hxxps://tinyurl[.]com/YAZLS3

Analysis

max time kernel
151s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
11/07/2024, 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://tinyurl.com/YAZLS3

Score

7^/10

execution persistence pyinstaller ransomware

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5068	CQClient2.exe

Loads dropped DLL 64 IoCs

pid	Process
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsEasyScreensaver = "C:\\Windows\\EasySCRN.scr"	CQClient2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
6	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\CQHost.exe	CQClient2.exe
File opened for modification	C:\Windows\System32\CQHost.exe	CQClient2.exe
File created	C:\Windows\System32\alg_backup.exe	CQClient2.exe
File opened for modification	C:\Windows\System32\alg_backup.exe	CQClient2.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Control Panel\Desktop\Wallpaper = "_Internal\\DontRUN.jpg"	CQClient2.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CQHost.exe	CQClient2.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\CQHost.exe	CQClient2.exe
File created	C:\Windows\EasySCRN.scr	CQClient2.exe
File opened for modification	C:\Windows\CQHost.exe	CQClient2.exe
File created	C:\Windows\Logs\CQHost.exe	CQClient2.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2068	powershell.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000200000002a8f9-428.dat	pyinstaller

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	CQClient2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	CQClient2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	CQClient2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	CQClient2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4452	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133651330301897628"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CQClient2.zip:Zone.Identifier	chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5028	chrome.exe
5028	chrome.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
2068	powershell.exe
2068	powershell.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe
5068	CQClient2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2824	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeRestorePrivilege	2824	7zFM.exe
Token: 35	2824	7zFM.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeSecurityPrivilege	2824	7zFM.exe
Token: SeShutdownPrivilege	5028	chrome.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
2824	7zFM.exe
2824	7zFM.exe
5028	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5068	CQClient2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 224	5028	chrome.exe	81
PID 5028 wrote to memory of 224	5028	chrome.exe	81
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 4872	5028	chrome.exe	82
PID 5028 wrote to memory of 2676	5028	chrome.exe	83
PID 5028 wrote to memory of 2676	5028	chrome.exe	83
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84
PID 5028 wrote to memory of 4488	5028	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://tinyurl.com/YAZLS3
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc8abacc40,0x7ffc8abacc4c,0x7ffc8abacc58
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,9105685199515429610,414822673093738711,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1792 /prefetch:2
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2076,i,9105685199515429610,414822673093738711,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,9105685199515429610,414822673093738711,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2396 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,9105685199515429610,414822673093738711,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,9105685199515429610,414822673093738711,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3508,i,9105685199515429610,414822673093738711,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4372 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3260,i,9105685199515429610,414822673093738711,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3748 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4776,i,9105685199515429610,414822673093738711,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4816,i,9105685199515429610,414822673093738711,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3084,i,9105685199515429610,414822673093738711,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3116 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3352

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5020

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\CQClient2.zip"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2824

C:\Users\Admin\Desktop\CQClient2\CQClient2.exe
"C:\Users\Admin\Desktop\CQClient2\CQClient2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5068
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "net user RUN ESCAPE /add"
  2⤵
  PID:3748
- - C:\Windows\system32\net.exe
    net user RUN ESCAPE /add
    3⤵
    PID:2024
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user RUN ESCAPE /add
      4⤵
      PID:3424
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies registry class
  PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "powershell -command "& {Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize -Name ColorizationColor -Value 16711680}""
  2⤵
  PID:4924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "& {Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize -Name ColorizationColor -Value 16711680}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2068
- C:\Windows\SYSTEM32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:4164
- C:\Windows\SYSTEM32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f
  2⤵
  PID:236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "net user FROM ESCAPE /add"
  2⤵
  PID:2328
- - C:\Windows\system32\net.exe
    net user FROM ESCAPE /add
    3⤵
    PID:3108
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user FROM ESCAPE /add
      4⤵
      PID:2884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "net user ME ESCAPE /add"
  2⤵
  PID:2844
- - C:\Windows\system32\net.exe
    net user ME ESCAPE /add
    3⤵
    PID:4696
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ME ESCAPE /add
      4⤵
      PID:796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "net user CAnt ESCAPE /add"
  2⤵
  PID:4028
- - C:\Windows\system32\net.exe
    net user CAnt ESCAPE /add
    3⤵
    PID:5000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user CAnt ESCAPE /add
      4⤵
      PID:772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "net user YOU ESCAPE /add"
  2⤵
  PID:4936
- - C:\Windows\system32\net.exe
    net user YOU ESCAPE /add
    3⤵
    PID:492
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user YOU ESCAPE /add
      4⤵
      PID:2836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "net user SEE ESCAPE /add"
  2⤵
  PID:2816
- - C:\Windows\system32\net.exe
    net user SEE ESCAPE /add
    3⤵
    PID:4308
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user SEE ESCAPE /add
      4⤵
      PID:3416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "net user IT ESCAPE /add"
  2⤵
  PID:956
- - C:\Windows\system32\net.exe
    net user IT ESCAPE /add
    3⤵
    PID:3736
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user IT ESCAPE /add
      4⤵
      PID:2088

