babbleloader | hxxp://185[.]215[.]113[.]66/r[.]exe

Analysis

max time kernel
414s
max time network
415s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05/03/2025, 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://185.215.113.66/r.exe

Score

10^/10

babbleloader phorphiex stealc xmrig xworm reno defense_evasion discovery execution loader miner persistence rat stealer trojan upx worm

Malware Config

Extracted

Family

stealc

Botnet

reno

http://185.215.113.115

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

xworm

Version

3.1

Attributes

Install_directory
%Port%
install_file
USB.exe

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

Wallets

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

0xCa90599132C4D88907Bd8E046540284aa468a035

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

CSLKveRL2zqkbV2TqiFVuW6twtpqgFajoUZLAJQTTQk2

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

Attributes

mutex
h8k9k4f6g5s
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Signatures

BabbleLoader
BabbleLoader is a malware loader written in C++.
loader babbleloader
Babbleloader family
babbleloader

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000027e72-219.dat	family_xworm
behavioral1/memory/1416-233-0x0000000000410000-0x0000000000426000-memory.dmp	family_xworm

Detects BabbleLoader Payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000027e37-107.dat	family_babbleloader

Phorphiex family
phorphiex

Phorphiex payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0010000000027dfd-28.dat	family_phorphiex
behavioral1/files/0x0013000000027e7e-373.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/5016-422-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/5016-424-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/5016-428-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/5016-427-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/5016-426-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/5016-425-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/5016-421-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 3 IoCs

flow	pid	Process
6	2428	chrome.exe
45	2428	chrome.exe
45	2428	chrome.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe

Executes dropped EXE 9 IoCs

pid	Process
2272	r.exe
4964	sysnldcvmr.exe
4276	major.exe
2944	random.exe
1416	taskhost.exe
5048	1301211013.exe
388	sysdlpukvs.exe
4116	xmrminer.exe
4736	wincsupdt.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000\Software\Wine	random.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysdlpukvs.exe"	1301211013.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
105	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2944	random.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4736 set thread context of 4080	4736	wincsupdt.exe	144
PID 4736 set thread context of 5016	4736	wincsupdt.exe	145

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5016-416-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5016-422-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5016-424-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5016-428-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5016-427-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5016-426-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5016-425-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5016-421-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5016-420-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5016-419-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5016-417-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/5016-418-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\sysdlpukvs.exe	1301211013.exe
File opened for modification	C:\Windows\sysdlpukvs.exe	1301211013.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\sysnldcvmr.exe	r.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	r.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1164	sc.exe
3360	sc.exe
3828	sc.exe
3216	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1301211013.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdlpukvs.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133856244340332449"	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2424	chrome.exe
2424	chrome.exe
4276	major.exe
4276	major.exe
4276	major.exe
4276	major.exe
2944	random.exe
2944	random.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
4116	xmrminer.exe
4116	xmrminer.exe
4116	xmrminer.exe
4116	xmrminer.exe
4736	wincsupdt.exe
4736	wincsupdt.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 3952	2424	chrome.exe	84
PID 2424 wrote to memory of 3952	2424	chrome.exe	84
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 4988	2424	chrome.exe	85
PID 2424 wrote to memory of 2428	2424	chrome.exe	86
PID 2424 wrote to memory of 2428	2424	chrome.exe	86
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87
PID 2424 wrote to memory of 3280	2424	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://185.215.113.66/r.exe
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1fc,0x228,0x7ffee776cc40,0x7ffee776cc4c,0x7ffee776cc58
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2044,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2040 /prefetch:2
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1844,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2316,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2492 /prefetch:8
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3048,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3068 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3052,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4464,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5044,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5056,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5304,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:2848
- C:\Users\Admin\Downloads\r.exe
  "C:\Users\Admin\Downloads\r.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2272
- - C:\Windows\sysnldcvmr.exe
    C:\Windows\sysnldcvmr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4964
  - - C:\Users\Admin\AppData\Local\Temp\1301211013.exe
      C:\Users\Admin\AppData\Local\Temp\1301211013.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5048
    - - C:\Windows\sysdlpukvs.exe
        
