laplas | bae427e9391d1bc744b12cb517ca67a2becd386d4b61dab7eff043b33960b8cc

Analysis

max time kernel
42s
max time network
145s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 16:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

1.1MB
MD5

18e79403815bcb2831d9383c9135edbf
SHA1

cd49506de380658119a1fff1745a98316152f9e6
SHA256

15dc5f309732a5d78c6f0ad0bb77baea4f6dbab4ce7d7bcad655c2ceb6de06fa
SHA512

3a0f2fe4e5445ba0e633da5b3c7832e4af4e2de907a81b0d05cfbf348a41404a83682db86710825215bbfed96cb49ef2e594f973bf37a8abfc499039b1e8e7bb
SSDEEP

6144:9hvWGad/1VqBFJlXdvaIBNJtJSeAOagS5pUGtiHjzk1In/yP3:jG/1VqBfdSedSYGszI

Score

10^/10

laplas redline @kkkllsttnnn clipper infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@kkkllsttnnn

94.142.138.4:80

Attributes

auth_value
c82524415ee633c9f508c7d4bf1d0d29

Extracted

Family

laplas

http://185.209.161.189

Attributes

api_key
f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Executes dropped EXE 10 IoCs

pid	Process
2292	svchost.exe
268	conhost.exe
2796	7z.exe
2632	7z.exe
2256	7z.exe
2472	7z.exe
2548	7z.exe
2388	7z.exe
1720	BuildMiner.exe
2224	ntlhost.exe

Loads dropped DLL 21 IoCs

pid	Process
2324	AppLaunch.exe
2324	AppLaunch.exe
2324	AppLaunch.exe
268	conhost.exe
268	conhost.exe
2760	cmd.exe
2796	7z.exe
2760	cmd.exe
2632	7z.exe
2760	cmd.exe
2256	7z.exe
2760	cmd.exe
2472	7z.exe
2760	cmd.exe
2548	7z.exe
2760	cmd.exe
2388	7z.exe
1720	BuildMiner.exe
1720	BuildMiner.exe
2292	svchost.exe
2292	svchost.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2304 set thread context of 2324	2304	Setup.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	8	Go-http-client/1.1

