laplas | hxxps://telegra[.]ph/MultiHack-Launcher-05-19

Analysis

max time kernel
120s
max time network
174s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
12-06-2023 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://telegra.ph/MultiHack-Launcher-05-19

Score

10^/10

laplas lobshot redline @hesoyamnew backdoor clipper discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@hesoyamnew

94.142.138.4:80

Attributes

auth_value
d0a2897a24ba814f01b36a0b2873bdd1

Extracted

Family

laplas

http://185.223.93.251

Attributes

api_key
f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

Detects Lobshot family 5 IoCs

resource	yara_rule
behavioral1/files/0x000400000001ae51-451.dat	family_lobshot
behavioral1/files/0x000400000001ae51-452.dat	family_lobshot
behavioral1/files/0x000600000001afcb-497.dat	family_lobshot
behavioral1/files/0x000600000001afcb-499.dat	family_lobshot
behavioral1/files/0x000600000001afcb-498.dat	family_lobshot

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Lobshot
Lobshot is a backdoor module written in c++.
backdoor lobshot
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
3332	Launcher.exe
1084	conhost.exe
4332	svchost.exe
224	service.exe
4968	ntlhost.exe
2860	Launcher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\Shell Extension = "C:\\ProgramData\\service.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	conhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	90	Go-http-client/1.1

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133310453085246710"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1448	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1920	chrome.exe
1920	chrome.exe
3332	Launcher.exe
3332	Launcher.exe
4332	svchost.exe
4332	svchost.exe
224	service.exe
224	service.exe
2860	Launcher.exe
2860	Launcher.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: 33	272	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	272	AUDIODG.EXE
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
4692	7zG.exe
1920	chrome.exe
1920	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 1476	1920	chrome.exe	66
PID 1920 wrote to memory of 1476	1920	chrome.exe	66
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 4300	1920	chrome.exe	68
PID 1920 wrote to memory of 3560	1920	chrome.exe	69
PID 1920 wrote to memory of 3560	1920	chrome.exe	69
PID 1920 wrote to memory of 3552	1920	chrome.exe	70
PID 1920 wrote to memory of 3552	1920	chrome.exe	70
PID 1920 wrote to memory of 3552	1920	chrome.exe	70
PID 1920 wrote to memory of 3552	1920	chrome.exe	70
PID 1920 wrote to memory of 3552	1920	chrome.exe	70
PID 1920 wrote to memory of 3552	1920	chrome.exe	70
PID 1920 wrote to memory of 3552	1920	chrome.exe	70
PID 1920 wrote to memory of 3552	1920	chrome.exe	70
PID 1920 wrote to memory of 3552	1920	chrome.exe	70
PID 1920 wrote to memory of 3552	1920	chrome.exe	70
PID 1920 wrote to memory of 3552	1920	chrome.exe	70
PID 1920 wrote to memory of 3552	1920	chrome.exe	70
PID 1920 wrote to memory of 3552	1920	chrome.exe	70
PID 1920 wrote to memory of 3552	1920	chrome.exe	70
PID 1920 wrote to memory of 3552	1920	chrome.exe	70
PID 1920 wrote to memory of 3552	1920	chrome.exe	70
PID 1920 wrote to memory of 3552	1920	chrome.exe	70
PID 1920 wrote to memory of 3552	1920	chrome.exe	70
PID 1920 wrote to memory of 3552	1920	chrome.exe	70
PID 1920 wrote to memory of 3552	1920	chrome.exe	70
PID 1920 wrote to memory of 3552	1920	chrome.exe	70
PID 1920 wrote to memory of 3552	1920	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://telegra.ph/MultiHack-Launcher-05-19
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc54139758,0x7ffc54139768,0x7ffc54139778
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1856,i,11010878681262111516,17896356510846123059,131072 /prefetch:2
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=1856,i,11010878681262111516,17896356510846123059,131072 /prefetch:8
  2⤵
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 --field-trial-handle=1856,i,11010878681262111516,17896356510846123059,131072 /prefetch:8
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=1856,i,11010878681262111516,17896356510846123059,131072 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1856,i,11010878681262111516,17896356510846123059,131072 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1856,i,11010878681262111516,17896356510846123059,131072 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1856,i,11010878681262111516,17896356510846123059,131072 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4944 --field-trial-handle=1856,i,11010878681262111516,17896356510846123059,131072 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5292 --field-trial-handle=1856,i,11010878681262111516,17896356510846123059,131072 /prefetch:8
  2⤵
  PID:684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 --field-trial-handle=1856,i,11010878681262111516,17896356510846123059,131072 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 --field-trial-handle=1856,i,11010878681262111516,17896356510846123059,131072 /prefetch:8
  2⤵
  PID:1172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5836 --field-trial-handle=1856,i,11010878681262111516,17896356510846123059,131072 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4852 --field-trial-handle=1856,i,11010878681262111516,17896356510846123059,131072 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5116 --field-trial-handle=1856,i,11010878681262111516,17896356510846123059,131072 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5044 --field-trial-handle=1856,i,11010878681262111516,17896356510846123059,131072 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4472 --field-trial-handle=1856,i,11010878681262111516,17896356510846123059,131072 /prefetch:2
  2⤵
  PID:4852