        C:\Windows\sysdlpukvs.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3804,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4296 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4488,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3264 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5116,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5092,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:3356
- C:\Users\Admin\Downloads\major.exe
  "C:\Users\Admin\Downloads\major.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4000,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5156,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3996 /prefetch:8
  2⤵
  PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5100,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5564,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  PID:4404
- C:\Users\Admin\Downloads\random.exe
  "C:\Users\Admin\Downloads\random.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5520,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3340,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3316 /prefetch:8
  2⤵
  PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3348,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3276 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3320,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3288,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  PID:4440
- C:\Users\Admin\Downloads\taskhost.exe
  "C:\Users\Admin\Downloads\taskhost.exe"
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=3520,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3304,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3100 /prefetch:8
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3380,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5140,i,12314645514813196536,10983561465098899595,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3240 /prefetch:8
  2⤵
  PID:2892
- C:\Users\Admin\Downloads\xmrminer.exe
  "C:\Users\Admin\Downloads\xmrminer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4116
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WinUpdt"
    3⤵
    - Launches sc.exe
    PID:1164
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WinUpdt" binpath= "C:\ProgramData\WinUpdt\wincsupdt.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3360
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3828
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WinUpdt"
    3⤵
    - Launches sc.exe
    PID:3216

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4864

C:\ProgramData\WinUpdt\wincsupdt.exe
C:\ProgramData\WinUpdt\wincsupdt.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4736
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4080
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
85b778276358244815adec0a2f44b1cb

SHA1
9f6217a38d8f4504603a63698ea21d02ae2b9507

SHA256
b6fdbbe5607da28a2ec00a0ec69b73d055d66c474b9391e8c3edf7d20c8fd5d9

SHA512
e8ad22efa0ec9c86320933b860bd339323f8e576dec116817e5f78d25de79334d71c27c4f0a8d217e9c29e92da88fd4150a23596a89f820f253b6da99f3a943f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d78e89f1b2e840826d74731a8418becb

SHA1
683a9324390eda957770570c3ff341d8835a9a55

SHA256
cafcd35db74692206372c7c96907a1be44d62355e72fc8e8e2d3a683464fbe49

SHA512
b4f93ac74a82e62497ff16a2676725ac324c2b2bfe638a3eaad9d722ee409bd281325fa3896f150a67d0cfa16154af38cfbb67d47137ffa8bdecc73cfb04d09b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6a38b243edd15cb07ad87dfd816a1c93

SHA1
2738cd7b734d227234bc407810e139c960fb6d3a

SHA256
e27646272402b550c7ee83be66706235847986915520ccab2cd0c07ad07f1bf4

SHA512
0fe93950eaac6c9f0e1d781d7d80ed7b228785130bcde06f93fb82d8bf0b8909aff0a9b2c30c989b05d224880725bbd538ecc8b9a23ea729b3b5012e7499ceb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5bf9968ad94440fd2bb3fc5e42e29c42

SHA1
c436f6257b0c94cbbf066c4585cbbe3afaf50a09

SHA256
5a0d6d3f0c2eaa87d2029ab862e41b98bbf64024ff9249bbad00a5d353602352

SHA512
54f07c287c58ddb83e8fcfa65fdd577587ce8007c067b1509f3e71f3a721161416b9a182647150c8e7eecc28454b7706034796f514e94a68bf4a6bb7bfd3ca33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
4d25ac05fe5164820950ad48f5ea6443

SHA1
b6a4e5f83859542fc57c91406633a573f2c33161

SHA256
4ce5c8e7cf064ae82d571016de4b8dfe161aa63851c78b79524cc3f5cc0ab1ca

SHA512
acf7304c5301a60b03818c4ff4de047170ff9b2799565a948f363c52fc82272a84aed78dc2c478f1f90f21e71a7c82e26dcaad78572083c60f4db01f7d7649ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
757fccb6e62f1b6a81a725d0df88aa51

SHA1
86a1b6ec9cd59e27d9ad031ced36a163d6c8b1df

SHA256
23ac8568e61dd135d4b863b1ce9dfa3e7f963ad297eafab7c4c15df34c807817

SHA512
93f4224ebfe0bafcbc07c398cb0e129b1179380e01ce0aae22b262bcc6be1c5e65b9a174c6749ee587126434b1f43b24303289b1e9760bc3610ea784e33ee60a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8f08c3bc5e222eb2f137785395f10803

