zingo | hxxps://disk[.]yandex[.]ru/d/eXgayqBQiu3pNA

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2023 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/eXgayqBQiu3pNA

Score

10^/10

zingo persistence spyware stealer trojan

Malware Config

Signatures

Zingo stealer
Zingo is an info stealer first seen in March 2022.
stealer trojan zingo

Zingo stealer payload 15 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe	family_zingo
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe	family_zingo
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe	family_zingo
behavioral1/memory/1984-261-0x0000000000DE0000-0x0000000000DF4000-memory.dmp	family_zingo
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe	family_zingo
behavioral1/memory/3184-295-0x0000000001580000-0x0000000001590000-memory.dmp	family_zingo
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe	family_zingo
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe	family_zingo
behavioral1/memory/4240-330-0x0000000005640000-0x0000000005650000-memory.dmp	family_zingo
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe	family_zingo
behavioral1/memory/1248-339-0x0000000004EA0000-0x0000000004EB0000-memory.dmp	family_zingo
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe	family_zingo
behavioral1/memory/1276-351-0x0000000005200000-0x0000000005210000-memory.dmp	family_zingo
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe	family_zingo
behavioral1/memory/4072-380-0x0000000002390000-0x00000000023A0000-memory.dmp	family_zingo

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ScriptWare(CRACKED).exeScriptWare(CRACKED).exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	ScriptWare(CRACKED).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	ScriptWare(CRACKED).exe

Executes dropped EXE 11 IoCs

Processes:

ScriptWare(CRACKED).exeScriptWare.exeScriptWare.exeScriptWare.exeScriptWare.exeScriptWare(CRACKED).exeScriptWare.exeScriptWare.exeScriptWare.exeScriptWare(CRACKED).exeScriptWare(CRACKED).exe

pid	process
4040	ScriptWare(CRACKED).exe
1984	ScriptWare.exe
3184	ScriptWare.exe
4316	ScriptWare.exe
4240	ScriptWare.exe
4204	ScriptWare(CRACKED).exe
1248	ScriptWare.exe
1276	ScriptWare.exe
4072	ScriptWare.exe
4836	ScriptWare(CRACKED).exe
1780	ScriptWare(CRACKED).exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows\CurrentVersion\Run chrome.exe
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

80 freegeoip.app
86 freegeoip.app
93 freegeoip.app
100 freegeoip.app
103 freegeoip.app
106 freegeoip.app
124 freegeoip.app
79 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

flow	ioc
80	freegeoip.app
86	freegeoip.app
93	freegeoip.app
100	freegeoip.app
103	freegeoip.app
106	freegeoip.app
124	freegeoip.app
79	freegeoip.app

