laplas | hxxps://www[.]dropbox[.]com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1[.]13%20%2B%20Zafiro%20EA%20FTMO%20v1[.]13[.]zip?dl=0

max time kernel
188s
max time network
200s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
08-06-2023 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1.13%20%2B%20Zafiro%20EA%20FTMO%20v1.13.zip?dl=0

Score

10^/10

laplas vidar 2ca19830ec2c67b5159166c89d3ebb74 clipper evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

vidar

Version

4.2

Botnet

2ca19830ec2c67b5159166c89d3ebb74

https://steamcommunity.com/profiles/76561199511129510

https://t.me/rechnungsbetrag

Attributes

profile_id_v2
2ca19830ec2c67b5159166c89d3ebb74
user_agent
Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.38 Safari/537.36 Brave/75

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	48340512273141776155.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	48340512273141776155.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	48340512273141776155.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe

Executes dropped EXE 2 IoCs

pid	Process
4260	48340512273141776155.exe
2984	ntlhost.exe

Loads dropped DLL 4 IoCs

pid	Process
4020	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
4020	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
2052	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
2052	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	48340512273141776155.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	48340512273141776155.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4260	48340512273141776155.exe
2984	ntlhost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	106	Go-http-client/1.1

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133306877201291233"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
2372	chrome.exe
2372	chrome.exe
4020	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
4020	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 4512	4452	chrome.exe	66
PID 4452 wrote to memory of 4512	4452	chrome.exe	66
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 2568	4452	chrome.exe	68
PID 4452 wrote to memory of 1812	4452	chrome.exe	69
PID 4452 wrote to memory of 1812	4452	chrome.exe	69
PID 4452 wrote to memory of 3720	4452	chrome.exe	70
PID 4452 wrote to memory of 3720	4452	chrome.exe	70
PID 4452 wrote to memory of 3720	4452	chrome.exe	70
PID 4452 wrote to memory of 3720	4452	chrome.exe	70
PID 4452 wrote to memory of 3720	4452	chrome.exe	70
PID 4452 wrote to memory of 3720	4452	chrome.exe	70
PID 4452 wrote to memory of 3720	4452	chrome.exe	70
PID 4452 wrote to memory of 3720	4452	chrome.exe	70
PID 4452 wrote to memory of 3720	4452	chrome.exe	70
PID 4452 wrote to memory of 3720	4452	chrome.exe	70
PID 4452 wrote to memory of 3720	4452	chrome.exe	70
PID 4452 wrote to memory of 3720	4452	chrome.exe	70
PID 4452 wrote to memory of 3720	4452	chrome.exe	70
PID 4452 wrote to memory of 3720	4452	chrome.exe	70
PID 4452 wrote to memory of 3720	4452	chrome.exe	70
PID 4452 wrote to memory of 3720	4452	chrome.exe	70
PID 4452 wrote to memory of 3720	4452	chrome.exe	70
PID 4452 wrote to memory of 3720	4452	chrome.exe	70
PID 4452 wrote to memory of 3720	4452	chrome.exe	70
PID 4452 wrote to memory of 3720	4452	chrome.exe	70
PID 4452 wrote to memory of 3720	4452	chrome.exe	70
PID 4452 wrote to memory of 3720	4452	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://www.dropbox.com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1.13%20%2B%20Zafiro%20EA%20FTMO%20v1.13.zip?dl=0
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb83109758,0x7ffb83109768,0x7ffb83109778
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1716,i,3407261513339403102,6372863356383146579,131072 /prefetch:2
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1844 --field-trial-handle=1716,i,3407261513339403102,6372863356383146579,131072 /prefetch:8
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1716,i,3407261513339403102,6372863356383146579,131072 /prefetch:8
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1716,i,3407261513339403102,6372863356383146579,131072 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1716,i,3407261513339403102,6372863356383146579,131072 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1716,i,3407261513339403102,6372863356383146579,131072 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4540 --field-trial-handle=1716,i,3407261513339403102,6372863356383146579,131072 /prefetch:8
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5112 --field-trial-handle=1716,i,3407261513339403102,6372863356383146579,131072 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 --field-trial-handle=1716,i,3407261513339403102,6372863356383146579,131072 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1716,i,3407261513339403102,6372863356383146579,131072 /prefetch:8
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5640 --field-trial-handle=1716,i,3407261513339403102,6372863356383146579,131072 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 --field-trial-handle=1716,i,3407261513339403102,6372863356383146579,131072 /prefetch:8
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 --field-trial-handle=1716,i,3407261513339403102,6372863356383146579,131072 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6064 --field-trial-handle=1716,i,3407261513339403102,6372863356383146579,131072 /prefetch:8
  2⤵
  PID:592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1716,i,3407261513339403102,6372863356383146579,131072 /prefetch:8
  2⤵
  PID:596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1716,i,3407261513339403102,6372863356383146579,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2372

