hxxp://oxy[.]st/d/qsNh

Analysis

max time kernel
163s
max time network
181s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
18-04-2024 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://oxy.st/d/qsNh

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2296	GolovaExlona.exe
2208	AuthSystem.exe
4584	javaw.exe
3192	GolovaExlona.exe

Loads dropped DLL 5 IoCs

pid	Process
4584	javaw.exe
4584	javaw.exe
4584	javaw.exe
4584	javaw.exe
4584	javaw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\lib\deploy	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\lib\deploy\messages_fr.properties	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\lib\ext\access-bridge-32.jar	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\dll\jvm.pdb	javaw.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\bin\javafx_font_t2k.dll	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\bin\msvcr100.dll	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\lib\deploy\[email protected]	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\lib\tzmappings	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\bin\fxplugins.dll	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\bin\jfr.dll	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\lib\deploy\messages_sv.properties	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\lib\jfr\default.jfc	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\bin\jawt.dll	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\bin\jdwp.dll	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\lib\ext\zipfs.jar	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\lib\management\management.properties	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\bin\dt_shmem.dll	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\lib\cmm\sRGB.pf	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\lib\classlist	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\lib\cmm\GRAY.pf	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\lib\ext\jaccess.jar	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\lib\tzdb.dat	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\lib\tzmappings	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\imisstherage.exe	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\bin\java.dll	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\lib\security	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\dll\java.pdb	javaw.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\bin\keytool.exe	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\lib\deploy\splash.gif	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\lib\jce.jar	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\bin\client\wkernel32.pdb	javaw.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\wntdll.pdb	javaw.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\bin\prism_d3d.dll	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\lib\deploy\messages_zh_CN.properties	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\lib\deploy\messages_de.properties	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\lib\psfontj2d.properties	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\bin\java.dll	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\bin\jsound.dll	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\bin\javaws.exe	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\bin\nio.dll	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\bin\jaas_nt.dll	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\bin\javafx_iio.dll	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\lib\management\management.properties	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\__tmp_rar_sfx_access_check_240787968	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\bin\w2k_lsa_auth.dll	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\lib\deploy\messages_ja.properties	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\lib\meta-index	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\bin\java_crw_demo.dll	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\lib\fonts\LucidaBrightDemiBold.ttf	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\release	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\lib\ext\sunpkcs11.jar	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\lib\deploy\[email protected]	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\bin\fontmanager.dll	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\lib\deploy\messages_it.properties	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\bin\javafx_iio.dll	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\bin\ssvagent.exe	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\lib\deploy\messages_es.properties	GolovaExlona.exe
File created	C:\Program Files (x86)\PisyaPopa\jre\lib\fonts\LucidaBrightDemiItalic.ttf	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\lib\hijrah-config-umalqura.properties	GolovaExlona.exe
File opened for modification	C:\Program Files (x86)\PisyaPopa\jre\lib\jfr\profile.jfc	GolovaExlona.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	7zFM.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133579237076925174"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
4604	chrome.exe
