laplas | hxxps://www[.]dropbox[.]com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1[.]13%20%2B%20Zafiro%20EA%20FTMO%20v1[.]13[.]zip?dl=0

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1.13%20%2B%20Zafiro%20EA%20FTMO%20v1.13.zip?dl=0

Score

10^/10

laplas vidar 2ca19830ec2c67b5159166c89d3ebb74 clipper evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

vidar

Version

4.2

Botnet

2ca19830ec2c67b5159166c89d3ebb74

https://steamcommunity.com/profiles/76561199511129510

https://t.me/rechnungsbetrag

Attributes

profile_id_v2
2ca19830ec2c67b5159166c89d3ebb74
user_agent
Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.38 Safari/537.36 Brave/75

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	03299758655827282013.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	03299758655827282013.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	03299758655827282013.exe

Executes dropped EXE 2 IoCs

pid	Process
4456	03299758655827282013.exe
548	ntlhost.exe

Loads dropped DLL 4 IoCs

pid	Process
1572	zalupa.exe
1572	zalupa.exe
4496	zalupa.exe
4496	zalupa.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	03299758655827282013.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	03299758655827282013.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4456	03299758655827282013.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1588	1552	WerFault.exe	119

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalupa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalupa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalupa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalupa.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	192	Go-http-client/1.1

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2275444769-3691835758-4097679484-1000\{3D5DCF49-C170-4B18-AC7F-35DAC7F5032C}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1632	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4292	chrome.exe
4292	chrome.exe
3836	chrome.exe
3836	chrome.exe
1572	zalupa.exe
1572	zalupa.exe
4496	zalupa.exe
4496	zalupa.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 1768	4292	chrome.exe	85
PID 4292 wrote to memory of 1768	4292	chrome.exe	85
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 3016	4292	chrome.exe	86
PID 4292 wrote to memory of 4352	4292	chrome.exe	87
PID 4292 wrote to memory of 4352	4292	chrome.exe	87
PID 4292 wrote to memory of 2380	4292	chrome.exe	88
PID 4292 wrote to memory of 2380	4292	chrome.exe	88
PID 4292 wrote to memory of 2380	4292	chrome.exe	88
PID 4292 wrote to memory of 2380	4292	chrome.exe	88
PID 4292 wrote to memory of 2380	4292	chrome.exe	88
PID 4292 wrote to memory of 2380	4292	chrome.exe	88
PID 4292 wrote to memory of 2380	4292	chrome.exe	88
PID 4292 wrote to memory of 2380	4292	chrome.exe	88
PID 4292 wrote to memory of 2380	4292	chrome.exe	88
PID 4292 wrote to memory of 2380	4292	chrome.exe	88
PID 4292 wrote to memory of 2380	4292	chrome.exe	88
PID 4292 wrote to memory of 2380	4292	chrome.exe	88
PID 4292 wrote to memory of 2380	4292	chrome.exe	88
PID 4292 wrote to memory of 2380	4292	chrome.exe	88
PID 4292 wrote to memory of 2380	4292	chrome.exe	88
PID 4292 wrote to memory of 2380	4292	chrome.exe	88
PID 4292 wrote to memory of 2380	4292	chrome.exe	88
PID 4292 wrote to memory of 2380	4292	chrome.exe	88
PID 4292 wrote to memory of 2380	4292	chrome.exe	88
PID 4292 wrote to memory of 2380	4292	chrome.exe	88
PID 4292 wrote to memory of 2380	4292	chrome.exe	88
PID 4292 wrote to memory of 2380	4292	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://www.dropbox.com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1.13%20%2B%20Zafiro%20EA%20FTMO%20v1.13.zip?dl=0
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdec439758,0x7ffdec439768,0x7ffdec439778
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 --field-trial-handle=1796,i,6799234523222811625,16193463131686645667,131072 /prefetch:2
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1796,i,6799234523222811625,16193463131686645667,131072 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1320 --field-trial-handle=1796,i,6799234523222811625,16193463131686645667,131072 /prefetch:8
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=1796,i,6799234523222811625,16193463131686645667,131072 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1796,i,6799234523222811625,16193463131686645667,131072 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1796,i,6799234523222811625,16193463131686645667,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4704 --field-trial-handle=1796,i,6799234523222811625,16193463131686645667,131072 /prefetch:8
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4696 --field-trial-handle=1796,i,6799234523222811625,16193463131686645667,131072 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5356 --field-trial-handle=1796,i,6799234523222811625,16193463131686645667,131072 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3164 --field-trial-handle=1796,i,6799234523222811625,16193463131686645667,131072 /prefetch:8
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5224 --field-trial-handle=1796,i,6799234523222811625,16193463131686645667,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3836