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2656	1984	WerFault.exe	ScriptWare.exe
3732	3184	WerFault.exe	ScriptWare.exe
2308	4316	WerFault.exe	ScriptWare.exe
4664	4240	WerFault.exe	ScriptWare.exe
3564	1248	WerFault.exe	ScriptWare.exe
4468	1276	WerFault.exe	ScriptWare.exe
4260	4072	WerFault.exe	ScriptWare.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ScriptWare.exeScriptWare.exeScriptWare.exeScriptWare.exeScriptWare.exeScriptWare.exeScriptWare.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ScriptWare.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ScriptWare.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ScriptWare.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ScriptWare.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ScriptWare.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ScriptWare.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ScriptWare.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ScriptWare.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ScriptWare.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ScriptWare.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ScriptWare.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ScriptWare.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ScriptWare.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ScriptWare.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 9731bf4db045d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "9"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31025147"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "12"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\disk.yandex.ru\ = "74"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "387"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3048b9cbfb67d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "33"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\disk.yandex.ru\ = "360"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\yandex.ru\Total = "12"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "360"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\disk.yandex.ru\ = "408"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1158"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\disk.yandex.ru\ = "1158"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3326987929"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\disk.yandex.ru\ = "33"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\yandex.ru\Total = "33"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\yandex.ru\Total = "74"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31025147"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000eb827cf93ddd146af8365c0e3ca130200000000020000000000106600000001000020000000c7243da4be9c5a8449c1bb4297263d06b2859c0ec1390ed6dac2f1c53f26cda7000000000e800000000200002000000011e6df841af792c5cf76471677537c385ccce727b4c8a00ac00157622096db8320000000cb8a242506156c2be07d8fc31973efc062edbb47528f19aae713109a83659c7840000000e1a75427962ac0c0a408122aedb5f92eee50a66598f51946e82ac90e85b6b07f0fdcc9bc43545b050bccfcad8a361ad728ecf40c8941c654dcf8af59eff4e35c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\yandex.ru\Total = "387"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "408"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\yandex.ru\Total = "1158"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3377300617"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "74"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\disk.yandex.ru\ = "423"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{2EA41210-83C5-4E7B-B50A-52ACFAE01EDB}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F143134F-D3EE-11ED-BDA1-C2E0088FA829} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\yandex.ru\Total = "9"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\disk.yandex.ru\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\yandex.ru\Total = "423"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\disk.yandex.ru\ = "47"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\yandex.ru\Total = "47"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "423"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\yandex.ru\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\DOMStorage\disk.yandex.ru	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3326987929"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000eb827cf93ddd146af8365c0e3ca130200000000020000000000106600000001000020000000e745e5e6119401625106a335c1b6ace5912733d8607678f4db0b1cf57d6705b3000000000e80000000020000200000001b7413f51099da2dd4d23b8c4b4d0d32258bde2570192dde99d55e036256521d200000006ead5460fb066dbce5d0a8dfa767d7cd7a3b76318110e14b6e9ec5832bea6a2240000000eb5e60e5c8e59302c9b68e5b3f52dcd1ab210b1ffee45c2831dd121388f8d58e46a062a5c24d3c315df936cad7619e27a7cb496511330bffef0e9d364fef41c4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\disk.yandex.ru\ = "387"	IEXPLORE.EXE

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133251995935417381"	chrome.exe

Modifies registry class 1 IoCs

Processes:

iexplore.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings iexplore.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2172 chrome.exe
2172 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2172 chrome.exe
2172 chrome.exe
2172 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	iexplore.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

7zG.exeScriptWare.exeScriptWare.exeScriptWare.exeScriptWare.exeScriptWare.exeScriptWare.exechrome.exeScriptWare.exe

description	pid	process
Token: SeRestorePrivilege	4120	7zG.exe
Token: 35	4120	7zG.exe
Token: SeSecurityPrivilege	4120	7zG.exe
Token: SeSecurityPrivilege	4120	7zG.exe
Token: SeDebugPrivilege	1984	ScriptWare.exe
Token: SeDebugPrivilege	3184	ScriptWare.exe
Token: SeDebugPrivilege	4316	ScriptWare.exe
Token: SeDebugPrivilege	4240	ScriptWare.exe
Token: SeDebugPrivilege	1248	ScriptWare.exe
Token: SeDebugPrivilege	1276	ScriptWare.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeDebugPrivilege	4072	ScriptWare.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

iexplore.exe7zG.exechrome.exe

pid	process
1784	iexplore.exe
1784	iexplore.exe
4120	7zG.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1784 iexplore.exe
1784 iexplore.exe
2240 IEXPLORE.EXE
2240 IEXPLORE.EXE
2240 IEXPLORE.EXE
2240 IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeScriptWare(CRACKED).exeScriptWare(CRACKED).exechrome.exe