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004E8
1⤵
PID:1192

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\be4736c0b8ca4a50aec9a2bad74e44d2 /t 1440 /p 5068
1⤵
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\8ad18d78-4c74-4ffd-ad69-175858b05af3.tmp

Filesize
92KB

MD5
8bb860c003f71babc0a0337444fa126e

SHA1
00cd3f4eca25b199b21eeaab802334cd96bb538d

SHA256
19bf0574e0e142bc2295f8c087c1e988d89d8c7a8a6db46f1d078cecfff8614c

SHA512
b5e82888c6a0f45c7db55e24a96b4a7e558b9e645d5308822b7a80e9c017578ab5b42961ee8b18e4a3b6c8add29f5f3287b3526ed3de0fa4a65ced43327e233d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
da459561ceed1fe9b3253f86b1c85273

SHA1
4d26c16f75d1dae64a6245a0553b3f3b956f17c6

SHA256
e1c3cd2aea2b5058f46f9d0d64ea66d3d67932195179213a918f11408b5c1c34

SHA512
bd7b57500afb5c872c579d91924c0a739e1be60208755ca9d062793ab7fb7a9edc5db27fe4fd2c3cc810f1653e445029b8716a78f6d7ba7b22557fc5b7cdfdb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
c6a7b1b18c2290f520f5e51c07ba4852

SHA1
2caba6b630a6be34cff0760ac12b15b20bbf0264

SHA256
a1b981bd2a25520651f30595e28cbf960b3d00cda54b92e944643a9f4df12572

SHA512
9c166d7c5340f9248e673b4acfb17edf00e9f80d280b71173eed4d446bc9c5409c86e4f2a01164a327cf6a0700c2c0bbc7d2e70c90112cf7aff7751522908896

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dcd26368b947171abc6a52a0eb9c3998

SHA1
adbb1edc57028dd5ac66f3972a95885b02b00fee

SHA256
31312ed2e7deedd51cc1488d2a755c4abcdc06d9c34c9bc731ad10124cf66ec1

SHA512
59b8511570bf17f68db4890b23ddbb8e94192f6bf00f45915fb7c62146982ddeea53c3a3fb6a6a3ed8a25dfcf0dddd6368194692e8438cb52fa69fd0971e59fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a573f8732d7feec814ab7dfa99f76a84

SHA1
ada6a719e85177e02e09c949370bfab4d40a9970

SHA256
9c8f5577f10163a7a33bbc9a5cc2782d57642a0713a5abcf5b3a30f030ee6809

SHA512
56cc705ed4ec617e596d108fa3fd9cae513239b9313f378dd4dc64b79a0b6ebcaf18143a3e300aec1ae59229daf729ae8088815467f49d3f6e09263336388730

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4816f7ff3896e3f00236edc7590a7009

SHA1
cddae7a3abdbf80c302f9d7f2329b52d0b7a375b

SHA256
551eeda13b256859494d753834dc13bfa12a0d601587752f714bfe964df55270

SHA512
60f63e4a7759132b2a02eec84a410568b1288531f5a541e1db7ede38de2ed905c05184d36cd9644e71d796df9d2d13fc973f6505f81eabf88855e6a0df1d91ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f978e630e018287243fc7e7597ef8149