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3384

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4072

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\adsafsafsa.cmd
1⤵
- Opens file in notepad (likely ransom note)
PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\adsafsafsa.cmd" "
1⤵
PID:1564
- C:\Users\Admin\Desktop\zalupa.exe
  zalupa.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1572
- - C:\ProgramData\03299758655827282013.exe
    "C:\ProgramData\03299758655827282013.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4456
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Executes dropped EXE
      PID:548
- C:\Users\Admin\Desktop\zalupa.exe
  zalupa.exe
  2⤵
  PID:4276

C:\Users\Admin\Desktop\zalupa.exe
"C:\Users\Admin\Desktop\zalupa.exe"
1⤵
PID:3608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\adsafsafsa.cmd" "
1⤵
PID:4384
- C:\Users\Admin\Desktop\zalupa.exe
  zalupa.exe
  2⤵
  PID:1552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1604
    3⤵
    - Program crash
    PID:1588
- C:\Users\Admin\Desktop\zalupa.exe
  zalupa.exe
  2⤵
  PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\adsafsafsa.cmd" "
1⤵
PID:4964
- C:\Users\Admin\Desktop\zalupa.exe
  zalupa.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\adsafsafsa.cmd" "
1⤵
PID:4544
- C:\Users\Admin\Desktop\zalupa.exe
  zalupa.exe
  2⤵
  PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1552 -ip 1552
1⤵
PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\adsafsafsa.cmd" "
1⤵
PID:2884
- C:\Users\Admin\Desktop\zalupa.exe
  zalupa.exe
  2⤵
  PID:2280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\03299758655827282013.exe

Filesize
3.7MB

MD5
ccf4763882256111f713d881ad7d9aa9

SHA1
507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

SHA256
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

SHA512
53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

Download Submit
C:\ProgramData\03299758655827282013.exe

Filesize
3.7MB

MD5
ccf4763882256111f713d881ad7d9aa9

SHA1
507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

SHA256
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

SHA512
53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

Download Submit
C:\ProgramData\03299758655827282013.exe

Filesize
3.7MB

MD5
ccf4763882256111f713d881ad7d9aa9

SHA1
507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

SHA256
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

SHA512
53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

Download Submit
C:\ProgramData\06639151280682776263467221

Filesize
112KB

MD5
780853cddeaee8de70f28a4b255a600b

SHA1
ad7a5da33f7ad12946153c497e990720b09005ed

SHA256
1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

SHA512
e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Download Submit
C:\ProgramData\44521392808120529359395685

Filesize
92KB

MD5
721d9e468a6d6d0276d8d0e060e4e57b

SHA1
62c635bf0c173012301f195a7d0e430270715613

SHA256
0be20bbaa9d80dfefd3038e5c7904d4b426719607c563254ec42500d704021f0

SHA512
0af08f0f5ecda8cdaaaba317f16e835032797e4e6e64f3f4e5b0bb8fd20f1afd9e8e2ca50b549e1c1a48a26ff02f59bc8212deb354b095294c97016a3c9dbb12

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
1KB

MD5
965e643d41d2bc128e3bcd222b366534

SHA1
a580ba9f4551dcb826fd64df155e84441ab3d38f

SHA256
646fe5ec9d6610c10506e3010199e474439ff35d4ea3b978b8b0aa768f3c94b0

SHA512
410f71e75046b52ec5f22aa49660f75f75593b79c050c8ce8eed9e7e7d00b6938f2f784a1007be9618c8bb30b15fb1ee855845ef91303f2c69e7b09299fe3153

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30

Filesize
1KB

MD5
fc9db7199a674e2dfebc7e727d99a9d9

SHA1
fc5223fb3a5aac2efc351a2e88bd21da775e011c

SHA256
6ed39986a4c889fde041b1a1a765a9c9010afbbea45be0ae01b0e54008e7a8a1

SHA512
518b5b1b8438387dd48c98b141221b33fca64cf1407e007c04f395607c6eb59d3df203290015e40b87767dd4c9f66c50de5b94b8e841808cbecfc48dea085d4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
dc9cff177000842f2a6012e44187a7ac

