xmrig | hxxp://94[.]156[.]66[.]151/

Resubmissions

18-03-2024 18:43

240318-xddhfafd78 10

18-03-2024 18:31

240318-w6jz9afh4s 10

18-03-2024 18:08

240318-wqytgaeg87 10

Analysis

max time kernel
149s
max time network
147s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
18-03-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://94.156.66.151/

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2476-116-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2476-117-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2476-119-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2476-120-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2476-121-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2476-122-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2476-123-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2476-155-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

gfgghdhwhatsup.exeghghghg.exefgfdgd.exeghghghg.exefgfdgd.exeghghghg.exegfgghdhwhatsup.exeghghghg.exe

pid process

2416 gfgghdhwhatsup.exe
3876 ghghghg.exe
4216 fgfdgd.exe
4100 ghghghg.exe
916 fgfdgd.exe
4256 ghghghg.exe
2748 gfgghdhwhatsup.exe
4352 ghghghg.exe

pid	process
2416	gfgghdhwhatsup.exe
3876	ghghghg.exe
4216	fgfdgd.exe
4100	ghghghg.exe
916	fgfdgd.exe
4256	ghghghg.exe
2748	gfgghdhwhatsup.exe
4352	ghghghg.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2476-111-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2476-112-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2476-113-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2476-114-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2476-115-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2476-116-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2476-117-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2476-119-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2476-120-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2476-121-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2476-122-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2476-123-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2476-155-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

ghghghg.exe

description pid process target process

PID 3876 set thread context of 2476 3876 ghghghg.exe explorer.exe

description	pid	process	target process
PID 3876 set thread context of 2476	3876	ghghghg.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4128 schtasks.exe
4720 schtasks.exe
2176 schtasks.exe
1136 schtasks.exe

pid	process
4128	schtasks.exe
4720	schtasks.exe
2176	schtasks.exe
1136	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133552610467114229"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeghghghg.exeexplorer.exeghghghg.exetaskmgr.exe

pid	process
352	chrome.exe
352	chrome.exe
3876	ghghghg.exe
3876	ghghghg.exe
3876	ghghghg.exe
3876	ghghghg.exe
3876	ghghghg.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
4100	ghghghg.exe
4100	ghghghg.exe
4100	ghghghg.exe
4100	ghghghg.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2476	explorer.exe
2476	explorer.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

352 chrome.exe
352 chrome.exe
352 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe
Token: SeShutdownPrivilege	352	chrome.exe
Token: SeCreatePagefilePrivilege	352	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exeexplorer.exetaskmgr.exe

pid	process
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
352	chrome.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2476	explorer.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2476	explorer.exe
2716	taskmgr.exe
2716	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 352 wrote to memory of 2628	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 2628	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 372	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1780	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1780	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe
PID 352 wrote to memory of 1104	352	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://94.156.66.151/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe731c9758,0x7ffe731c9768,0x7ffe731c9778
2⤵
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1836,i,5806307511046897817,13271493412309901969,131072 /prefetch:2
2⤵
PID:372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1776 --field-trial-handle=1836,i,5806307511046897817,13271493412309901969,131072 /prefetch:8
2⤵
PID:1780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1836,i,5806307511046897817,13271493412309901969,131072 /prefetch:8
2⤵
PID:1104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2640 --field-trial-handle=1836,i,5806307511046897817,13271493412309901969,131072 /prefetch:1
2⤵
PID:2644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2648 --field-trial-handle=1836,i,5806307511046897817,13271493412309901969,131072 /prefetch:1
2⤵
PID:3536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4184 --field-trial-handle=1836,i,5806307511046897817,13271493412309901969,131072 /prefetch:8
2⤵
PID:2840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4220 --field-trial-handle=1836,i,5806307511046897817,13271493412309901969,131072 /prefetch:8
2⤵
PID:4304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4248 --field-trial-handle=1836,i,5806307511046897817,13271493412309901969,131072 /prefetch:8
2⤵
PID:2784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4680 --field-trial-handle=1836,i,5806307511046897817,13271493412309901969,131072 /prefetch:8
2⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4728 --field-trial-handle=1836,i,5806307511046897817,13271493412309901969,131072 /prefetch:8
2⤵
PID:4904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3888 --field-trial-handle=1836,i,5806307511046897817,13271493412309901969,131072 /prefetch:8
2⤵
PID:1276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3992 --field-trial-handle=1836,i,5806307511046897817,13271493412309901969,131072 /prefetch:8
2⤵
PID:4724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4968 --field-trial-handle=1836,i,5806307511046897817,13271493412309901969,131072 /prefetch:8
2⤵
PID:908

C:\Users\Admin\Downloads\gfgghdhwhatsup.exe
"C:\Users\Admin\Downloads\gfgghdhwhatsup.exe"
2⤵
- Executes dropped EXE
PID:2416