SHA1
98da36a4dd5c7baeec22c220c3a18c6d115960b2

SHA256
df055bd75f62ce4695199dd17bd023a4897d0dc155e3ee257c6ad40024250b78

SHA512
3e9328a8c2827345c2ab17e3ac22f4e601727a560e2ddc364ebec2522f7248194b4c4127c5b9979dcec323b36d8ceb2206fa94fce7d3432dfa0b2281c84ba7ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
696bd456b168d4f99caeb89ae6d8ffd1

SHA1
21898a177762bcf071fc12ac54b9028379ae4883

SHA256
a97cecef44535b050da53da5673102dd0290034a054fff89cb9465d227508bed

SHA512
c1ff8a424a99ef9456ae4bdedc7f289c0f010cb19e7dd4b24391809092454cf044618ab9de954caed5460b2c3fe9a9031c1606723dbd9a91ef8eb586611c8047

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6009836fb305afdb2e4d67650aee5fa5

SHA1
613dc6684be9c3c5f2acb2714bb0d09a805cb21c

SHA256
24cb336e3d414b8fd352f58254114c15296833fd4fb4e1fdcb0ab865718d1a3d

SHA512
2405bfcbc8b383cdf5c63da156014ea911e7688439ae885446df3e886585fb6adab01f6956e90fb3350add81f0a237c105b43c1f64e75f29211d3ab72f4bdc3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2c5beac70a773f922fb977a2f68d0123

SHA1
9dc44873ea5819d0720ce80ff7e65d30b33c4758

SHA256
2bd4c88966dfc377201967b75d716643c7b575badb0f71ef0b962039f0e79980

SHA512
a8a859803a2098a7d1a85098445f240c18087220130f7ca9740b94438485499627fba7c166d5d6e6a5501f22e1271788f80e1d063158695442d49885a6fb6ce6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
74d7cf3bebf37fe0b1507f7fc79c71f0

SHA1
9a15ce44f33484173fb6a9af1b229aeaa277255b

SHA256
74f9f3431b8b62353899a6264442be9b432eb0e601ffbd36e0da3103819fe3f9

SHA512
428816d212c39597a798ea876476b766ea86921723273c53846967aefd357828ac90f1d839416a97b04acbd15daed5b75ccdb3edc0a7956711fd577a68b1e0a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ad995dd77c777a5fd669431dee8b578d

SHA1
b5aad37f258e12c7e38e36e043145a9874e1c465

SHA256
402075f7007947e33a12f285f961ee37f1ee519e3ff7e7b8a690be9f427d41a4

SHA512
181b8693b30da42e819d6649f9f2567b58c92211ee0f53897cf8ef42f7bd99fea4963154819b4d43a75adb0cee2861ca892ab09127f59d2f6fd07933358d1fb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6ca044529643adf387c029786b6bcad2

SHA1
8c35f465a9f27571f59bea9d703972c196146701

SHA256
fd56eb26724a0ef343e4c75cfa45f8630afd03703f4529b5bad23d973bf68390

SHA512
d8635829006ad2243522f6f577d67f937a56a2a24f2f60a6712341cd992b1504d2ebb27030031bf979a014c6a771c5799aa26dc404bb00bc240fbb824ee3dac2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0ba3017a368abca87058980d0ef762b2

SHA1
ff680b13763457564e298a5cbe86c4de4744b34c

SHA256
aecf00a8e040dd349c4b82e908086bbaa037433a3c71404a82eece72fa0ac2c9

SHA512
bafb54750166fd8dfc740b01bac5fd18b12e3adf68f9f32dee8462762467339fbef1bd1183b383f072e8b770be50691be1163c66fa5a25345083d1af6f0d9703

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bf994420a6d5324cfaf69001bc028216

