c74cdba50291da80bbc6b7d468fa39fa6f8680000000c579eb3182e86530fb986b38a666d29b73f9276d4ee098aed831a42521b68aa3edc5d9576a69c5eec957955fb21c48cf999c9c57a4ae89eca0cb84d4d93d3ca02b2eeea55fbe84a3de3e9c17d67b1ec8ac0563b178c6c118dbbc0c0b6c779a1acb58bcb24bba17475866432833a97f979b38cc4104bd5c93d3fee7a741db9e894000000094e0ee2a003d9f86119b4667834f1b06e76b914625d214ad663e97150feeb090968fcc7726f4f96ed867e6a98a57ef95c5a59f693f4f7232ac6c388d590cba91	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "001880114EC37D39"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1741022718"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={8945037F-5DED-4D40-945D-771D6688CDD9}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1440	powershell.exe
1440	powershell.exe
3268	powershell.exe
3268	powershell.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe
2316	jkzkq4hf.pw1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	3508	xmrig.exe
Token: SeDebugPrivilege	2316	jkzkq4hf.pw1.exe
Token: SeShutdownPrivilege	3564	Explorer.EXE
Token: SeCreatePagefilePrivilege	3564	Explorer.EXE
Token: SeShutdownPrivilege	3564	Explorer.EXE
Token: SeCreatePagefilePrivilege	3564	Explorer.EXE
Token: SeShutdownPrivilege	232	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	232	mousocoreworker.exe
Token: SeShutdownPrivilege	3960	RuntimeBroker.exe
Token: SeShutdownPrivilege	232	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	232	mousocoreworker.exe
Token: SeShutdownPrivilege	3960	RuntimeBroker.exe
Token: SeShutdownPrivilege	232	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	232	mousocoreworker.exe
Token: SeShutdownPrivilege	3960	RuntimeBroker.exe
Token: SeShutdownPrivilege	232	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	232	mousocoreworker.exe
Token: SeAssignPrimaryTokenPrivilege	1764	svchost.exe
Token: SeIncreaseQuotaPrivilege	1764	svchost.exe
Token: SeSecurityPrivilege	1764	svchost.exe
Token: SeTakeOwnershipPrivilege	1764	svchost.exe
Token: SeLoadDriverPrivilege	1764	svchost.exe
Token: SeSystemtimePrivilege	1764	svchost.exe
Token: SeBackupPrivilege	1764	svchost.exe
Token: SeRestorePrivilege	1764	svchost.exe
Token: SeShutdownPrivilege	1764	svchost.exe
Token: SeSystemEnvironmentPrivilege	1764	svchost.exe
Token: SeUndockPrivilege	1764	svchost.exe
Token: SeManageVolumePrivilege	1764	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1764	svchost.exe
Token: SeIncreaseQuotaPrivilege	1764	svchost.exe
Token: SeSecurityPrivilege	1764	svchost.exe
Token: SeTakeOwnershipPrivilege	1764	svchost.exe
Token: SeLoadDriverPrivilege	1764	svchost.exe
Token: SeSystemtimePrivilege	1764	svchost.exe
Token: SeBackupPrivilege	1764	svchost.exe
Token: SeRestorePrivilege	1764	svchost.exe
Token: SeShutdownPrivilege	1764	svchost.exe
Token: SeSystemEnvironmentPrivilege	1764	svchost.exe
Token: SeUndockPrivilege	1764	svchost.exe
Token: SeManageVolumePrivilege	1764	svchost.exe
Token: SeAuditPrivilege	2808	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1764	svchost.exe
Token: SeIncreaseQuotaPrivilege	1764	svchost.exe
Token: SeSecurityPrivilege	1764	svchost.exe
Token: SeTakeOwnershipPrivilege	1764	svchost.exe
Token: SeLoadDriverPrivilege	1764	svchost.exe
Token: SeSystemtimePrivilege	1764	svchost.exe
Token: SeBackupPrivilege	1764	svchost.exe
Token: SeRestorePrivilege	1764	svchost.exe
Token: SeShutdownPrivilege	1764	svchost.exe
Token: SeSystemEnvironmentPrivilege	1764	svchost.exe
Token: SeUndockPrivilege	1764	svchost.exe
Token: SeManageVolumePrivilege	1764	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1764	svchost.exe
Token: SeIncreaseQuotaPrivilege	1764	svchost.exe
Token: SeSecurityPrivilege	1764	svchost.exe
Token: SeTakeOwnershipPrivilege	1764	svchost.exe
Token: SeLoadDriverPrivilege	1764	svchost.exe
Token: SeSystemtimePrivilege	1764	svchost.exe
Token: SeBackupPrivilege	1764	svchost.exe