C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
"C:\Users\Admin\AppData\Local\Temp\ghghghg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3876

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
PID:592

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
PID:4892

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
PID:4652

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
PID:4380

C:\Windows\explorer.exe
explorer.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:2476

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fgfdgd"
3⤵
PID:4112

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
3⤵
PID:3644

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
4⤵
- Creates scheduled task(s)
PID:4128

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c copy "C:\Users\Admin\Downloads\gfgghdhwhatsup.exe" "C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe"
3⤵
PID:4656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=764 --field-trial-handle=1836,i,5806307511046897817,13271493412309901969,131072 /prefetch:8
2⤵
PID:2748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3212 --field-trial-handle=1836,i,5806307511046897817,13271493412309901969,131072 /prefetch:2
2⤵
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=688 --field-trial-handle=1836,i,5806307511046897817,13271493412309901969,131072 /prefetch:1
2⤵
PID:1352

C:\Users\Admin\Downloads\gfgghdhwhatsup.exe
"C:\Users\Admin\Downloads\gfgghdhwhatsup.exe"
2⤵
- Executes dropped EXE
PID:2748

C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
"C:\Users\Admin\AppData\Local\Temp\ghghghg.exe"
3⤵
- Executes dropped EXE
PID:4352

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fgfdgd"
3⤵
PID:4824

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
3⤵
PID:4172

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1136

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c copy "C:\Users\Admin\Downloads\gfgghdhwhatsup.exe" "C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe"
3⤵
PID:2708

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1648

C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
1⤵
- Executes dropped EXE
PID:4216

C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
"C:\Users\Admin\AppData\Local\Temp\ghghghg.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4100

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
PID:4200

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
PID:3552

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
PID:2836

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
PID:4220

C:\Windows\system32\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fgfdgd"
2⤵
PID:3752

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
2⤵
PID:2844

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe"
2⤵
PID:3924

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:2716

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2708

C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
1⤵
- Executes dropped EXE
PID:916

C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
"C:\Users\Admin\AppData\Local\Temp\ghghghg.exe"
2⤵
- Executes dropped EXE
PID:4256

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
PID:1812

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
PID:3128

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
PID:4408

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
PID:4436

C:\Windows\system32\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fgfdgd"
2⤵
PID:596

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
2⤵
PID:4576

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe"
2⤵
PID:4136

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4bc7e0dc-a588-400c-839a-a8753daf7e09.tmp
Filesize
6KB

MD5
94cf397048aa26a569b99f16640c42dd

SHA1
05273eabc598163010f28e41da6c83c319ffd4d1

SHA256
b3e24d4488f05639ea44185a0bd6d7d119958efe495de0875b656fbe0ba05e48

SHA512
00b615c6bb9857c74b1748ed2f2a56137883c76f938a80e070320cfce60447011a64737f38ebdfc5bea4753706d8d19ccc1511eeee57924e82b3753e686ee919

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
55ec5fe65f737d580147972d80b99c87

SHA1
ff45ef4bfdfafc58f06e62349d582d0f4cde0544

SHA256
5ae2312b9c2c34ea1368f1e795e3af643d1ca91f98421cd57362fbe416c23d49

SHA512
26a21cfdddd51e1019958649ebdf515ac581fe8d9f2e06277c19cbbd5f85c1c18803985043070764888d566e1ed5d1d7274a2168b64a26664e3575c73f4f74ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
4a0e5458dddd476ba8d30b8f03250fbb

SHA1
4696037d1429baa54e36a2c11d6bf6e67b879a5b

SHA256
cc3e766b9a1335e82fd7646340e3a595c4da4aec949ce3a7f5c19c26deb8078b

SHA512
6981c4ae3947b2527da4854614b4bb71c8dbae5cbf1a474950dae0f5ff6730931c60d608d25e714de1d959d9b62a16792f5b54ff9ff88c01c7c150e0fa5497f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a2b85e1c14f1fea926d5a24d09ca6a8d

SHA1
0e3da39fe45515a54da6ca3c9905cc0569a7b85c

SHA256
dad36fdacbd2b73ee21785229a1d58f1945e182be6346fef39ed19c6767c8c48

SHA512
50c3f5a403af4a664a48c73aa18bd72827b6fcc5fdd08212583ce047ff1581701a8369a34d6eb1c5a3a1d1c9026e28c44b1e2b3b3fe2c03dce1f26957c31c36f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
c8d0e0139d0c28a8e1c4d6f915fbe1b0

SHA1
7c67a257ead0e93d2e16efe0e9bb9b8d5c6f2cb4

SHA256
ba171ccbcf2be9dbdf7dd5b46f32936bd444d254d80af4a2e4a55f15ba81de7f

SHA512
f165f7eccf61210ff06f1540891228944501d4a8759ad6f568a76972a42915d1829c5e7575897b1b1ec4b9902d9ad53341dce22165927961df07a2f37eda5b06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
129KB