description	pid	process	target process
PID 1784 wrote to memory of 2240	1784	iexplore.exe	IEXPLORE.EXE
PID 1784 wrote to memory of 2240	1784	iexplore.exe	IEXPLORE.EXE
PID 1784 wrote to memory of 2240	1784	iexplore.exe	IEXPLORE.EXE
PID 4040 wrote to memory of 1984	4040	ScriptWare(CRACKED).exe	ScriptWare.exe
PID 4040 wrote to memory of 1984	4040	ScriptWare(CRACKED).exe	ScriptWare.exe
PID 4040 wrote to memory of 1984	4040	ScriptWare(CRACKED).exe	ScriptWare.exe
PID 4204 wrote to memory of 1248	4204	ScriptWare(CRACKED).exe	ScriptWare.exe
PID 4204 wrote to memory of 1248	4204	ScriptWare(CRACKED).exe	ScriptWare.exe
PID 4204 wrote to memory of 1248	4204	ScriptWare(CRACKED).exe	ScriptWare.exe
PID 2172 wrote to memory of 1468	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 1468	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4776	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4224	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 4224	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 2212	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 2212	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 2212	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 2212	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 2212	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 2212	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 2212	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 2212	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 2212	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 2212	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 2212	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 2212	2172	chrome.exe	chrome.exe
PID 2172 wrote to memory of 2212	2172	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://disk.yandex.ru/d/eXgayqBQiu3pNA
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1784

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1784 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2240

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3360

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\" -spe -an -ai#7zMap2448:112:7zEvent668
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4120

C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare(CRACKED).exe
"C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare(CRACKED).exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040

C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe
"C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 1992
3⤵
- Program crash
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1984 -ip 1984
1⤵
PID:3960

C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe
"C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 1988
2⤵
- Program crash
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3184 -ip 3184
1⤵
PID:4112

C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe
"C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 1952
2⤵
- Program crash
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4316 -ip 4316
1⤵
PID:3804

C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe
"C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1948
2⤵
- Program crash
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4240 -ip 4240
1⤵
PID:2336

C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare(CRACKED).exe
"C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare(CRACKED).exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204

C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe
"C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 1960
3⤵
- Program crash
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1248 -ip 1248
1⤵
PID:524

C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe
"C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1952
2⤵
- Program crash
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1276 -ip 1276
1⤵
PID:1484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0x120,0x124,0xfc,0x128,0x7ff896ca9758,0x7ff896ca9768,0x7ff896ca9778
2⤵
PID:1468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1780,i,11177109388511316563,17412174472629643576,131072 /prefetch:2
2⤵
PID:4776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1780,i,11177109388511316563,17412174472629643576,131072 /prefetch:8
2⤵
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1780,i,11177109388511316563,17412174472629643576,131072 /prefetch:8
2⤵
PID:2212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1832 --field-trial-handle=1780,i,11177109388511316563,17412174472629643576,131072 /prefetch:1
2⤵
PID:3724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3292 --field-trial-handle=1780,i,11177109388511316563,17412174472629643576,131072 /prefetch:1
2⤵
PID:636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4524 --field-trial-handle=1780,i,11177109388511316563,17412174472629643576,131072 /prefetch:1
2⤵
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 --field-trial-handle=1780,i,11177109388511316563,17412174472629643576,131072 /prefetch:8
2⤵
PID:3244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4828 --field-trial-handle=1780,i,11177109388511316563,17412174472629643576,131072 /prefetch:8
2⤵
PID:5004

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2820

C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe
"C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1952
2⤵
- Program crash
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4072 -ip 4072
1⤵
PID:3348

C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare(CRACKED).exe
"C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare(CRACKED).exe"
1⤵
- Executes dropped EXE
PID:4836

C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare(CRACKED).exe
"C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare(CRACKED).exe"
1⤵
- Executes dropped EXE
PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
a3df8adfd4993a4a11a6af615ef215d0

SHA1
779d9ddf1a3b79ffe17c2e25c1e33ad196cb2404

SHA256
efb4aac0e14bce339ea3c24ba25d5be8374cdd606ef57a578b383ca6ad71faf6

SHA512
4c17c71ae48b4bd109f60531aaf3f78e061285eb8262e8f32b24a1d7af9377c5f2400e0f61e8bd8e2e7b5057a1fd538fcd1eb6ea1888c0603c4d58b5301ef013

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
3b5ab2e2bd8f374cc85396d7e7fbe173