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1364

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xf8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:272

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4780

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap14244:78:7zEvent16578
1⤵
- Suspicious use of FindShellTrayWindow
PID:4692

C:\Users\Admin\Downloads\Launcher.exe
"C:\Users\Admin\Downloads\Launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3332
- C:\Users\Admin\AppData\Local\Temp\conhost.exe
  "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1084
- - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    3⤵
    - Executes dropped EXE
    PID:4968
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:4332
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c (ping 127.0.0.1) & (del /F /Q "C:\Users\Admin\AppData\Local\Temp\svchost.exe") & (start "" "C:\ProgramData\service.exe")
    3⤵
    PID:4776
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1448
  - - C:\ProgramData\service.exe
      "C:\ProgramData\service.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:224

C:\Users\Admin\Downloads\Launcher.exe
"C:\Users\Admin\Downloads\Launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\service.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
C:\ProgramData\service.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
C:\ProgramData\service.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000034

Filesize
162KB

MD5
5d1325194ab19e5446660cfba923e18d

SHA1
1e3c2ca9abbedc852231c72f321207c4cee69276

SHA256
54ad7e76fb07c695cdf95f30ebb6047a552b61ece067cc50b74c2f755722bc03

SHA512
0aee70c35a38942cf88cc655f7f19cb858549cf4e883eb249dbdf70274c96e24c552a187ea0eb44b2943ffb3f9b8be968e066ce9619a43c55004b52419c735bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000043

Filesize
41KB

MD5
c3caddeb651c1d038c7370b27df2e99e

SHA1
7ea326c1d39710faef10925d5ae111f9cea72f6c

SHA256
e89de5d62fdd466570d2a7d0228164aeb2e8590c35a7c9ed1a3bab32a67880fe

SHA512
c3da84dd2aea427842ed881b9fd53fe7a417d7173e88572eaed6b48139f93d6e5b33e781d8b921c9448f15359253ad004d036354a60a442423663b47ca54e155

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
107be3dd776f2dfd0d69824930bad114

SHA1
4c422cf680d6a85aedbe74d51da002c67c955ea2

SHA256
5ac6a7249f69beeeaae68fa72b8cd36e3e64959e3c2e8a712d27b3541fdd2d84

SHA512
a8d77cb3bc25cd5aac7a6c154138c431f34690c08fd78c5785766760f91e5fc4b2ba9ef5e901a4b20db47810a326b875a8bd02ebc901f6b3ee8b0cebbb0af4a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fdb8adfbca9ea139a031a737861d810a

SHA1
52185135de4f8a233b5d8e78a786d9fcb233dc46

SHA256
f42bce9290ac6f800fac67dae03615d693cf9d595a63e7b8237b9e2e2b708a2c

SHA512
d53150f1308a5cd9ea21da6f2d4462df655992409b071aecb5bf3ca7c20670f9e5c893a7efc3b697767cab3e9b9b1535088177378463320d51256e46811a2893

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
552469cca35c80f8a722f955ecff90ed

SHA1
249a2222eb0e3706c89392d797b2b1a2bdbbaa1c

SHA256
5e3ab45d037ce375733309a6e2b431b7ab2f0e6fcfdb7fade466a5d22dccc52f

SHA512
cdb81e168908ed7ae2165a6ec5935d3a6c8d3fb4ff47e6bc05896e326b05682be7da452bea6b1502a25022b79ee17c5d5ebc0062f36b14a68d1fb7021622b57d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
6d05aebf279295da608860e72de30447