SHA1
3f8b5f31d84a0df8d069badcacb65c88ba2ee14d

SHA256
1f66b0dd2cfcfa4db9cf337ed025ce9a256466bb63754d3bd7c3be7619b669f3

SHA512
031d31df5f2b185dd08eda05f5b541ed764c47021cdc46b64ccde0f7907144f7a93bfb4f9b0cd7f7aa52dcb84596cb6cd74217b9da0883191b56bb62b52feab3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f0714efb1a6dae9e17168d8690b682c1

SHA1
b46f1195c8a479889d07acc22d1b7ff027f9e327

SHA256
f8ad7a9d5a4f293238164b52f070c57496d33fdc8fd68de91dd98969c3c53404

SHA512
62cb5fa284a8b94dd46ce144532c8014d2937eee2c5aab41c40e085f888a1f1b351cd88331d931b258fe309fcc0ddff0e9bf9f38729bc50614cb0eae486dc769

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
e80cc6e466d4fa9dfd815f91f0931ee0

SHA1
2f4530df349fdf939dd4e86462b766b6496aa446

SHA256
281ce2525047969201794c2af3d47b90e5908afc04a98febdfb545675156657e

SHA512
c68c7d1e4744b52fad7b633a7c54d17e5c2181bf4b5ed722ffe3c86656d88b0001961cd6f8b76b654da9945d36cd52dd31b00ca9d8f82000d848df76a2f3f520

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
74ae275d7369516477cea5c19f024eeb

SHA1
4505d03c9663e894b60192cd3a7136eaf96dcc48

SHA256
09e54392ceef5e9920fed1ad8da163f3b1bf86c4fcf0cf79034c1fdfd87963a9

SHA512
9364e8efd7b887a918bead0da1946b221c9e0e05289a0a3dae4caed31f3aa6786ad5bb60c15df225e7ec6a7bd118ce026ead78f53a6d92750d3b440d9ffd5e69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
8a7abc79fe9a83245d0b50119e5bc453

SHA1
87e8c18c6b9bbb8ce8a80a0c892ffbb2f3669619

SHA256
28e59f0833ba6f3ad876551653f1a8b7a7b6f989e1803a7a9ab689ad0cb55fe0

SHA512
274ccb231c674a88a51b4383d0359be85f23cedcf1192eb9aca53189451770630ece6e4b924ef73a5fdc7c285b5f65cd4f267c71cfb5b19de5e52a1ec881390b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
ae747cf606bf06574f130f6b5e185200

SHA1
f7f9416bee2fa3f7f06989281c6385b7b82f4929

SHA256
8d35c69ebf695d1da8c3481c6877fb22926d22f5ef202e3840490e15f23a707a

SHA512
334c857921a2583b1d915a627fac809f3341e455f2bfce309f78f90a6a00eaf5574cf81b947cecdc7ffd32ac1faf98e69189b7202c3dbe0e6e39971f85b6a892

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sanb2sjq.x0h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\CQClient2\CQClient2.exe

Filesize
4.6MB

MD5
c2c6396216ad811a1f14121242a39898

SHA1
ce72ee4ed10bf92c1a73af35bf782923589234fc

SHA256
841740acc24f737b4923c8fd05607a7b2605f4ed8942f661542230d0bb77ede9

SHA512
b1c011b4d4c89c3d860ed8a18e7356b7fe1e26d08559318499b76c8ec47c40643c65e0d647cd06626451ef506dd8a804414159850002bd4a2ba17b37dc7204bf

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\DontRUN.jpg

Filesize
17KB

MD5
5e5f7a16c295bf6338e2704effbb5163

SHA1
768dea6cae12533d888a00c7e7a8badcb73b9fd5

SHA256
30eb29f8f3bc4acf07775bacdb9b7c9c0b4ab9533bf988c778731468204de24d

SHA512
875a07c749c4058d6ddf3ca24f0b8c0d7ef77ec5e000710054d4fd771df5ccea199090c0a8922edae28cf345ff6ea0e39c450775b8bdeed406ab6956dd44e11b