SHA1
69230d489d76eb50b275a870163f14f017cbe224

SHA256
e7f2bb6c0a9cad957d5c26655c655565ee6392c6c84d2c8fd6428e6509f5f606

SHA512
067ea0647abbb4178fed3dd912ba62423e593ef7f800aeb0e9a727c09c49f5371da98606d79b0bb111cef066b93de96de91f9f7cec70e81abaaaaec18a229450

Download Submit
C:\Users\Admin\AppData\Local\GinzoFolder\Screenshot.png
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\GinzoFolder\Screenshot.png
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\GinzoFolder\Screenshot.png
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\GinzoFolder\Screenshot.png
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\GinzoFolder\Screenshot.png
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\GinzoFolder\Screenshot.png
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\GinzoFolder\System.txt
Filesize
772B

MD5
d9c2856c192af665b0bd4374cd7affb4

SHA1
52ca82bfa32dfbdb5699b0f184ea9ae74fb5df8f

SHA256
afdecf41da3dbf75ce4c5790d51952a180c66590779b4ccabaee33dc15d3a19c

SHA512
a33c1a9c6da8981134180c97c3b23b431baab021846968208e0547a23015e6c788a73e9ce7aa30d43bd4fe8af6ec058bb2100036a2ea305a0d829c03432d6c52

Download Submit
C:\Users\Admin\AppData\Local\GinzoFolder\System.txt
Filesize
772B

MD5
7a7d4e3fd0aae4101479215a6cc3e140

SHA1
58e903876fb649a0b7d811c2e553801eb31750b3

SHA256
ca3318b4599ec77cb9411d37c9b9b9581eed4c348937a3957086ca8a7dd99fc7

SHA512
774a4cdd1a54c613982032320ebf491bf223e39b5eec0e5fa0fa2f787874b07b3e9f82ebabe1d6209e47cf2b8ad953d6f3c0fcf331ec5f5642b40df1c5b9af77

Download Submit
C:\Users\Admin\AppData\Local\GinzoFolder\System.txt
Filesize
772B

MD5
f76cec6677df0058f9807f375e672e66

SHA1
ba7f5d7c48c3664edc7139ce3800d83446a1b896

SHA256
c0a23fdbc95e8ff1287c6ee3a73072c48887620728dfa7de98800c3dd75a26f7

SHA512
f46b8c6870d73f1b1a17572235a5668c9e4136c521ebbe4958209a37c71463ca4c25be94766ead4de675cf4494ead62c671fa13c8937c379652997cad4ca92f3

Download Submit
C:\Users\Admin\AppData\Local\GinzoFolder\System.txt
Filesize
772B

MD5
ecc38774459a3e721b34080d89ad3659

SHA1
84f779f5479f8362718d2962845bc9d573ce140f

SHA256
7b96b48c6841a50673ca6cdfea6283f1d1197dc0feba5a12c526f8feeb42d320

SHA512
a346204e1ec60b2bd3b38ab0c8b1ad7511477f989f940a86a5697f6ab28562f46217508d0cef523ab793322b187b9cced95420d004d72bdb9ae88915674c93e0

Download Submit
C:\Users\Admin\AppData\Local\GinzoFolder\System.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\GinzoFolder\System.txt
Filesize
772B

MD5
b4f69063bfea27a2756c2bea7ffbaf7e

SHA1
704ce68f360892838fc63cd410a8e0c2c257a7e0

SHA256
400599440b457be6896c49708112ae6f081ca47a972f03ee0ec940151b318b98

SHA512
3e32e9c2ed5dc6ab785b5b044cbac621f139d4740f47947f0c3d61883cd308661f77fb4754f20a7c5225a0a560d66e9ab7044e435ef54683f707ede370f8c542

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\3d958a85-f4a8-49eb-b51b-73da06ad57fb.tmp
Filesize
199KB