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{93163701-1C1D-11EE-93A5-FE0085380BD4} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1720	BuildMiner.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2324	AppLaunch.exe
2324	AppLaunch.exe
1720	BuildMiner.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	AppLaunch.exe
Token: SeRestorePrivilege	2796	7z.exe
Token: 35	2796	7z.exe
Token: SeSecurityPrivilege	2796	7z.exe
Token: SeSecurityPrivilege	2796	7z.exe
Token: SeRestorePrivilege	2632	7z.exe
Token: 35	2632	7z.exe
Token: SeSecurityPrivilege	2632	7z.exe
Token: SeSecurityPrivilege	2632	7z.exe
Token: SeRestorePrivilege	2256	7z.exe
Token: 35	2256	7z.exe
Token: SeSecurityPrivilege	2256	7z.exe
Token: SeSecurityPrivilege	2256	7z.exe
Token: SeRestorePrivilege	2472	7z.exe
Token: 35	2472	7z.exe
Token: SeSecurityPrivilege	2472	7z.exe
Token: SeSecurityPrivilege	2472	7z.exe
Token: SeRestorePrivilege	2548	7z.exe
Token: 35	2548	7z.exe
Token: SeSecurityPrivilege	2548	7z.exe
Token: SeSecurityPrivilege	2548	7z.exe
Token: SeRestorePrivilege	2388	7z.exe
Token: 35	2388	7z.exe
Token: SeSecurityPrivilege	2388	7z.exe
Token: SeSecurityPrivilege	2388	7z.exe
Token: SeDebugPrivilege	1720	BuildMiner.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2028	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2028	iexplore.exe
2028	iexplore.exe
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2324	2304	Setup.exe	29
PID 2304 wrote to memory of 2324	2304	Setup.exe	29
PID 2304 wrote to memory of 2324	2304	Setup.exe	29
PID 2304 wrote to memory of 2324	2304	Setup.exe	29
PID 2304 wrote to memory of 2324	2304	Setup.exe	29
PID 2304 wrote to memory of 2324	2304	Setup.exe	29
PID 2304 wrote to memory of 2324	2304	Setup.exe	29
PID 2304 wrote to memory of 2324	2304	Setup.exe	29
PID 2304 wrote to memory of 2324	2304	Setup.exe	29
PID 2324 wrote to memory of 2292	2324	AppLaunch.exe	31
PID 2324 wrote to memory of 2292	2324	AppLaunch.exe	31
PID 2324 wrote to memory of 2292	2324	AppLaunch.exe	31
PID 2324 wrote to memory of 2292	2324	AppLaunch.exe	31
PID 2324 wrote to memory of 268	2324	AppLaunch.exe	32
PID 2324 wrote to memory of 268	2324	AppLaunch.exe	32
PID 2324 wrote to memory of 268	2324	AppLaunch.exe	32
PID 2324 wrote to memory of 268	2324	AppLaunch.exe	32
PID 2324 wrote to memory of 268	2324	AppLaunch.exe	32
PID 2324 wrote to memory of 268	2324	AppLaunch.exe	32
PID 2324 wrote to memory of 268	2324	AppLaunch.exe	32
PID 268 wrote to memory of 2760	268	conhost.exe	33
PID 268 wrote to memory of 2760	268	conhost.exe	33
PID 268 wrote to memory of 2760	268	conhost.exe	33
PID 268 wrote to memory of 2760	268	conhost.exe	33
PID 268 wrote to memory of 2760	268	conhost.exe	33
PID 268 wrote to memory of 2760	268	conhost.exe	33
PID 268 wrote to memory of 2760	268	conhost.exe	33
PID 2760 wrote to memory of 2596	2760	cmd.exe	35
PID 2760 wrote to memory of 2596	2760	cmd.exe	35
PID 2760 wrote to memory of 2596	2760	cmd.exe	35
PID 2760 wrote to memory of 2796	2760	cmd.exe	36
PID 2760 wrote to memory of 2796	2760	cmd.exe	36
PID 2760 wrote to memory of 2796	2760	cmd.exe	36
PID 2760 wrote to memory of 2632	2760	cmd.exe	37
PID 2760 wrote to memory of 2632	2760	cmd.exe	37
PID 2760 wrote to memory of 2632	2760	cmd.exe	37
PID 2760 wrote to memory of 2256	2760	cmd.exe	38
PID 2760 wrote to memory of 2256	2760	cmd.exe	38
PID 2760 wrote to memory of 2256	2760	cmd.exe	38
PID 2760 wrote to memory of 2472	2760	cmd.exe	39
PID 2760 wrote to memory of 2472	2760	cmd.exe	39
PID 2760 wrote to memory of 2472	2760	cmd.exe	39
PID 2760 wrote to memory of 2548	2760	cmd.exe	40
PID 2760 wrote to memory of 2548	2760	cmd.exe	40
PID 2760 wrote to memory of 2548	2760	cmd.exe	40
PID 2760 wrote to memory of 2388	2760	cmd.exe	41
PID 2760 wrote to memory of 2388	2760	cmd.exe	41
PID 2760 wrote to memory of 2388	2760	cmd.exe	41
PID 2760 wrote to memory of 1376	2760	cmd.exe	42
PID 2760 wrote to memory of 1376	2760	cmd.exe	42
PID 2760 wrote to memory of 1376	2760	cmd.exe	42
PID 2760 wrote to memory of 1720	2760	cmd.exe	43
PID 2760 wrote to memory of 1720	2760	cmd.exe	43
PID 2760 wrote to memory of 1720	2760	cmd.exe	43
PID 2760 wrote to memory of 1720	2760	cmd.exe	43
PID 2760 wrote to memory of 1720	2760	cmd.exe	43
PID 2760 wrote to memory of 1720	2760	cmd.exe	43
PID 2760 wrote to memory of 1720	2760	cmd.exe	43
PID 2292 wrote to memory of 2224	2292	svchost.exe	44
PID 2292 wrote to memory of 2224	2292	svchost.exe	44
PID 2292 wrote to memory of 2224	2292	svchost.exe	44
PID 2460 wrote to memory of 1808	2460	chrome.exe	46
PID 2460 wrote to memory of 1808	2460	chrome.exe	46
PID 2460 wrote to memory of 1808	2460	chrome.exe	46

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1376	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Executes dropped EXE
      PID:2224
- - C:\Users\Admin\AppData\Local\Temp\conhost.exe
    "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\system32\mode.com
        
        mode 65,10
        5⤵
        
        PID:2596
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p14686162772176726463601229733 -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
    - - C:\Windows\system32\attrib.exe
        
        attrib +H "BuildMiner.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1376
    - - C:\Users\Admin\AppData\Local\Temp\main\BuildMiner.exe
        