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:404

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2356

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:1640

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:3656

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4020
- C:\ProgramData\48340512273141776155.exe
  "C:\ProgramData\48340512273141776155.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4260
- - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2984

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:3284

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:3576

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:596

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:376

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
- Loads dropped DLL
PID:2052
- C:\ProgramData\60657395198898677419.exe
  "C:\ProgramData\60657395198898677419.exe"
  2⤵
  PID:4032

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:4632

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:3328

C:\Users\Admin\Desktop\sosihui.exe
"C:\Users\Admin\Desktop\sosihui.exe"
1⤵
PID:4748

C:\Users\Admin\Desktop\sosihui.exe
"C:\Users\Admin\Desktop\sosihui.exe"
1⤵
PID:4904

C:\Users\Admin\Desktop\sosihui.exe
"C:\Users\Admin\Desktop\sosihui.exe"
1⤵
PID:4844

C:\Users\Admin\Desktop\sosihui.exe
"C:\Users\Admin\Desktop\sosihui.exe"
1⤵
PID:3204

C:\Users\Admin\Desktop\sosihui.exe
"C:\Users\Admin\Desktop\sosihui.exe"
1⤵
PID:4848

C:\Users\Admin\Desktop\sosihui.exe
"C:\Users\Admin\Desktop\sosihui.exe"
1⤵
PID:4412

C:\Users\Admin\Desktop\sosihui.exe
"C:\Users\Admin\Desktop\sosihui.exe"
1⤵
PID:4164

C:\Users\Admin\Desktop\sosihui.exe
"C:\Users\Admin\Desktop\sosihui.exe"
1⤵
PID:3672

C:\Users\Admin\Desktop\sosihui.exe
"C:\Users\Admin\Desktop\sosihui.exe"
1⤵
PID:4840

C:\Users\Admin\Desktop\sosihui.exe
"C:\Users\Admin\Desktop\sosihui.exe"
1⤵
PID:1176

C:\Users\Admin\Desktop\sosihui.exe
"C:\Users\Admin\Desktop\sosihui.exe"
1⤵
PID:2148

C:\Users\Admin\Desktop\sosihui.exe
"C:\Users\Admin\Desktop\sosihui.exe"
1⤵
PID:4928

C:\Users\Admin\Desktop\sosihui.exe
"C:\Users\Admin\Desktop\sosihui.exe"
1⤵
PID:2196

C:\Users\Admin\Desktop\sosihui.exe
"C:\Users\Admin\Desktop\sosihui.exe"
1⤵
PID:4252

C:\Users\Admin\Desktop\sosihui.exe
"C:\Users\Admin\Desktop\sosihui.exe"
1⤵
PID:4220

C:\Users\Admin\Desktop\sosihui.exe
"C:\Users\Admin\Desktop\sosihui.exe"
1⤵
PID:3756

C:\Users\Admin\Desktop\sosihui.exe
"C:\Users\Admin\Desktop\sosihui.exe"
1⤵
PID:4264

C:\Users\Admin\Desktop\sosihui.exe
"C:\Users\Admin\Desktop\sosihui.exe"
1⤵
PID:2920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\48340512273141776155.exe

Filesize
3.7MB

MD5
ccf4763882256111f713d881ad7d9aa9

SHA1
507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

SHA256
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

SHA512
53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

Download Submit
C:\ProgramData\48340512273141776155.exe

Filesize
3.7MB

MD5
ccf4763882256111f713d881ad7d9aa9

SHA1
507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

SHA256
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

SHA512
53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

Download Submit
C:\ProgramData\60657395198898677419.exe

Filesize
2.3MB

MD5
167721f196f42ca21da6731e14c402ae

SHA1
ebb526f9489721dc1aa55f11e33f8217ee407a21

SHA256
4abae859645098d9f5b54b1363326b42ede38f0c6feae450849adc6f0b25a348

SHA512
005595e546c5481d61801168efea352fe568ecb8d0621182cb4815958a5369bbc32e5c40acb921eaac1962d27dac5d0f4e1c005be93adeb152dad09ae6743748