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\NOescape.jpg

Filesize
125KB

MD5
ef5d3cc723f68a560caae78fe0c78aba

SHA1
d7f7abaf8d07998cfaa828ae921e8d30c1374261

SHA256
1f30fa62de2334efd12f1db61435db7645b8aa251c644bfb8e4b853951695b04

SHA512
6a28307d58f0ec5429a6644cf12821cf3f5304613f91ae8961e6aba72b4497de9aa5a2cf1889b062b20dc7c6ff0ff8c04599516c50d4f090b785c0f4370ee5fa

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\SDL2.dll

Filesize
2.4MB

MD5
0293f98e4ae63f376f293c95f197b9ce

SHA1
6e6ae66a791001399d7dde625de50799decfbe9c

SHA256
2e4e823b46e95a29ad4ce4e7134417b0cd60145fefe606920ef6dc0ebcfb0021

SHA512
0f5f7537e414fbf04e54e744bd2c0d587c920e93ac8dcca58a15fbe041e53383b66bd7b2c1cd75f3584cab435e9ddb38354cfd7d4676dcf515642de601f3ed46

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\SDL2_image.dll

Filesize
122KB

MD5
b8d249a5e394b4e6a954c557af1b80e6

SHA1
b03bb9d09447114a018110bfb91d56ef8d5ec3bb

SHA256
1e364af75fee0c83506fbdfd4d5b0e386c4e9c6a33ddbddac61ddb131e360194

SHA512
2f2e248c3963711f1a9f5d8baea5b8527d1df1748cd7e33bf898a380ae748f7a65629438711ff9a5343e64762ec0b5dc478cdf19fbf7111dac9d11a8427e0007

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\SDL2_mixer.dll

Filesize
285KB

MD5
201aa86dc9349396b83eed4c15abe764

SHA1
1a239c479e275aa7be93c5372b2d35e98d8d8cec

SHA256
2a0fc5e9f72c2eaec3240cb82b7594a58ccda609485981f256b94d0a4dd8d6f8

SHA512
bb2cd185d1d936ceca3cc20372c98a1b1542288ad5523ff8b823fb5e842205656ec2f615f076929c69987c7468245a452238b509d37109c9bec26be5f638f3b7

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\SDL2_ttf.dll

Filesize
1.5MB

MD5
f187dfdccc102436e27704dc572a2c16

SHA1
be4d499e66b8c4eb92480e4f520ccd8eaaa39b04

SHA256
fcdfabdfce868eb33f7514025ff59c1bb6c418f1bcd6ace2300a9cd4053e1d63

SHA512
75002d96153dfd2bfdd6291f842fb553695ef3997012dae0b9a537c95c3f3a83b844a8d1162faefcddf9e1807f3db23b1a10c2789c95dd5f6fad2286bae91afb

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\_asyncio.pyd

Filesize
69KB

MD5
477dba4d6e059ea3d61fad7b6a7da10e

SHA1
1f23549e60016eeed508a30479886331b22f7a8b

SHA256
5bebeb765ab9ef045bc5515166360d6f53890d3ad6fc360c20222d61841410b6

SHA512
8119362c2793a4c5da25a63ca68aa3b144db7e4c08c80cbe8c8e7e8a875f1bd0c30e497208ce20961ddb38d3363d164b6e1651d3e030ed7b8ee5f386faf809d2

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\_bz2.pyd

Filesize
83KB

MD5
5bebc32957922fe20e927d5c4637f100

SHA1
a94ea93ee3c3d154f4f90b5c2fe072cc273376b3

SHA256
3ed0e5058d370fb14aa5469d81f96c5685559c054917c7280dd4125f21d25f62

SHA512
afbe80a73ee9bd63d9ffa4628273019400a75f75454667440f43beb253091584bf9128cbb78ae7b659ce67a5faefdba726edb37987a4fe92f082d009d523d5d6

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\_ctypes.pyd

Filesize
122KB

MD5
fb454c5e74582a805bc5e9f3da8edc7b

SHA1
782c3fa39393112275120eaf62fc6579c36b5cf8

SHA256
74e0e8384f6c2503215f4cf64c92efe7257f1aec44f72d67ad37dc8ba2530bc1

SHA512
727ada80098f07849102c76b484e9a61fb0f7da328c0276d82c6ee08213682c89deeb8459139a3fbd7f561bffaca91650a429e1b3a1ff8f341cebdf0bfa9b65d