SHA1
e3062910432fef859eeea3eefaa47f71d70e2b5e

SHA256
2d6d281cbe1c383edc386de92691772472bf2466b5b3be190d908b40ecb44a9d

SHA512
1c8ef87852d064cc5688a779255d2b4baf11d44f16ea5ea67662ce196932e3d520187b3d48182204163910182ceacc2881a8fa141412cb80ffc5ced2bc22a63b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6186a593bf375a4e13597dcd34bd1824

SHA1
7f5a9223444309d6660e9b9b3d9c64582e625dee

SHA256
14545761d3913d4f120b8efaee707045038f5f716afa135a41952d7fff512630

SHA512
ffd83246abce479e1698ff9a3018b6b7c080ab5de8fd484f998ce1de2b57268e30a3f418ac0b6f19d5930e0606ddb9598b5ea53b09b58c2a30b131652edd7e3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b2b921c0c47af848d274b483ec534a15

SHA1
83f1bd820d50b3bc204b0401be02c01923c41a4d

SHA256
af23021b3f2e35a54fa51f085a61d102b9fb140368643e0d628bc65ddbeeae37

SHA512
320307ece67cd0ceefc2ef83a676c3febd25367d66ba208d4787c50616f05afaa60a828e4a14f6fc2612879aa538bbe0aa315c6ba261315676da8400ef325f79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
6b60d967d5d1e9368bbc3f6b29faadf4

SHA1
2f54d031054f4193e1712c39631363531e028f37

SHA256
dbcee393caf812d85e7f7bde2cc37f0e349f35b2a1bf5ffa1ec5b4e826fab257

SHA512
ac9e8af2e1e700b9bc608f6142dd4bd4631444c6a46548fe83ba508f38b0248ce2b7cd43287e72ab53ba6995bb375a52042d8d969d6b6d28a0963c8dfac8fa5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7eca6eac6e886b700ee6538802a4ae41

SHA1
db787759a0efd28e7e25d1a9a617f7af71937909

SHA256
26524d6c90816f4b79f507ccff99fc97b89ba038ce95cfc2d2bce5bc34045b57

SHA512
2552efbed89e335b6a93529eed947f79f5c5418e8d200b6d8dc57001f077797cb73c3460039af90a9fca1d20b5c0add35828b8d1c595fcb730dfd4a28d25b167

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
74a2df93fa0c853d50957a845eab9068

SHA1
8b794c734296f86d4c9e6054313e3cefb0778322

SHA256
8fc6e5e209f835eef36458e07390da67bda2fc2ea4a5183543a14a285dae265d

SHA512
d51f6289cd544c32058f0a4e6378a22a7a0656439fc23f8f92cae774a7fc907cd0aed7345c8a6c132776d37751262e8857d6830b9e1e900908894f24610475a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1abbba35b73b7716891eb0a065eb3b3e

SHA1
2daa1312bb9759ee2c3665a4971b14ae9ae058c4

SHA256
fee1913b48ed568ce8bd8d139ba6c1b76d9358a050d0be63b2ba18712f6e0ae8

SHA512
c570b667e0df47eb3fedcc7462434d9e801fa62974def8c654e40047e59293e903682f39473f35ae6051b7be2334e6f7c21c6e17c4c66110917f9a52bfb4af6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7c31abfa108435ec1eb127d23643f51b

SHA1
898e998d162ec25cd9c78e2eee50f12ea4ee8d89

SHA256
b63f986a2c50feb3249cdc381ccf7c0671f6d753725e77e6f9b568f14c7a1ef2

SHA512
5419f8d025ca226036371c726222d1f16403166270a601b17f6a1b019f0169c1d88ad058806390a7c485a7fdb4cf3cd7f67312626c0e7bc28cf6bd83d9aa8b2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
38a89bf92184f513a6aa878c7b891328

SHA1
681b9e95f8e2bec416d6a677590d085490144646

SHA256
4dc6155a8c94f7dfcb90f6276aad9cea1af1bc01434f04856bf30ecbcada9a12

SHA512
cf1aabad2e0d8d9182e03e974b5e070aca7cac419970e918e1ad70df9a0d447654c8a5ff17a7b134699849d4cd8c0651dedcf1eaf66b9a33273b8c825f118c85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4c2dc0e0cb0206b51f662a9e931069b5

