xmrig | 5c5374eb9054e48c5ab9c6ef21c2bd228fe2e63eaa0ae83dbdb65dd1a7429369

Analysis

max time kernel
900s
max time network
900s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
03/03/2025, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

miner.exe
Size

104KB
MD5

4a9f5b7664e2ebf47aa5fc4240dc8a22
SHA1

d0fc11aab0181df38d193cf8dfd1843fe06c844a
SHA256

5c5374eb9054e48c5ab9c6ef21c2bd228fe2e63eaa0ae83dbdb65dd1a7429369
SHA512

f45224b584b64d4ac32d4e6303ad87b2902ea310ac332ed0a0c7a706df2441eb0ef1f5076fe2716d004e59aa6a8e9e5e5e3a8f012008f05aef05064ad1e1eed6
SSDEEP

192:xjZaDMFEa4ajXPeeZnXwqXTyE1hEjjTyXfan55tfMcePLiZmGhTuRY9SRXiKqiRh:hp4ajGCnXGMsGXfwldJ99Sjvb99Sjv

Score

10^/10

xmrig xworm defense_evasion execution miner rat trojan

Malware Config

Extracted

Family

xworm

Mutex

yNحكـX8ٍبAGLWِF6Jo2DiObلٍLZا3ا

Attributes

Install_directory
%Port%
install_file
MicrosoftEdgeUpdateTaskMachineUAC.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral4/memory/540-342-0x000002117D330000-0x000002117D33E000-memory.dmp	family_xworm

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral4/files/0x001c00000002aecd-70.dat	family_xmrig
behavioral4/files/0x001c00000002aecd-70.dat	xmrig
behavioral4/memory/540-71-0x0000021179620000-0x0000021179F66000-memory.dmp	xmrig
behavioral4/files/0x001900000002aecf-128.dat	family_xmrig
behavioral4/files/0x001900000002aecf-128.dat	xmrig
behavioral4/memory/540-83-0x000002117C7E0000-0x000002117D414000-memory.dmp	xmrig

Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 3 IoCs

pid	Process
540	xmrig.exe
776	ga5mx5q5.1uv.exe
3188	npumxfoe.vdn.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4288	powershell.exe
5072	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1741022716"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 03 Mar 2025 17:25:17 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={A40615EE-2B32-4CF4-AC68-36B2B28C2780}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGrou	DllHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\f3cf2b54-27d6-424b-a658-1b59f95 = "MicrosoftWindows.Client.CBS_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\f3cf2b54-27d6-424b-a658-1b59f95 = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cac = "0"	DllHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\f3cf2b54-27d6-424b-a658-1b59f95 = 46a09abb618cdb01	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cac = "INetHistory\\BackgroundTransferApi"	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGrou = "0"	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGrou = "1"	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cac = ":BackgroundTransferApi:"	DllHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\Registry\User\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\NotificationData	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\f3cf2b54-27d6-424b-a658-1b59f95 = "\\\\?\\Volume{8151365E-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{548c2be5-364e-4e20-96ac-df84fee310b1}\\ConstraintIndex.cab"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\f3cf2b54-27d6-424b-a658-1b59f95 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000b44288bb618cdb01b44288bb618cdb01b44288bb618cdb01000000000000000001000000000000000000000000000000280514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800bc003100000000000000000010004d6963726f736f667457696e646f77732e436c69656e742e4342535f6377356e31683274787965777900840009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f0066007400570069006e0064006f00770073002e0043006c00690065006e0074002e004300420053005f006300770035006e003100680032007400780079006500770079000000380060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a006e00310000000000000000001000436f6e73747261696e74496e64657800500009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000043006f006e00730074007200610069006e00740049006e0064006500780000001e00c600310000000000000000001000496e7075745f7b35343863326265352d333634652d346532302d393661632d6466383466656533313062317d00008a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000049006e007000750074005f007b00350034003800630032006200650035002d0033003600340065002d0034006500320030002d0039003600610063002d006400660038003400660065006500330031003000620031007d0000003c000901320000000000635a9b8b2000436f6e73747261696e74496e6465782e63616200580009000400efbe635a9b8b635a9b8b2e000000000000000000000000000000000000000000000000004c0cfb0043006f006e00730074007200610069006e00740049006e006400650078002e00630061006200000022008f0000002700efbe8100000031535053b79daeff8d1cff43818c84403aa3732d6500000064000000001f0000002a0000004d006900630072006f0073006f0066007400570069006e0064006f00770073002e0043006c00690065006e0074002e004300420053005f006300770035006e003100680032007400780079006500770079000000000000000000000022000000e10000001c000000010000001c0000003400000000000000e00000001800000003000000b25c46a51000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f667457696e646f77732e436c69656e742e4342535f6377356e3168327478796577795c4c6f63616c53746174655c436f6e73747261696e74496e6465785c496e7075745f7b35343863326265352d333634652d346532302d393661632d6466383466656533313062317d5c436f6e73747261696e74496e6465782e636162000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000068657a6f74666d6600000000000000004c1321b8bfffd244b9f8b777537cede315ed2fec76edef118a9fcea7bfe93e584c1321b8bfffd244b9f8b777537cede315ed2fec76edef118a9fcea7bfe93e58d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0032003200350030003900330035003900360034002d0034003000380030003400340036003700300032002d0032003700370036003700320039003200370038002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000005e365181000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cac = "1"	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGrou = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoftwindows.client.cbs_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApiGroup"	DllHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe110000006b7eec267b81db01ff30b6b98381db01ff30b6b98381db0114000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGrou = ":BackgroundTransferApiGroup:"	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGrou = "INetHistory\\BackgroundTransferApiGroup"	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGrou = "9"	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cac = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoftwindows.client.cbs_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApi"	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\f3cf2b54-27d6-424b-a658-1b59f95	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\f3cf2b54-27d6-424b-a658-1b59f95	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask	Taskmgr.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3252	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4288	powershell.exe
4288	powershell.exe
5072	powershell.exe
5072	powershell.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe
776	ga5mx5q5.1uv.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3252	Explorer.EXE
2364	Taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	540	xmrig.exe
Token: SeDebugPrivilege	776	ga5mx5q5.1uv.exe
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	424	dwm.exe
Token: SeCreatePagefilePrivilege	424	dwm.exe
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe
2364	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
2364	Taskmgr.exe
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
2364	Taskmgr.exe
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
2364	Taskmgr.exe
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
2364	Taskmgr.exe
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
2364	Taskmgr.exe
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
2364	Taskmgr.exe
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3924	Conhost.exe