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\_decimal.pyd

Filesize
251KB

MD5
492c0c36d8ed1b6ca2117869a09214da

SHA1
b741cae3e2c9954e726890292fa35034509ef0f6

SHA256
b8221d1c9e2c892dd6227a6042d1e49200cd5cb82adbd998e4a77f4ee0e9abf1

SHA512
b8f1c64ad94db0252d96082e73a8632412d1d73fb8095541ee423df6f00bc417a2b42c76f15d7e014e27baae0ef50311c3f768b1560db005a522373f442e4be0

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\_hashlib.pyd

Filesize
64KB

MD5
da02cefd8151ecb83f697e3bd5280775

SHA1
1c5d0437eb7e87842fde55241a5f0ca7f0fc25e7

SHA256
fd77a5756a17ec0788989f73222b0e7334dd4494b8c8647b43fe554cf3cfb354

SHA512
a13bc5c481730f48808905f872d92cb8729cc52cfb4d5345153ce361e7d6586603a58b964a1ebfd77dd6222b074e5dcca176eaaefecc39f75496b1f8387a2283

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\_lzma.pyd

Filesize
156KB

MD5
195defe58a7549117e06a57029079702

SHA1
3795b02803ca37f399d8883d30c0aa38ad77b5f2

SHA256
7bf9ff61babebd90c499a8ed9b62141f947f90d87e0bbd41a12e99d20e06954a

SHA512
c47a9b1066dd9744c51ed80215bd9645aab6cc9d6a3f9df99f618e3dd784f6c7ce6f53eabe222cf134ee649250834193d5973e6e88f8a93151886537c62e2e2b

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\_multiprocessing.pyd

Filesize
34KB

MD5
2bd43e8973882e32c9325ef81898ae62

SHA1
1e47b0420a2a1c1d910897a96440f1aeef5fa383

SHA256
3c34031b464e7881d8f9d182f7387a86b883581fd020280ec56c1e3ec6f4cc2d

SHA512
9d51bbd25c836f4f5d1fb9b42853476e13576126b8b521851948bdf08d53b8d4b4f66d2c8071843b01aa5631abdf13dc53c708dba195656a30f262dce30a88ca

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\_overlapped.pyd

Filesize
54KB

MD5
7e4553ca5c269e102eb205585cc3f6b4

SHA1
73a60dbc7478877689c96c37107e66b574ba59c9

SHA256
d5f89859609371393d379b5ffd98e5b552078050e8b02a8e2900fa9b4ee8ff91

SHA512
65b72bc603e633596d359089c260ee3d8093727c4781bff1ec0b81c8244af68f69ff3141424c5de12355c668ae3366b4385a0db7455486c536a13529c47b54ef

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\_queue.pyd

Filesize
31KB

MD5
b7e5fbd7ef3eefff8f502290c0e2b259

SHA1
9decba47b1cdb0d511b58c3146d81644e56e3611

SHA256
dbdabb5fe0ccbc8b951a2c6ec033551836b072cab756aaa56b6f22730080d173

SHA512
b7568b9df191347d1a8d305bd8ddd27cbfa064121c785fa2e6afef89ec330b60cafc366be2b22409d15c9434f5e46e36c5cbfb10783523fdcac82c30360d36f7

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\_socket.pyd

Filesize
81KB

MD5
dd8ff2a3946b8e77264e3f0011d27704

SHA1
a2d84cfc4d6410b80eea4b25e8efc08498f78990

SHA256
b102522c23dac2332511eb3502466caf842d6bcd092fbc276b7b55e9cc01b085

SHA512
958224a974a3449bcfb97faab70c0a5b594fa130adc0c83b4e15bdd7aab366b58d94a4a9016cb662329ea47558645acd0e0cc6df54f12a81ac13a6ec0c895cd8

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\_ssl.pyd

Filesize
174KB

MD5
c87c5890039c3bdb55a8bc189256315f

SHA1
84ef3c2678314b7f31246471b3300da65cb7e9de

SHA256
a5d361707f7a2a2d726b20770e8a6fc25d753be30bcbcbbb683ffee7959557c2

SHA512
e750dc36ae00249ed6da1c9d816f1bd7f8bc84ddea326c0cd0410dbcfb1a945aac8c130665bfacdccd1ee2b7ac097c6ff241bfc6cc39017c9d1cde205f460c44