Download Submit
C:\ProgramData\60657395198898677419.exe

Filesize
2.6MB

MD5
fff0cb3f4c0f319b9c3cc4d793a80aec

SHA1
d3742fcd7eb45236dda060bb9f6c0de4faf0649f

SHA256
9b9adfa4300a74376af0cb0f503237e19dcd5aeaee57126428007de0f3595fdf

SHA512
90e97c7400d5acd6c59ff846051fcad3db401ca509c6123d957954527ad00bd912563e600309fef95af99adedf792a60f89e003d34a206eab70fc6c65b3a4f3c

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
1KB

MD5
965e643d41d2bc128e3bcd222b366534

SHA1
a580ba9f4551dcb826fd64df155e84441ab3d38f

SHA256
646fe5ec9d6610c10506e3010199e474439ff35d4ea3b978b8b0aa768f3c94b0

SHA512
410f71e75046b52ec5f22aa49660f75f75593b79c050c8ce8eed9e7e7d00b6938f2f784a1007be9618c8bb30b15fb1ee855845ef91303f2c69e7b09299fe3153

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30

Filesize
1KB

MD5
fc9db7199a674e2dfebc7e727d99a9d9

SHA1
fc5223fb3a5aac2efc351a2e88bd21da775e011c

SHA256
6ed39986a4c889fde041b1a1a765a9c9010afbbea45be0ae01b0e54008e7a8a1

SHA512
518b5b1b8438387dd48c98b141221b33fca64cf1407e007c04f395607c6eb59d3df203290015e40b87767dd4c9f66c50de5b94b8e841808cbecfc48dea085d4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
dc9cff177000842f2a6012e44187a7ac

SHA1
d21b0e775cc8da0aa8ff411a9fca7d824d9c9d9e

SHA256
42ec597f23785bd1abab286493d81952a9484684bca351c01e711cca2fae0d40

SHA512
7631b223d6af02e592630e758fa368bc1fd6895f9f0bbe611bffd9df73bcfb7c8c0b0b03f87c727809e24174c88b7b40648da45426dce33e36576b4490a6b652

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
ca0be0064e5c509a8b83102846851a41

SHA1
ae553c0f7a59a0cde5aaa8993c86b7499f7418e4

SHA256
55b64e6fbfbe97c08034afda831c3123cb0f66d06a6a7504bf32adef7d028867

SHA512
921795e9b1a89e86037dccd3af17f841a730105d0849a894f79f213ce18fe182f80eb7cdfe02991e055440cceddef651369642ee8d76a19394369959caeaf619

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30

Filesize
474B

MD5
0035dc96ff15a4f322d890279fa64785

SHA1
6011aa2838eabe9ccb8797cb80942fd084a9513f

SHA256
7aec1b67b0f272345dd10b83743ae502a538d601cb7538712e42a8c06570b85e

SHA512
5c899951ce1b36dc485cacd4ac9d6c8f654b737fb16971c3384146823a0cc4792f14646f93e847ccf9f6254ad10dcf4fa00a2fcaf53d5169cf0ff5a1e88feae1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
bc1d05a70add6f23377985d30a22223b

SHA1
15892d07dba5e2be584388cb8a7d33305eb19488

SHA256
5e7cfa00dcb43d6304f1d0e7c9bf9dc3d449fb2390b21e7f549ac6f6f0a8cd69

SHA512
eb70b38a580ba6db7ff47e2891b8ffffcdc917c3178c8da8c4a95d6cec0b364067e81e139c3b437490b9b39ee3c96c90870a38abf97891c5c88c6dda9c4cd567

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
26e9b9b3bbdd4ffd3830c4200afab358

SHA1
69ec59656ae77a54f5c3cb6b011a927f805033e4

SHA256
a6a5b21e53a63c71156ee4cc1b5bb39f62d2af9e97fe4c5d606419b97f754866

SHA512
a3f84562b755838decf20cb2f4f4cbb65f01f5191dab4c41067b80ed57caf691a5c5a5ff42cbed1e557cd86579feaaefd32b0d27d9eff2953d3f154bed493e8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
8c48367b755f9e28aeddb8f8d38bc1a8