SHA1
a96c8604907e633eba0765d1f1ded8a69cc8e046

SHA256
e0755be7f02b64ae34856cf6ea576d38ea94ba7741f3c1ba24119bd29a39b9ed

SHA512
5eb2b8672246396ae2dd507962e8a433e2caa605fb506cc71dfea60c5a610000b39b68f97a564302d8eb7c71331a3b724f00b956d529638539bcfbf4695707d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7093dc05aa3e9271be4d7cce65878f10

SHA1
e739615313aaacd2fb8922c843ec6009a0e93afa

SHA256
be477c1edb6a9acef38cdc1565e9980262aaf673572c96d19712105f85d317bd

SHA512
bc23534059eb6a82b7c919d3b50cf3020d957da59d95e3472edb917421be5f676194e67f4a708f91020773b3b1c3d456f5eb526212b74225a2c5c680cec32b58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
345871e3efdc05818c8412514fdd96ba

SHA1
19df4b0297dc20a3f17aebdc485dca6a54583860

SHA256
64ff1683dded97f0c0474ae5f0a65678f7f9f9048156ecd18df62877f7641784

SHA512
3ad05c96b581be40f7eba35988dbfa02dab93c25aa7ac497daf43b89b6f172b0d004a5a9ef53f9a697938e75648d67da6463ced84d63187bb9495c488788bc71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b86d1e761b198a612d2f4472af1391dc

SHA1
100deb3a9331bf154418b368b9c713e0ff6c9c53

SHA256
96ac056d057fa93d1679421622db54ad12a619113dbb8392c1abcc4d2e0f652f

SHA512
5b9a8192eb4de540825fe610619099c79a845deef9b7e6f758f2f4bb352173912b3379b2c95150c39099e3b10e5ec1354d2e05c103e67d60267d704bf165340f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ec317a0696341bbde8509fb82da9b5ad

SHA1
b257981226a3d89f1ab7032c18e0dbf7ba7c77ab

SHA256
f4764833be07e36abbd94bbf5e2b5bb0367166a8bfc20c5d4c9ec5899ba5cecf

SHA512
ecfdcee9c6921ae520ba2e42d741e27b9b4e74f01b24539b8c8b667a7dd02e1f4416301b3e1fe3dcf56c129860dbff4bcd70fb218b94a3e60fd70cc278df6e17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9d1249942c8074603a8ef0ea0e7ab666

SHA1
a3c34ee79415fe86bd5f97ea816a7841841af7e1

SHA256
ee180d942ae8fee02538a2353f68966c8802d39cc8d0084eb544745a5a98147a

SHA512
98e38860336011773d079a64f40efb48b1f64d57c1d34b4dde40e9885241d4859866a1b62aca86220a9517fc39f3e4f080718698959327c14a9e919db3c1882f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bf0b6e492f29571893d2b4166435689a

SHA1
6b3bb15b9c4f03511b9cf3f6081ad19b23bdca98

SHA256
059a2588a112d57abd7eeccaffef12e0ccab94f76a036468548909f92259e755

SHA512
5d52f383879f3192a14d4cec07d9b7c78759fe35d3aa074323f52a68961cc86c96380a92d4028ca1ca46e0f12f98b0bf6529c96b459e066bec8411e0f3e6de3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
44531b6d226d95c08a2fc1f3ca8f526a

SHA1
d9a03b87d00e69e93d5f006d26d8a7f1c5dd3fe5

SHA256
a9f19b18cfe54b95b86a1e59c175ebc71193f43d1e5406e752693473202f5045

SHA512
1bfeaa60fde57b36d49fc1cc043017b36e3555711cde0a6bd6844fba220e8cc41e8a9baf030691bfe99ceaf47371bd33a4bafb1cbae899238f55f8fd206f1c97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
90a232a3cc29d9a8430b07922b36457b

SHA1
a7a11fc85d8a604c29b6f083ed39711d33e7c98b

SHA256
7ffb98a9fe1ef55bc3fba7ceecd4e085d0ac1d4d54a9dc4278bd25a01b4c3b46

SHA512
5ebc95b321faae2d1d7549894cd338813623c42c4569ed8a06c30bb4755eb7d50a236b1e04eab201b9fe2e7071a13dc5ea3befd1faf073acfb98b4f69739dcf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c2f001ee002412b19e6c3c26edecbe15

