hawkeye | hxxps://oxy[.]st/d/BNQh

Resubmissions

18-05-2024 07:56

240518-js2a6aaf51 10

17-05-2024 19:50

240517-ykrjbaga59 10

17-05-2024 19:47

240517-yhmscaff8t 10

Analysis

max time kernel
338s
max time network
332s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://oxy.st/d/BNQh

Score

10^/10

hawkeye xmrig xworm execution keylogger miner persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

pacific-ambient.gl.at.ply.gg:44633

Attributes

Install_directory
%AppData%
install_file
WindowsUpdate.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Nitama External.exe	family_xworm
behavioral1/memory/1812-216-0x00000000000E0000-0x000000000012E000-memory.dmp	family_xworm

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\xmrig-6.21.3\xmrig.exe	family_xmrig
C:\Users\Admin\Downloads\xmrig-6.21.3\xmrig.exe	xmrig

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4996 powershell.exe
4404 powershell.exe
4400 powershell.exe
2976 powershell.exe
Downloads MZ/PE file

pid	process
4996	powershell.exe
4404	powershell.exe
4400	powershell.exe
2976	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Nitama External.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Nitama External.exe

Drops startup file 2 IoCs

Processes:

Nitama External.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk	Nitama External.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk	Nitama External.exe

Executes dropped EXE 8 IoCs

Processes:

Nitama External.exeWindowsUpdate.exeWindowsUpdate.exeWindowsUpdate.exexmrig.exexmrig.exeWindowsUpdate.exeWindowsUpdate.exe

pid	process
1812	Nitama External.exe
4348	WindowsUpdate.exe
3164	WindowsUpdate.exe
3776	WindowsUpdate.exe
2328	xmrig.exe
4324	xmrig.exe
3564	WindowsUpdate.exe
4860	WindowsUpdate.exe

Loads dropped DLL 1 IoCs

Processes:

taskmgr.exe

pid process

2868 taskmgr.exe

pid	process
2868	taskmgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Nitama External.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Nitama External.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

355 raw.githubusercontent.com
354 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

161 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
355	raw.githubusercontent.com
354	raw.githubusercontent.com

flow	ioc
161	ip-api.com

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exemsinfo32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	msinfo32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2568 schtasks.exe

pid	process
2568	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msinfo32.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133604926121055350"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{A82863A6-C598-45A0-BD4C-5AD21CF4B44E}	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Nitama External.exe

pid process

1812 Nitama External.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exepowershell.exepowershell.exepowershell.exepowershell.exeNitama External.exetaskmgr.exe

pid	process
4572	chrome.exe
4572	chrome.exe
4996	powershell.exe
4996	powershell.exe
4996	powershell.exe
4404	powershell.exe
4404	powershell.exe
4404	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
2976	powershell.exe
2976	powershell.exe
2976	powershell.exe
1812	Nitama External.exe
1812	Nitama External.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

taskmgr.exeNitama External.exemsinfo32.exe

pid process

2868 taskmgr.exe
1812 Nitama External.exe
4400 msinfo32.exe

pid	process
2868	taskmgr.exe
1812	Nitama External.exe
4400	msinfo32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

chrome.exe

pid	process
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeNitama External.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeDebugPrivilege	1812	Nitama External.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeDebugPrivilege	1812	Nitama External.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe
Token: SeShutdownPrivilege	4572	chrome.exe
Token: SeCreatePagefilePrivilege	4572	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Nitama External.exe

pid process

1812 Nitama External.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4572 wrote to memory of 5028	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 5028	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4628	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4208	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 4208	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe
PID 4572 wrote to memory of 3124	4572	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://oxy.st/d/BNQh
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa443cab58,0x7ffa443cab68,0x7ffa443cab78
2⤵
PID:5028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:2
2⤵
PID:4628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:8
2⤵
PID:4208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:8
2⤵
PID:3124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:1
2⤵
PID:2312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3020 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:1
2⤵
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3776 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:1
2⤵
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4320 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:1
2⤵
PID:2404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4124 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:1
2⤵
PID:3200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3088 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:8
2⤵
PID:808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:8
2⤵
PID:3992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4868 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:1
2⤵
PID:1596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3576 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:1
2⤵
PID:1952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4632 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:8
2⤵
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5328 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:8
2⤵
PID:1812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:8
2⤵
PID:3248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4692 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:8
2⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4308 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:8
2⤵
PID:2336