SHA1
aeef909f3ff2b6c1a8a7a2f4388e5b8e28d79253

SHA256
9a2882ea49a22c1e70091e656abb884d9b0d9243970aefd9e6cc6630e5bbcbbe

SHA512
7918ffdbb85e6fbdc169297a4f682e43be97990ceec13bb71793bff17280c700682c7d633fccf5981c28bf5895d9c4ae477108add9e8cf0ffea28fe29ebcdeae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
214a19fc82a4bbccd25554aa136bb42e

SHA1
35f8a5c2486cfa013dc92e47920ffc1a8b02bb84

SHA256
f4dc4ff54de955c45869dc34597361e4eeb6b9b2cab9bfbd315503d6eafcfc39

SHA512
ffbea4b3d32681e597d1ecc9f9559603298253d7fcd509264a70bf1baf66d77c760290d41f6daa444064d1520bdbc097d2388a6a823bc6245e4977c057238b91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a442824382bb6a24f03f115103a72fbc

SHA1
c71ea6c482286db21f706bd2885c2048ba46665a

SHA256
a70316662b2a9c6aead182235ef6a55c34188bf113f73df8e05c304a8269653d

SHA512
2e0db2ca102169315464e66043ad8e3d1f92118c59f886117504b30f9fd6f1dd0dbe138d78c00bc8c115ecd4c78a5bdd536c4b45aa802bd6aae66cd492b59bf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
30a96ea2d2b8d04866926641fb16ed78

SHA1
e8974a27274fc8e27ef6d7a578086f86a1fbc982

SHA256
86552156446a2f471542a02369d69a11ee302868e05da469ffcaa20e903daf2f

SHA512
437fef15d275b3735d2780594be5e484eb437f12f13640a629b47ff893126896bb37b20bc8451ae38ba2e45343ea6d82fcb7bf5ddba4963890c7718993150fca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe575004.TMP

Filesize
48B

MD5
9071b1c57138c57f0f4b4b814a05ffe4

SHA1
4b034bd886053561e6b1a603d8fe71bab201b9ec

SHA256
61158fcb5e989940ff615a83eba7d924d8ee95d237cf41852744b48276ebc559

SHA512
37cf52f958d75763fd8e9b411bfa6f00e00b42d7eb8c0551fbfc25a1d34f784a08ad503e0a5d05dc3f137a18bee8822809caf25faa551b95bb85769d3595ce07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
92KB

MD5
c7a88cd6971d6c63cbe3f170bb23e641

SHA1
e8daa471225310f43de1b57204399f5b32e2ceb8

SHA256
837cc49a3ff5d4477b490e2afb65fd211fcc0410cd1083701d956a570f87b467

SHA512
10539e0db02fb5a741939419bbaf37bfeb8d0c00ef2abb5d2d49eb07712a42725458394ee401826896d0544dd7b163a24cee5f48c20ec6aca972b884085cefc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
159KB

MD5
5d35936a5519bd88938abcda79eb0d8c

SHA1
2970206086d08f725c6de50eac232fb777fa351a

SHA256
8edc607dccf66bcb0c233ce779f1401787958ce3779c66b582595e228ee3f1e4

SHA512
e8b844cdcba8938d6260e25aa4d25f7efa22708c69b11ae439d168614bf0b0b1912d1eac013350f45d9323dabaf99a37bb57cd1e6e36d65ecfe394010f7c2237

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
159KB

MD5
769bb8c4a2c59204473011180368c86b

SHA1
65c0fd6a72a695c73d92ba9c453676b3241803d7

SHA256
7721fef9bac5094328ccc3c8dfe7c200788d31fc0046e97e35921bbe1305728a

SHA512
97ec9ecccc4261fe543dd914f61b86af97d1675b29d0a9a7b939840ee93a844ac26375a45b13753648b718b1f5257c7ae4a8c113a9fa5046fad88b8b0ae37fd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
159KB

MD5
769bb8c4a2c59204473011180368c86b

SHA1
65c0fd6a72a695c73d92ba9c453676b3241803d7

SHA256
7721fef9bac5094328ccc3c8dfe7c200788d31fc0046e97e35921bbe1305728a

SHA512
97ec9ecccc4261fe543dd914f61b86af97d1675b29d0a9a7b939840ee93a844ac26375a45b13753648b718b1f5257c7ae4a8c113a9fa5046fad88b8b0ae37fd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
159KB

MD5
824c2eb6291a8d46d51e9ed1d8d4a11e

SHA1
d9c4c3f2c0380c1b66d2f1524baf29bc6d964ef1

SHA256
1ea38945f6da0a07067fd231e6bc15fd0eeaffb946d0045784835e6a7b5f925e

SHA512
b94b2146fdc701e5860b38a4574a7583de1d524c883045c19610c3af032bfd85734520e7e1516b52bca399df4ad9cbf9e8f78a2d9461fbfc7b9b48869ec8b12d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
159KB