SHA1
d21b0e775cc8da0aa8ff411a9fca7d824d9c9d9e

SHA256
42ec597f23785bd1abab286493d81952a9484684bca351c01e711cca2fae0d40

SHA512
7631b223d6af02e592630e758fa368bc1fd6895f9f0bbe611bffd9df73bcfb7c8c0b0b03f87c727809e24174c88b7b40648da45426dce33e36576b4490a6b652

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
99eb45cf8bed2cd1f263df529978e5ab

SHA1
cd9901154f9bd6d6f075f79268f48e436602474d

SHA256
6d43edda5e8061409e81256063be9b1bde0fe10d41668c0559b3727e6e897fd2

SHA512
b7536a3520ea091accd48d5514aa7675481937f107b2c23fce9467394df0dad8d0f7d10f02ed11dae0138f700a9181c30a3fae9c25c4bf3cb095d786b19332dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30

Filesize
474B

MD5
09a85045c26ad4cb65e3b47718b64b7f

SHA1
7d24dfce476eca6e9bd116605050fa3989b8777c

SHA256
0bccd8d40905caf965707197b5a44ca2f89645b33d33229e92583f4e1663d173

SHA512
3d9b305243fdfe7997fe2bb3d02507322a1de014dcf714ddb4907b499fa794875c2cb8b825005153aa17b55ba4037f90ad5d6a7bdedb1b94dbd6442f0ede950f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
ed8de70305d2e49239db90c725d127c8

SHA1
f4e16ec2c7c5513460954598aba1ce2da2f9badd

SHA256
0dd0c8a071d862fd8b2e3bb04a77237895787e8e1cb6d6358fb534821c4fb994

SHA512
8e88f65cdbcc5068f3843219cb36791ac2d94ebe73ca6fc03bf6e68e93ab7539fcd203fd1fbdcfae32f69fd0f588508cbb8afa9ec3ecd7010942b7b3a7ba649a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a6b079ca7bc4d6d401aeccb60ccd5942

SHA1
67d5e4eae04c6695654be123490f9542bfba3cd7

SHA256
7e55496a47585116f7620b2c92b023b05b6e67537657d1940de05bdbd57c184e

SHA512
6947df02b1ccd7c41bf6b9a0884b2017cafe11fb8dc7303575cd687d226ce869cad50917dce51ce55bc5a9bb4abc7f21694a2aba54f18fb1686660c80dedcbcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
fd2af40db19a237362d44f14d657166a

SHA1
213a4618e9220ef2f8a2f2d7080a1ecdee017c8f

SHA256
77877971958c2877c2d2d5fe955b6bd2fdf39726a747ce814bbedda40339d62b

SHA512
abecaee485b7cae9eccdbe5dda5f3b0fdfd5dd3a73246cf8214c8f940b5eab992b6597b8c2b3dabb3b6702e5fd6221e183ea53967a8340f01606aaf7d3d61833

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e6b3dd118b243e2314e97fed26008f1b

SHA1
320de4e23c05cc39a2070a3579f911a85a77514f

SHA256
4ba87e95d77190b4d0cd4082e4df5e90bafdc9dd25a8a57ad51cefecc93244b5

SHA512
4cb175598554e10ab214fc4471ec2f5ba5675a710d63629891fb303d7fca6128c50529be4f79248a014dc2cdff8e37b4067c99a44ce92693a3119362e95b7818

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d31160a7ba055ec42a384d6436db39ac

SHA1
3f5fee24043bf79fb8afc27163586f66c064d573

SHA256
f0353308ee5266fe88b5036c6fca6a08d1819e9a4be2dc354f559dda92c95b7a

SHA512
a7eb4ddb62d8f010108702ced64176b54ca694ed264123228f6b96f9fc140efe19c1515e019ec1c68b358976790f1f54a4e0a8a3ce7cfe83fec2bbb68e216d9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
634fee7c213a2b499c16fb26eeb0f64a

SHA1
ae1ec026f3502e3b6b6e1cc47fc83fd321de31f0

SHA256
bd0717a3c6cb660ddcfa2124af054c12a65e95c11713d81d73a80b2da5e7f78d

SHA512
cecf64d9b6acd3e5f5710913dcb0d86e72f1e8ab69f31f3bad995ef5a854aa4c4d5fe6b689d2db3078b5c420caa05ef42e26fa1a4df81cef597b49eb72595614