C:\Users\Admin\Downloads\Nitama External.exe
"C:\Users\Admin\Downloads\Nitama External.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Nitama External.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nitama External.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsUpdate.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsUpdate" /tr "C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"
3⤵
- Creates scheduled task(s)
PID:2568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:2
2⤵
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2756 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:1
2⤵
PID:3680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2400 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:1
2⤵
PID:1540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5344 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:8
2⤵
PID:1476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5532 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:8
2⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5592 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:1
2⤵
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=2396 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:1
2⤵
PID:4452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=1524 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:1
2⤵
PID:2392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4980 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:8
2⤵
PID:1040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:8
2⤵
- Modifies registry class
PID:5052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5152 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:1
2⤵
PID:3024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=4928 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:1
2⤵
PID:4624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5508 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:1
2⤵
PID:3788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:8
2⤵
PID:4424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=5700 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:1
2⤵
PID:808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5144 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:8
2⤵
PID:512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:8
2⤵
PID:1836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=5108 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:1
2⤵
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=3152 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:1
2⤵
PID:4584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4360 --field-trial-handle=1924,i,15016069795975761632,12115026051432115817,131072 /prefetch:8
2⤵
PID:3280

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4704

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2868

C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Executes dropped EXE
PID:4348

C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Executes dropped EXE
PID:3164

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2136

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap29249:108:7zEvent4890
1⤵
PID:4224

C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Executes dropped EXE
PID:3776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\xmrig-6.21.3\benchmark_10M.cmd"
1⤵
PID:684

C:\Users\Admin\Downloads\xmrig-6.21.3\xmrig.exe
xmrig.exe --bench=10M --submit
2⤵
- Executes dropped EXE
PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\xmrig-6.21.3\start.cmd" "
1⤵
PID:2696

C:\Users\Admin\Downloads\xmrig-6.21.3\xmrig.exe
xmrig.exe
2⤵
- Executes dropped EXE
PID:4324

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3992

C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Executes dropped EXE
PID:3564

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:4400

C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Executes dropped EXE
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000026
Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028
Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
bc35d5e7c41acc40584abe83e2ee0992

SHA1
5757ae9e1b7c94dd9c845461be42ae9615373171

SHA256
e6792b60c98b4b1be1ac16ddd9a7d4631b13913cbdf4b2d5e30e95859eccb15b

SHA512
9f5acf949d4ee0c206edddc405d1ded652ee712545e28edeecae186c19fe524bdda2484cc0546a577cc38aa426146926a52aa57b43556b768c9108a08d2a4148

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
864B

MD5
18f14cf4ebeafd5631eaec758b19fd56

SHA1
47222d1365a4f603b71320bc74906d9fe09447e2

SHA256
5befec75ebc9ce0ebe5a298c223e5609cc5b8f666e5e26828df4fd4c6609a355

SHA512
9defb5813301e3e477cf742f2ca824980bbe238980fc318338b4f25214cd19a843653643b02a8ea9dcebb28968d1979dbf8f9b4f0ef34db0baab1e074c15d4ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
28d3393809291bba8a59fee414e093ec

SHA1
bac8aead7ed9415026a958432cc30a97bc2d36e6

SHA256
d87c7a68efb9e166cbbe4f69a0017f15478be7d0153b89cd92e680fc24bfe28e

SHA512
fda14392f7912c6ebf430a410cc0e1192f28b3335126e30c56bf92560c7398b54e69563d1f356a4e1e2860a7f4527b5a2aa7e4e7d797e174b4bed3aceab5347b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_download.oxy.st_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_oxy.st_0.indexeddb.leveldb\MANIFEST-000001
Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
7KB