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\_wmi.pyd

Filesize
36KB

MD5
8a9a59559c614fc2bcebb50073580c88

SHA1
4e4ced93f2cb5fe6a33c1484a705e10a31d88c4d

SHA256
752fb80edb51f45d3cc1c046f3b007802432b91aef400c985640d6b276a67c12

SHA512
9b17c81ff89a41307740371cb4c2f5b0cf662392296a7ab8e5a9eba75224b5d9c36a226dce92884591636c343b8238c19ef61c1fdf50cc5aa2da86b1959db413

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\base_library.zip

Filesize
1.3MB

MD5
68f96a1f0b49d240b392ebb7ea147939

SHA1
5d8aa0cccc0f744f17e546ef7120308016cb5438

SHA256
29556cc179d145e9f64d287f0455991bd62a8dc4304e20429f83a1a40959fd09

SHA512
b326d5feb4f9b3d76254240dc3b0d16cb60c0a47d75ab7a1742fe7bb0bdfafff00a9d24a4c84559f1b2b04d23fd4f53d3b8d654532cb7c57c60bb83041331d35

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\error.png

Filesize
3KB

MD5
262c31c6de4a946ab29aed0bc1dc40ad

SHA1
80c69c6ebcece999aae83079c5a0a1dbf7792145

SHA256
2cd305fbe0ac978502e48c3e3b57d8a397f298004f76a24e9d178833487331f6

SHA512
343970a1bd03c10e4d86874e2871a3932333cba7997f76085f03dee2477114dcef1029f19f37adc29d8178c453ffd4efe3a8d6ad35b8bc13776bb5d2c3fcc37c

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\freetype.dll

Filesize
639KB

MD5
236f879a5dd26dc7c118d43396444b1c

SHA1
5ed3e4e084471cf8600fb5e8c54e11a254914278

SHA256
1c487392d6d06970ba3c7b52705881f1fb069f607243499276c2f0c033c7df6f

SHA512
cc9326bf1ae8bf574a4715158eba889d7f0d5e3818e6f57395740a4b593567204d6eef95b6e99d2717128c3bffa34a8031c213ff3f2a05741e1eaf3ca07f2254

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\libjpeg-9.dll

Filesize
238KB

MD5
c540308d4a8e6289c40753fdd3e1c960

SHA1
1b84170212ca51970f794c967465ca7e84000d0e

SHA256
3a224af540c96574800f5e9acf64b2cdfb9060e727919ec14fbd187a9b5bfe69

SHA512
1dadc6b92de9af998f83faf216d2ab6483b2dea7cdea3387ac846e924adbf624f36f8093daf5cee6010fea7f3556a5e2fcac494dbc87b5a55ce564c9cd76f92b

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\libmodplug-1.dll

Filesize
259KB

MD5
ead020db018b03e63a64ebff14c77909

SHA1
89bb59ae2b3b8ec56416440642076ae7b977080e

SHA256
0c1a9032812ec4c20003a997423e67b71ecb5e59d62cdc18a5bf591176a9010e

SHA512
c4742d657e5598c606ceff29c0abb19c588ba7976a7c4bff1df80a3109fe7df25e7d0dace962ec3962a94d2715a4848f2acc997a0552bf8d893ff6e7a78857e5

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\libogg-0.dll

Filesize
25KB

MD5
307ef797fc1af567101afba8f6ce6a8c

SHA1
0023f520f874a0c3eb3dc1fe8df73e71bde5f228

SHA256
57abc4f6a9accdd08bf9a2b022a66640cc626a5bd4dac6c7c4f06a5df61ee1fe

SHA512
5b0b6049844c6fef0cd2b6b1267130bb6e4c17b26afc898cfc17499ef05e79096cd705007a74578f11a218786119be37289290c5c47541090d7b9dea2908688e