SHA1
42faeda85274ae0e5cd3bb42d4e091189d802a44

SHA256
58cfea24ef47ba74801319e7f2aebeb7bce610506931874088db1a833fe42928

SHA512
9e4cc6f916142f245fc0b509f6a46bd7016cc09379aadcce5963bb97b6787e364a668d8f78a1e616020e24894a0455286d158f20ee5e407c1aefb1dc351d060e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
83ee4f1620a055c493e19e56f9eb1227

SHA1
d27f813da67e6c4ed28b20f93ce51c0926c9f614

SHA256
d07d6e7242b85a382234a92ffe92030d2d5690f5938c84d6eb56a7c0add6fea5

SHA512
a80b130a80447f448067dd3bb46f289fc3cc439c92439d5f64f3fe22890471ee4fa449b00437651976b0782a459e3937f4f3b4d73fed590f34d38092867c6818

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
28780e793521351293568e958f091dc1

SHA1
460be8288b6982763d6e7ab493e46eee3666fa26

SHA256
9d5602c8333e80362343b6c131dc888d6631d64aca882be40705d151ce28b882

SHA512
55659224ed16e39bc2f4c830d84b5de3b61371556af683722f42c0a6a7d3f1c665edf4793e96dbc5a871473eebaf3ab63689b89b35f3edfc1a882e49e51891fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
731819952e61dd3f375445d5c5fce583

SHA1
11da52159a55d6841458a15bdc7fc274c73ef501

SHA256
791d0a0a5ba1d8c09b3f8ad6e8e7ceed0f818377dd72a9ff1df4ad929c1bcb91

SHA512
4a8f07db6c29d3016c64947108db928ec5fa40166b77ed9eb4a27f2519d0c1294a917d8dd2bbf20f1abdc660733fabc9469d116a7a36ae98fb32f723a40d60ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
87a699287d5efa3c12a667cfb54478ae

SHA1
9ed891aabc6f1809450d6b8ee07e9fa8041c623e

SHA256
5e2fbd37d22f3aab96f801358a99daf596d4676dc4f43ef586baec5dd4b3efd0

SHA512
9631d03a7061420ef1fa5b5700fc5fce7319dc14ffc2044b3817d36e3f714262f5e38120ff1b62344c8c7ea6d30fff0f8f6db0cd68130f6be09aa2aa19b06211

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
25a64b60edb7fd2037174ee55498d8b9

SHA1
4c906e2b057a8ff24451ecd00333bc3200ab5c5c

SHA256
58d71ac332fceb7903613e83cf95dac3099651647c883ec8085ae26510a9af67

SHA512
dc71648f4917e92529dfa9195baa5661ff121b1921e8e307e2382395aa979f7dbd02dccb341c6b8baf65b1c7842c0fd4e4060400615b61c40e701d63284e9fe9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5fcca03e3b81922a02baf379f02bab14

SHA1
748f7d40bab20d205f3a679ad52dfcfa64df584b

SHA256
31380782515a4f8ffc8deff0e13b1dc147bc8662b0ebd73bcb01cd492c6e5905

SHA512
d83f0c74007e0ff85a8832f56a324e2cd2df1c208afabe1d9287affbbb01608859133acf88c943d0623ed90968c546e551442fb124c02c49741bdee60de5e6db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7452f2b81b046743c9f8bfaf02edf508

SHA1
44c701c2a2ad1e96cc56d9c641f84dcf49a12964

SHA256
70066408c2b6ff7f05b51384cf658358c21d50332fd0e3edbeda8162b6017e3a

SHA512
95990abba09417a016005be7065fa9708eccd7870f1a2976c3604966a8c252748478ce33620652260e1c5ac9335b34d44d2a10c9e5f78b257acf6030bb2a2744

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e46224ebc23a8bba7b9d7c223bc70f79

SHA1
be100459d1475ade42966b5f8c2d05ef42156369

SHA256
3e54665c6d1814395c6cda6bf75f6e0e07addf7d16da9a3b5b9d6d73dbd38fa2

SHA512
8e08d75c1a49eaf6ae4627455aa222b9c77e639e86dd765d63758f7daef1c63ae30f6dadb3af4329cb84e6f55ff6e3bc07039ca884b9a8d9123faa3fd8d9695f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a1316abc645570198764226e704369b3

SHA1
0cf86d77172f5c3a2cd6fe1a69810f3c04ebd492

SHA256
bb6c3c510f0ec20dc19e14a461fc8db5f3f070cbdcd76d9e87fa375553036cbd

SHA512
95395b6f25115bf25b5966b591a6805d11acfbf760c430fdcc4092090c93b10fc19ff24003e75c2b9537c45f01e29c2158c9c48343338b3179caa80f2a1d0cf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1451e6149345d62e86c32af5f7538083