MD5
d7f2db0c5feaaefb9674155242428071

SHA1
d50da3651bced58772db060f0a21e5b140e498a3

SHA256
c05cacc9e70cc7b6c3420606231e8b1a45c2701742daf7076087c35853f6d207

SHA512
4ffdd8f9e17371104eb53b505b4ab8525a3acbe84b9d80e4e27ff887a3b74e8b85a82be0dd5c2db252b922e9badfffa53b1ee66e175dd6e2351eb0bb49540030

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
7KB

MD5
2787834245ba1f33c33504489b85547b

SHA1
58f0dcb63ab73e2a2acec230c99caf51c08a372d

SHA256
eaba270c5531635169caa6591b16952d8bcaceb1e4e2da2d1a57b67654c0d993

SHA512
2e6f9838d06e1520581887ed05a8384f70e824b95c459b53f65d5208ff1ff4a8cdf19963fe24151ea742e5009528504ecc8f946a68fbb5ddf3fe900f76b76beb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
7KB

MD5
3f5cb804ebd8cc3bfd7476dd874aaa58

SHA1
2fd5ced9411a59efaf44d3ae382991a0aec5458e

SHA256
b07d7a2975fd94810ff137997b1b4a49d2d0d32592b1c7561b0779026b2f4f6c

SHA512
85b635b993fdbe5d7361f85f8e8b61bd63d6a074846cc21aa6f5604bd4b83e802027ead4707d137e896a3bfdeec0ff40ab101f939a5674c24fac94013869afd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
304cff57f84b93408340da5d6cb82aa2

SHA1
b1862042fdf3f0e7f1812a0d4526a2c22d08f71e

SHA256
1fccb0feec772cef5c745d4ca2d141714e967d0ec55803a0ae4ca1f56119c565

SHA512
0275e43799a52b014f738eebd2efa42b9f175e600b793e844226c5d51cc0bc4091e4ea87863443163e1abaf000abe39ee8f69ab48826ced47e2ebc507426a29e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
402dd309639be3667f6238235b8da1c9

SHA1
26df2c0c0bb386abc9f7c06da63ba7420419c859

SHA256
6f244685be6f4c717dc4cb2534ce65bf3e55a12b8be93c8c91361ae107bbf525

SHA512
0f0f754b68eff5d81614e0fae15ba96ace692e5a2d5d843535456f0065c5561e33de48e8423051ee1ebe1f1cd7278c19aabab8243d55b39e56e6d4e355a3b44c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
07fa4fe40e4ac1a859de36ee08b8bd20

SHA1
5dee8342141138000f79eeff16a2ee5db342b138

SHA256
fa35eb3b85f8934da857de26f5f29b5795a76beb92790b28fba6e821f26f88b5

SHA512
d9dd6c08c620519d668cc77502782f0d83edebc19e271626e8c1a7d1a6f0c75fc4aed2571f960bcd9b49428f5aafe93075aa7db98c6aec265f54a3435771c1f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
ceed8d88ce70b36af14ce2a8fa31d052

SHA1
76c96a1462a5714990edcfcbd1b2b15a4ff39ff3

SHA256
a1d1770bad97a3dabef38967bdc67d4caf3433f0fb407644bfefb775ba2caa33

SHA512
89106ce6902d5d2e04c4be7236561d48597de8c712dcecc5b9327b057c2b6256f03625c59a306d19506ed86b2472c54e6f5010d0e0e509c8f62f143aa067b397

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
77764eb1725a0fcfc19c6cd019bfc9fa

SHA1
7cceea11b3ec9ea697a4662a6330436b923fe6ab

SHA256
bf001fae5779fcfb77bc25f5f1ef02cd6b2d1ff225a02ac8299c45a1c5bce84b

SHA512
d17b7762be165f06ec3f3ae6a780e46e7f9296b153b9620fef3c1f02e8800a4c0446b74258b95deba875afa62d983b74f6957dd6b750f2b004dba22643b62407