MD5
824c2eb6291a8d46d51e9ed1d8d4a11e

SHA1
d9c4c3f2c0380c1b66d2f1524baf29bc6d964ef1

SHA256
1ea38945f6da0a07067fd231e6bc15fd0eeaffb946d0045784835e6a7b5f925e

SHA512
b94b2146fdc701e5860b38a4574a7583de1d524c883045c19610c3af032bfd85734520e7e1516b52bca399df4ad9cbf9e8f78a2d9461fbfc7b9b48869ec8b12d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
f9f36aa40dd8ac531bf6c5cc3267fc33

SHA1
0c8d619eab49071dc8ed2fe461d3ecd54f7d35f9

SHA256
d1b00fba98f32e29c8cb685cbe8001e8dbd6fede77a44092655fd3c644c8847c

SHA512
386d8768a50547dd5946922c4f3c42d2951b2465e15694c78caf7d36b1e7cc98d8ce92829955c9053a4e5e210d7ab75b35dc24e6d254275fad743915515ea716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe574c8a.TMP

Filesize
98KB

MD5
7064fddda5c4b551424df9175b0757a0

SHA1
f788a330ec0fa1f3109d11520dd1a036ed1f8019

SHA256
1b24130e0eaf8daccf29e53eb55e97c445466518582441be4258488afd83cb11

SHA512
fb818a71ef5ae5c9a6835dfebaaa5f9f09de828c53780556181048b8a631cce1403e905ba9f91df48b1657a9888d58d770fc095dc37a5807ebbfd6e1838656e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

Filesize
2KB

MD5
e49363be96a39de62876e4b1adcc0087

SHA1
298c43845f3ede76589c47495e2e7a2918ccc684

SHA256
ec17de230ef7dd522a828d76352ac9d2b98d9fb01122c0b19386e0ebd2e2459f

SHA512
869ad2034367c3bd7d096a1163950d29acd68a76769e56d5aaf4113005335e034d1cf1db3f27c75f960559629df58833104921a3afb885c92ce684e14af90b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
4.0MB

MD5
feccda803ece2e7a3b7e9798714ad47e

SHA1
e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

SHA256
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

SHA512
dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
4.0MB

MD5
feccda803ece2e7a3b7e9798714ad47e

SHA1
e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

SHA256
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

SHA512
dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
80KB

MD5
b8d23f55d8924b617a57035db1cd3eb0

SHA1
94f84b29f47762afa6f44b39dea910286381f296

SHA256
921db56e4de5605b3759de43727f62be0f4c158a2837cf08ff376c427b85bec8

SHA512
656c74a552e068e20f234a7f66fd49a2c2477b991385c563443856d0b1e7668cb79f839f06f846eed14cfb009dd0fb4b1ad9f96fd1d0313d38cfb6d213e68099

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
298.1MB

MD5
dc3a5cbe2f1e4924825276392e3f6241

SHA1
89ea576d6a406920d26ab5135107d4f580e65f61

SHA256
37f6d69527049a07ca1ebb19891bbd2f97a08c8ab9d98078695dc14ecf10c9be

SHA512
d99c7cc631cee7088ce02fed91387b3cab7683ee237e706346f5cd499e4554b1e3b7844286ba56225e794b93d054bbdb91c5ae7853872eb0e5aca5ac326f7333

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
281.9MB

MD5
71894e41dcf7183786cf96078c0df88b

SHA1
52f5c2e08d1db80252c1009e8c79f38c44f0cb18

SHA256
2f8aa3521187b2f04b9273bb3efd021943fbc1bb898caf778a24e601a13a891d

SHA512
68321e54f6a537df890fbfe84af323d0d1f478c016743580cf1f88c8d144c9c627ce2985388134883bdfc771aaa0d1fd41f4091fdb40e071a0d6d09fe877c99f

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
302.6MB

MD5
7e6bcf95a00e9e3739b12d5b21a15e31

SHA1
bc9923bb11f0669e6c133d972fff968d5e9a05f2

SHA256
2315ad9015fc3d675469a2a9c76d5841aa4b94f4f14bfc593da3559348e5c7ad

SHA512
ef6da4f1313fa50cd1d4841f382623afea4c310a26e65b1f9d603295cab2085a7aba310e148330f4c5274a4eeb33382be0f69cc76f340f095b7f39cee880b7db