        "BuildMiner.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7229758,0x7fef7229768,0x7fef7229778
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1064 --field-trial-handle=1272,i,16008641333180774848,13620379825816209647,131072 /prefetch:2
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1272,i,16008641333180774848,13620379825816209647,131072 /prefetch:8
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1272,i,16008641333180774848,13620379825816209647,131072 /prefetch:8
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2320 --field-trial-handle=1272,i,16008641333180774848,13620379825816209647,131072 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2332 --field-trial-handle=1272,i,16008641333180774848,13620379825816209647,131072 /prefetch:1
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1304 --field-trial-handle=1272,i,16008641333180774848,13620379825816209647,131072 /prefetch:2
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1328 --field-trial-handle=1272,i,16008641333180774848,13620379825816209647,131072 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3808 --field-trial-handle=1272,i,16008641333180774848,13620379825816209647,131072 /prefetch:8
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3932 --field-trial-handle=1272,i,16008641333180774848,13620379825816209647,131072 /prefetch:8
  2⤵
  PID:1728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\SyncDeny.htm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2028
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1600

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cc5f82a443c2f590f5590e96a06d76c0

SHA1
df2edca47b74585380c79db3a93bcbd3b56151ee

SHA256
ec1bf4cdf76e71d449c8eb0be9730329eb7eff3c2dbb5212faa208eca0c4e497

SHA512
7ccef680ae3b4d6564e16913500995092d5d0c951c49b542d393fdc14504dfb08043cb572795eea3d66ac9c5a9a068c7a3105a6599be436fb0acc2ee835fa841

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
14a82deb2aa3d2507a688156df52b832

SHA1
567b527b25ce5d41e9383037f69c6743bcfbfecf

SHA256
e9e04ca4a5fccc54349157ce1f7f4833e7e68583a6d851bab7b94200d1c4e2fb

SHA512
e87f961a76d5f4d1ec38e9fb9ccf729739140fe221edb3b2cd487fcf9e13494980e0c0a8be2bdc306e67842793208ea41391b2b6e7a0456e3540c5c52ab85249

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2899b66035a7bf0bd4d3903162f312a3

SHA1
d5fd87b719eeaa963bd05aaf04c314b1a38bc21c

SHA256
d7bf44ba91b0d4efd34ef1e3297832eb759c69ede7508c220379970c1e932dbc

SHA512
6d67f574b9062cb68cc34f59ae77f9006800d8bddb5e56460a7a354288617a68a70d8aad5b04ca1e9fdf27e4f5db5b3df9e210b2dfae6e5cce440dcea939d593

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
30cc6e3fd3b093407c38bd1271c0378d

SHA1
095d7015d25dfc3e77efed7e45d3128881a7b87c

SHA256
8bdeb4b4c3bedae783ba4e81d0bbdd23c1f3516dc253e87ec05d54b5a447b15a

SHA512
cfb8b2cf8ec95d487f6f147698fbd893e624d6221b81a2be1383cf6dbefa5ee70d772a6f4831c27dafe570d91109df60c32d21383492a51e233b85a4fc9c62d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
30cc6e3fd3b093407c38bd1271c0378d

SHA1
095d7015d25dfc3e77efed7e45d3128881a7b87c

SHA256
8bdeb4b4c3bedae783ba4e81d0bbdd23c1f3516dc253e87ec05d54b5a447b15a

SHA512
cfb8b2cf8ec95d487f6f147698fbd893e624d6221b81a2be1383cf6dbefa5ee70d772a6f4831c27dafe570d91109df60c32d21383492a51e233b85a4fc9c62d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
392534f4816c222ed2a27d4cd9fddc29

SHA1
161e1e982a1a1ffcc68114198878c9903fd3bcd0

SHA256
5dbf36942184221826a62a907fe77788525f3505cd86b46dc69cd2214682c670

SHA512
15207628ff25357fba0b94732a424179ac696e5483394dd7955f0439a5ffb6d54383866e0ccbe8d9c04a7dc53239c7f582723c238bfdc988a21d1c400783657c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c93a2d25bd302effc71d99bcb13b331e

