sectoprat | hxxps://mega[.]nz/file/ySRVQQLK#uh3ZeEy_ABXNVFN8uzwmzeZVReKUK1HN2lODUowUHJM

Analysis

max time kernel
1199s
max time network
1200s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/ySRVQQLK#uh3ZeEy_ABXNVFN8uzwmzeZVReKUK1HN2lODUowUHJM

Score

10^/10

sectoprat evasion rat themida trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1780-229-0x0000000000CC0000-0x0000000001894000-memory.dmp	family_sectoprat
behavioral1/memory/1780-230-0x0000000000CC0000-0x0000000001894000-memory.dmp	family_sectoprat
behavioral1/memory/5088-268-0x0000000000CC0000-0x0000000001894000-memory.dmp	family_sectoprat
behavioral1/memory/5088-269-0x0000000000CC0000-0x0000000001894000-memory.dmp	family_sectoprat
behavioral1/memory/4984-275-0x0000000000CC0000-0x0000000001894000-memory.dmp	family_sectoprat
behavioral1/memory/4984-276-0x0000000000CC0000-0x0000000001894000-memory.dmp	family_sectoprat
behavioral1/memory/4472-285-0x0000000000CC0000-0x0000000001894000-memory.dmp	family_sectoprat
behavioral1/memory/4472-286-0x0000000000CC0000-0x0000000001894000-memory.dmp	family_sectoprat
behavioral1/memory/3124-293-0x0000000000CC0000-0x0000000001894000-memory.dmp	family_sectoprat
behavioral1/memory/3124-294-0x0000000000CC0000-0x0000000001894000-memory.dmp	family_sectoprat
behavioral1/memory/4400-300-0x0000000000CC0000-0x0000000001894000-memory.dmp	family_sectoprat
behavioral1/memory/4400-301-0x0000000000CC0000-0x0000000001894000-memory.dmp	family_sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Diamond.exeDiamond.exeDiamond.exeDiamond.exeDiamond.exeDiamond.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Diamond.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Diamond.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Diamond.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Diamond.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Diamond.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Diamond.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Diamond.exeDiamond.exeDiamond.exeDiamond.exeDiamond.exeDiamond.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Diamond.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Diamond.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Diamond.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Diamond.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Diamond.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Diamond.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Diamond.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Diamond.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Diamond.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Diamond.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Diamond.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Diamond.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 6 IoCs

Processes:

Diamond.exeDiamond.exeDiamond.exeDiamond.exeDiamond.exeDiamond.exe

pid process

1780 Diamond.exe
5088 Diamond.exe
4984 Diamond.exe
4472 Diamond.exe
3124 Diamond.exe
4400 Diamond.exe

pid	process
1780	Diamond.exe
5088	Diamond.exe
4984	Diamond.exe
4472	Diamond.exe
3124	Diamond.exe
4400	Diamond.exe

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Diamond\Diamond.exe	themida
behavioral1/memory/1780-229-0x0000000000CC0000-0x0000000001894000-memory.dmp	themida
behavioral1/memory/1780-230-0x0000000000CC0000-0x0000000001894000-memory.dmp	themida
behavioral1/memory/5088-268-0x0000000000CC0000-0x0000000001894000-memory.dmp	themida
behavioral1/memory/5088-269-0x0000000000CC0000-0x0000000001894000-memory.dmp	themida
behavioral1/memory/4984-275-0x0000000000CC0000-0x0000000001894000-memory.dmp	themida
behavioral1/memory/4984-276-0x0000000000CC0000-0x0000000001894000-memory.dmp	themida
behavioral1/memory/4472-285-0x0000000000CC0000-0x0000000001894000-memory.dmp	themida
behavioral1/memory/4472-286-0x0000000000CC0000-0x0000000001894000-memory.dmp	themida
behavioral1/memory/3124-293-0x0000000000CC0000-0x0000000001894000-memory.dmp	themida
behavioral1/memory/3124-294-0x0000000000CC0000-0x0000000001894000-memory.dmp	themida
behavioral1/memory/4400-300-0x0000000000CC0000-0x0000000001894000-memory.dmp	themida
behavioral1/memory/4400-301-0x0000000000CC0000-0x0000000001894000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Diamond.exeDiamond.exeDiamond.exeDiamond.exeDiamond.exeDiamond.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Diamond.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Diamond.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Diamond.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Diamond.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Diamond.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Diamond.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