Suspicious use of UnmapMainImage 5 IoCs

pid	Process
3812	RuntimeBroker.exe
3252	Explorer.EXE
3812	RuntimeBroker.exe
3908	RuntimeBroker.exe
3252	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 4288	2556	miner.exe	83
PID 2556 wrote to memory of 4288	2556	miner.exe	83
PID 4288 wrote to memory of 5072	4288	powershell.exe	85
PID 4288 wrote to memory of 5072	4288	powershell.exe	85
PID 2556 wrote to memory of 540	2556	miner.exe	86
PID 2556 wrote to memory of 540	2556	miner.exe	86
PID 540 wrote to memory of 776	540	xmrig.exe	87
PID 540 wrote to memory of 776	540	xmrig.exe	87
PID 776 wrote to memory of 636	776	ga5mx5q5.1uv.exe	5
PID 776 wrote to memory of 692	776	ga5mx5q5.1uv.exe	7
PID 776 wrote to memory of 996	776	ga5mx5q5.1uv.exe	12
PID 776 wrote to memory of 424	776	ga5mx5q5.1uv.exe	13
PID 776 wrote to memory of 536	776	ga5mx5q5.1uv.exe	14
PID 776 wrote to memory of 928	776	ga5mx5q5.1uv.exe	15
PID 776 wrote to memory of 1072	776	ga5mx5q5.1uv.exe	17
PID 776 wrote to memory of 1108	776	ga5mx5q5.1uv.exe	18
PID 776 wrote to memory of 1152	776	ga5mx5q5.1uv.exe	19
PID 776 wrote to memory of 1228	776	ga5mx5q5.1uv.exe	20
PID 776 wrote to memory of 1264	776	ga5mx5q5.1uv.exe	21
PID 540 wrote to memory of 3188	540	xmrig.exe	88
PID 540 wrote to memory of 3188	540	xmrig.exe	88
PID 692 wrote to memory of 2752	692	lsass.exe	47
PID 776 wrote to memory of 1304	776	ga5mx5q5.1uv.exe	22
PID 692 wrote to memory of 2752	692	lsass.exe	47
PID 776 wrote to memory of 1348	776	ga5mx5q5.1uv.exe	23
PID 776 wrote to memory of 1356	776	ga5mx5q5.1uv.exe	24
PID 776 wrote to memory of 1456	776	ga5mx5q5.1uv.exe	25
PID 776 wrote to memory of 1544	776	ga5mx5q5.1uv.exe	26
PID 776 wrote to memory of 1552	776	ga5mx5q5.1uv.exe	27
PID 776 wrote to memory of 1668	776	ga5mx5q5.1uv.exe	28
PID 776 wrote to memory of 1704	776	ga5mx5q5.1uv.exe	29
PID 776 wrote to memory of 1720	776	ga5mx5q5.1uv.exe	30
PID 776 wrote to memory of 1804	776	ga5mx5q5.1uv.exe	31
PID 776 wrote to memory of 1832	776	ga5mx5q5.1uv.exe	32
PID 776 wrote to memory of 1884	776	ga5mx5q5.1uv.exe	33
PID 776 wrote to memory of 1892	776	ga5mx5q5.1uv.exe	34
PID 776 wrote to memory of 1988	776	ga5mx5q5.1uv.exe	35
PID 776 wrote to memory of 2036	776	ga5mx5q5.1uv.exe	36
PID 776 wrote to memory of 2076	776	ga5mx5q5.1uv.exe	37
PID 776 wrote to memory of 2276	776	ga5mx5q5.1uv.exe	39
PID 776 wrote to memory of 2380	776	ga5mx5q5.1uv.exe	40
PID 776 wrote to memory of 2572	776	ga5mx5q5.1uv.exe	41
PID 776 wrote to memory of 2580	776	ga5mx5q5.1uv.exe	42
PID 776 wrote to memory of 2632	776	ga5mx5q5.1uv.exe	43
PID 776 wrote to memory of 2652	776	ga5mx5q5.1uv.exe	44
PID 776 wrote to memory of 2664	776	ga5mx5q5.1uv.exe	45
PID 776 wrote to memory of 2720	776	ga5mx5q5.1uv.exe	46
PID 776 wrote to memory of 2752	776	ga5mx5q5.1uv.exe	47
PID 776 wrote to memory of 2784	776	ga5mx5q5.1uv.exe	48
PID 776 wrote to memory of 2800	776	ga5mx5q5.1uv.exe	49
PID 776 wrote to memory of 2820	776	ga5mx5q5.1uv.exe	50
PID 776 wrote to memory of 3108	776	ga5mx5q5.1uv.exe	51
PID 776 wrote to memory of 3252	776	ga5mx5q5.1uv.exe	52
PID 776 wrote to memory of 3444	776	ga5mx5q5.1uv.exe	53
PID 776 wrote to memory of 3488	776	ga5mx5q5.1uv.exe	54
PID 776 wrote to memory of 3812	776	ga5mx5q5.1uv.exe	57
PID 776 wrote to memory of 3908	776	ga5mx5q5.1uv.exe	58
PID 776 wrote to memory of 3988	776	ga5mx5q5.1uv.exe	59
PID 776 wrote to memory of 4012	776	ga5mx5q5.1uv.exe	60
PID 776 wrote to memory of 4264	776	ga5mx5q5.1uv.exe	61
PID 776 wrote to memory of 4356	776	ga5mx5q5.1uv.exe	62
PID 776 wrote to memory of 2520	776	ga5mx5q5.1uv.exe	65
PID 776 wrote to memory of 1476	776	ga5mx5q5.1uv.exe	66
PID 776 wrote to memory of 4076	776	ga5mx5q5.1uv.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:636
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:424

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1304

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1356
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2036

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2276

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Drops file in System32 directory
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2720