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
52cd85530d732871670e4d8c555004e0

SHA1
3652bac98d37dbebe22ae672826ee3a25289923e

SHA256
cbb51eedc1c46d60c0603cb2a834a269de84f3a422da602737fbc57e925985ec

SHA512
61d2583e301b0e09e5b1009a615c787d96493179fccdc57fba429607a0b75044878da1fd40a6e0bd4343cc1f0bc07571456b3f21beb23f6fff369f4b6890a659

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
3465a7e32ad3056def1a480822b9a72a

SHA1
588b972e7a362f4e13056fe2241e429343eb2817

SHA256
c5325816880e21752194ccab631f5b916d1983fdd97f38b7e808c6714c3a76f6

SHA512
34fe60c2b57d5c4e800e1d5fc4166ac7b4f784ba15d2687a7a2eebd467c10e73ef4ebe5dae2bd6d4f519b1acbb191cdecffa529410af480fed0a670b6aa1fb2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
d74261212b0168ecbe41b17ec0b3459f

SHA1
cbd846e8badf5b7f303e8cb074ae939bd036f17d

SHA256
f076e3fc02fc10898024e671a99b25a6e1184fabe9ea1e0fc97d168fb990adc3

SHA512
6ca4419123e95340f191889ac647f520666fae90b2d5c65ea0429bda8f4f87dc4beb92e18944133afdc14932c16ab703e17f02899a3d24ffe48af7671bfc3b4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
b494e3bfba9680b2715af4be2640e3b4

SHA1
3f9e7de22ece31905d714bf4ce2db26d3596b61e

SHA256
de56a7ac7a09552c6784729fcd692bd5fcbd6bdb96913171236ee05bc4bbb729

SHA512
568afe109d9012a9babd6541b4a9156b4eb394e87e5a5d2f1ad57e1172d1f513da0951aaa1dbd417598578e60a135eaf6e13e6aa8c9c6241857decf9142ff76f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
54da9c0707d2360d74f146f05f5abc76

SHA1
4aa22a1dcec33067146cde04cbb908935a9098ab

SHA256
bf5eff27abe46ba859d775282d15cfed73bf324b1aff718bd74e86513aa1d98a

SHA512
b48c1173261351f4992684dc816ecb4a5bf99eec36c1897590aa439b0a63b8d227daa30e7329b59a6abf9022fe94a30712afd164e086a841d075f628d4aeda2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
e31fc2fd1588be94177065319833a2b6

SHA1
384b77f0e9f68399bb1539806a8e156916438be7

SHA256
a95561ca960b1b5c4d5afa203f4627900c612bd50e929cf3ad3384bba3ed1255

SHA512
0e87f1bd18ca29eb5bfc565a90066a8c54a638b94b5692002f5cfa94ee647ba65ef44690a88dd0c341dcfe9afa3485c7b2ed7edf24fd223b40f432dfabd3dd7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
519a1a4ef1ed926ab92a7fd38d56b2fa

SHA1
61cf986d6cf9bfffdcc81268c3728961d1901b47

SHA256
f189b49898b961c53ed09c81667a74b147fa9fbeba6f1b4a93a9559d4e4fe87b

SHA512
281c3a54f8ec85fcfc7329423f5dde53062faac641a467ebbb5d4a9fd8cb19f42ac6f26dd883d3f8ee670dca7b7d7a51ecd272444adb32f9f3cfd8f74f7d878a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
75244e64ba8338a6797aa8e34c6c98ea

SHA1
8a9c4d50de572e3f95de9eeea6c82cbc702f0857

SHA256
04ce74b28e4ca048e3c9c182a03e7634b9ce2b9c8ca93e06c8c95a3668cefcfe

SHA512
4669599c9b6d1a1a7935c03bd504df43c9c040296a59b3aa683f2e658f92c578fec7465f671894e1f3922eaf36970ed67f31c8fdf2fc2eb49c17a587335b2dd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
f7d945dfe0e4993f28bf410d4d7cc50b