4604	chrome.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1792	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
1792	7zFM.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2296	GolovaExlona.exe
2208	AuthSystem.exe
4584	javaw.exe
3192	GolovaExlona.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 4624	4620	chrome.exe	71
PID 4620 wrote to memory of 4624	4620	chrome.exe	71
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 940	4620	chrome.exe	73
PID 4620 wrote to memory of 1420	4620	chrome.exe	74
PID 4620 wrote to memory of 1420	4620	chrome.exe	74
PID 4620 wrote to memory of 1080	4620	chrome.exe	75
PID 4620 wrote to memory of 1080	4620	chrome.exe	75
PID 4620 wrote to memory of 1080	4620	chrome.exe	75
PID 4620 wrote to memory of 1080	4620	chrome.exe	75
PID 4620 wrote to memory of 1080	4620	chrome.exe	75
PID 4620 wrote to memory of 1080	4620	chrome.exe	75
PID 4620 wrote to memory of 1080	4620	chrome.exe	75
PID 4620 wrote to memory of 1080	4620	chrome.exe	75
PID 4620 wrote to memory of 1080	4620	chrome.exe	75
PID 4620 wrote to memory of 1080	4620	chrome.exe	75
PID 4620 wrote to memory of 1080	4620	chrome.exe	75
PID 4620 wrote to memory of 1080	4620	chrome.exe	75
PID 4620 wrote to memory of 1080	4620	chrome.exe	75
PID 4620 wrote to memory of 1080	4620	chrome.exe	75
PID 4620 wrote to memory of 1080	4620	chrome.exe	75
PID 4620 wrote to memory of 1080	4620	chrome.exe	75
PID 4620 wrote to memory of 1080	4620	chrome.exe	75
PID 4620 wrote to memory of 1080	4620	chrome.exe	75
PID 4620 wrote to memory of 1080	4620	chrome.exe	75
PID 4620 wrote to memory of 1080	4620	chrome.exe	75
PID 4620 wrote to memory of 1080	4620	chrome.exe	75
PID 4620 wrote to memory of 1080	4620	chrome.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://oxy.st/d/qsNh
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffdef739758,0x7ffdef739768,0x7ffdef739778
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=236 --field-trial-handle=1780,i,4431499149563366864,2020927735015195533,131072 /prefetch:2
  2⤵
  PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1780,i,4431499149563366864,2020927735015195533,131072 /prefetch:8
  2⤵
  PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1780,i,4431499149563366864,2020927735015195533,131072 /prefetch:8
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2620 --field-trial-handle=1780,i,4431499149563366864,2020927735015195533,131072 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2628 --field-trial-handle=1780,i,4431499149563366864,2020927735015195533,131072 /prefetch:1
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4276 --field-trial-handle=1780,i,4431499149563366864,2020927735015195533,131072 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3060 --field-trial-handle=1780,i,4431499149563366864,2020927735015195533,131072 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5168 --field-trial-handle=1780,i,4431499149563366864,2020927735015195533,131072 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5428 --field-trial-handle=1780,i,4431499149563366864,2020927735015195533,131072 /prefetch:1
  2⤵
  PID:500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5312 --field-trial-handle=1780,i,4431499149563366864,2020927735015195533,131072 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 --field-trial-handle=1780,i,4431499149563366864,2020927735015195533,131072 /prefetch:8
  2⤵
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 --field-trial-handle=1780,i,4431499149563366864,2020927735015195533,131072 /prefetch:8
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3032 --field-trial-handle=1780,i,4431499149563366864,2020927735015195533,131072 /prefetch:8
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 --field-trial-handle=1780,i,4431499149563366864,2020927735015195533,131072 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4932 --field-trial-handle=1780,i,4431499149563366864,2020927735015195533,131072 /prefetch:8
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4632 --field-trial-handle=1780,i,4431499149563366864,2020927735015195533,131072 /prefetch:8
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3392 --field-trial-handle=1780,i,4431499149563366864,2020927735015195533,131072 /prefetch:8
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4396 --field-trial-handle=1780,i,4431499149563366864,2020927735015195533,131072 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5640 --field-trial-handle=1780,i,4431499149563366864,2020927735015195533,131072 /prefetch:8
  2⤵
  PID:4892
- C:\Users\Admin\Downloads\GolovaExlona.exe
  "C:\Users\Admin\Downloads\GolovaExlona.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:2296
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:792
- - C:\Program Files (x86)\PisyaPopa\AuthSystem.exe
    "C:\Program Files (x86)\PisyaPopa\AuthSystem.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2208
  - - C:\Program Files (x86)\PisyaPopa\jre\bin\javaw.exe
      "C:\Program Files (x86)\PisyaPopa\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Program Files (x86)\PisyaPopa\AuthSystem.exe" org.develnext.jphp.ext.javafx.FXLauncher
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3760 --field-trial-handle=1780,i,4431499149563366864,2020927735015195533,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4604