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2820

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3108

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:3252
- C:\Users\Admin\AppData\Local\Temp\miner.exe
  "C:\Users\Admin\AppData\Local\Temp\miner.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command "Expand-Archive -Path 'C:\Users\Admin\AppData\Roaming\xmrig.zip' -DestinationPath 'C:\Users\Admin\AppData\Roaming\xmrig' -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Expand-Archive -Path C:\Users\Admin\AppData\Roaming\xmrig.zip -DestinationPath C:\Users\Admin\AppData\Roaming\xmrig -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5072
- - C:\Users\Admin\AppData\Roaming\xmrig\xmrig.exe
    "C:\Users\Admin\AppData\Roaming\xmrig\xmrig.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Users\Admin\AppData\Local\Temp\ga5mx5q5.1uv.exe
      "C:\Users\Admin\AppData\Local\Temp\ga5mx5q5.1uv.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:776
  - - C:\Users\Admin\AppData\Local\Temp\npumxfoe.vdn.exe
      "C:\Users\Admin\AppData\Local\Temp\npumxfoe.vdn.exe"
      4⤵
      Executes dropped EXE
      PID:3188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1864
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3924
- - C:\Windows\system32\Taskmgr.exe
    taskmgr.exe
    3⤵
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3488

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:3812

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3908

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Modifies registry class
PID:3988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4012

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:2520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4076

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1284

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2180

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4756

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2212

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4872

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:3496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1164

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2760

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1416

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
fe22afd24356e7c5039c041b7b67d494

SHA1
abe2f56e1606af53a5a855812bb774bf0444bfc0

SHA256
d45ec5b048954855c360cbab5d24ccbaf96d4ffdc9cbc9c4c33873205e4f92a0

SHA512
de2358cba8cce08c87650efb7598ab352c66c71eccbb3773a7fc8430ec01f5dd24e2c51404217e9d40626dfb1d285a1e2c5c821f3c65d71f2361818341ab7dc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
0698ac046ff026f0bf6ac9427ef1ae14

SHA1
07a2dcf0d64d1828c08549d15f7aefff842a0fa8

SHA256
2575a928914373a93675279548eec055ce31922375e6ac731efb2cec09e80f3e

SHA512
a012a641a3a4830bb2a325c9ddfe3a2c97fad74d9bf93b56db9c770df7fd85591b5fc92dcf6ff6ee7b0cc481e107a4a45c0b2d450a6dae45702e5635395f991f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
e5dc8422854bfbfc01b3b3310b3fb75d

SHA1
317bb01e61f9b8f1dec3c28bea26af4858212393

SHA256
58e3394770912e04f6e8a2eb688818be705d92ca53a98b25f3770a5cae3e9f6f

SHA512
3dabd019daa06db66a7796cbb9631fa60f3b47ca0f4c0ba02dd17054c1a4e448655f7c145327b5d2b1ae5c3fc76c92ed7dac6dc94886bae6a71406e281495810

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
64e5ef55d652c643664aeab4aeb4dc95

SHA1
3a68ef0e40eb272af58449c1812e9895709bc4d1

SHA256
d4a60e00e43e57681744fc9fe417c25f2fa8d6d392ed18fef559cc97ef18a6fc

SHA512
6eac94778c56263680fe8b59a698e4cef6f366917f85b90a299b1fef1f8dd62a9cd6f46d1497dada13c4e4ebacb389cfa8287cdf3741efb64db53d7bc0d7093a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
31c19e1bf2fdd19f9d6efc0745694827

SHA1
57a9d95a11dc2fa5750bf2ad4663e0060fd6ba94

SHA256
66f97776dfe691e43a68f9e9ff17a8b34f151d13ec03048e151f3347f1baeaaa

SHA512
88933d26e88e728a4babcd04f35799f7166bbe0d0a7012f1cdf93c94245473bd2617163b25f401a596d22537f9b0258efcc8965bc7f7bb499b8fb406d0420e51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D9CA54E0FA212456E1DB00704A97658E

Filesize
476B

MD5
5ec892655a9100177bdc06f00a461070

SHA1
2a6ec1e4a8d162efe31bbb292c530d133942142b

SHA256
3cb9b32a16fc85bff76f8f2d3b215ed3752d6f1c7d76d204f535ec9f40a89bf9

SHA512
53d1ad3714c0d28774cc3496d00a84ca8fac298e69abde03ec21c5f0886e7e8723bae09c8bd1f447b0a0e3bf13894b6f9522af06e11d010e08c0363dea506d82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
36152afb4c2c1744f863e65261c258d5

SHA1
73aec1472caa1737f7d9647b6dda2f8a1cad6bc8

SHA256
a8b2fa071fcbcffc7bf098a4c44cd76781ef58a764a2850f30cb0b37db28cd02

SHA512
0a76f13bd62c4ee29532301e4192ac41164e3de32ac4ac15fef35c375ad711c7bf5c958a95c28ea9b2d7da87fa6e84e13c5f8d2ee8a843e38dc1982b95494938