SHA1
519cdeffe3e1cbe392d76ceb92b496e86a7aa64d

SHA256
f010bd3abb2d75d0b76f20b35e57da92339ff3d677abeed1189ffbf7caed965c

SHA512
9391269db1f7826276e842306290476028103d702d17982c167eeae9379069adfc5c2c63f815a3556db53b26ea8128aa4c33d1a4a96db40811c0ebe369339487

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
758801934004bea7e8a85cca61646e79

SHA1
ecbc0a6bd83eef4b8c1124d997a39a0481fe0908

SHA256
79efba776d5aa8fe14107f112cb4ed96c4cd1c6a946eafd7f54bd812701997b7

SHA512
c2ebe2da1e121b785de6d5a80b76bae7afdeff8e4ad347d182a8e7c1ee84d0ea13d48cdad83c393554baa068fa318e41ccf62c1b1fc7fdaf8e90d518c9ef4e05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d5c2d216d39118c8beb00e587e1b1477

SHA1
5e63d75386110b403928bc32b58c986875628bc0

SHA256
43225e60d2619aaba152baecf64fb82bdc88e5332f5bb45434baae915b7c8af2

SHA512
548b469806973616008b347ea66b6890049e398b0621fe3dc3bc2cc695430372e4522a1b154938543fe5e2c50d1aca6583cc8ba544edf1dca2470e208f3a4707

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4249a0080fde8a21026f84944b88bcbb

SHA1
42928f74c9c92e3329180092b9636c59fcfb4277

SHA256
bfd21eb166403e91ed0bcf77edd86a23d89f9814b632b09e3923bf8361979b7c

SHA512
0da919d7e0ce7e0ad8aca3eac86c28039a8fb6fcea8b7a2a1db1ee7c79d967d076b06915ae7ce4bf885e43fc07c35854ac695031b0823378556aba22b673b856

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7e50e85196c2fc4d05246ebd625913fb

SHA1
d2e1146f4f940cfe999ea3a71a4403b72311433b

SHA256
4ca03461dbf2b89e6866650ce0bff43ca2fe9c05e6646f9a00e5902c7f6d15dc

SHA512
ba3e267c7689302e6f1aa67d1b0181f4fe710c1701ef3e15c21b9e581ff4cd0eb2367681f0103f93281c0614c20e0a01ed6c5e5b1f5fe8df5a49399c92f02f64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
b0192cd797a94c798db42935b051f210

SHA1
f75a2fdd687b5156eb3c42d527b7381913cf109c

SHA256
0213689387444dea06c88bca8238975b2234a06253433a01dd7cbd3daf170541

SHA512
e32656e86a309b008371a84267845b979a67671e36253d16eea53030d6526316780d6ed5fc59d4a1282e7e176d822fc7ef08930053a6ad1b59fd0db53eb093d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
3d4375e7f7a9da37aeae2e8e7b5ad588

SHA1
9edb85cb899f66f8273bb8c669e1127ce6083b19

SHA256
0f16a1e65115da52061f00e67e74b2226572dcd0e08490e037c4bd9e5ec6e9a8

SHA512
c3d8954c7bf669642632a6be494ecec99d431d50edee5f34bdbabd2ebd09c2ad27277d323da6adcb6aba4c1b88833d6dfd8541e18d13f5be01cc26e8922a9692

Download Submit
C:\Users\Admin\AppData\Local\Temp\1301211013.exe

Filesize
79KB

MD5
f2a62df8133748a9e03b183e28dd6f5f

SHA1
9ab9f374ac9bed2adf1f59220c784458956d8c47

SHA256
6d944d07f316c97a416a9b9ad75e2f8ac9feed901e72fa8f4ad6733baf7d716a

SHA512
732b61af3b2fe502a87550a07585bf607ca2f6154e3fb76e6450725fbb95c0b4ec32ebc6433072c797970b5abd19be74c32906cf44b13ad58969b10eb9fcae99

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 26308.crdownload

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\Downloads\major.exe.crdownload