SHA1
f7f913d4e60eb13d7c0018d6a81a020d15fa1438

SHA256
b8a10fa42f131c6207884a4c045191a7c9e8c9643a94c04bc0e3f890ae90f7dd

SHA512
2e654aba681780dac1a2f634e8a045585158f610978a79751e12da2c2ce0199a4e352d0255f3a64f1e0038a8383932647b5fa575d9e3bc5e9b883dd27a6c31f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
83b37477c36836103053987935ba4e04

SHA1
ec679c1315c41fd99215a75c73b1ced6fda9d808

SHA256
506005c4a5b6c02477a9134e15b3169f13240239636855fb2545f7c7b6d69f50

SHA512
983ac95620b9afc8b7fa375ae88adcf3c631fddeb3b643b0c6933666cee25f411f953c94a4ee0bf3f901df243f1aeac613188567b2bb891aafb5f71ce59ef6b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
160KB

MD5
1c56907a2f0c98bfc8417715e27661ff

SHA1
20abc81cda8792b158a194973f6ebed738293e30

SHA256
3dafa2e434de7a1576b533783cb8dc07576f6da381fe06b4a1a798b958a5f53a

SHA512
e20f0dfe5bbec6893f0777929b02e5a0bd41eecf0a448c2ea0b67fc835f441d50e728acf6c28694f33beb3b2c6e26985308f71e2f14c84008b78f7bf1e7a7660

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
159KB

MD5
e56f1f625927cd81c41ad53599f97933

SHA1
fa1162ec463811e2b7c0752b48b878ae366d24be

SHA256
a91487ee53d446c5906aec96c00ddba99242fb3fcc4c87912b943a3885e5296f

SHA512
29310789167867c1272c8596f55808bd9306112634514f5d81552bb4b1bb12c8c47f19b77deabd0be9c0624ffc17645c5a3907dd34982be66413c0200229fcec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
160KB

MD5
f396811dea6198dd5c11f429d82b023c

SHA1
efedd7e6310157ed84ddd833cf81e7f4dedfbc1c

SHA256
0ebe6b0bfc5075618400e4fa2bf858f4755d354fe1cb58a6427f25cea9d02c0c

SHA512
91708332343bfce150b95ca605541e7c41b707162908dabd49ca883c7b08c60326468f7a93319742fd0b8da05b11cc912dd43b9fcf49685ff68d6778d3780d35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
160KB

MD5
f396811dea6198dd5c11f429d82b023c

SHA1
efedd7e6310157ed84ddd833cf81e7f4dedfbc1c

SHA256
0ebe6b0bfc5075618400e4fa2bf858f4755d354fe1cb58a6427f25cea9d02c0c

SHA512
91708332343bfce150b95ca605541e7c41b707162908dabd49ca883c7b08c60326468f7a93319742fd0b8da05b11cc912dd43b9fcf49685ff68d6778d3780d35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
72KB

MD5
711b534b08e678d55029c3829f2b3837

SHA1
9906ac127d85124bb12d79170283e113874d4da9

SHA256
102779bd2836c34a300d155ef2f6332769f47b466c867b609e8e47a6b9a7fbd5

SHA512
0702580cc4c419d8c8b2a3191fa025b3f0bea104e3a54aed422ae093eabc865af776a5c4ff5155525f37c854c5d377a3fa14d8d23186371e1e20bf19ebfc9e5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\U7C7NM5X.cookie

Filesize
102B

MD5
20df7f212391893c68b88511b61cf136

SHA1
d409cea8b44bf99a640ba8d5c4c57b4093559391

SHA256
b0092d2f9b475944eef4b191b018a4a46e14603c58e944ebaf0f1928ae5e6590

SHA512
5598d550b22c5b8fe9a5bfe11850538280d314902ddda1a76a2bf071418db734b8b586e47d876c172dd88a267ebf247780bd72dce8f31f850156fc5f56e2be92

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
212.2MB

MD5
6c883627da5b2652d4f7cecd2a16d9f6

SHA1
106f165f4c8d5dddf5fcb29621c90e70b0969189

SHA256
4adc7df183bc5763ac8a20dd4fdb55c0b5de1eac57d9a8d497a5cb7451de0ef1

SHA512
c7290cda665a4dac7c291b79a228b1527aa72e349c607f143708f09c1cef34abfe5a6af2bca09aac580d693e330c03a7ede79d1fb6d849617ac967adab1094c2