Diamond.exeDiamond.exeDiamond.exeDiamond.exeDiamond.exeDiamond.exe

pid process

1780 Diamond.exe
5088 Diamond.exe
4984 Diamond.exe
4472 Diamond.exe
3124 Diamond.exe
4400 Diamond.exe
Drops file in Windows directory 1 IoCs

Processes:

DeviceProperties.exe

description ioc process

File created C:\Windows\INF\c_display.PNF DeviceProperties.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1780	Diamond.exe
5088	Diamond.exe
4984	Diamond.exe
4472	Diamond.exe
3124	Diamond.exe
4400	Diamond.exe

description	ioc	process
File created	C:\Windows\INF\c_display.PNF	DeviceProperties.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exeAcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643243271082807"	chrome.exe

Modifies registry class 4 IoCs

Processes:

OpenWith.exeOpenWith.exechrome.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

chrome.exechrome.exemsedge.exemsedge.exe

pid process

4940 chrome.exe
4940 chrome.exe
6048 chrome.exe
6048 chrome.exe
7056 msedge.exe
7056 msedge.exe
1204 msedge.exe
1204 msedge.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid process

7820 OpenWith.exe
5616 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

4940 chrome.exe
4940 chrome.exe

pid	process
7820	OpenWith.exe
5616	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeAUDIODG.EXE7zG.exe

description	pid	process
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: 33	2296	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2296	AUDIODG.EXE
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeRestorePrivilege	1028	7zG.exe
Token: 35	1028	7zG.exe
Token: SeSecurityPrivilege	1028	7zG.exe
Token: SeSecurityPrivilege	1028	7zG.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe
Token: SeShutdownPrivilege	4940	chrome.exe
Token: SeCreatePagefilePrivilege	4940	chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

Processes:

chrome.exe7zG.exefirefox.exeNOTEPAD.EXE

pid	process
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
1028	7zG.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
7468	NOTEPAD.EXE

Suspicious use of SendNotifyMessage 31 IoCs

Processes:

chrome.exefirefox.exe

pid	process
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
4940	chrome.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe
2904	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

firefox.exeOpenWith.exeAcroRd32.exeOpenWith.exe

pid	process
2904	firefox.exe
7820	OpenWith.exe
7820	OpenWith.exe
7820	OpenWith.exe
7820	OpenWith.exe
7820	OpenWith.exe
7820	OpenWith.exe
7820	OpenWith.exe
7820	OpenWith.exe
7820	OpenWith.exe
7820	OpenWith.exe
7820	OpenWith.exe
7820	OpenWith.exe
7820	OpenWith.exe
7820	OpenWith.exe
7820	OpenWith.exe
7924	AcroRd32.exe
7924	AcroRd32.exe
7924	AcroRd32.exe
7924	AcroRd32.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe
5616	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4940 wrote to memory of 4164	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4164	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 4584	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3264	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3264	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe
PID 4940 wrote to memory of 3428	4940	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/ySRVQQLK#uh3ZeEy_ABXNVFN8uzwmzeZVReKUK1HN2lODUowUHJM
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeefbdab58,0x7ffeefbdab68,0x7ffeefbdab78
2⤵
PID:4164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1912,i,15876883550126958205,17658712475993233793,131072 /prefetch:2
2⤵
PID:4584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1912,i,15876883550126958205,17658712475993233793,131072 /prefetch:8
2⤵
PID:3264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1912,i,15876883550126958205,17658712475993233793,131072 /prefetch:8
2⤵
PID:3428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1912,i,15876883550126958205,17658712475993233793,131072 /prefetch:1
2⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1912,i,15876883550126958205,17658712475993233793,131072 /prefetch:1
2⤵
PID:3292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3940 --field-trial-handle=1912,i,15876883550126958205,17658712475993233793,131072 /prefetch:8
2⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1912,i,15876883550126958205,17658712475993233793,131072 /prefetch:8
2⤵
PID:3324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1912,i,15876883550126958205,17658712475993233793,131072 /prefetch:8
2⤵
PID:2280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1912,i,15876883550126958205,17658712475993233793,131072 /prefetch:8
2⤵
PID:3084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=984 --field-trial-handle=1912,i,15876883550126958205,17658712475993233793,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6048

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2548

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x4ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1572

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Diamond\" -spe -an -ai#7zMap27542:72:7zEvent4065
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1028

C:\Users\Admin\Desktop\Diamond\Diamond.exe
"C:\Users\Admin\Desktop\Diamond\Diamond.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1780

C:\Users\Admin\Desktop\Diamond\Diamond.exe
"C:\Users\Admin\Desktop\Diamond\Diamond.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5088