Token: SeRestorePrivilege	1764	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1336	TextInputHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 1440	5052	miner.exe	89
PID 5052 wrote to memory of 1440	5052	miner.exe	89
PID 1440 wrote to memory of 3268	1440	powershell.exe	91
PID 1440 wrote to memory of 3268	1440	powershell.exe	91
PID 5052 wrote to memory of 3508	5052	miner.exe	94
PID 5052 wrote to memory of 3508	5052	miner.exe	94
PID 3508 wrote to memory of 2316	3508	xmrig.exe	95
PID 3508 wrote to memory of 2316	3508	xmrig.exe	95
PID 2316 wrote to memory of 632	2316	jkzkq4hf.pw1.exe	5
PID 2316 wrote to memory of 680	2316	jkzkq4hf.pw1.exe	7
PID 2316 wrote to memory of 964	2316	jkzkq4hf.pw1.exe	12
PID 2316 wrote to memory of 428	2316	jkzkq4hf.pw1.exe	13
PID 2316 wrote to memory of 752	2316	jkzkq4hf.pw1.exe	14
PID 2316 wrote to memory of 732	2316	jkzkq4hf.pw1.exe	15
PID 2316 wrote to memory of 628	2316	jkzkq4hf.pw1.exe	16
PID 2316 wrote to memory of 960	2316	jkzkq4hf.pw1.exe	17
PID 2316 wrote to memory of 1116	2316	jkzkq4hf.pw1.exe	18
PID 2316 wrote to memory of 1124	2316	jkzkq4hf.pw1.exe	19
PID 2316 wrote to memory of 1188	2316	jkzkq4hf.pw1.exe	20
PID 2316 wrote to memory of 1276	2316	jkzkq4hf.pw1.exe	22
PID 2316 wrote to memory of 1420	2316	jkzkq4hf.pw1.exe	23
PID 3508 wrote to memory of 928	3508	xmrig.exe	96
PID 3508 wrote to memory of 928	3508	xmrig.exe	96
PID 680 wrote to memory of 2788	680	lsass.exe	46
PID 680 wrote to memory of 2788	680	lsass.exe	46
PID 2316 wrote to memory of 1428	2316	jkzkq4hf.pw1.exe	24
PID 2316 wrote to memory of 1552	2316	jkzkq4hf.pw1.exe	25
PID 2316 wrote to memory of 1560	2316	jkzkq4hf.pw1.exe	26
PID 2316 wrote to memory of 1580	2316	jkzkq4hf.pw1.exe	27
PID 2316 wrote to memory of 1596	2316	jkzkq4hf.pw1.exe	28
PID 2316 wrote to memory of 1728	2316	jkzkq4hf.pw1.exe	29
PID 2316 wrote to memory of 1772	2316	jkzkq4hf.pw1.exe	30
PID 2316 wrote to memory of 1780	2316	jkzkq4hf.pw1.exe	31
PID 2316 wrote to memory of 1920	2316	jkzkq4hf.pw1.exe	32
PID 2316 wrote to memory of 1988	2316	jkzkq4hf.pw1.exe	33
PID 2316 wrote to memory of 2008	2316	jkzkq4hf.pw1.exe	34
PID 2316 wrote to memory of 2016	2316	jkzkq4hf.pw1.exe	35
PID 2316 wrote to memory of 1764	2316	jkzkq4hf.pw1.exe	36
PID 2316 wrote to memory of 2084	2316	jkzkq4hf.pw1.exe	37
PID 2316 wrote to memory of 2104	2316	jkzkq4hf.pw1.exe	38
PID 2316 wrote to memory of 2220	2316	jkzkq4hf.pw1.exe	39
PID 2316 wrote to memory of 2364	2316	jkzkq4hf.pw1.exe	41
PID 2316 wrote to memory of 2468	2316	jkzkq4hf.pw1.exe	42
PID 2316 wrote to memory of 2480	2316	jkzkq4hf.pw1.exe	43
PID 2316 wrote to memory of 2572	2316	jkzkq4hf.pw1.exe	44
PID 2316 wrote to memory of 2732	2316	jkzkq4hf.pw1.exe	45
PID 2316 wrote to memory of 2788	2316	jkzkq4hf.pw1.exe	46
PID 2316 wrote to memory of 2808	2316	jkzkq4hf.pw1.exe	47
PID 2316 wrote to memory of 2832	2316	jkzkq4hf.pw1.exe	48
PID 2316 wrote to memory of 2852	2316	jkzkq4hf.pw1.exe	49
PID 2316 wrote to memory of 2720	2316	jkzkq4hf.pw1.exe	51
PID 2316 wrote to memory of 688	2316	jkzkq4hf.pw1.exe	52
PID 2316 wrote to memory of 3116	2316	jkzkq4hf.pw1.exe	53
PID 2316 wrote to memory of 3180	2316	jkzkq4hf.pw1.exe	54
PID 2316 wrote to memory of 3220	2316	jkzkq4hf.pw1.exe	55
PID 2316 wrote to memory of 3464	2316	jkzkq4hf.pw1.exe	56
PID 2316 wrote to memory of 3564	2316	jkzkq4hf.pw1.exe	57
PID 2316 wrote to memory of 3688	2316	jkzkq4hf.pw1.exe	58
PID 2316 wrote to memory of 3960	2316	jkzkq4hf.pw1.exe	60
PID 2316 wrote to memory of 3796	2316	jkzkq4hf.pw1.exe	62
PID 2316 wrote to memory of 4360	2316	jkzkq4hf.pw1.exe	63
PID 2316 wrote to memory of 4652	2316	jkzkq4hf.pw1.exe	65
PID 2316 wrote to memory of 64	2316	jkzkq4hf.pw1.exe	67
PID 2316 wrote to memory of 2376	2316	jkzkq4hf.pw1.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:960