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a8524edfbe0b3229dc0a3a8569d31b92

SHA1
26da51a1e59f3b052f092c3e36fa250718acccf8

SHA256
a63f938ee18a56a5c10df2033172e20df27411a122121244821888be3ff69ca4

SHA512
3e32f31c72ed7eb04feb4bb08fd41351cbc19eaa5ea55fc47cc57d3d9b684beb2fdbef3dbd57790dbc3ed903a860230fd148b1705295dad1f5ff3c8da5a5e36a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3bd27385b394a4f853fda67a0b53c9e1

SHA1
c0730c7b28c063c39af86267e536ec7bc6a7d6e1

SHA256
e80a5f1fb26747c7110ae8963fe310e430498e7585d882ba3785b54db4e7e443

SHA512
3c085b110ba0aa66666ea32d6db720bc17bb5c23e48e117a1455e6f0cf71f3048174ae7f8405b898c85d0f43dd5afdc6f167ff153a67bec2a73fe754d8304665

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7d3963e5e1832d08ca6864fba83ffcab

SHA1
59e52c9da46496514f6d65f93d260f90defecc11

SHA256
db59b30c477da85037a603d4e8c6e8c7cf0bc9f4e6cc66bfeb1fbbecdcd76daf

SHA512
c904cc711fd409ca96b6527c61a7130d27f95a2e8736e8da2df8da49546265c1c6e67e2189e00471ffcfb57d4028e6480140ad7f1af26bff4490d0fa33e8925a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9092072eb94be20529132018d3bbbd81

SHA1
bd8f3a61a869beb9c42001ccd31caa710401779d

SHA256
40037193915451d875cdc667f8c2850be44f8b1e25b27f76f712a5d05cf9044a

SHA512
bdb29798dbc4adfbc4a8e1170d50d4fd869972e17ad51a3f0b67dafa3956fd84a2d9cf31c5ab97335e2d1a8207e6e55ff7d9846820ee1d123284b4f69173ede7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8a6f875b27c93d1b4752785b694eda76

SHA1
ccd58320e108d7fbec97203cbd13534331673cab

SHA256
9d97c2ba6577cc44d4e8e6feb20790390e17914ec3b695a11bfa7aef63f71aff

SHA512
f0102cda03abdb762d6ec09fa25e41049ce3653a52b58afc25d259580ad55b4ade5752e9b752f39de445ee97e30865ad3c29fd8a8f3dca939c5610296cdeb62a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b7cbcda66f8c56ea6fc794e0ed0fcfc1

SHA1
b096942ef639555376b7ff6cdd7f57e251d426ca

SHA256
b232b945d8f2cf2147adf9e845dd62e1cc075a2c32b7571860077924240310d4

SHA512
8a1fd91d02ba298c78867a0375984cf2aeabae9ca6afbc6f3bf012587b1c8f6374d49cf68bbda329adf1d4129628fe0ead2f36142a936994278742cc29f291bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b8572be53b8533e086a3718de020c553

SHA1
48a2aadaf170d9cf1fe480632d8d8171f84350f0

SHA256
e56122a5ede0f8e9e6c03d520a4385c210708fac83f9064b56effa511771c319

SHA512
a975b2619a1f8b243f284baedb1106ca94c32b643587f0419059ce19366b5ba0290330602b80fe5f313d13a32a5a37ca7eb081b10d21ba9373fdcaa44b5b03d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
158KB

MD5
d915a397de179eecef275c392cfeb105

SHA1
26fb0070193df025441cdce059e55e54c3f285b2

SHA256
12c31488d8d5d06489be3ae46d8927a51d0e766abe00b775d5f02582a8188e13

SHA512
e3f39c00fa2752d91d15c3752311def91a690282e94697a5dd40439f652f32ae88fd1303c30a220c7e79cd2f5995e1b3e02c5ed79932dff48bcde176360f6386

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
158KB

MD5
d915a397de179eecef275c392cfeb105

SHA1
26fb0070193df025441cdce059e55e54c3f285b2

SHA256
12c31488d8d5d06489be3ae46d8927a51d0e766abe00b775d5f02582a8188e13

SHA512
e3f39c00fa2752d91d15c3752311def91a690282e94697a5dd40439f652f32ae88fd1303c30a220c7e79cd2f5995e1b3e02c5ed79932dff48bcde176360f6386