C:\Users\Admin\Desktop\Diamond\Diamond.exe
"C:\Users\Admin\Desktop\Diamond\Diamond.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4984

C:\Users\Admin\Desktop\Diamond\Diamond.exe
"C:\Users\Admin\Desktop\Diamond\Diamond.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4472

C:\Users\Admin\Desktop\Diamond\Diamond.exe
"C:\Users\Admin\Desktop\Diamond\Diamond.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3124

C:\Users\Admin\Desktop\Diamond\Diamond.exe
"C:\Users\Admin\Desktop\Diamond\Diamond.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4400

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3212

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2904

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2904.0.1452657216\1827831724" -parentBuildID 20230214051806 -prefsHandle 1800 -prefMapHandle 1792 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6274f4b1-f825-4eca-846c-032665c0fc45} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" 1892 1fb25b25b58 gpu
3⤵
PID:2324

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2904.1.1853150603\1251249673" -parentBuildID 20230214051806 -prefsHandle 2440 -prefMapHandle 2428 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d527715-0a31-4585-9d8e-977fa0ebb55d} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" 2468 1fb11789358 socket
3⤵
- Checks processor information in registry
PID:3872

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2904.2.1842957272\1314077028" -childID 1 -isForBrowser -prefsHandle 3080 -prefMapHandle 3116 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a233a9bb-1d8e-4d8e-b3a1-2e3acdd77b6b} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" 2864 1fb283dd558 tab
3⤵
PID:5028

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2904.3.1263826830\696573617" -childID 2 -isForBrowser -prefsHandle 3676 -prefMapHandle 3672 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54d5f65f-ea4f-4db7-b6ec-e8c0545d5dad} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" 3688 1fb2aa6a558 tab
3⤵
PID:5268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2904.4.1975152672\992402873" -childID 3 -isForBrowser -prefsHandle 4852 -prefMapHandle 5072 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {807f5167-d46b-46d9-a204-330ba7ad98b6} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" 5108 1fb2d67d258 tab
3⤵
PID:5728

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2904.5.862509988\676790186" -childID 4 -isForBrowser -prefsHandle 5248 -prefMapHandle 5252 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {486cff21-f0f6-4509-8fa2-b62e75529b0d} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" 5236 1fb2d67ea58 tab
3⤵
PID:5736

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2904.6.596469216\1905647973" -childID 5 -isForBrowser -prefsHandle 5440 -prefMapHandle 5444 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e2b6072-7972-424d-a2c2-35f73d84bd0b} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" 5428 1fb2d67e458 tab
3⤵
PID:5744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault363507f7h75c3h484bh9a79hb6ecf3f1adc6
1⤵
PID:6692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffeda3646f8,0x7ffeda364708,0x7ffeda364718
2⤵
PID:6728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,5780424260912688520,10727886397984052204,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
2⤵
PID:7048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,5780424260912688520,10727886397984052204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:7056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,5780424260912688520,10727886397984052204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
2⤵
PID:7068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:6464

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" display.dll,ShowAdapterSettings 0
1⤵
- Checks computer location settings
PID:3968

C:\Windows\System32\DeviceProperties.exe
"C:\Windows\System32\DeviceProperties.exe" 197880 "PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08"
2⤵
- Drops file in Windows directory
PID:1204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultb48dcff5h4efah42acha511h5524e55404a9
1⤵
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffeda3646f8,0x7ffeda364708,0x7ffeda364718
2⤵
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,2602089210062547317,1130772369502652688,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2
2⤵
PID:6164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,2602089210062547317,1130772369502652688,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,2602089210062547317,1130772369502652688,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
2⤵
PID:184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7184

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:7820

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\Diamond\wh directx11 32.dll"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:7924

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
PID:736

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3865AB2402C014F4E650C101F58B91AA --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:7240

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=774A162807731A0DBC4CE82DAA74E9DC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=774A162807731A0DBC4CE82DAA74E9DC --renderer-client-id=2 --mojo-platform-channel-handle=1772 --allow-no-sandbox-job /prefetch:1
4⤵
PID:6456

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E9384FD3B89FCF9B8DFABFA7A2F900A9 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:6784

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5BB2DADE94443D1BD632470BA1DC4CEE --mojo-platform-channel-handle=1932 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:7324

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D9C9A83A3E2812E7D391B4DEA8993ACC --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:6560

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5616

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Diamond\wh directx11 32.dll
2⤵
- Suspicious use of FindShellTrayWindow
PID:7468