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1276
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1596
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2104

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2732

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2852

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3464

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3564
- C:\Users\Admin\AppData\Local\Temp\miner.exe
  "C:\Users\Admin\AppData\Local\Temp\miner.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command "Expand-Archive -Path 'C:\Users\Admin\AppData\Roaming\xmrig.zip' -DestinationPath 'C:\Users\Admin\AppData\Roaming\xmrig' -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Expand-Archive -Path C:\Users\Admin\AppData\Roaming\xmrig.zip -DestinationPath C:\Users\Admin\AppData\Roaming\xmrig -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3268
- - C:\Users\Admin\AppData\Roaming\xmrig\xmrig.exe
    "C:\Users\Admin\AppData\Roaming\xmrig\xmrig.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Users\Admin\AppData\Local\Temp\jkzkq4hf.pw1.exe
      "C:\Users\Admin\AppData\Local\Temp\jkzkq4hf.pw1.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\auywuvpk.jr1.exe
      "C:\Users\Admin\AppData\Local\Temp\auywuvpk.jr1.exe"
      4⤵
      Executes dropped EXE
      PID:928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3688

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3796

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4360

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:64

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:5028

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:896

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4448

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:3548

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3320

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of UnmapMainImage
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:1800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:656

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe ba9783ffe28e8e1fdcce0398d5ac9f8b 5XSSbKnd/UK3pa+QXsM70A.0.1.0.0.0
1⤵
PID:3996
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:4952

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Enumerates system info in registry
PID:4724

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4516

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
09bba13a979206e7af8a5ae31dd0c9c7

SHA1
b15658ced94fa8ef71b2f155026103f04007a20f

SHA256
5ee5474da83a48dd03da714aa14206a9c40051be86d200ed4012598d82c4cf7a

SHA512
802c6a034cb5b8de9e3977d2884ad1e08ed1a73a64225bf8157af7cb105bee795e3671f35d7d3fad47f15542fe5ba142e3531fee66fe819de68a539170e9c9f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
8153c4381862f8a740c1e9f1dc422bfe

