agenttesla | hxxps://gofile[.]io/d/TZzUpn

Analysis

max time kernel
99s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/TZzUpn

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/5580-154-0x0000000006360000-0x0000000006574000-memory.dmp	family_agenttesla

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 6 IoCs

pid	Process
5384	bypassed.exe
5580	Morphine.exe
5368	Morphine.exe
6136	bypassed.exe
3632	Morphine.exe
5200	Morphine.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 4 IoCs

pid	pid_target	Process	procid_target
5292	5580	WerFault.exe	122
3992	5368	WerFault.exe	137
3160	3632	WerFault.exe	155
3028	5200	WerFault.exe	163

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Morphine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bypassed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Morphine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Morphine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Morphine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bypassed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
4728	timeout.exe
3108	timeout.exe
5276	timeout.exe
5548	timeout.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Morphine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Morphine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Morphine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Morphine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Morphine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Morphine.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Morphine.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Morphine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Morphine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Morphine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Morphine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Morphine.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133702363110516825"	rundll32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	msedge.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\SystemCertificates\REQUEST	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\7976D14BA502C95403263A0AEE2A91DD357AAEB1	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\7976D14BA502C95403263A0AEE2A91DD357AAEB1\Blob = 04000000010000001000000007a3e63b7cd74c7a657eff7a33b2ab420f00000001000000200000001b110b5e195a2b4ff8d28a7b4b157708365b9f1d3f6f37133dbbf539bc4a32ab140000000100000014000000083b341918bc733b95b92864b57878f59ee4d44b1900000001000000100000007a0ee6665f7c51b3587c951eb94d94e45c0000000100000004000000000800000300000001000000140000007976d14ba502c95403263a0aee2a91dd357aaeb120000000010000003f0300003082033b30820223a003020102021425827126fb88f0d0167cbab089371092a40c7571300d06092a864886f70d01010b0500303a310b300906035504030c024536311e301c060355040a0c15476f6f676c65205472757374205365727669636573310b3009060355040613025553301e170d3234303832373136313130335a170d3235303832373136313130335a303a310b300906035504030c024536311e301c060355040a0c15476f6f676c65205472757374205365727669636573310b300906035504061302555330820122300d06092a864886f70d01010105000382010f003082010a0282010100a43fb28612a2a1aa1c2528e356ee87e4eaecd6acea46e92ae6ad57f72221e78d236a69d788260fc228a6e3fcdd9a63b9dcd72dfddc6cd13f4d072aca2c702ae4ea66aae2f3f315c6872c1415b3fb63ba095ff853ba77748260caa37d71772b8ac40b8507d0c1ecd60bf70e44b6b40b2439f776e95cb41084f5eef4a5bfbb85ee40f059b23406cb5505f3763d3570b9b42ac7f15eb707713f8b151fc3fe42e88eb96845b8601a3432a6cbc395d823e75013151658d082689c196137da55cebc3749f9c02d399a5b39dc7a23e398c08fbf15b9365fa83d6ed2b9d1b262a2a382de9e066814e2cad2fe44c5610160862658247ee1b478e6c078c0e335dcde6b5ae50203010001a339303730160603551d11040f300d820b6b6579617574682e77696e301d0603551d0e04160414083b341918bc733b95b92864b57878f59ee4d44b300d06092a864886f70d01010b05000382010100176d90883ee4576e694e7abeae08a6cf466032feab42c2a919bda0c2056b0feba4d64bbba9935a1bebf1afafb79a19d8454e43b97fe9e2ffbc744a7aa57c7ba35a07d903242bc15fa05ddcf2fea6285c8296cbd58880c02d8cce8b9a2f7537b84ea7cad4251f2a3afdf8afe5b8f898ac2cd4fec68d492d4a2497590d8be4c3aee4683eff3a64ead0e069cf2754ef84800cd9e3d74ba4fd6f486e1f6b829e50c531eeb2d03be4b70dad6f4a220be2c39905e46038131d854e3480af3ddce07cd70896c1a21501b80cd5f92fe0fe44ff3036b0eb27333701aea147fd757628612deea19c09a36b3c00e482b5b5186d7a009f036630c362eafcce8dbed470b73498	rundll32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1448	msedge.exe
1448	msedge.exe
5116	msedge.exe
5116	msedge.exe
2832	identity_helper.exe
2832	identity_helper.exe
4384	msedge.exe
4384	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	5196	7zG.exe
Token: 35	5196	7zG.exe
Token: SeSecurityPrivilege	5196	7zG.exe
Token: SeSecurityPrivilege	5196	7zG.exe
Token: SeDebugPrivilege	5580	Morphine.exe
Token: SeDebugPrivilege	5368	Morphine.exe
Token: SeDebugPrivilege	3632	Morphine.exe
Token: SeDebugPrivilege	5200	Morphine.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5196	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 460	5116	msedge.exe	83
PID 5116 wrote to memory of 460	5116	msedge.exe	83