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\23da87d4-2c40-4512-a3ec-4650154df07b.tmp
Filesize
138KB

MD5
06423a2917ded7c9aebcf8ff232f4954

SHA1
a64b7409840df0265f5583b2698d1f87a8f43257

SHA256
9bdc37e6b43a9ee734a38291a733f73ae5f9cb61c5ceb5b99f05201135b39a7a

SHA512
6d20433a24c6ba4f2b40fb53120efc685bc242ad8ec47d3ecc4062e70a17868e58d3deaac49effc86c9f74ae795465985bb609e2119773c6d4a31517b38b8756

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028
Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
8bff4349c60d7ed79a50d9cb9f23363c

SHA1
dc1e3a3c1cea93d49014f72e8893bdadd3e87653

SHA256
7738bea8b6031d45ef56428458554cd9e9b2c53076752040606cd5c583e65036

SHA512
7a1cc009ce69885d1709b5599d279d3c3f97aa4ef62a30cf0cdaf707f3504961f8adccbfd8119a5d35a1d176e4e469bea92cfb8f5d344b4bc022414cbd7003cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
d4ef5b6d5be8507cc3838c5117dd562d

SHA1
565b19192475f24e7f8f2875460f4f7c91e7ca38

SHA256
e82cdf3b37d8c7082dff6fca635fabc57de06450791171c22cafc6c171bac147

SHA512
086c02bc4b72291e380b077dc26bfdc1b35db56138d8c7fd6efcb42fa5fe65ffe811694a4aa8ac4fe417f807d2a0c83d423fe969cc5efb937a993446eb0ba3f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
523B

MD5
2b32b502657144a3e886a673e5900219

SHA1
4cd73844d9f484118e41be5c122d00dde5f8c0bc

SHA256
0ebddcc50a38a80090720f812436540f194b9a57cd8d7beb505b2030b2c72642

SHA512
02f3d8f14872d9340c0570790f4dc0ada8264fd63aa5acf0564c7d755bd3dfad416ab63cf5a3a85881e5c0fae1bc52242375fa68bccda1f5d5c5c787f6fc63b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
2daebdfb7b8fd9d06c9ac88d5086a44b

SHA1
fcfa299ff1f60809b52bcdeafe5cd59d5216b6df

SHA256
68cfcbd3754bb244b3a2c6fcbe39f6dcea433b32bbfd42431905edb3d18ce660

SHA512
27e8be2e4fb1d82ba2176b162780754c8c4fe257609ae3ad6cfe62f3c12f1fb378d49cb53832e4fcede41e99daffc07dab8cf61aec7ae640ef5234352cc82adb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
b97bc63a9535b91b67e11bef878d27d5

SHA1
196951337136f26fe55a3352943e7b74c388a5fe

SHA256
750e816579c5af35019ba7612c60c6a7055458165d36fa1d5b42616f038f6617

SHA512
b22a1acc7702599413d9cf9a4c5da8ce9e3c3789a45505e4f14085d217456e37d0ef8846dd27dbd1c30866256a05f22540fe492f61c37cc8e6d345a0d7d289c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
57da05ebb3d6a5da4a39d002bfae68f7

SHA1
5aaddba72cf0899857ef3d031e1a77cbecec4755

SHA256
8adb8ed8c7352e63eaa933977a3fc83c50f9d9b579d44b7a109dc26ad18eb9ea

SHA512
aa8d4b512b27ee0e73152c8a30e94f9719f5b570fe1b67fff5bb69edfb2a682118d5ef58c40eb60e9f7b5281adbff057e51ec1fa6d383d395c13151815577877

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
ba442cd183edbdaca84f73ef08dc93eb

SHA1
fd3ab7996d419f72cf68db67301dde044578c91f

SHA256
2b888512b49809e4c3cdb53813f7f503465244313f2d4f4ace8bb1251331db8d

SHA512
e175306cf7ee9354cb8577502fad90c6ab920767119e6e77a039555a97b59d934173e07916c1f109d14a4edb7c5e14509f1baf0b69b15298c1f38554f1481cc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
56067634f68231081c4bd5bdbfcc202f

SHA1
5582776da6ffc75bb0973840fc3d15598bc09eb1

SHA256
8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4

SHA512
c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
81e892ca5c5683efdf9135fe0f2adb15