SHA1
b6c1eb67f144535c810f924c9dd48ae088c60b22

SHA256
42e01db1454ba295d9a215791d6a0714fd61f4ee176bc335a657df4e99d7e9ca

SHA512
88d14436cd2b004fdacd19442399b95b2c902a876401c40029cb5b6d4632843d7c7cddfdaaf62d61b79f892dcb2d565ba1c1ff688c5352cd1b500beba34042d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
9e331577bdd657c194f7f5af45d8243e

SHA1
6a493f741d3ee2263094269f2071f54a0bc94c83

SHA256
12c65653b4e00703a0a6a52b0a1df21a09570157e27eb47a9919853825b0305a

SHA512
f50fb69b8e8e207fb3ea38e292718546c84b10af44318362439f34ebe2fcf92ea52540923f28265c2ecb04c4a137b5f71eb33046ab443d4c770b91732f497e2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
2376ac99f04405b4d5fe8c55fb4105fe

SHA1
eab55df736dfc3031d33e370ae851c6ba2534d07

SHA256
6332299c3159a8e21a1ddf9a1c90b113cc1746b00cb549d0a7ddfebbaaed37af

SHA512
a6bcad66ad4da306a0d64876758f5318b89f741e04d723d53c44c81142120c3c193c785d2ebf29b7980ee1a17630e0932d37a2a0b99149187e5982590f2f2258

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
bc0295746348785bd19b49851dfbb583

SHA1
8335e8228267cb010743db57dba6536716596ed1

SHA256
07246ade95ae6362aacdc07f8d78a258f2e6460034da1c0847318a34483e9143

SHA512
beb17fdad04e305d6e8114c4bc53ee3317460ac1466b7b536a8dd3ce8a10858faf253f7f472db8f9db6c68f163a56420ebafa6bca6c5948fd3c8a1279ac8314c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D9CA54E0FA212456E1DB00704A97658E

Filesize
476B

MD5
7f29d8418532d62b0a9b399028a2d4b3

SHA1
9d02a18f52385de7f62e645209f6e67e2ded5566

SHA256
88c87929e43460fb04d177d47b8feef0b8ed73836b6e39a1c0490a4878d2ca27

SHA512
ed24f66ad16e116242204734742117f6d5af10f59ca52364a5a9bca08bbaa6f6f0a4e1a23da5237c017d65aadc31a0f04c24238e1a1054090c35c5df974fa6dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
af7f3efd561977b35d93138c3dbab4f4

SHA1
12f7c9aab9f80f67f3bf703e6ddb04f219c77c33

SHA256
204f52addd7344932b2da42f3a3bab28cd7976c1af315f09ebaa7e8451d4aac2

SHA512
15d455a6b5439c3340cf8e678c4fb5f61b9633b317b66a66679ab21a2700d22a51b0e90d77004b4a1bdc39f1d286ecca3a74aeb734ae972aa72ac3debcf4d0b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
330B

MD5
5d8fb9e727c7d2359cfc1b7592b3939b

SHA1
ee7a9872cc35e9ef0a0f4d4cf799c3cf0219f45b

SHA256
15c8026cd0a90d4626dee88e1811d128d7767fd2cb08c5c042738b12f3ecf67f

SHA512
87c1975c96c381c635712121aa7dfad0bd5cd5ee4634ee57b19aef0e6beb6c9608f98e4f6499d67902155ecaf2bba42c85e60ed25a141ecf3b735eae6aaa05ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
68885a588c3a18af3231775c1ce60817

SHA1
decf1b996efb13f99861bd3d95eccd1beba975b2

SHA256
03ef59b8353eae626d77544758a4336849dac47a7afa30668ca67b48efd8d6ed

SHA512
b07ed2e47ac7850fa22eca8c5584532ab7c3a49f871bc5d4214bf879d5e2a1b1895ae55e7ea792023fcf1f462b8c14ee22d0e1dc993d28fab9c48c328a8f782a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_swkgxgrh.qn3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\auywuvpk.jr1.exe

Filesize
9.1MB

MD5
cb166d49ce846727ed70134b589b0142

SHA1
8f5e1c7792e9580f2b10d7bef6dc7e63ea044688

SHA256
49da580656e51214d59702a1d983eff143af3560a344f524fe86326c53fb5ddb

SHA512
a39bd86a148af26fd31a0d171078fb7bce0951bb8ea63658d87f6bde97dbc214c62e8bd7152d1e621051de8a0ba77ffd7bda7c1106afb740584c80e68e1912ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkzkq4hf.pw1.exe