MD5
bd36db447acafb1887a1b71c3b521806

SHA1
6c3b8aa4997e4fb50cfe1797ad1f134ca7b13ddb

SHA256
f23153144161e94c1576f38513f5f6a1e746ca04a2ecdbb8f8d29f305a77aff2

SHA512
7aa56e44b58b74aa36fb16b64226f71ce98a8db93c7dea186eec39f20b4daf9d9d55b4f64064daa52e8cf3487c710c493d5d9a4f42191fca8c54810f19f13971

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1014B

MD5
cf1c2372287ca291885b064e39b912ef

SHA1
a25acfe71905ae43f2bcedda39c8fc0c1c2f7f6d

SHA256
0e8bebd33479f4b1c3819013e98a6e107009cd479fcbc3e6ae83d1d8e1240540

SHA512
a1bfdba775474b8b73b456eb231de562dd5840bd9dfcf6b16ae3fa14e9168cfb27a6dd15ca2c3f2a8af518f6e95e7a812bfd75f81c04e9601fb7626441831e8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
369B

MD5
d64fb9633f847a7caf3375f3bb0bc778

SHA1
bec835aef187b50e7debbdf959abd47c02882f6f

SHA256
8e3be939b225a4d969bc688dc2749611999b024fd5c5df115e3746a9a060e5d6

SHA512
e4242fdfc288c6e5923e4fa33c278d77c998f4beac0ae05dc23f73c6fe96b1763e5108c85fd70adf0662de9c33d165ef3936ced584e6e9512b6488375d2dfb64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
6455e97e895c31dc648212c3c0eced8e

SHA1
521d641786d9e079953d85f4fa5fdcd121cb292f

SHA256
30c0bfaa6cd4042bf014be90958bed288f4d0f4e151a609edf9848ba878bdcd3

SHA512
b0d65cf087dea114ecfae0526be5ac62b68b973b04e123e96116d5a308da62f7953d9252d98db9dd043309c1292038f50d104ea79d824d99936c5e6e8bbd3d90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\2J8MFLGR\disk.yandex[1].xml
Filesize
341B

MD5
abc5997491e71739398e622fa39e2b64

SHA1
5eca8818f8c8fc23a755bf6a6e520afdf9700f90

SHA256
c44a32806becc06eadc3cc37d8ebf6a49f7a0b8861c929370c288b82319475ea

SHA512
38948eafd6a799040a0f57b31fbdd204682b18b7c848881f161c80925c56813a354fe1fa06aada2cdeaecdad56014e28814ce2cc5e507c2f788d15054878ed38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\q7s3h6i\imagestore.dat
Filesize
23KB

MD5
23196fbc9bd202a7903b74555f1c667c

SHA1
b26248d5ea0a591c1893eefcac179cfa58e13731

SHA256
f002059025aec7dc3dea46190dcc9bb3f35174ec9367ab34e6f6fd6be055c3bc

SHA512
16c051b3ec91e2aa2800f64c870b962c83ee3b9f459208fa9b8a7975f9a02743ec2552483e068aedba0ab7bfbc65026349a1dd734704afc55059d9298a3ad14e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BMP3ERH\Script%20Ware%20(CRACKED)%20(4)[1].zip
Filesize
6.0MB

MD5
a00207c4127fc030c9bcc3f6ff253231

SHA1
f5a6b7826647cf90364ff73aec149f3b3a216f6b

SHA256
a8df0d460480bcba2eda5e43441e17f6ff8deecfaa4486b43cebfa82d33abeec

SHA512
b50e7b72af2792019ba32debe8af82e738f9c94d228d33d78f95077d1daebdc04e82a375c860bcad1c347e430192b53bb363dd0419d340e34243a3b6e5110c33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BMP3ERH\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y624AVVJ\favicon[1].ico
Filesize
32KB

MD5
bb797e3d12d7c484b76b807efa2cf3b3

SHA1
5ef5e20be499b7b92abb8881633425a4188aff17

SHA256
44b11bc4be4a9c3f47ca27011c460707a9355deceaae1db98d166caad8d5f527

SHA512
b67f34caff4fc24c1543a284b0bd36a31a7a9ebed84c95ef3d953312de3898aeff1754587d3c372e8cc528e4a1d3516a7ba27fee7cb16d3591a86a4eb393b017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y624AVVJ\favicon[1].ico
Filesize
32KB