SHA1
8435a3908cdb7a0f8ea525ad08c5f3f6e07a5bc4

SHA256
39676707cb6166118bcfc2278a963380aebdc7184fe0c51c740299ec4005421b

SHA512
ac56538fc2d7514696e048d188feeaa5003da451d7f4ec49b18b949effa491d97c552df5e296c3a0dec4157ac7ceea7bd0d43c961f43ddf7c829058eb9de4426

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f6793ac88106123cdbff9da7cc1db73

SHA1
111bdd4bffa1f7cfa8de0b9ab9c920acb9e4e052

SHA256
18a9c6e18c4884cb62a4f306acd67e436ae1cc44c97e6dc9d9a58ec32ea0a79d

SHA512
32f4f64cefaf3440c104b255e6a21baf150da5e1bf88116299ec8b31e57a2b06e4fbe8c49ba1fb424d2f4acd608ea7ef210b2c7bb06fe4d445265a5cee0e3306

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f6793ac88106123cdbff9da7cc1db73

SHA1
111bdd4bffa1f7cfa8de0b9ab9c920acb9e4e052

SHA256
18a9c6e18c4884cb62a4f306acd67e436ae1cc44c97e6dc9d9a58ec32ea0a79d

SHA512
32f4f64cefaf3440c104b255e6a21baf150da5e1bf88116299ec8b31e57a2b06e4fbe8c49ba1fb424d2f4acd608ea7ef210b2c7bb06fe4d445265a5cee0e3306

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f58e70594fa9ec07c6c93a7c52b94ed8

SHA1
0246668f8a14c0473dfc3d229d61ce3a33275046

SHA256
56525a64657316b5a35964f2bac5bb39b56520b7d33647db4b7ce3b4e2678276

SHA512
36816683ee1d1c9e520213cc26575481422943622d17f0e059a319c0ec64ab0cdf925a62fe25baf156407f39d5f1e854f2a30fb185cd30bfcb8ff1cfe95906dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
37582b8be04a7f1e37adb92b94e60c72

SHA1
b9dd3d3582fdbbe2f0101fa3eb740ca75d706b2a

SHA256
01a924f076c4199846af1cfa9ebbe0077069e60997298fafeb116b36b1c2de06

SHA512
0ef8478432da6d222a6e667239484c16dd855f75b068319b0cdf5b09c6044739bdd3146d13deed2ac9743975171832523c3086c4707b465fbffcd1fcd0e9c923

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5655a4a336ed15878907f186790a09fd

SHA1
f2af0d1121cbafac4e52302a47bec3112ad2938c

SHA256
fd5391dcda3d8a92f282ac79b99d9271d1f7d1d8ac8424d2100abe4cb58d79ca

SHA512
006a7d9351c72be08fcbb810a0e25166c7b06cbfdf0d8bf844c47f270886c7101efd29c6b1ff2c24856d82373ec62104fed78bd6e7aeaec6c712b2850d5ea807

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
eebdde3c8e6da2af8b23268c5be53c05

SHA1
d8eb35a27137ac99cf5e7334e338b328a732e5c0

SHA256
4ecef6224424e7121f6fbaea55c8d266aeaaf6d881963a245db921224ec6fb76

SHA512
23369a4147726efcc8938ebc4ac6ce73c8e044afa2e14791628d892c3d427028584b7d6edb07fe41e26c21456d0af9c563b517e71a44e384adf773bdd7022ad9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
fcd9f8d36eba38e286868845f449510a

SHA1
f60f9dfcd7a688077ad1ec7078adea5dda96ce71

SHA256
ea14be13d04286aa6bc17a6bf5eb4fa6550c7fd5ac893c1243322ab9f5e100ce

SHA512
8875dd568cc2ac477d0cc4714607a60b5ebaab984fc1dadb3a4be7634bcf495b0be5e05d7fe78bed08a8ea3115be096082e2f8a57251c97b0bd845b7a7b58706

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
94469c14b5c39ba78e53d3d0f4ee7f0a

SHA1
bed50f8541f84107cd35edc98a8ba7ddae93fc70

SHA256
9ac147e68494090127aa6b74646ec78dc06bff7ec37ccd5ba8870d081bec89e6

SHA512
575422536a9db7832567d3829c2df1567488138dcb78e20641b7233bd955ce7f6b5c4e6f3b7e39b5f7fd290ff63a20a2b5035e5834bc0d19f4490795a640d6a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab30C5.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4A21.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
2.5MB