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4848

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4280

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\GolovaExlona.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1792

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2708

C:\Users\Admin\Downloads\GolovaExlona.exe
"C:\Users\Admin\Downloads\GolovaExlona.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3192
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:1292
- C:\Program Files (x86)\PisyaPopa\AuthSystem.exe
  "C:\Program Files (x86)\PisyaPopa\AuthSystem.exe"
  2⤵
  PID:2296
- - C:\Program Files (x86)\PisyaPopa\jre\bin\javaw.exe
    "C:\Program Files (x86)\PisyaPopa\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Program Files (x86)\PisyaPopa\AuthSystem.exe" org.develnext.jphp.ext.javafx.FXLauncher
    3⤵
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PisyaPopa\AuthSystem.exe

Filesize
9.4MB

MD5
f2719031f0a502553cf203686bb6adad

SHA1
64c084b723fb2c27e924e52017dcaa70e14d6ec3

SHA256
c2b645981ab34d5b5b80aa6c2234c2c0cf6fcf2a8a42bfb9286ff4d4102f3b6d

SHA512
060bbb40ba3d2bc83ca76ae8f88115924020b4fdb365de61116f1b70ea44c617297d0fc46b84623b5df2d02b4fb429ab2fea4a05b7632cedd8153b94a7333f08

Download Submit
C:\Program Files (x86)\PisyaPopa\jre\bin\javaw.exe

Filesize
187KB

MD5
48c96771106dbdd5d42bba3772e4b414

SHA1
e84749b99eb491e40a62ed2e92e4d7a790d09273

SHA256
a96d26428942065411b1b32811afd4c5557c21f1d9430f3696aa2ba4c4ac5f22

SHA512
9f891c787eb8ceed30a4e16d8e54208fa9b19f72eeec55b9f12d30dc8b63e5a798a16b1ccc8cea3e986191822c4d37aedb556e534d2eb24e4a02259555d56a2c

Download Submit
C:\Program Files (x86)\PisyaPopa\jre\lib\currency.data

Filesize
4KB

MD5
f6258230b51220609a60aa6ba70d68f3

SHA1
b5b95dd1ddcd3a433db14976e3b7f92664043536

SHA256
22458853da2415f7775652a7f57bb6665f83a9ae9fb8bd3cf05e29aac24c8441

SHA512
b2dfcfdebf9596f2bb05f021a24335f1eb2a094dca02b2d7dd1b7c871d5eecda7d50da7943b9f85edb5e92d9be6b6adfd24673ce816df3960e4d68c7f894563f

Download Submit
C:\Program Files (x86)\PisyaPopa\jre\lib\ext\jfxrt.jar

Filesize
17.3MB

MD5
042b3675517d6a637b95014523b1fd7d

SHA1
82161caf5f0a4112686e4889a9e207c7ba62a880

SHA256
a570f20f8410f9b1b7e093957bf0ae53cae4731afaea624339aa2a897a635f22

SHA512
7672d0b50a92e854d3bd3724d01084cc10a90678b768e9a627baf761993e56a0c6c62c19155649fe9a8ceeabf845d86cbbb606554872ae789018a8b66e5a2b35

Download Submit
C:\Program Files (x86)\PisyaPopa\jre\lib\ext\meta-index

Filesize
1KB

MD5
77abe2551c7a5931b70f78962ac5a3c7

SHA1
a8bb53a505d7002def70c7a8788b9a2ea8a1d7bc

SHA256
c557f0c9053301703798e01dc0f65e290b0ae69075fb49fcc0e68c14b21d87f4

SHA512
9fe671380335804d4416e26c1e00cded200687db484f770ebbdb8631a9c769f0a449c661cb38f49c41463e822beb5248e69fd63562c3d8c508154c5d64421935

Download Submit
C:\Program Files (x86)\PisyaPopa\jre\lib\i386\jvm.cfg

Filesize
657B

MD5
9fd47c1a487b79a12e90e7506469477b

SHA1
7814df0ff2ea1827c75dcd73844ca7f025998cc6

SHA256
a73aea3074360cf62adedc0c82bc9c0c36c6a777c70da6c544d0fba7b2d8529e

SHA512
97b9d4c68ac4b534f86efa9af947763ee61aee6086581d96cbf7b3dbd6fd5d9db4b4d16772dce6f347b44085cef8a6ea3bfd3b84fbd9d4ef763cef39255fbce3

Download Submit
C:\Program Files (x86)\PisyaPopa\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Program Files (x86)\PisyaPopa\jre\lib\meta-index

Filesize
2KB

MD5
91aa6ea7320140f30379f758d626e59d

SHA1
3be2febe28723b1033ccdaa110eaf59bbd6d1f96

SHA256
4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4

SHA512
03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

Download Submit
C:\Program Files (x86)\PisyaPopa\jre\lib\rt.jar

Filesize
60.7MB

MD5
edb5b5b3ef4565e4e86bffe647fb1aa2

SHA1
11f5b1b2d729309059b1bd1fe2922251d9451d5f

SHA256
d00351bd39de7dbf9e9fdbb9ee1fd82189189f9bc82e988b58e1e950d1d4bdc8

SHA512
05e7f9ed915610b70664eb7cb68f3f0bba5bd5cf208bbdb54007da5ff6311a6ddbbf057e0df5a346c9042333c29e5c766b2c0a686628f8655c2e75061a9179c1