SHA1
103b69d1037e1e44960b6d936243ca40256b6a40

SHA256
7a7147c584dacf7b89454b0380d162b4368e2cebce22d0ade01ecfac79d999ae

SHA512
a9ce920fdeccbc625a897ad6a65280f8e81f3f747f1489c73fa33e09fcd575490fe1b6784bec152119458cbcd62ae8c4312fd7549eb23c8ce341110b07555148

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
422db26944d94549def570b46063b5fb

SHA1
563cd2e327b831fe9a57237c9d17be0df9af8b5a

SHA256
1e915f153b9102049b21f2da74c3805a22dda2b369905e13153c762f67c9c2e4

SHA512
c9cbca91740e1c175a45b220a95f185a510b34fba4fe886ce910e52148de4bb6f2e16b62c334d7e44a1135abcbc57f136c03f709226bfdd9e92d01d04e758920

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
554710174714b2ac7117c5bcf69da13f

SHA1
8c9f46e590b95051c02b36208b6148fb302ae02f

SHA256
03ea0f0069af9520022a10d1e7b7424225beec82461327de892fc554f7ded4e5

SHA512
c398eb5e8c54651b3bb23597b2ce31848552314a88e1eb71b774b321e5e7e70004d81c9a677641d1374e47930d7d047841f5391dd1482bb2acf18cdbd5f66596

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
ee2ea3657f0f887e390c0edc8c4aead6

SHA1
0d1d968ae4fde57ac834666529c43e1adfb58bfa

SHA256
e2ab8d617322d2aa04399dc97d870a8a6ae0dd299f412528bf16326fe6ee260f

SHA512
d29ef4de57eba3f5a54cdc5036616ff1a6532e90ab6777ee004b93485a7bd71662a0a87ea88a158d65cc310a413af9a3d471a62f4b172e294bc34129b6f49c82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
980be0cc0573aef15cc33e770b42f59b

SHA1
8a4832b1c60177460c0eea684faa536651f4c550

SHA256
b90d5de4425475a8ba38eb313c766b11222d85eac33fa8dd6ae787883f1c9865

SHA512
1c3da1b5324c6d0584974d250fa1376dacb40b3e4227075138d4ba1bf5b79189ab10146c4d935b1d34ca565366ddfda17991f7e6968f49e6d98fe44215cb8dc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
a5f0d282fe6ea2aea76ca17e6a5ed896

SHA1
3cb6fa17a5cf796559559fb8da49b06dfcc8f390

SHA256
d67370834655a1e59c547c79243a05fc9a69239a53f4f86cb12ddbdc0efba32d

SHA512
6d281b5cc3ea79e330f1506e1c149d28f048d278c0c84ede1b002a27e99b34f13cf9548979e2566e2386cb5f512f0484ea9e5b947a324835b5e93cbaaa98f475

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
98e809670688798551219258d29c72f4

SHA1
3cd3aca2de7c72be8ade166fd33802142dad1c9f

SHA256
09832884acbfd85d96e24930649e122e33fed0bafb56017ff8fccf939e95241a

SHA512
7e081e315f73aa482d9204271da9fcb44995a1cd9e4ef934e0ac1ae879e2136312d871d7e6123767a270500d0a18679772709ed3f4a4dcc7c1cf6c215e044f98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsUpdate.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d81a2c2874bbf24d30e051f4afb358c6

SHA1
3712d23c90915249af49b94dcf1a721ec5aea09a

SHA256
4f8549a3eb3dd68100c00f7f84bbd2ece45bf146638ce883ee81908bd282ce9b

SHA512
f34490ddf5cc85abb71543612522192a88dfe2bcfad473038c49a48aa095b1ef8f49e49b17e9efe7e4a28cea3d1af4dcbdbc4c232121e90545239c19c768c0b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e70d51b7df8fa37bc73c0e70b4e82d34