MD5
e80403324a8d1bdb20efb9621185b50c

SHA1
1205f8a688cb6fc00c59dc69ca11e40ccc327aeb

SHA256
8a5e05e3862d00091656ca87d8a89ee9c954cd4c596177c681357686cf6b9e52

SHA512
6ffad08e2bdf08d74849048765f91fac957209db4903c7ece7cb2168eb02eb3f50c44a9f59ecbcaeec64f8465f186b2bf26ceafd81fdf84960f2be3aebe2246b

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
2.5MB

MD5
e80403324a8d1bdb20efb9621185b50c

SHA1
1205f8a688cb6fc00c59dc69ca11e40ccc327aeb

SHA256
8a5e05e3862d00091656ca87d8a89ee9c954cd4c596177c681357686cf6b9e52

SHA512
6ffad08e2bdf08d74849048765f91fac957209db4903c7ece7cb2168eb02eb3f50c44a9f59ecbcaeec64f8465f186b2bf26ceafd81fdf84960f2be3aebe2246b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\BuildMiner.exe

Filesize
21KB

MD5
f07360684834c1bf57e6cd110dc463f9

SHA1
3be7e427451db1f9b9f6ea69909c2bd9c6c208b6

SHA256
15f6fb4c87fd23e2981871ca9336b45a0b7e1fbc22bd881a588b57305864f728

SHA512
7657241670c65fe07c50b1b8aed5701c4fd5870e9695a0b474e6107bf483affbbfc22d9dda342675ffe872906ea16596d88dbbce5f3a2c32ddd5df5110636b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.1MB

MD5
b1835c881ee1c4fb1779e024ce44740e

SHA1
db7305c6cc5dacb6ccd83a4b34ffbbe9171630af

SHA256
17433d5a57620a0c29679b2001dd3cd68f03d16061c3b58466808b7d308483c9

SHA512
4ae6b1049c51e9c7fd6cd76fa26b6b72475afcbeed53da0a37669f32e029a8079254c78b5949b4c5394d3e5efaec68006ac3782c36f3b0edcd586b9793e08ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\BuildMiner.exe

Filesize
21KB

MD5
f07360684834c1bf57e6cd110dc463f9

SHA1
3be7e427451db1f9b9f6ea69909c2bd9c6c208b6

SHA256
15f6fb4c87fd23e2981871ca9336b45a0b7e1fbc22bd881a588b57305864f728

SHA512
7657241670c65fe07c50b1b8aed5701c4fd5870e9695a0b474e6107bf483affbbfc22d9dda342675ffe872906ea16596d88dbbce5f3a2c32ddd5df5110636b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
9KB

MD5
25988fb02c1bd6c5860328a216eeb95c

SHA1
286959e5587f441719c8f406f774b8b5bc3bf08d

SHA256
30d2fd0544d4b60f99d4149f6307aff4ca0d9ccb360cf49e07fd5f04f5131073

SHA512
b0f2f04be00126e0e375b7714dd9b33944a7953fe370411bc7ba651d3a75f5893a2fb16207c8da082b9102ca377b12c6432ab8a5c4e0a8756244647fd880450f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
9KB

MD5
c5a0af267e18b9dfc00147a44ba646ee

SHA1
5a3bef653ba78146789662a60aeccdef40136a8f

SHA256
486799e877e35e2c68670f5fc9c98fe3bd520b415ee56a03320600d051b4e7fc

SHA512
c0ae17b1ffa6198186e7047c734fe28d8596d24a3bfd75de7db8ff1966878da33084868ac74719501bcfa7e7983ff1ec212577e3fc5ae76ea7169479f049aa07

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
9KB

MD5
c5d5e934a79b72442bbfb2d7f7ba41f3

SHA1
0dc49d100ba9868aa5ec9bc80214312deb5935b1

SHA256
8ea7f54761b7c9fe7ee666aa7d75745eb16de3be97baea296a5ad8510fe044ed

SHA512
268cf5d3f5a7bd1551f681325a22e77b2851bd6dc47138addddd00176b381804f0d814c2afc93de16a738c9730b92f581681ea4f426aa2992dcaa2b0fec1e26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
9KB