MD5
bb797e3d12d7c484b76b807efa2cf3b3

SHA1
5ef5e20be499b7b92abb8881633425a4188aff17

SHA256
44b11bc4be4a9c3f47ca27011c460707a9355deceaae1db98d166caad8d5f527

SHA512
b67f34caff4fc24c1543a284b0bd36a31a7a9ebed84c95ef3d953312de3898aeff1754587d3c372e8cc528e4a1d3516a7ba27fee7cb16d3591a86a4eb393b017

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4).zip.t7oeg8u.partial
Filesize
6.0MB

MD5
a00207c4127fc030c9bcc3f6ff253231

SHA1
f5a6b7826647cf90364ff73aec149f3b3a216f6b

SHA256
a8df0d460480bcba2eda5e43441e17f6ff8deecfaa4486b43cebfa82d33abeec

SHA512
b50e7b72af2792019ba32debe8af82e738f9c94d228d33d78f95077d1daebdc04e82a375c860bcad1c347e430192b53bb363dd0419d340e34243a3b6e5110c33

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\DotNetZip.dll
Filesize
274B

MD5
dde72ae232dc63298465861482d7bb93

SHA1
557c5dbebc35bc82280e2a744a03ce5e78b3e6fb

SHA256
0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091

SHA512
389eb8f7b18fcdd1a6f275ff8acad211a10445ff412221796cd645c9a6458719cced553561e2b4d438783459d02e494d5140c0d85f2b3df617b7b2e031d234b2

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\Newtonsoft.Json.dll
Filesize
274B

MD5
dde72ae232dc63298465861482d7bb93

SHA1
557c5dbebc35bc82280e2a744a03ce5e78b3e6fb

SHA256
0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091

SHA512
389eb8f7b18fcdd1a6f275ff8acad211a10445ff412221796cd645c9a6458719cced553561e2b4d438783459d02e494d5140c0d85f2b3df617b7b2e031d234b2

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\Newtonsoft.Json.dll
Filesize
274B

MD5
dde72ae232dc63298465861482d7bb93

SHA1
557c5dbebc35bc82280e2a744a03ce5e78b3e6fb

SHA256
0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091

SHA512
389eb8f7b18fcdd1a6f275ff8acad211a10445ff412221796cd645c9a6458719cced553561e2b4d438783459d02e494d5140c0d85f2b3df617b7b2e031d234b2

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare(CRACKED).exe
Filesize
416KB

MD5
822d1a2d74c0203a44b70d4b82cee28c

SHA1
71c5d5b3b1f6a489a33b8cf3a99d78ac33d329d1

SHA256
2366c7d9f66024b6fa1e27712324e91a89399d981166ed20b081402434549a90

SHA512
088d8de53451853ad3845467b015863a18bf9ccdf589b2fe7d8413665ead98c4699f296ca1d50da1fcc54e475bb54cfe594600ccbaabe32f401c674f4bd079a3

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare(CRACKED).exe
Filesize
416KB

MD5
822d1a2d74c0203a44b70d4b82cee28c

SHA1
71c5d5b3b1f6a489a33b8cf3a99d78ac33d329d1

SHA256
2366c7d9f66024b6fa1e27712324e91a89399d981166ed20b081402434549a90

SHA512
088d8de53451853ad3845467b015863a18bf9ccdf589b2fe7d8413665ead98c4699f296ca1d50da1fcc54e475bb54cfe594600ccbaabe32f401c674f4bd079a3

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare(CRACKED).exe
Filesize
416KB