Filesize
161KB

MD5
94f1ab3a068f83b32639579ec9c5d025

SHA1
38f3d5bc5de46feb8de093d11329766b8e2054ae

SHA256
879cc20b41635709bb304e315aaa5ca4708b480a1bfc2f4935fcf2215188efb0

SHA512
44d5236a804d63302b21ca25ebc148a64605508d03c990a244c44ceb8630849da0510b7b2d0bee72e01ca6681e2d86d7e6aee8847674a26f0028d149b9abee0c

Download Submit
C:\Users\Admin\AppData\Roaming\xmrig.zip

Filesize
3.8MB

MD5
9895805962f3b439c3eb845cd30303c6

SHA1
d488cfa52f17c60432813e7906ee812e0ae37fec

SHA256
e30b7057712cdb8760a87b44eb2db03879f4ff54344aaf562e927814b5ce7e5b

SHA512
ec526ca0cc850d03d220c46f9b592045983c392edc30a5cdee5157fe1ea38711f49a475e566c7e2017956f1aa6b1c64a9a4565a26bd466f5ac679aae728c98ce

Download Submit
C:\Users\Admin\AppData\Roaming\xmrig\xmrig.exe

Filesize
9.3MB

MD5
72107c3009343491bdbd5a2bf27e0d17

SHA1
79ae9dd4ffc65810342c093fb3dd1413a830660d

SHA256
9af0d7469bffba8aea58c666b94ae68e34373f554ba8a145ec5fcc78baf0e6c6

SHA512
eab28e887aeb275527f4d4fa9a7ccd69dfaf21d249005eb9c9a9c098ca062cfabed02da2133e84c0b6109fbd4b6358e905199c24cdc9bb41799e63ccfbe3768e

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
4ac1741ceb19f5a983079b2c5f344f5d

SHA1
f1ebd93fbade2e035cd59e970787b8042cdd0f3b

SHA256
7df73f71214cdd2f2d477d6c2c65f6e4c2f5955fc669cde9c583b0ff9553ecdc

SHA512
583706069a7c0b22926fa22fc7bedcca9d6750d1542a1125b688fbb0595baf6cefc76e7b6e49c1415c782a21d0dd504c78fa36efad5f29f2fd5d69cc45ad8dcd

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
a9124c4c97cba8a07a8204fac1696c8e

SHA1
1f27d80280e03762c7b16781608786f5a98ff434

SHA256
8ad3d28aeff847bc5fb8035cbc7c71e88a4ee547821a8e1a3ea6661ee6014b21

SHA512
537caaa75ac1e257c6b247f9680c3b9e79156ea1bcb3f1326e969a774db33b3c906800813ca6f79369c799a62f4260c91c6dd9a6cace3af25b7dbea5a73e0392