MD5
eea68235016f8367a1392cd128470f44

SHA1
1178dec305caa1c2919956fa247dd3d459b4bd5a

SHA256
1f13c8c75b764bfec280dd5d041000e3a78658f86819b07743a3d8ebad2d9c9b

SHA512
ed4278b5e3bc674f95832dc29bf7b93c7a2d2ca2300a834c1ef5c3956922a3828812573f9b49108d964907efe2628f7493309e2d2df907d6b43367bd110f50aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
129KB

MD5
e037acc6c17bad94b0f2abdb026b2cee

SHA1
de9334136765a9dfbd64d8204611f8f693f0a464

SHA256
e5946b269b65b6584d663695d6e7981f1dc0d505518594d825ded70f9c094057

SHA512
dd058919e232820be72499bc53c3494820f88d33aea382f4264a055dcfa4eb00a24cf042fdf2ccc7e7255dd8e2521c69b9f1a0521bcf429e78f9fd6d574ebff9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
98KB

MD5
fa79620b58fb062c599192072876fa91

SHA1
276343c89a953d4ca0a1b97b3350c18ad3eb6611

SHA256
3ec45efd547904dd0a2637fe7fb2bf186c7c3bf3270ebc6ace3f9f655a1eb27f

SHA512
df93b16cebcac669d093e5a92c5712ea0fe0bc4a9f99fca37038daced0671a39a6042b78d420bc4dcc01af73b1a45485bf53049e633e1c4ff4ef5e7004233e56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
104KB

MD5
1537fcb58b183e24b04e567e3b74a541

SHA1
3dc0ed14c351c0a253a155192912daf9a21bddbf

SHA256
0af6fb8f6e258a75c88ed92e19bbb42a449567f13fe541a3e8358dbf8cd5a081

SHA512
221964721ba075fb1d59b7d0342dfb5d47305de0f5acf449bad73c06bf3ee5aeee5ae506470bf1821f6da149518ca7ded4e5283303d222bb452d65d595048cc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57cce5.TMP
Filesize
91KB

MD5
c6ba09d94dbecf05a6d0ebf97a01373c

SHA1
2c46e5df1bd25f01b7762acfa1141cb1889e0a52

SHA256
631e9c3e81f07d55aa3355b596d34e9a7886d77d9ce1b479b7e722a56e07edc1

SHA512
d00b1e6a7d3c8dbc6cb7de53c4edae2b668b76f699d59998d5fe3a7fb68462597cc7bbc07afc7a81ec5778c719f0d229332a48360093a3d4c7afa1474839f7eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fgfdgd.exe.log
Filesize
660B

MD5
6f8201778bb230fb0ac7c8b78a134a12

SHA1
06570db78997747dd80e558a483d29af167f43c5

SHA256
984fcdb20fcd38e921511def1e720e36c7a20887010f4f5035b0a6b24c75148f

SHA512
86ebbb74d94c382073f4481bb3a4c0747b801753adba15ee36c97dc8b09827e7a29b46209b559c1ab4fa836fbbe6a90b0339e97ed9d5d4856179604e380f2254

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
Filesize
5.0MB

MD5
d3cd8232d7097dc4953b61b86afd7fd2

SHA1
e1733674bc7c3c7aa5b156b66049dbfd3191bd11

SHA256
6fd8206d1f38ac41c23a6c9dead21eb3ff7421200f6185edf63c70da8fbb398c

SHA512
2404a989b0d400d621056e7326d465c6a5646cac175920d0cb9bc2e7c0aa6d5b08996c42db963c2b5e5c7d14814616986d985a15f3ea1d84f4ca23720ff1e95c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
Filesize
2.3MB

MD5
e05d5b109c38b801d060a726d38f872a

SHA1
ea6f012c4020e6e28e9b1c2df35ffcd6be34f12f

SHA256
f03de857b70fd344dbd26902abd00950bdb16974d90ecd6f4e095cd2c1131a6e

SHA512
0822c81d2bb4d1992d762ea70589d32f0c9e064b18ab8348acf8302f56af69f477312868d21fe7550b2fdfce1640c93f87ed653f513e514051890503cf8689b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
Filesize
1.1MB

MD5
d078475a5347f73fdc95fecd67a3fcdb

SHA1
c85650be419fdd4696832bbbce874964f084f90a

SHA256
dd04bbdecef0b21795c434130eeee2bc1ef179e1bb6333d00167b56225a04cf6

SHA512
e6484710a57076e0b1e0a4c131e9ac83b7b05daeb1efa358fe5b6f7cee46d5f4dc6b1b0f577ac7118a75499438478f0bb34f0485bb4e6b2c4bbdd2006900cda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
Filesize
2.2MB