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
110.8MB

MD5
34875d33946b51e6b36256e3308038b5

SHA1
36bf852b4b16a90cf2493f4afafa276f77187283

SHA256
94fbe94155aabcc84653a41fd3cd55a8c969a4438cc0ff7fec1b1d84e7a52021

SHA512
2f028b8ea183d81c6304dd22e0b0c306e821326e56630ce3b08326740ab13a42aba955f2096ce87a5fc6328cf1a7826f1a60dfbf16a0c899a80821dfd34af3cd

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
111.7MB

MD5
6c159185a9362a2ca3eb9568cdf93e14

SHA1
9541324c82de0c699ecff30d3a805ba3a21e17e4

SHA256
4e95fce683fd713dd0f7b50ed551a8184a71adc50dc804a8def93ed2c8a86178

SHA512
fdf6e4f0477be232d565205986dd3689774bc5e01de366a4fb36231187fd603897e4dc35757ce63d5c384faf55ed922f33299ba3254d0172334b53dcca087fc2

Download Submit
C:\Users\Admin\Downloads\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.zip

Filesize
7.9MB

MD5
a0638548ba0b039ef86cab79b7d6a925

SHA1
e6b84bc5eaf1e7a505e2bd34536e3cd491422a15

SHA256
a063e4a346ef47f4c739515e005fe1bb2d3f887e093408775f0479c29c5bfbea

SHA512
e863f8b4a20e5cb7f91d33b41ca1356e2fcf3bca50b252a23902a208284b5c5c05e65b7f1977220766ae7440944f908b156f58edf4b6354ebffcb192fbee17e5

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/376-550-0x0000000000D00000-0x0000000001451000-memory.dmp

Filesize
7.3MB

Download
memory/596-547-0x0000000000D00000-0x0000000001451000-memory.dmp

Filesize
7.3MB

Download
memory/1640-468-0x0000000000D00000-0x0000000001451000-memory.dmp

Filesize
7.3MB

Download
memory/2052-553-0x0000000000D00000-0x0000000001451000-memory.dmp

Filesize
7.3MB

Download
memory/2356-470-0x0000000000D00000-0x0000000001451000-memory.dmp

Filesize
7.3MB

Download
memory/2984-696-0x0000000001250000-0x0000000001A9C000-memory.dmp

Filesize
8.3MB

Download
memory/3284-476-0x0000000000D00000-0x0000000001451000-memory.dmp

Filesize
7.3MB

Download
memory/3328-559-0x0000000000D00000-0x0000000001451000-memory.dmp

Filesize
7.3MB

Download
memory/3576-466-0x0000000000D00000-0x0000000001451000-memory.dmp

Filesize
7.3MB

Download
memory/3656-465-0x0000000000D00000-0x0000000001451000-memory.dmp

Filesize
7.3MB

Download
memory/4020-472-0x0000000000D00000-0x0000000001451000-memory.dmp

Filesize
7.3MB

Download
memory/4020-504-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4260-578-0x0000000000D70000-0x00000000015BC000-memory.dmp

Filesize
8.3MB

Download
memory/4260-577-0x0000000000D70000-0x00000000015BC000-memory.dmp

Filesize
8.3MB

Download
memory/4260-576-0x0000000000D70000-0x00000000015BC000-memory.dmp

Filesize
8.3MB

Download
memory/4260-575-0x0000000000D70000-0x00000000015BC000-memory.dmp

Filesize
8.3MB

Download
memory/4260-681-0x0000000000D70000-0x00000000015BC000-memory.dmp

Filesize
8.3MB

Download
memory/4260-574-0x0000000000D70000-0x00000000015BC000-memory.dmp

Filesize
8.3MB

Download
memory/4260-573-0x0000000000D70000-0x00000000015BC000-memory.dmp

Filesize
8.3MB

Download
memory/4260-694-0x0000000000D70000-0x00000000015BC000-memory.dmp

Filesize
8.3MB

Download
memory/4260-572-0x0000000000D70000-0x00000000015BC000-memory.dmp

Filesize
8.3MB

Download
memory/4260-571-0x0000000000D70000-0x00000000015BC000-memory.dmp

Filesize
8.3MB

Download
memory/4632-556-0x0000000000D00000-0x0000000001451000-memory.dmp

Filesize
7.3MB

Download