Download Submit
C:\Users\Admin\.oracle_jre_usage\3f2009563a1975c8.timestamp

Filesize
53B

MD5
561bde805eb708ba849692475aa1db33

SHA1
138e22984d307de85392f5d7b197cab5dfe0ee90

SHA256
830a6d771f09f01f55e72760162df738d3864ff222517c8280604baa70fe1d06

SHA512
152e32d70870340c003f4f7f2d032be6786915671c9f8b1de55e0c8795e39aa5264c72b6c7eefe49e5d87f522a438ec876fb1f982848226d92ae86d0fd7e19f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
f7610dc7aa23d0d74c44ed1c2f9405e2

SHA1
007d6f3c69d0015b088cff3902d22872ca4b2267

SHA256
7073aea083ed8afd0d04a98d74e181ab3aaf9fa39252d7d0b661fa4af5ec5f7c

SHA512
cdcecdc297647341740c8a61e1e9b1509120a96a13aa423d7d73ebf69c5fc4847c8308b82984863100d1fe5f035e595d0c4b117dd939f841102d11eecc4e17c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_download.oxy.st_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_oxy.st_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
1f81e5e31f7fe1189ee401df133864e9

SHA1
fdfba69dcf3a5cf6b6b5b463872cefacf4039265

SHA256
eba9f51ea4188e236ff03d8c14ef5594a964965e142728fab2608afe669f11be

SHA512
3450a6b913b1de5420b93feda8d9e43a907646bb0c1d1407582f3f2e847d0dc1e1c5d7233c5c882dfb0d553b96230736e4a44e6e54a444c25c275b9bce13d1d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
90c7d85cc17b24c8b4fe6e1ec47378f2

SHA1
3f8f8ddc790e605b9666edef19e7b627caf075a6

SHA256
7d6d54e65c3c006bdb960d2e86a16b17c876a7525622a56f8ff4129fc7fe32f9

SHA512
923bc6db936812a90d26459e695fca6c94123869d26cb830c53e1323c4fa3ed5a40441fe934c9edf3f77262b6b4e86717c1f1acc32b6820c1274e789b9ecd799

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
399e5071c2506fcac83cc334c002fbc7

SHA1
dce7414a2954cda66d14048fe5a3c91cae6713e5

SHA256
166bd9f8dd3ed669ebd4fffd730c2fc69696a3deba5996ca496ba8224a74ca6b

SHA512
e51fd7eb124d611e5028e7390d4bf681bedb9390e72cbdf2c21be9650fa6d6c09491079402997dcf3d5dd78523ce13cf67086931b6fc57c8d296921962ae9767

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a3bdd2c9f48ec5983793a0b13d10eebb

SHA1
9809998977267315c3bf4402474baa202a601d3b

SHA256
1ebdfbb6e926165cc08305a805553f710bccf2bac61006a872bde6e4e30acd5c

SHA512
cf432c88f52c323b49de97f60c4cfaa2c16d993bee4f1f26a3bd725c904157918a93500c14b3a7ca33105cb8f6399f51e0eb93afb0f23eba9d55ef2d15b65169

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
17f76d6818e8c4404917b7d0259ce281

SHA1
7be9d0a42ad7fee3bae644bbe285435c3ef8220a

SHA256
5f32f8e718479919614124196b12e14e34e17fcf4a2cc35988e4535cb59cc44d

SHA512
e9927c1f84cb0c4992f2e6dcf7091845ff3df7a79b70596427e30e2eb74ef253a9bfd71e7b358a87dc4eca34dcd65ae5401f0f01f7dee28c490a0591de4cac4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
adfaf91201da255405837a2c0301a488

SHA1
1b1751e06f0319537c447434ac655b432e009963

SHA256
5c56fef5b283aee3b34f09c663f51f3ac8a5ddbcb4dcc4fb671d986750fca752

SHA512
bb0c25c44806b5330eb538c6986f45f47c92835aa2a3fa93990719cdca8d9e66d89aa8ee8e8a150c1b05830aceb0de988940fff28f32e8be6e24546d200db0fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1d41a9fddcd32ac2f26ecff79691defe