Download Submit
memory/428-114-0x00000155AF3D0000-0x00000155AF3FB000-memory.dmp

Filesize
172KB

Download
memory/428-115-0x00007FFFA70D0000-0x00007FFFA70E0000-memory.dmp

Filesize
64KB

Download
memory/628-130-0x000002360A530000-0x000002360A55B000-memory.dmp

Filesize
172KB

Download
memory/628-131-0x00007FFFA70D0000-0x00007FFFA70E0000-memory.dmp

Filesize
64KB

Download
memory/632-100-0x0000021CBBA50000-0x0000021CBBA75000-memory.dmp

Filesize
148KB

Download
memory/632-101-0x0000021CBBA90000-0x0000021CBBABB000-memory.dmp

Filesize
172KB

Download
memory/632-102-0x00007FFFA70D0000-0x00007FFFA70E0000-memory.dmp

Filesize
64KB

Download
memory/680-106-0x00007FFFA70D0000-0x00007FFFA70E0000-memory.dmp

Filesize
64KB

Download
memory/680-105-0x000001B35DAF0000-0x000001B35DB1B000-memory.dmp

Filesize
172KB

Download
memory/732-128-0x00007FFFA70D0000-0x00007FFFA70E0000-memory.dmp

Filesize
64KB

Download
memory/732-127-0x000001E5136E0000-0x000001E51370B000-memory.dmp

Filesize
172KB

Download
memory/752-117-0x000001D4F7920000-0x000001D4F794B000-memory.dmp

Filesize
172KB

Download
memory/752-118-0x00007FFFA70D0000-0x00007FFFA70E0000-memory.dmp

Filesize
64KB

Download
memory/960-145-0x000001A2012D0000-0x000001A2012FB000-memory.dmp

Filesize
172KB

Download
memory/960-146-0x00007FFFA70D0000-0x00007FFFA70E0000-memory.dmp

Filesize
64KB

Download
memory/964-110-0x00007FFFA70D0000-0x00007FFFA70E0000-memory.dmp

Filesize
64KB

Download
memory/964-109-0x000001D04CC40000-0x000001D04CC6B000-memory.dmp

Filesize
172KB

Download
memory/1116-134-0x00007FFFA70D0000-0x00007FFFA70E0000-memory.dmp

Filesize
64KB

Download
memory/1116-133-0x0000021EAE000000-0x0000021EAE02B000-memory.dmp

Filesize
172KB

Download
memory/1124-137-0x00007FFFA70D0000-0x00007FFFA70E0000-memory.dmp

Filesize
64KB

Download
memory/1124-136-0x0000015018F80000-0x0000015018FAB000-memory.dmp

Filesize
172KB

Download
memory/1188-140-0x00007FFFA70D0000-0x00007FFFA70E0000-memory.dmp

Filesize
64KB

Download
memory/1188-139-0x00000283877C0000-0x00000283877EB000-memory.dmp

Filesize
172KB

Download
memory/1276-143-0x00007FFFA70D0000-0x00007FFFA70E0000-memory.dmp

Filesize
64KB

Download
memory/1276-142-0x0000018639780000-0x00000186397AB000-memory.dmp

Filesize
172KB

Download
memory/1420-151-0x000001D35CB40000-0x000001D35CB6B000-memory.dmp

Filesize
172KB

Download
memory/1420-152-0x00007FFFA70D0000-0x00007FFFA70E0000-memory.dmp

Filesize
64KB

Download
memory/1440-69-0x00007FFFC7EE0000-0x00007FFFC89A2000-memory.dmp

Filesize
10.8MB

Download
memory/1440-18-0x00007FFFC7EE3000-0x00007FFFC7EE5000-memory.dmp

Filesize
8KB

Download
memory/1440-28-0x000001DA42B60000-0x000001DA42B82000-memory.dmp

Filesize
136KB

Download
memory/1440-29-0x00007FFFC7EE0000-0x00007FFFC89A2000-memory.dmp

Filesize
10.8MB

Download
memory/1440-30-0x00007FFFC7EE0000-0x00007FFFC89A2000-memory.dmp

Filesize
10.8MB

Download
memory/1440-31-0x00007FFFC7EE0000-0x00007FFFC89A2000-memory.dmp

Filesize
10.8MB

Download
memory/1552-160-0x0000028050470000-0x000002805049B000-memory.dmp

Filesize
172KB

Download
memory/1552-161-0x00007FFFA70D0000-0x00007FFFA70E0000-memory.dmp

Filesize
64KB

Download
memory/1560-163-0x000001845A9C0000-0x000001845A9EB000-memory.dmp

Filesize
172KB

Download
memory/2316-87-0x00007FFFE56C0000-0x00007FFFE577D000-memory.dmp

Filesize
756KB

Download
memory/2316-86-0x00007FFFE7050000-0x00007FFFE7248000-memory.dmp

Filesize
2.0MB

Download
memory/3268-42-0x0000025FF8C90000-0x0000025FF8C9A000-memory.dmp

Filesize
40KB

Download
memory/3268-41-0x0000025FF8CA0000-0x0000025FF8CB2000-memory.dmp

Filesize
72KB

Download
memory/3508-73-0x000001D5D0140000-0x000001D5D0A86000-memory.dmp

Filesize
9.3MB

Download
memory/3508-74-0x000001D5D0E50000-0x000001D5D0E7C000-memory.dmp

Filesize
176KB

Download
memory/3508-390-0x000001D5EB490000-0x000001D5EB49E000-memory.dmp

Filesize
56KB

Download
memory/3508-88-0x000001D5EB2A0000-0x000001D5EBED4000-memory.dmp

Filesize
12.2MB

Download