MD5
96b737f5b37356eeb5834dfb6fe8f98f

SHA1
0c16abdc67e745d4cd02ef9e111f7b83070c5f95

SHA256
b5ad7536d20fe3a427dfb7793fbb9b662887be0b31359549583ced91df7a6581

SHA512
c5c0db928316f0c752cfdc84db6f48bae8b4f4da4d6022045ee86049b9a7a7ebe81ab28c63c5c14aabbf1002646c15427312103fe7c0f926f6cf455b8b313739

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
Filesize
1.9MB

MD5
099289d6cbfb5bc6c246d8455d7f9503

SHA1
c71828598baa38428f778e07961c1a44f7e3960e

SHA256
fd93dda21c9a8557efd63b5b2a1f8bca912903df7ff6e073ef3cc505edf68126

SHA512
cc3a50648af13e4765fda4baffca8ff308f35acce6cdd57f064cd487a077a77d3ca09a24ee0dcad4d7d909c84e0b9ffa2c6bf8b85214a44b383f3437dc0105ee

Download Submit
C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
Filesize
4.5MB

MD5
faa01f37233c78762b1809aa11dcdf2d

SHA1
ee2ab40b75b3b9f3379638378099c39b8abf2ca6

SHA256
1473ad05afefa4a147ead07b2042f4a561cb96440ff42eafdc0d1e52579cdd75

SHA512
289bac4e521b19f808ee6dd7b4a19de44fdb0433606a773a7aad065ac152bb402612b24af2e297ce1d3e45a7c65b436b8d1100e79d2f81b564baccd3fb3d190c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 917257.crdownload
Filesize
5.0MB

MD5
b03c2d7df7eabc44f36397cb66ac3e77

SHA1
486f521d16d96878a74ff9212cf2da5b184e0430

SHA256
4489ff33e7a91c7485a1c1dd8a6102868e385f74fd8b5dbdbf4b505bbe9193b3

SHA512
5cffc7a0ba01e5db793a62a3fc1dc2454cbd5b768f66959adac11e1523958bc48ef4c1dd5ff074988c04b6269853671ab480074a117d30184631d9936c154051

Download Submit
C:\Users\Admin\Downloads\gfgghdhwhatsup.exe
Filesize
4.2MB

MD5
c59f34b1dc4f15f7d3cb3ad8bfa83c65

SHA1
b6cc7155185a4aeb6de48cd2705e98288ff5c55b

SHA256
4510267e2235b3c21231682f78936310044096f44a5534dd0d1acc6f936a3494

SHA512
ca21f456cdd8f4703c30bb04e3c4e9a632a906e4fbfc22ab82c22314c59671ddd82665bb5c397ad828cd5c26f4d19c1021f7dcf58fc8ae471bdfbb4783cc00dc

Download Submit
\??\pipe\crashpad_352_DQEULGUKJVKOEIWG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/916-174-0x00007FFE5D1B0000-0x00007FFE5DB9C000-memory.dmp

Filesize
9.9MB

Download
memory/916-168-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/916-167-0x00007FFE5D1B0000-0x00007FFE5DB9C000-memory.dmp

Filesize
9.9MB

Download
memory/2416-87-0x00007FFE6E210000-0x00007FFE6EBFC000-memory.dmp

Filesize
9.9MB

Download
memory/2416-80-0x000000001B210000-0x000000001B220000-memory.dmp

Filesize
64KB

Download
memory/2416-79-0x00007FFE6E210000-0x00007FFE6EBFC000-memory.dmp

Filesize
9.9MB

Download
memory/2416-78-0x00000000000D0000-0x00000000005D0000-memory.dmp

Filesize
5.0MB

Download
memory/2476-118-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/2476-121-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2476-126-0x0000000000760000-0x0000000000780000-memory.dmp

Filesize
128KB

Download
memory/2476-111-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2476-112-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2476-122-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2476-123-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2476-113-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2476-155-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2476-120-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2476-119-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2476-117-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2476-116-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2476-115-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2476-114-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2748-192-0x00007FFE5D1B0000-0x00007FFE5DB9C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-193-0x000000001BE80000-0x000000001BE90000-memory.dmp

Filesize
64KB

Download
memory/2748-198-0x00007FFE5D1B0000-0x00007FFE5DB9C000-memory.dmp

Filesize
9.9MB

Download
memory/4216-136-0x00007FFE6E210000-0x00007FFE6EBFC000-memory.dmp

Filesize
9.9MB

Download
memory/4216-130-0x0000000001600000-0x0000000001610000-memory.dmp

Filesize
64KB

Download
memory/4216-129-0x00007FFE6E210000-0x00007FFE6EBFC000-memory.dmp

Filesize
9.9MB

Download