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
330B

MD5
8edf8a5f402f8571f9f3678afc97d191

SHA1
c4281ff62fdd91ba6d91e7ff1b34a2f99db20fba

SHA256
3efd8da5108eec6f1e9934f4f4e07ef7a0246a22e0aae8fd624ff544055014e3

SHA512
2e693604d46030c4eea12c2ae48227f90f3fa223a5ca4f260c1a589de7ff7d78b94519eecc9487b6b79b6eb8ee8f870df7609dff27c246a8f8774b25b7e98f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ae626d9a72417b14570daa8fcd5d34a4

SHA1
c103ebaf4d760df722d620df87e6f07c0486439f

SHA256
52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a

SHA512
a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\f3cf2b54-27d6-424b-a658-1b59f956e4eb.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uyepnlzt.bvp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ga5mx5q5.1uv.exe

Filesize
161KB

MD5
94f1ab3a068f83b32639579ec9c5d025

SHA1
38f3d5bc5de46feb8de093d11329766b8e2054ae

SHA256
879cc20b41635709bb304e315aaa5ca4708b480a1bfc2f4935fcf2215188efb0

SHA512
44d5236a804d63302b21ca25ebc148a64605508d03c990a244c44ceb8630849da0510b7b2d0bee72e01ca6681e2d86d7e6aee8847674a26f0028d149b9abee0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\npumxfoe.vdn.exe

Filesize
9.1MB

MD5
cb166d49ce846727ed70134b589b0142

SHA1
8f5e1c7792e9580f2b10d7bef6dc7e63ea044688

SHA256
49da580656e51214d59702a1d983eff143af3560a344f524fe86326c53fb5ddb

SHA512
a39bd86a148af26fd31a0d171078fb7bce0951bb8ea63658d87f6bde97dbc214c62e8bd7152d1e621051de8a0ba77ffd7bda7c1106afb740584c80e68e1912ed

Download Submit
C:\Users\Admin\AppData\Roaming\xmrig.zip

Filesize
3.8MB

MD5
9895805962f3b439c3eb845cd30303c6

SHA1
d488cfa52f17c60432813e7906ee812e0ae37fec

SHA256
e30b7057712cdb8760a87b44eb2db03879f4ff54344aaf562e927814b5ce7e5b

SHA512
ec526ca0cc850d03d220c46f9b592045983c392edc30a5cdee5157fe1ea38711f49a475e566c7e2017956f1aa6b1c64a9a4565a26bd466f5ac679aae728c98ce

Download Submit
C:\Users\Admin\AppData\Roaming\xmrig\xmrig.exe

Filesize
9.3MB

MD5
72107c3009343491bdbd5a2bf27e0d17

SHA1
79ae9dd4ffc65810342c093fb3dd1413a830660d

SHA256
9af0d7469bffba8aea58c666b94ae68e34373f554ba8a145ec5fcc78baf0e6c6

SHA512
eab28e887aeb275527f4d4fa9a7ccd69dfaf21d249005eb9c9a9c098ca062cfabed02da2133e84c0b6109fbd4b6358e905199c24cdc9bb41799e63ccfbe3768e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
7483885d41f79b98a8e2b9bacc3d2dd1

SHA1
40884e49183af92641369f4e0a42df620e8f09ac

SHA256
68ddd71fac7071e4d9cfa747e40c711c53c025f635f38547f6856cd245f6c4a7

SHA512
0d4f091bc9900b2e0b16a62c6c4ee4f3e2382341958605cf235f01f439f635d7421f60099e798c9948d4be6e1841daae97c6403064e827c678156b4e4aea2f6b