MD5
822d1a2d74c0203a44b70d4b82cee28c

SHA1
71c5d5b3b1f6a489a33b8cf3a99d78ac33d329d1

SHA256
2366c7d9f66024b6fa1e27712324e91a89399d981166ed20b081402434549a90

SHA512
088d8de53451853ad3845467b015863a18bf9ccdf589b2fe7d8413665ead98c4699f296ca1d50da1fcc54e475bb54cfe594600ccbaabe32f401c674f4bd079a3

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare(CRACKED).exe
Filesize
416KB

MD5
822d1a2d74c0203a44b70d4b82cee28c

SHA1
71c5d5b3b1f6a489a33b8cf3a99d78ac33d329d1

SHA256
2366c7d9f66024b6fa1e27712324e91a89399d981166ed20b081402434549a90

SHA512
088d8de53451853ad3845467b015863a18bf9ccdf589b2fe7d8413665ead98c4699f296ca1d50da1fcc54e475bb54cfe594600ccbaabe32f401c674f4bd079a3

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare(CRACKED).exe
Filesize
416KB

MD5
822d1a2d74c0203a44b70d4b82cee28c

SHA1
71c5d5b3b1f6a489a33b8cf3a99d78ac33d329d1

SHA256
2366c7d9f66024b6fa1e27712324e91a89399d981166ed20b081402434549a90

SHA512
088d8de53451853ad3845467b015863a18bf9ccdf589b2fe7d8413665ead98c4699f296ca1d50da1fcc54e475bb54cfe594600ccbaabe32f401c674f4bd079a3

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe
Filesize
54KB

MD5
cadc4962b0181669e013d459003af85f

SHA1
f7ece4725f5c9b9fdd223847f7d351fdbe172d22

SHA256
ed8c4461ed51b9b641b48a06edff967760984c673c47dadd0ad918d06959a1ed

SHA512
81b131e355ae1f8cbe55eb15024dfa96c76782b660da8ca19f55a26ebc5bf91a240c60612493a87ffc7e6a98de840695e47e7042f853a9c55f8ec6ad47ee6a6b

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe
Filesize
54KB

MD5
cadc4962b0181669e013d459003af85f

SHA1
f7ece4725f5c9b9fdd223847f7d351fdbe172d22

SHA256
ed8c4461ed51b9b641b48a06edff967760984c673c47dadd0ad918d06959a1ed

SHA512
81b131e355ae1f8cbe55eb15024dfa96c76782b660da8ca19f55a26ebc5bf91a240c60612493a87ffc7e6a98de840695e47e7042f853a9c55f8ec6ad47ee6a6b

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe
Filesize
54KB

MD5
cadc4962b0181669e013d459003af85f

SHA1
f7ece4725f5c9b9fdd223847f7d351fdbe172d22

SHA256
ed8c4461ed51b9b641b48a06edff967760984c673c47dadd0ad918d06959a1ed

SHA512
81b131e355ae1f8cbe55eb15024dfa96c76782b660da8ca19f55a26ebc5bf91a240c60612493a87ffc7e6a98de840695e47e7042f853a9c55f8ec6ad47ee6a6b

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe
Filesize
54KB

MD5
cadc4962b0181669e013d459003af85f

SHA1
f7ece4725f5c9b9fdd223847f7d351fdbe172d22

SHA256
ed8c4461ed51b9b641b48a06edff967760984c673c47dadd0ad918d06959a1ed

SHA512
81b131e355ae1f8cbe55eb15024dfa96c76782b660da8ca19f55a26ebc5bf91a240c60612493a87ffc7e6a98de840695e47e7042f853a9c55f8ec6ad47ee6a6b

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe
Filesize
54KB

MD5
cadc4962b0181669e013d459003af85f

SHA1
f7ece4725f5c9b9fdd223847f7d351fdbe172d22

SHA256
ed8c4461ed51b9b641b48a06edff967760984c673c47dadd0ad918d06959a1ed

SHA512
81b131e355ae1f8cbe55eb15024dfa96c76782b660da8ca19f55a26ebc5bf91a240c60612493a87ffc7e6a98de840695e47e7042f853a9c55f8ec6ad47ee6a6b