SHA1
b342ac333afab91ec92ce0ab690f17e43d87d661

SHA256
1bd613817d479000e6e248c022b3521a8d64484b0e755ded0a2d043c32945730

SHA512
6cd05079ba29b479347cac367987c12e97cdb78f547ac3f95f5e84575e7df2bbe4f721fa3c9cda48fb7194f7f765cdbd3898b4c3b9fe646d90549ec726f1cff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ts2hxkx0.n1u.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk
Filesize
803B

MD5
098a4d2f0cd389fba73e1d6c3af141b1

SHA1
037159c15da97fc78ff31bc26398d31329e4522c

SHA256
17fe59c7611d9fb2a5d3d7cfaaa31276f06b19ec0bac3c3fd2721bad4981da1f

SHA512
b5b6b3fb71f236826f192653929ab6aad007fdc35cef936470eaa86f7bdf20e5265e6ecda2d4b8357b40a1057da285b1ce77eecc8ee2b7885899a4cc64cb2c26

Download Submit
C:\Users\Admin\Downloads\Nitama External.exe
Filesize
289KB

MD5
b0cc9c8ebff00267407dbe987c1afa16

SHA1
03602c8e30331fb298e93e3a509d10e143cb79d4

SHA256
9af52592476aef1e492a4ddea56cf6be617ee60b82c673bea29f4ee7a7d83718

SHA512
7e3510442d889a87f819e811c5f55c08667ee05bd020c8e422fae3a095779dfc8b011730bc82900216e0478fbcf3c6221a31ec41994ef2efacbc5404a71dc9d2

Download Submit
C:\Users\Admin\Downloads\xmrig-6.21.3-msvc-win64.zip.crdownload
Filesize
2.5MB

MD5
cef0ae1ab544e40b659261a4e07fe48f

SHA1
e5ff855ce3c7726a50eb50a634ff9f406b3df093

SHA256
713263085499ae626a6148fab67932c9a69611b21ac3d04cf52a5e23495f902e

SHA512
1fb23b385e6cff3653f0b4b397d092c7be4df62899c97e18f675df2024e5f06ef2596fb626b85ae2ef7d7583c5bf54b00dba1a5ad566c2707a669a48d9814ba8

Download Submit
C:\Users\Admin\Downloads\xmrig-6.21.3\benchmark_10M.cmd
Filesize
61B

MD5
5be1c4cacb5ae37c43527e99a097dc7a

SHA1
1b2f00fefde9d601764d5d26d5e0fb2b9f58074c

SHA256
235a64e3520b1c2c27763122b303f78aee8d7c083dfd9f1eb936cd5174383609

SHA512
20a9e18bc397fe86514875af4213a02a5831a27671370849f05c2f3ba048bc29fc41ca96f0cb1cc08aaff27bbebf637f30d2ee798cb80ed03080e8c7d8f2d9a1

Download Submit
C:\Users\Admin\Downloads\xmrig-6.21.3\config.json
Filesize
2KB

MD5
66f38c96a4901e7b345787c447842b3e

SHA1
2aa9b4d1bd2edd5d81bd9725e9318edaee67531f

SHA256
2b03943244871ca75e44513e4d20470b8f3e0f209d185395de82b447022437ec

SHA512
71757fad29d6d2a257362ed28cde9f249cc8a14e646dee666c9029ea97c72de689cdf8ed5cf0365195a6a6831fe77d82efe5e2fa555c6cc5078f1f29ae8dd68f

Download Submit
C:\Users\Admin\Downloads\xmrig-6.21.3\start.cmd
Filesize
44B

MD5
eaf3a00cc0465f8af471b849ada29843

SHA1
3042e97874706189aa9704d77c9e74a94e519106

SHA256
8e70ef38fe14a2ee2848df3d6f7e260d1caf8cfc15de694d678b8af151d62333

SHA512
56b9f3991ae4bad5e06097d095931e746e6b2ac955649a5c793d9f4f6861c6ffc9316b063c34d7a8079af201354c87bf3008bc0fd4321e59b27e1d8120b078cf