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\libopus-0.dll

Filesize
359KB

MD5
e1adac219ec78b7b2ac9999d8c2e1c94

SHA1
6910ec9351bee5c355587e42bbb2d75a65ffc0cf

SHA256
771cae79410f7fcc4f993a105a18c4ed9e8cbddd6f807a42228d95f575808806

SHA512
da1912243491227168e23fb92def056b229f9f1d8c35ae122e1a0474b0be84ceb7167b138f2ee5fffd812b80c6aca719250aca6b25931585e224e27384f4cc67

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\libopusfile-0.dll

Filesize
45KB

MD5
245498839af5a75cd034190fe805d478

SHA1
d164c38fd9690b8649afaef7c048f4aabb51dba8

SHA256
ccaaca81810bd2d1cab4692b4253a639f8d5516996db0e24d881efd3efdcc6a4

SHA512
4181dea590cbc7a9e06729b79201aa29e8349408cb922de8d4cda555fc099b3e10fee4f5a9ddf1a22eaec8f5ede12f9d6e37ed7ad0486beb12b7330cca51a79e

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\libpng16-16.dll

Filesize
206KB

MD5
3a26cd3f92436747d2285dcef1fae67f

SHA1
e3d1403be06beb32fc8dc7e8a58c31e18b586a70

SHA256
e688b4a4d18f4b6ccc99c6ca4980f51218cb825610775192d9b60b2f05eff2d5

SHA512
73d651f063246723807d837811ead30e3faca8cb0581603f264c28fea1b2bdb6d874a73c1288c7770e95463786d6945b065d4ca1cf553e08220aea4e78a6f37f

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\libtiff-5.dll

Filesize
422KB

MD5
7d40a697ca6f21a8f09468b9fce565ad

SHA1
dc3b7f7fc0d9056af370e06f1451a65e77ff07f7

SHA256
ebfe97ac5ef26b94945af3db5ffd110a4b8e92dc02559bf81ccb33f0d5ebce95

SHA512
5a195e3123f7f17d92b7eca46b9afa1ea600623ad6929ac29197447bb4d474a068fd5f61fca6731a60514125d3b0b2cafe1ff6be3a0161251a366355b660d61a

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\libwebp-7.dll

Filesize
437KB

MD5
2c5aca898ff88eb2c9028bbeefebbd1e

SHA1
7a0048674ef614bebe6cc83b1228d670372076c9

SHA256
9a53563b6058f70f2725029b7dd2fe96f869c20e8090031cd303e994dfe07b50

SHA512
46fe8b151e3a13ab506c4fc8a9f3f0f47b21f64f37097a4f1f573b547443ed23e7b2f489807c1623fbc41015f7da11665d88690d8cd0ddd61aa53789586c5a13

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\portmidi.dll

Filesize
41KB

MD5
df538704b8cd0b40096f009fd5d1b767

SHA1
d2399fbb69d237d43624e987445694ec7e0b8615

SHA256
c9f8d9043ac1570b10f104f2d00aec791f56261c84ee40773be73d0a3822e013

SHA512
408de3e99bc1bfb5b10e58ae621c0f9276530913ff26256135fe44ce78016de274cbe4c3e967457eb71870aad34dfeb362058afcebfa2d9e64f05604ab1517d4

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\pyexpat.pyd

Filesize
197KB

MD5
958231414cc697b3c59a491cc79404a7

SHA1
3dec86b90543ea439e145d7426a91a7aca1eaab6

SHA256
efd6099b1a6efdadd988d08dce0d8a34bd838106238250bccd201dc7dcd9387f

SHA512
fd29d0aab59485340b68dc4552b9e059ffb705d4a64ff9963e1ee8a69d9d96593848d07be70528d1beb02bbbbd69793ee3ea764e43b33879f5c304d8a912c3be

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\python3.DLL

Filesize
66KB

MD5
a07661c5fad97379cf6d00332999d22c

SHA1
dca65816a049b3cce5c4354c3819fef54c6299b0

SHA256
5146005c36455e7ede4b8ecc0dc6f6fa8ea6b4a99fedbabc1994ae27dfab9d1b

SHA512
6ddeb9d89ccb4d2ec5d994d85a55e5e2cc7af745056dae030ab8d72ee7830f672003f4675b6040f123fc64c19e9b48cabd0da78101774dafacf74a88fbd74b4d