SHA1
8e183cc4f57d6a8d3f05b32f14c261f5fa4a48dc

SHA256
a7f56a2ae3701ae4e413c4a013bb537bced854d707c12f01056e69a082136983

SHA512
17e9ed2a81341a1ddd81a5f382b2a1ddcef6beb3eb56982f85c447377008957c05d4b92ad35b96b08e31d61a09a7c8e71f9cc7b8e9bef389e26420443e14f630

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
137KB

MD5
004321cdd2c1d7534117e1668537c25d

SHA1
465f1420854eb15df327bb4925126ced6f3fcff0

SHA256
5cebde77868d41385691c03bc4648724adef48d2cff1e2fe72c0c81c8253cf07

SHA512
cd97a5cdeaf2bfe94ce22f534d5517086e6ba32eb625281486fd80f76d292aeced0ffbbbe735863ab12802397592e92878ef7836ebc2944ec12a0095e056216e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
bf43101957b13a5f570e51b6e9d4d931

SHA1
9cfae8a390984232deddf024b48faf8d5defd5f6

SHA256
1b95c1cd2a201c1ecba034dc77eaf6b69075a335d886efcfb32e27d97856dba0

SHA512
0ec62c828a20b5059b9a71fb4b61c5565676a67968040fe4df89ff7e2f24c5f7c0917f6d22c440bdcc6c8f46e85a40d40738b32353d70509fdbbced1987ffe2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
157KB

MD5
91b98523724bd740b9194af63bae9f60

SHA1
0d3d48d4de418fb7e53f2e09fcdde4cbff5ffa80

SHA256
88dc0f952abee13b9d178140c6a7711c1cb87a21e73a7c7b727b18a17bf2f671

SHA512
962fcfbab2a84d151af98d93c88e2c43bab662afd19838fab9946f5e32acf78648b895aa158558905f66135d4f0f6d79f62525b19ef0925a358ccd5f61cdcec6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
137KB

MD5
e88e3737075b8f322b704d29a6c36ff3

SHA1
ddf4709d46e497c6cadfacce2517634130fe9425

SHA256
e1ff8ec82b3bfc6d70f0b11bb8c3a6d6d51d3442da5a21de3248337b4b072c66

SHA512
63d72ae294ecf9f8d9b71e0432a8a4082b70a58ad5d1d77614d9daffd5b79ce1b7dd36beb2e0992642977238d401f2375c636369afba8cf706b8268dd83f99f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\GolovaExlona.exe

Filesize
52.4MB

MD5
ac3556062dddafcbcae7f74e5cb80d9e

SHA1
a72afa80d2b60883e79a2b1e5bc6823ba097f351

SHA256
eed7fed321147cf344ad1c3171e8ecb9542eb28bd54e7af2ae44aff1909cf82a

SHA512
cbbac764e9a62d2c68fcc15295851cfc4a554377157b6724b734496dffcf56e62ebf86867b8af7e69e9824b88d819a64947df8f2c3fda3a85c14480369749b9b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 976771.crdownload

Filesize
72.5MB

MD5
60be299b5f056e415665a5e1ecbda639

SHA1
a67eb1cd6a28aad78639f14a3dc5c6a020167834

SHA256
c53dfc7a87d0c78534ddd738c6f608f81eb696a0e7d1e9833688ad6958397c5e

SHA512
d08471767bd495fbbd8cb465c87756342d972ead62f195bd2910fa5d5c980e78ef586750e814f981f4480c4d03c3df64ea80bcbefb191da111cae24acef5c83a

Download Submit
\Program Files (x86)\PisyaPopa\jre\bin\client\jvm.dll

Filesize
3.7MB

MD5
39c302fe0781e5af6d007e55f509606a

SHA1
23690a52e8c6578de6a7980bb78aae69d0f31780

SHA256
b1fbdbb1e4c692b34d3b9f28f8188fc6105b05d311c266d59aa5e5ec531966bc

SHA512
67f91a75e16c02ca245233b820df985bd8290a2a50480dff4b2fd2695e3cf0b4534eb1bf0d357d0b14f15ce8bd13c82d2748b5edd9cc38dc9e713f5dc383ed77