MD5
fbc59d7680f17050c3a6ffb627473e3a

SHA1
95ea63eb12f337a6cfd703c525e43c075ddc6727

SHA256
d71989e150caa37e6d2dde351a2c10deeb9f04d93197df46ddca802e98797136

SHA512
35bc0e2ef79ee472f278ebdf6591b80123a8ebba1f8f3b2f9d7da8292362a5f2c6ea3908fed15e15e20d5eba8eeff1e32d83dad63a44a7b433dd264d037f97cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
1.5MB

MD5
44c969bf0b7030d8ada1df901c23f82c

SHA1
6a5363c6c5926a8be702680490365bd5b2512f54

SHA256
339216c0801b39f7e2ae10160a399d8697eb19d291e4d026c152e83df4566bdd

SHA512
9659e705627d92504f0dc4624d2ffd3a188451eac6380121ec431b5f56f4c3f7647d8e42b8c0b59d0f1e1d7b49f6c76737d35de3c04bd1df6ecfcd1824e40850

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.5MB

MD5
29db030a9fd4beeaadb30ef7327c3c84

SHA1
142dbcdb7b233b2052e21f80bd7fe4573fef3317

SHA256
14c01f01b3db41d0e4645bc32580fdba320d80cf851383ba6d9e6956e7869648

SHA512
89f8ab37794602d8ff807fda5cc18d511b5935b4fb335d10751b49cac40ec7ea492e439af321963a5ef7c62d1c523f341a677a9e00e09a3cb0099a9ef4c66fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
480B

MD5
e158d52a35f0c4f9787ac74b71acd22c

SHA1
e908178e1bb0a891ab65bc89f57e41112759c0c7

SHA256
93ff638486b9acb3e07a34b54e2efb4ac6d690c2e4303287b159692e38b71e24

SHA512
cb0e29d05786a0351d5d5f0fdeadc53f2ebf2748b311897e064ad8ec9756cd34b5d190fc0aad9abdd6ac880fdb37a93bc4c0f6c86d3ea29d672b5880d7d333f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
480B

MD5
e158d52a35f0c4f9787ac74b71acd22c

SHA1
e908178e1bb0a891ab65bc89f57e41112759c0c7

SHA256
93ff638486b9acb3e07a34b54e2efb4ac6d690c2e4303287b159692e38b71e24

SHA512
cb0e29d05786a0351d5d5f0fdeadc53f2ebf2748b311897e064ad8ec9756cd34b5d190fc0aad9abdd6ac880fdb37a93bc4c0f6c86d3ea29d672b5880d7d333f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
4.0MB

MD5
d076c4b5f5c42b44d583c534f78adbe7

SHA1
c35478e67d490145520be73277cd72cd4e837090

SHA256
2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

SHA512
b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
4.0MB

MD5
d076c4b5f5c42b44d583c534f78adbe7

SHA1
c35478e67d490145520be73277cd72cd4e837090

SHA256
2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

SHA512
b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
4.0MB

MD5
d076c4b5f5c42b44d583c534f78adbe7

SHA1
c35478e67d490145520be73277cd72cd4e837090

SHA256
2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

SHA512
b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF210FD453C6F99102.TMP

Filesize
16KB

MD5
16a7e291d277b9b9765e0428d855c75b

SHA1
d5be1156affed1f5c79faa19cd2c12b0c045eac6

SHA256
b02eecbd629de9875e5a7ed75d3dc2dd16e7a543c12cc6816d2dc14275cabe13

SHA512
74b60202b5548ad59d1c4d960a11a813677d81bc8d85f9fba43936c92306a117873e6f7eeaa3d1b87ac8d0bfb43f41b48424c4fe2758590c9c0cbf11cf6542ae

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
603.3MB

MD5
3d005c22cf5a28df830e0d01288b919c

SHA1
6bd68409f9ce27cb1178c9f706a7b055a705585d

SHA256
e841d2a30d74b5c7f561dfca72507f6413c3099909f2f1893c24023733a48d5f

SHA512
c2539c32a42ec77c37336f2215c1bb4c007326f0ae8a425b6f6ddf3cbca929f22a983b510330ce2bd2d235d060ef13c9de7b64c2fe99699b4ccaa47514823358

Download Submit
\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
2.5MB

MD5
e80403324a8d1bdb20efb9621185b50c

SHA1
1205f8a688cb6fc00c59dc69ca11e40ccc327aeb

SHA256
8a5e05e3862d00091656ca87d8a89ee9c954cd4c596177c681357686cf6b9e52

SHA512
6ffad08e2bdf08d74849048765f91fac957209db4903c7ece7cb2168eb02eb3f50c44a9f59ecbcaeec64f8465f186b2bf26ceafd81fdf84960f2be3aebe2246b