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe
Filesize
54KB

MD5
cadc4962b0181669e013d459003af85f

SHA1
f7ece4725f5c9b9fdd223847f7d351fdbe172d22

SHA256
ed8c4461ed51b9b641b48a06edff967760984c673c47dadd0ad918d06959a1ed

SHA512
81b131e355ae1f8cbe55eb15024dfa96c76782b660da8ca19f55a26ebc5bf91a240c60612493a87ffc7e6a98de840695e47e7042f853a9c55f8ec6ad47ee6a6b

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe
Filesize
54KB

MD5
cadc4962b0181669e013d459003af85f

SHA1
f7ece4725f5c9b9fdd223847f7d351fdbe172d22

SHA256
ed8c4461ed51b9b641b48a06edff967760984c673c47dadd0ad918d06959a1ed

SHA512
81b131e355ae1f8cbe55eb15024dfa96c76782b660da8ca19f55a26ebc5bf91a240c60612493a87ffc7e6a98de840695e47e7042f853a9c55f8ec6ad47ee6a6b

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe
Filesize
54KB

MD5
cadc4962b0181669e013d459003af85f

SHA1
f7ece4725f5c9b9fdd223847f7d351fdbe172d22

SHA256
ed8c4461ed51b9b641b48a06edff967760984c673c47dadd0ad918d06959a1ed

SHA512
81b131e355ae1f8cbe55eb15024dfa96c76782b660da8ca19f55a26ebc5bf91a240c60612493a87ffc7e6a98de840695e47e7042f853a9c55f8ec6ad47ee6a6b

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\ScriptWare.exe
Filesize
54KB

MD5
cadc4962b0181669e013d459003af85f

SHA1
f7ece4725f5c9b9fdd223847f7d351fdbe172d22

SHA256
ed8c4461ed51b9b641b48a06edff967760984c673c47dadd0ad918d06959a1ed

SHA512
81b131e355ae1f8cbe55eb15024dfa96c76782b660da8ca19f55a26ebc5bf91a240c60612493a87ffc7e6a98de840695e47e7042f853a9c55f8ec6ad47ee6a6b

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\System.Data.SQLite.dll
Filesize
274B

MD5
dde72ae232dc63298465861482d7bb93

SHA1
557c5dbebc35bc82280e2a744a03ce5e78b3e6fb

SHA256
0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091

SHA512
389eb8f7b18fcdd1a6f275ff8acad211a10445ff412221796cd645c9a6458719cced553561e2b4d438783459d02e494d5140c0d85f2b3df617b7b2e031d234b2

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\x64\SQLite.Interop.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\x64\SQLite.Interop.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\x64\SQLite.Interop.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\x64\SQLite.Interop.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\x64\SQLite.Interop.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\x64\SQLite.Interop.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\x64\SQLite.Interop.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\x86\SQLite.Interop.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\x86\SQLite.Interop.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\x86\SQLite.Interop.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\x86\SQLite.Interop.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\x86\SQLite.Interop.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\x86\SQLite.Interop.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Downloads\Script Ware (CRACKED) (4)\x86\SQLite.Interop.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_2172_AECLPHCIGBECZRXZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1248-339-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1276-351-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/1984-287-0x00000000075A0000-0x0000000007606000-memory.dmp

Filesize
408KB

Download
memory/1984-282-0x0000000007700000-0x00000000078C2000-memory.dmp

Filesize
1.8MB

Download
memory/1984-276-0x0000000006860000-0x0000000006E04000-memory.dmp

Filesize
5.6MB

Download
memory/1984-275-0x0000000006210000-0x00000000062A2000-memory.dmp

Filesize
584KB

Download
memory/1984-262-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1984-261-0x0000000000DE0000-0x0000000000DF4000-memory.dmp

Filesize
80KB

Download
memory/3184-295-0x0000000001580000-0x0000000001590000-memory.dmp

Filesize
64KB

Download
memory/4072-380-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/4240-330-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/4316-313-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

Filesize
64KB

Download