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
20.6MB

MD5
fb1e9a6f3f9fcf0e4a60d750ef8eb81d

SHA1
6390ca74bfeb81a92e73a9a8c71b161602f55bce

SHA256
504fcdf4d67efb8642b297d147c310145c0205c9ce3eafc25e989db586299ce6

SHA512
ac3cb276694a0bef93f0ba3917e4d3c14470df3cd556f6c09e8ad1e4de29122cf3b1067c8239524b29374cc5aba96a340932e0d9cb161220214f9d4461f2d421

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
20.4MB

MD5
b43360a078802ce8e0c3915952633d28

SHA1
e982dbccda35835b7425f59a268c416b69dbd639

SHA256
f3eecca34ead66af5df598e02cd5d4f331681ed6960a8c429b2e783d853743eb

SHA512
114d97d97ddc0d71fd4fa03adc6c0954573fbc0b87abd64642466b30e45ba5c352692d1cbbfbe952e81fdab880abb8c205bb5711399aed66764ad31696e50b1f

Download Submit
C:\Users\Admin\Desktop\adsafsafsa.cmd

Filesize
173B

MD5
d164c87456b65dfce274f3417059407b

SHA1
e00b7d7a1eca0ceaadda7079a028c625d624d986

SHA256
1cc6981db13bd367b4fbc408ca181a1f4938ecd6e9522a07fab564405dd73bac

SHA512
963a631717ca94603430164d3629c74f747789f4f9eca87b29d22df8566c801231e807f7888eecaf93038d5bd48e434278037d30c7729cccab24c3822baf7896

Download Submit
C:\Users\Admin\Downloads\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.zip

Filesize
7.9MB

MD5
a0638548ba0b039ef86cab79b7d6a925

SHA1
e6b84bc5eaf1e7a505e2bd34536e3cd491422a15

SHA256
a063e4a346ef47f4c739515e005fe1bb2d3f887e093408775f0479c29c5bfbea

SHA512
e863f8b4a20e5cb7f91d33b41ca1356e2fcf3bca50b252a23902a208284b5c5c05e65b7f1977220766ae7440944f908b156f58edf4b6354ebffcb192fbee17e5

Download Submit
memory/548-620-0x0000000000670000-0x0000000000EBC000-memory.dmp

Filesize
8.3MB

Download
memory/1552-443-0x0000000000760000-0x0000000000EB1000-memory.dmp

Filesize
7.3MB

Download
memory/1572-428-0x0000000000760000-0x0000000000EB1000-memory.dmp

Filesize
7.3MB

Download
memory/1572-446-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3608-431-0x0000000000760000-0x0000000000EB1000-memory.dmp

Filesize
7.3MB

Download
memory/4276-527-0x0000000000760000-0x0000000000EB1000-memory.dmp

Filesize
7.3MB

Download
memory/4456-526-0x0000000000240000-0x0000000000A8C000-memory.dmp

Filesize
8.3MB

Download
memory/4456-532-0x0000000000240000-0x0000000000A8C000-memory.dmp

Filesize
8.3MB

Download
memory/4456-530-0x0000000000240000-0x0000000000A8C000-memory.dmp

Filesize
8.3MB

Download
memory/4456-533-0x0000000000240000-0x0000000000A8C000-memory.dmp

Filesize
8.3MB

Download
memory/4456-528-0x0000000000240000-0x0000000000A8C000-memory.dmp

Filesize
8.3MB

Download
memory/4456-525-0x0000000000240000-0x0000000000A8C000-memory.dmp

Filesize
8.3MB

Download
memory/4456-611-0x0000000000240000-0x0000000000A8C000-memory.dmp

Filesize
8.3MB

Download
memory/4456-524-0x0000000000240000-0x0000000000A8C000-memory.dmp

Filesize
8.3MB

Download
memory/4456-616-0x0000000000240000-0x0000000000A8C000-memory.dmp

Filesize
8.3MB

Download
memory/4456-534-0x0000000000240000-0x0000000000A8C000-memory.dmp

Filesize
8.3MB

Download
memory/4496-508-0x0000000000760000-0x0000000000EB1000-memory.dmp

Filesize
7.3MB

Download
memory/4808-541-0x0000000000760000-0x0000000000EB1000-memory.dmp

Filesize
7.3MB

Download
memory/4944-545-0x0000000000760000-0x0000000000EB1000-memory.dmp

Filesize
7.3MB

Download