Download Submit
\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
2.5MB

MD5
e80403324a8d1bdb20efb9621185b50c

SHA1
1205f8a688cb6fc00c59dc69ca11e40ccc327aeb

SHA256
8a5e05e3862d00091656ca87d8a89ee9c954cd4c596177c681357686cf6b9e52

SHA512
6ffad08e2bdf08d74849048765f91fac957209db4903c7ece7cb2168eb02eb3f50c44a9f59ecbcaeec64f8465f186b2bf26ceafd81fdf84960f2be3aebe2246b

Download Submit
\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
2.5MB

MD5
e80403324a8d1bdb20efb9621185b50c

SHA1
1205f8a688cb6fc00c59dc69ca11e40ccc327aeb

SHA256
8a5e05e3862d00091656ca87d8a89ee9c954cd4c596177c681357686cf6b9e52

SHA512
6ffad08e2bdf08d74849048765f91fac957209db4903c7ece7cb2168eb02eb3f50c44a9f59ecbcaeec64f8465f186b2bf26ceafd81fdf84960f2be3aebe2246b

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\main\BuildMiner.exe

Filesize
21KB

MD5
f07360684834c1bf57e6cd110dc463f9

SHA1
3be7e427451db1f9b9f6ea69909c2bd9c6c208b6

SHA256
15f6fb4c87fd23e2981871ca9336b45a0b7e1fbc22bd881a588b57305864f728

SHA512
7657241670c65fe07c50b1b8aed5701c4fd5870e9695a0b474e6107bf483affbbfc22d9dda342675ffe872906ea16596d88dbbce5f3a2c32ddd5df5110636b5e

Download Submit
\Users\Admin\AppData\Local\Temp\main\BuildMiner.exe

Filesize
21KB

MD5
f07360684834c1bf57e6cd110dc463f9

SHA1
3be7e427451db1f9b9f6ea69909c2bd9c6c208b6

SHA256
15f6fb4c87fd23e2981871ca9336b45a0b7e1fbc22bd881a588b57305864f728

SHA512
7657241670c65fe07c50b1b8aed5701c4fd5870e9695a0b474e6107bf483affbbfc22d9dda342675ffe872906ea16596d88dbbce5f3a2c32ddd5df5110636b5e

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
4.0MB

MD5
d076c4b5f5c42b44d583c534f78adbe7

SHA1
c35478e67d490145520be73277cd72cd4e837090

SHA256
2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

SHA512
b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
4.0MB

MD5
d076c4b5f5c42b44d583c534f78adbe7

SHA1
c35478e67d490145520be73277cd72cd4e837090

SHA256
2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

SHA512
b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
492.4MB

MD5
c8fbe97b3cb29ca34cbb9de2bc768540

SHA1
ccc144fec7e040551ae5783fe22222d1220573ce

SHA256
372329e2a2d3f1d5a9266e7eea1c7f89a331f665a856ad5f8241300b73faa787

SHA512
9406accdd3778f0fc38d9e96d887199d3cc0e7df1d3c8d4ee30268cfbaaccb9ccb8966bb2a89c23b15901d2b6d3f6f87de2ccc4b955ad84a2e84f28d6f22e124

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
587.2MB

MD5
85728172d8f87bc2859b9cdf90fcbc06

SHA1
2228fddd78c834fb4dbdaa93bbd162a271c290b8

SHA256
04137fe60b869204ede4764ca130402b5c5531bee894056fccdf00cbf7af0f22

SHA512
7f56e1357af0353134d190a2a67eeff8d7af7739480235ecf70bc520d8c667f8e9714c0b258c631b7c44dfa5fa0b55dc757e53379031874f7fd25bc6e35b1792

Download Submit
memory/1720-153-0x0000000005000000-0x0000000005040000-memory.dmp

Filesize
256KB

Download
memory/1720-152-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/2324-54-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2324-65-0x0000000000B40000-0x0000000000B80000-memory.dmp

Filesize
256KB

Download
memory/2324-64-0x0000000000B40000-0x0000000000B80000-memory.dmp

Filesize
256KB

Download
memory/2324-63-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/2324-62-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2324-61-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2324-59-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2324-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download