Download Submit
C:\Users\Admin\Downloads\Launcher.exe

Filesize
259KB

MD5
16fe10ca5919274cae064315c522fce4

SHA1
783db8e5e0ede251b5a9c3e356871557d14ca050

SHA256
7dad901953a41334a56e41c4c23e4ac93914c2b31a5962e69ac212d12fbb6091

SHA512
c20004726ba07b887d1c078680e0f6f971099b078405fcbc7154ec0b870e7972729b4429126f5f76976105cd68a0f38ab6dd7af47c02d20b22f39dca1f32bd92

Download Submit
C:\Users\Admin\Downloads\Launcher.exe

Filesize
259KB

MD5
16fe10ca5919274cae064315c522fce4

SHA1
783db8e5e0ede251b5a9c3e356871557d14ca050

SHA256
7dad901953a41334a56e41c4c23e4ac93914c2b31a5962e69ac212d12fbb6091

SHA512
c20004726ba07b887d1c078680e0f6f971099b078405fcbc7154ec0b870e7972729b4429126f5f76976105cd68a0f38ab6dd7af47c02d20b22f39dca1f32bd92

Download Submit
C:\Users\Admin\Downloads\Launcher.exe

Filesize
259KB

MD5
16fe10ca5919274cae064315c522fce4

SHA1
783db8e5e0ede251b5a9c3e356871557d14ca050

SHA256
7dad901953a41334a56e41c4c23e4ac93914c2b31a5962e69ac212d12fbb6091

SHA512
c20004726ba07b887d1c078680e0f6f971099b078405fcbc7154ec0b870e7972729b4429126f5f76976105cd68a0f38ab6dd7af47c02d20b22f39dca1f32bd92

Download Submit
C:\Users\Admin\Downloads\Launcher.rar

Filesize
107KB

MD5
2a08e083ddf0f55d845e3eeebe8e4569

SHA1
72d6d2364525c4fe112e89f4af0c0a512c3e954a

SHA256
708be62d988870de4a6ef63b4f007a271bf6a1a76b64ccacc96f8568389f5f86

SHA512
587f71eb36c749658fecfa4339a490cc56b36bbac8ffe3bcd355e5392b12038285b9b20bb56776c79a66a999560bfbeb269dabe397ea4934d99d9004447ad86c

Download Submit
memory/2860-579-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/2860-575-0x000000000C450000-0x000000000C49B000-memory.dmp

Filesize
300KB

Download
memory/2860-574-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/2860-569-0x00000000001D0000-0x0000000000200000-memory.dmp

Filesize
192KB

Download
memory/3332-365-0x000000000ADC0000-0x000000000AE52000-memory.dmp

Filesize
584KB

Download
memory/3332-364-0x000000000AD40000-0x000000000ADB6000-memory.dmp

Filesize
472KB

Download
memory/3332-359-0x000000000C270000-0x000000000C37A000-memory.dmp

Filesize
1.0MB

Download
memory/3332-358-0x000000000A540000-0x000000000AB46000-memory.dmp

Filesize
6.0MB

Download
memory/3332-361-0x000000000C3B0000-0x000000000C3EE000-memory.dmp

Filesize
248KB

Download
memory/3332-362-0x000000000C560000-0x000000000C5AB000-memory.dmp

Filesize
300KB

Download
memory/3332-357-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/3332-360-0x000000000C390000-0x000000000C3A2000-memory.dmp

Filesize
72KB

Download
memory/3332-371-0x000000000DE70000-0x000000000E39C000-memory.dmp

Filesize
5.2MB

Download
memory/3332-356-0x00000000021C0000-0x00000000021C6000-memory.dmp

Filesize
24KB

Download
memory/3332-352-0x00000000001D0000-0x0000000000200000-memory.dmp

Filesize
192KB

Download
memory/3332-366-0x000000000D3E0000-0x000000000D8DE000-memory.dmp

Filesize
5.0MB

Download
memory/3332-367-0x000000000D920000-0x000000000D986000-memory.dmp

Filesize
408KB

Download
memory/3332-368-0x000000000DB10000-0x000000000DB60000-memory.dmp

Filesize
320KB

Download
memory/3332-370-0x000000000DCA0000-0x000000000DE62000-memory.dmp

Filesize
1.8MB

Download