Download Submit
memory/424-97-0x000002245FD50000-0x000002245FD7B000-memory.dmp

Filesize
172KB

Download
memory/424-98-0x00007FFB08250000-0x00007FFB08260000-memory.dmp

Filesize
64KB

Download
memory/536-109-0x000001B578990000-0x000001B5789BB000-memory.dmp

Filesize
172KB

Download
memory/536-110-0x00007FFB08250000-0x00007FFB08260000-memory.dmp

Filesize
64KB

Download
memory/540-71-0x0000021179620000-0x0000021179F66000-memory.dmp

Filesize
9.3MB

Download
memory/540-72-0x000002117BB30000-0x000002117BB5C000-memory.dmp

Filesize
176KB

Download
memory/540-342-0x000002117D330000-0x000002117D33E000-memory.dmp

Filesize
56KB

Download
memory/540-83-0x000002117C7E0000-0x000002117D414000-memory.dmp

Filesize
12.2MB

Download
memory/636-88-0x000001C70F2D0000-0x000001C70F2FB000-memory.dmp

Filesize
172KB

Download
memory/636-87-0x000001C70F2A0000-0x000001C70F2C5000-memory.dmp

Filesize
148KB

Download
memory/636-89-0x00007FFB08250000-0x00007FFB08260000-memory.dmp

Filesize
64KB

Download
memory/692-92-0x000001AE74D90000-0x000001AE74DBB000-memory.dmp

Filesize
172KB

Download
memory/692-93-0x00007FFB08250000-0x00007FFB08260000-memory.dmp

Filesize
64KB

Download
memory/776-82-0x00007FFB46060000-0x00007FFB4611D000-memory.dmp

Filesize
756KB

Download
memory/776-81-0x00007FFB481C0000-0x00007FFB483C9000-memory.dmp

Filesize
2.0MB

Download
memory/928-118-0x000001F835BD0000-0x000001F835BFB000-memory.dmp

Filesize
172KB

Download
memory/928-119-0x00007FFB08250000-0x00007FFB08260000-memory.dmp

Filesize
64KB

Download
memory/996-106-0x00007FFB08250000-0x00007FFB08260000-memory.dmp

Filesize
64KB

Download
memory/996-105-0x0000019E1F540000-0x0000019E1F56B000-memory.dmp

Filesize
172KB

Download
memory/1072-121-0x0000017CB1980000-0x0000017CB19AB000-memory.dmp

Filesize
172KB

Download
memory/1072-122-0x00007FFB08250000-0x00007FFB08260000-memory.dmp

Filesize
64KB

Download
memory/1108-130-0x00007FFB08250000-0x00007FFB08260000-memory.dmp

Filesize
64KB

Download
memory/1108-129-0x000002A1568D0000-0x000002A1568FB000-memory.dmp

Filesize
172KB

Download
memory/1152-133-0x00007FFB08250000-0x00007FFB08260000-memory.dmp

Filesize
64KB

Download
memory/1152-132-0x000001E733990000-0x000001E7339BB000-memory.dmp

Filesize
172KB

Download
memory/1228-136-0x00007FFB08250000-0x00007FFB08260000-memory.dmp

Filesize
64KB

Download
memory/1228-135-0x00000145DA0A0000-0x00000145DA0CB000-memory.dmp

Filesize
172KB

Download
memory/1264-126-0x00007FFB08250000-0x00007FFB08260000-memory.dmp

Filesize
64KB

Download
memory/1264-125-0x00000210DBAB0000-0x00000210DBADB000-memory.dmp

Filesize
172KB

Download
memory/1304-140-0x00007FFB08250000-0x00007FFB08260000-memory.dmp

Filesize
64KB

Download
memory/1304-139-0x000001A0CD370000-0x000001A0CD39B000-memory.dmp

Filesize
172KB

Download
memory/4288-18-0x00007FFB27373000-0x00007FFB27375000-memory.dmp

Filesize
8KB

Download
memory/4288-67-0x00007FFB27370000-0x00007FFB27E32000-memory.dmp

Filesize
10.8MB

Download
memory/4288-30-0x00007FFB27370000-0x00007FFB27E32000-memory.dmp

Filesize
10.8MB

Download
memory/4288-29-0x00007FFB27370000-0x00007FFB27E32000-memory.dmp

Filesize
10.8MB

Download
memory/4288-28-0x00007FFB27370000-0x00007FFB27E32000-memory.dmp

Filesize
10.8MB

Download
memory/4288-27-0x00000203FBB60000-0x00000203FBB82000-memory.dmp

Filesize
136KB

Download
memory/5072-39-0x0000025CC3170000-0x0000025CC3182000-memory.dmp

Filesize
72KB

Download
memory/5072-40-0x0000025CC3150000-0x0000025CC315A000-memory.dmp

Filesize
40KB

Download