SHA1
39159b30226d98a465ece1da28dc87088b20ecad

SHA256
830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17

SHA512
c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
Filesize
334B

MD5
acf2a6db6bf0ad9447c1b0c0d11e0628

SHA1
5891dcc43a46be2aa32c9a635035e6b683acff60

SHA256
7e63da0326732fd911b449c8388a54fb63815e7c0b2fade1f5e3e7cbb2ee9a0b

SHA512
0d448477d0833cfe177c922f2bc37d38d6fcfe01c273b98536e67c95d515a3aedb1f068741c76bf483808041f0bc37ef313ede5329661b16f268d86f9a00e4b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
80dd5b8d4a22ad2b2359427cd346f3e3

SHA1
bd2bfe69c62359b32e2c1740d2a0d3a146943cce

SHA256
877d1c33f6c701f6aea19b4e53348b48229a0f6ec09a31897f0227a6ab665c0f

SHA512
25c5fc291d29b4137d340b4487578d108b529498c6b20de89cd05c95c948be1fa86f604656086e3a104d60c42f3f7c012f56c64ec600642d885fdf6ca8b6af43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
Filesize
350B

MD5
b57cfb7bb272a866eb40648c8bd6517b

SHA1
9eb230d40959b2cdfaa11392c573483205fecf75

SHA256
432863d8801a5e7e516afb3a632f8f487e0b3c0c451844be2cfdbdf7008bd7ef

SHA512
b08dcd429fa59b422df584ef61fc2f6e27e661f9a6b9e0e41015ac67c0fde3e0c16fdc4408620164886ccf0ab190e918ef7afe0018434ed59f907c9c89108e42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
Filesize
326B

MD5
5f004869e1ec64f55db6467ea0ac0f7d

SHA1
72a72bd98c004c8788ccf7bba84cb5060e24e361

SHA256
8deb4a6c5018047680557adf418eb4bc4621890aca8c8031f9fe2e8c4fa478f2

SHA512
fdd01fb4892bf000194897af7a7e9be375f67c4fb65532d46e3e05a970fc17afcbd38ba5ea880008f95c7fc9716891842e60bf3953852f2511b0e48f2012367c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b55d586b-02a9-429e-944f-5b7c2f696062.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
29db7b72d3d1ed41b568f0f075e4a3e2

SHA1
efed4f117e7857026abd69cad78af36f4fa2a1ed

SHA256
0da1e0cf4b033eafde3c0b4de93aaff5d70b8430b08a5a979cd19f05fd687ca0

SHA512
02a22132d095d398e0d372bbac36041b0ae4e7cb20dcebe2371c46ec37aa1a64a3da5512d27096c25a0555455cd736ddef2de470e7528804245f4f0eb470b910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kvgg58fx.default-release\activity-stream.discovery_stream.json.tmp
Filesize
23KB

MD5
9664f7b08912e934e38b8cd32db5c54a

SHA1
ab18d1583c0bf53a8e966cf6968c90ed98b5b0c3

SHA256
3bc32d1ee7d2182f64f4e3fd20e58a44a58916460da871b389c65ef555ddf6d3

SHA512
431a9622e1acdc1e7cb0caaf435ae8fcbac59a80e50aa7e6bf00fb4886df318823c6642229cb491e57d31c9c9ce6f046fc3e234d69ca586a29292e848d1e7cd5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\prefs-1.js
Filesize
7KB

MD5
b1dee854b25c3fb211618e4bc9df25fe

SHA1
f82e696332381af6f3df3cff5dec9d94617daa4e

SHA256
6548e44c635fa4942ec08eef59f59d2747d1e9efda1c284fc636c611b32f3e2f

SHA512
afa99080518fbdd4cfedbef32f075e3d686918efcd362f82f1d7aafcb3ccf33b30f7f8e3b646ce3a2cbaf863c3f544628434e98e7dda6835cb109636ec3b3b12

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\prefs-1.js
Filesize
7KB

MD5
6b093f4265e3b9d2bd70015db33d8bff

SHA1
dcbb0f17ada06ad0efe5239228421dcfbba4f834

SHA256
2866459e69922b9f14557f780ec55791f1348f1d4d61790bc03d8d19d20196ba

SHA512
efb2d9606c4e257d3aaf50dccb9a9f81d0740323518742c81d5b3c0f71d411e2784d28d52a54e5d0977f3da720c0115eeb9f7dfa5fb7eb03e84b3ece71e33d83

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
cb01ed93a0f199670ac17395bffa63ba