Download Submit
C:\Users\Admin\Downloads\xmrig-6.21.3\xmrig.exe
Filesize
6.1MB

MD5
c0f8959614ae06561216158d78a787e5

SHA1
73167d1fd0cee1c96a6505606d21cbfe4369eb00

SHA256
e199d88569fb54346d5fa20ee7b59b2ea6f16f4ecca3ea1e1c937b11aab7b2b0

SHA512
a24fcf344d08c64ac301d5e4979f062b5e28e8e4acf1d2790916149ffe7726b0c4a11e0775aeba6b841d2d5081e1bd13e2b80390bf9bfbc44d67e54ec07cd746

Download Submit
\??\pipe\crashpad_4572_GTPMHWCMBFLTEVET
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1812-220-0x00007FFA321C0000-0x00007FFA32C81000-memory.dmp

Filesize
10.8MB

Download
memory/1812-216-0x00000000000E0000-0x000000000012E000-memory.dmp

Filesize
312KB

Download
memory/1812-215-0x00007FFA321C3000-0x00007FFA321C5000-memory.dmp

Filesize
8KB

Download
memory/1812-310-0x00007FFA321C0000-0x00007FFA32C81000-memory.dmp

Filesize
10.8MB

Download
memory/1812-304-0x00007FFA321C3000-0x00007FFA321C5000-memory.dmp

Filesize
8KB

Download
memory/2328-732-0x0000029FE7240000-0x0000029FE7260000-memory.dmp

Filesize
128KB

Download
memory/2868-332-0x0000017C4B160000-0x0000017C4B161000-memory.dmp

Filesize
4KB

Download
memory/2868-327-0x0000017C4B160000-0x0000017C4B161000-memory.dmp

Filesize
4KB

Download
memory/2868-328-0x0000017C4B160000-0x0000017C4B161000-memory.dmp

Filesize
4KB

Download
memory/2868-329-0x0000017C4B160000-0x0000017C4B161000-memory.dmp

Filesize
4KB

Download
memory/2868-330-0x0000017C4B160000-0x0000017C4B161000-memory.dmp

Filesize
4KB

Download
memory/2868-331-0x0000017C4B160000-0x0000017C4B161000-memory.dmp

Filesize
4KB

Download
memory/2868-333-0x0000017C4B160000-0x0000017C4B161000-memory.dmp

Filesize
4KB

Download
memory/2868-323-0x0000017C4B160000-0x0000017C4B161000-memory.dmp

Filesize
4KB

Download
memory/2868-322-0x0000017C4B160000-0x0000017C4B161000-memory.dmp

Filesize
4KB

Download
memory/2868-321-0x0000017C4B160000-0x0000017C4B161000-memory.dmp

Filesize
4KB

Download
memory/2976-279-0x0000019777970000-0x0000019777ABE000-memory.dmp

Filesize
1.3MB

Download
memory/4400-265-0x000001A473330000-0x000001A47347E000-memory.dmp

Filesize
1.3MB

Download
memory/4404-253-0x00000212E9670000-0x00000212E97BE000-memory.dmp

Filesize
1.3MB

Download
memory/4996-240-0x00007FFA321C0000-0x00007FFA32C81000-memory.dmp

Filesize
10.8MB

Download
memory/4996-239-0x00000203FA790000-0x00000203FA8DE000-memory.dmp

Filesize
1.3MB

Download
memory/4996-236-0x00007FFA321C0000-0x00007FFA32C81000-memory.dmp

Filesize
10.8MB

Download
memory/4996-222-0x00000203E21F0000-0x00000203E2212000-memory.dmp

Filesize
136KB

Download
memory/4996-235-0x00007FFA321C0000-0x00007FFA32C81000-memory.dmp

Filesize
10.8MB

Download
memory/4996-221-0x00007FFA321C0000-0x00007FFA32C81000-memory.dmp

Filesize
10.8MB

Download