Filesize
1.6MB

MD5
fa3d03c319a7597712eeff1338dabf92

SHA1
f055ba8a644f68989edc21357c0b17fdf0ead77f

SHA256
a08db4c7b7bacc2bacd1e9a0ac7fbb91306bf83c279582f5ac3570a90e8b0f87

SHA512
80226bb11d56e4dc2dbc4fc6aade47db4ca4c539b25ee70b81465e984df0287d5efcadb6ec8bfc418228c61bd164447d62c4444030d31655aaeed342e2507ea1

Download Submit
C:\Users\Admin\Downloads\random.exe.crdownload

Filesize
1.7MB

MD5
1e95dc10fef7079a5d3fa793732a7cce

SHA1
8e9ccb511e76c921c6ddf2a2615a2e3c86ea4113

SHA256
81ac77037e15e56a6cdc0ba7e2af38e3e5a9f7a353054276c763e57d03db5ec1

SHA512
c35cb0cc0cc9046acab79fc70e26c28fa32f86e79dc36d44f938efada6bd45b190746d6f966552aa3eba45967b7f3ba7e113d8593576b7bb7f7fcaf670a23773

Download Submit
C:\Users\Admin\Downloads\taskhost.exe

Filesize
62KB

MD5
3296704171fe01c0fc4fcdd02f2695ca

SHA1
e0bd82f06d94c0e32d7f6bb9f80f57f8e73a84be

SHA256
b8c65f4588d2d9b76823e7ad22b71a3717792a505a4048314cb2ccba9a976e26

SHA512
8d1583be1930e1f819149a1a5b57ec5187b08eefe8dc306f6dc74506dd25c85a60b2b282c420060d1854c36fc8642f0754708fd87dd97ed19f2229c76334837b

Download Submit
C:\Users\Admin\Downloads\xmrminer.exe.crdownload

Filesize
2.5MB

MD5
e4cb5bfa8e6503fdc52e9c064157ee47

SHA1
de8469308518e3d3f994367f098f9c1adfddd05b

SHA256
ae6623a2477a055841ad7bb60198a92d80c2befd651c3b33cdcfcf1bde398120

SHA512
aec219be26f8fddcf036def3256b41de62e17ad24cd315edee4981a40dda7586701b3d9dc8ea1e8dc148aa86c0678235b0380f88a7d117098ca552e8656d6770

Download Submit
C:\Users\Admin\tbtcmds.dat

Filesize
286B

MD5
8d6b8f585539efdac2dc88b84a527786

SHA1
6bab5786614ef5d9bcc0d729e184385ae4c7f0f0

SHA256
7a010daaec8b19449184fc8b2273a88d3ee4e36f8843507e152ab3018d4c0eb3

SHA512
eb35aa680057d665030c0669285bcb49d4542dc5919e16c45943b3a6a37da10de1c95f4f92c3e93ec1cc0118e4c09717a20a8e9a66cea328b64efa10889bf0c0

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
7673c3e1a1fcc7151cd275ad7439675d

SHA1
319c1ac6c5f41481e5ace1335ba72c46a7c079cc

SHA256
41ffb7f91d799073f2e956a594bb2a1b3de3f275d28b3c8ba1efb706f88ac7d9

SHA512
3fd3d1baef4be52e3b6e7b2fb6d6c089aeeac44e5c909e47f9d7f36e2864d55d48cf585609602f930044018eeeeb779161fcd9fc3abe07f696610487efb8e59f

Download Submit
memory/1416-233-0x0000000000410000-0x0000000000426000-memory.dmp

Filesize
88KB

Download
memory/2944-170-0x0000000000EF0000-0x0000000001599000-memory.dmp

Filesize
6.7MB

Download
memory/2944-171-0x0000000000EF0000-0x0000000001599000-memory.dmp

Filesize
6.7MB

Download
memory/4080-410-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4080-408-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4080-415-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4080-412-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4080-409-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4080-411-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5016-424-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5016-426-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5016-425-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5016-421-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5016-420-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5016-419-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5016-417-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5016-418-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5016-427-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5016-428-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5016-422-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5016-423-0x0000021B9C490000-0x0000021B9C4B0000-memory.dmp

Filesize
128KB

Download
memory/5016-416-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download