SHA1
6a48c0f08888aaa930bf52fd272324f3bb392cfb

SHA256
deaf22e2e8011aa95f71a461f0fd8df3e09245c8f58c0c1bbdc02c327ad443eb

SHA512
52cdea3a975339535ed5dfc2575a06c12df4d20251f39c79b3b2679e8a304c1c635c7694e67107fd532e4bbd516533ead1995a2f6a304c1113a53fa606965db5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
0a06c67f6140df13bb752fd4af3775d0

SHA1
fe8125c39094a74904dd8a08660e96996bda05a7

SHA256
999e21d6a849debfbb0a1255f13f8e762bf0047dad1b5807419e787d3a83caab

SHA512
c9bc9334f5383c99daf05ed4e7e6cb47a974d45fd6bee81c204676ba477a2847d4fc55028583e8d6c8180e5840697a0f767d406630953159c312c4f47e47c2fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\sessionstore.jsonlz4
Filesize
911B

MD5
317532017d70e476f062743c9a227f0f

SHA1
980979d0431321d4ad823c9e16f2ebb5f8897b75

SHA256
369f2e08d1afa9fa42e2a6355e8d4d6697a1c24480cd6d679104d3e8b21e614a

SHA512
c745f2dbd48330fb1d82b644d94642fcb0526ec0a3bf64df6db33c79b0f20a9bbe28da78fb775861bb62f49b5f77b49adde65cf8d6536df52d5589e342e67d38

Download Submit
C:\Users\Admin\Desktop\Diamond.rar
Filesize
4.6MB

MD5
287e3d1f581d4c80a26e3675d43c4776

SHA1
105526010f4fe138447a826366413ef5c0ea8c2d

SHA256
b5c081952b6c2bafdbc35001539e606d55365054358c2b63325de4dbc4594094

SHA512
f07040f005cc37533c5ecd1e66023e0a931d9dad05fd1276da0030443a3ff3a7d12a4b66a650e1a5556d2174604dd856c0f0f738a7ebfbaa3fb915c22cf376fa

Download Submit
C:\Users\Admin\Desktop\Diamond\Diamond.exe
Filesize
4.3MB

MD5
ace1b114fe2d50e7b236bb0c4bb67409

SHA1
c46b4e89410a0e014e5a3d985d9fac19dd1fc3bb

SHA256
e35b2a2a441c54acfbd028067515e898894d8df4b4b2b30bcc2f350dd89be34f

SHA512
67c8cddda8307763690d9b13ff6fd4f436535ad3646b51d5ba2e416d773043e3c1ef7e361a9abfb86c881fca5734fd43de7f8d859d1340d213c51697b98b6d5e

Download Submit
C:\Users\Admin\Desktop\Diamond\wh directx11 32.dll
Filesize
261KB

MD5
8c5717762741d21e22701b4b81f89f27

SHA1
fd26b5b60d08082716c26e363edec72c9adf0cd7

SHA256
c637d2c32f5884549fdd8f895a258703c3acdbef2fddba3f94612e035aeaf6b6

SHA512
e3cb3812a67098ec249fe4d7d60f71a2c7aa91ebc74257b8db99040319b40956b919281dc6fccf4f184eb10f1765862ea54acff2eeae44082c2e09dcc6527afc

Download Submit
\??\pipe\crashpad_4940_AAWHEVBXUHFDARDU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1780-230-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/1780-247-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/1780-235-0x0000000005B70000-0x0000000005BBC000-memory.dmp

Filesize
304KB

Download
memory/1780-234-0x0000000005B30000-0x0000000005B6C000-memory.dmp

Filesize
240KB

Download
memory/1780-233-0x0000000005BC0000-0x0000000005CCA000-memory.dmp

Filesize
1.0MB

Download
memory/1780-232-0x0000000005A90000-0x0000000005AA2000-memory.dmp

Filesize
72KB

Download
memory/1780-225-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/1780-231-0x0000000006020000-0x0000000006638000-memory.dmp

Filesize
6.1MB

Download
memory/1780-229-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/3124-377-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/3124-293-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/3124-290-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/3124-294-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/4400-380-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/4400-301-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/4400-300-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/4400-297-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/4472-365-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/4472-281-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/4472-285-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/4472-286-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/4984-272-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/4984-275-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/4984-276-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/4984-304-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/5088-269-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/5088-268-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/5088-265-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download
memory/5088-288-0x0000000000CC0000-0x0000000001894000-memory.dmp

Filesize
11.8MB

Download

pid	process
4940	chrome.exe
4940	chrome.exe
6048	chrome.exe
6048	chrome.exe
7056	msedge.exe
7056	msedge.exe
1204	msedge.exe
1204	msedge.exe