Download Submit
\Program Files (x86)\PisyaPopa\jre\bin\java.dll

Filesize
123KB

MD5
73bd0b62b158c5a8d0ce92064600620d

SHA1
63c74250c17f75fe6356b649c484ad5936c3e871

SHA256
e7b870deb08bc864fa7fd4dec67cef15896fe802fafb3009e1b7724625d7da30

SHA512
eba1cf977365446b35740471882c5209773a313de653404a8d603245417d32a4e9f23e3b6cd85721143d2f9a0e46ed330c3d8ba8c24aee390d137f9b5cd68d8f

Download Submit
\Program Files (x86)\PisyaPopa\jre\bin\msvcr100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
\Program Files (x86)\PisyaPopa\jre\bin\verify.dll

Filesize
38KB

MD5
de2167a880207bbf7464bcd1f8bc8657

SHA1
0ff7a5ea29c0364a1162a090dffc13d29bc3d3c7

SHA256
fd856ea783ad60215ce2f920fcb6bb4e416562d3c037c06d047f1ec103cd10b3

SHA512
bb83377c5cff6117cec6fbadf6d40989ce1ee3f37e4ceba17562a59ea903d8962091146e2aa5cc44cfdddf280da7928001eea98abf0c0942d69819b2433f1322

Download Submit
\Program Files (x86)\PisyaPopa\jre\bin\zip.dll

Filesize
68KB

MD5
cb99b83bbc19cd0e1c2ec6031d0a80bc

SHA1
927e1e24fd19f9ca8b5191ef3cc746b74ab68bcd

SHA256
68148243e3a03a3a1aaf4637f054993cb174c04f6bd77894fe84d74af5833bec

SHA512
29c4978fa56f15025355ce26a52bdf8197b8d8073a441425df3dfc93c7d80d36755cc05b6485dd2e1f168df2941315f883960b81368e742c4ea8e69dd82fa2ba

Download Submit
memory/2208-750-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2296-837-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2836-878-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/2836-879-0x0000000002800000-0x0000000004800000-memory.dmp

Filesize
32.0MB

Download
memory/2836-876-0x0000000002800000-0x0000000004800000-memory.dmp

Filesize
32.0MB

Download
memory/2836-869-0x0000000002800000-0x0000000004800000-memory.dmp

Filesize
32.0MB

Download
memory/2836-863-0x0000000002800000-0x0000000004800000-memory.dmp

Filesize
32.0MB

Download
memory/2836-850-0x0000000002800000-0x0000000004800000-memory.dmp

Filesize
32.0MB

Download
memory/4584-825-0x00000000028E8000-0x00000000028F0000-memory.dmp

Filesize
32KB

Download
memory/4584-828-0x0000000002800000-0x0000000004800000-memory.dmp

Filesize
32.0MB

Download
memory/4584-810-0x0000000002800000-0x0000000004800000-memory.dmp

Filesize
32.0MB

Download
memory/4584-784-0x0000000002800000-0x0000000004800000-memory.dmp

Filesize
32.0MB

Download
memory/4584-822-0x0000000002800000-0x0000000004800000-memory.dmp

Filesize
32.0MB

Download
memory/4584-824-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/4584-793-0x0000000002800000-0x0000000004800000-memory.dmp

Filesize
32.0MB

Download
memory/4584-826-0x00000000028D8000-0x00000000028E0000-memory.dmp

Filesize
32KB

Download
memory/4584-827-0x0000000002898000-0x00000000028A0000-memory.dmp

Filesize
32KB

Download
memory/4584-811-0x0000000002800000-0x0000000004800000-memory.dmp

Filesize
32.0MB

Download
memory/4584-819-0x0000000002800000-0x0000000004800000-memory.dmp

Filesize
32.0MB

Download
memory/4584-809-0x0000000002800000-0x0000000004800000-memory.dmp

Filesize
32.0MB

Download
memory/4584-807-0x0000000002800000-0x0000000004800000-memory.dmp

Filesize
32.0MB

Download
memory/4584-855-0x0000000002800000-0x0000000004800000-memory.dmp

Filesize
32.0MB

Download
memory/4584-805-0x0000000002800000-0x0000000004800000-memory.dmp

Filesize
32.0MB

Download
memory/4584-802-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/4584-815-0x0000000002800000-0x0000000004800000-memory.dmp

Filesize
32.0MB

Download
memory/4584-800-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/4584-764-0x0000000002800000-0x0000000004800000-memory.dmp

Filesize
32.0MB

Download
memory/4584-799-0x0000000002800000-0x0000000004800000-memory.dmp

Filesize
32.0MB

Download