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\select.pyd

Filesize
30KB

MD5
d0cc9fc9a0650ba00bd206720223493b

SHA1
295bc204e489572b74cc11801ed8590f808e1618

SHA256
411d6f538bdbaf60f1a1798fa8aa7ed3a4e8fcc99c9f9f10d21270d2f3742019

SHA512
d3ebcb91d1b8aa247d50c2c4b2ba1bf3102317c593cbf6c63883e8bf9d6e50c0a40f149654797abc5b4f17aee282ddd972a8cd9189bfcd5b9cec5ab9c341e20b

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\unicodedata.pyd

Filesize
1.1MB

MD5
cc8142bedafdfaa50b26c6d07755c7a6

SHA1
0fcab5816eaf7b138f22c29c6d5b5f59551b39fe

SHA256
bc2cf23b7b7491edcf03103b78dbaf42afd84a60ea71e764af9a1ddd0fe84268

SHA512
c3b0c1dbe5bf159ab7706f314a75a856a08ebb889f53fe22ab3ec92b35b5e211edab3934df3da64ebea76f38eb9bfc9504db8d7546a36bc3cabe40c5599a9cbd

Download Submit
C:\Users\Admin\Desktop\CQClient2\_internal\zlib1.dll

Filesize
106KB

MD5
5eac41b641e813f2a887c25e7c87a02e

SHA1
ec3f6cf88711ef8cfb3cc439cb75471a2bb9e1b5

SHA256
b1f58a17f3bfd55523e7bef685acf5b32d1c2a6f25abdcd442681266fd26ab08

SHA512
cad34a495f1d67c4d79ed88c5c52cf9f2d724a1748ee92518b8ece4e8f2fe1d443dfe93fb9dba8959c0e44c7973af41eb1471507ab8a5b1200a25d75287d5de5

Download Submit
C:\Users\Admin\Desktop\WONTESCAPE5.txt

Filesize
12B

MD5
fca3db21a572d2aff037548ee4c9a0db

SHA1
a8bc739013636e338896c15eda9c662b7bbba136

SHA256
ecd298cc2b4f93c6fc354069f0c2f4a0475b8b98cf81f32b4b663f20f4d17510

SHA512
b51b4425cca7d841b6256c15877a680ace036e3bbd70a0b3fff35a9aae124fcddd44873063599cdd453809d6766b869f393ae5e7aea1abf0853fe3f1aa53763f

Download Submit
C:\Users\Admin\Downloads\CQClient2.zip

Filesize
29.8MB

MD5
2f30fc69eccdb528e7b84daed801332e

SHA1
e9a63377bfa69521233abf5a5e0af817bf00d9ed

SHA256
744f3c8aa8dc53e874283f401b01677e58a228c94967fd2aa3d9f5f79863b278

SHA512
8da8136c8800953c17d819733f9533a227ede3a3bff648b0f24e357b4da72b672a6849993820949620d43923b3bd71f559885677bf2ecc6906108fad6369e68b

Download Submit
C:\Users\Admin\Downloads\CQClient2.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/2068-558-0x000001EC1ECD0000-0x000001EC1ECF2000-memory.dmp

Filesize
136KB

Download
memory/5068-567-0x0000000062E80000-0x0000000062EA4000-memory.dmp

Filesize
144KB

Download
memory/5068-565-0x0000000068B40000-0x0000000068B7C000-memory.dmp

Filesize
240KB

Download
memory/5068-566-0x000000006A880000-0x000000006A8A7000-memory.dmp

Filesize
156KB

Download
memory/5068-564-0x00007FFC78410000-0x00007FFC7867C000-memory.dmp

Filesize
2.4MB

Download
memory/5068-580-0x00007FFC78410000-0x00007FFC7867C000-memory.dmp

Filesize
2.4MB

Download
memory/5068-597-0x0000000068B40000-0x0000000068B7C000-memory.dmp

Filesize
240KB

Download
memory/5068-599-0x0000000062E80000-0x0000000062EA4000-memory.dmp

Filesize
144KB

Download
memory/5068-598-0x000000006A880000-0x000000006A8A7000-memory.dmp

Filesize
156KB

Download
memory/5068-596-0x00007FFC78410000-0x00007FFC7867C000-memory.dmp

Filesize
2.4MB

Download