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 2344	5116	msedge.exe	84
PID 5116 wrote to memory of 1448	5116	msedge.exe	85
PID 5116 wrote to memory of 1448	5116	msedge.exe	85
PID 5116 wrote to memory of 1260	5116	msedge.exe	86
PID 5116 wrote to memory of 1260	5116	msedge.exe	86
PID 5116 wrote to memory of 1260	5116	msedge.exe	86
PID 5116 wrote to memory of 1260	5116	msedge.exe	86
PID 5116 wrote to memory of 1260	5116	msedge.exe	86
PID 5116 wrote to memory of 1260	5116	msedge.exe	86
PID 5116 wrote to memory of 1260	5116	msedge.exe	86
PID 5116 wrote to memory of 1260	5116	msedge.exe	86
PID 5116 wrote to memory of 1260	5116	msedge.exe	86
PID 5116 wrote to memory of 1260	5116	msedge.exe	86
PID 5116 wrote to memory of 1260	5116	msedge.exe	86
PID 5116 wrote to memory of 1260	5116	msedge.exe	86
PID 5116 wrote to memory of 1260	5116	msedge.exe	86
PID 5116 wrote to memory of 1260	5116	msedge.exe	86
PID 5116 wrote to memory of 1260	5116	msedge.exe	86
PID 5116 wrote to memory of 1260	5116	msedge.exe	86
PID 5116 wrote to memory of 1260	5116	msedge.exe	86
PID 5116 wrote to memory of 1260	5116	msedge.exe	86
PID 5116 wrote to memory of 1260	5116	msedge.exe	86
PID 5116 wrote to memory of 1260	5116	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/TZzUpn
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9099546f8,0x7ff909954708,0x7ff909954718
  2⤵
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,18171860029295703997,3384995065680976699,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,18171860029295703997,3384995065680976699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,18171860029295703997,3384995065680976699,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,18171860029295703997,3384995065680976699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,18171860029295703997,3384995065680976699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,18171860029295703997,3384995065680976699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,18171860029295703997,3384995065680976699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,18171860029295703997,3384995065680976699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,18171860029295703997,3384995065680976699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,18171860029295703997,3384995065680976699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,18171860029295703997,3384995065680976699,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,18171860029295703997,3384995065680976699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2188,18171860029295703997,3384995065680976699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,18171860029295703997,3384995065680976699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,18171860029295703997,3384995065680976699,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,18171860029295703997,3384995065680976699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,18171860029295703997,3384995065680976699,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:5848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1672

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\" -spe -an -ai#7zMap24663:100:7zEvent24714
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5196

C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\bypassed.exe
"C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\bypassed.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5384
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\59.tmp\5A.tmp\5B.bat "C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\bypassed.exe""
  2⤵
  - Drops file in Drivers directory
  PID:5508
- - C:\Windows\system32\openfiles.exe
    openfiles
    3⤵
    PID:5528
- - C:\Windows\system32\certutil.exe
    certutil -addstore "Root" "C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\certificate.crt"
    3⤵
    PID:5544
- - C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\Morphine.exe
    "C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\Morphine.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:5580
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c start cmd /C "color b && title Error && echo You must run the function KeyAuthApp.init(); first && timeout /t 5"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3020
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "color b && title Error && echo You must run the function KeyAuthApp.init(); first && timeout /t 5"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5180
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4728
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 2544
      4⤵
      Program crash
      PID:5292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 5580 -ip 5580
1⤵
PID:5244

C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\Morphine.exe
"C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\Morphine.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5368
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success": false, "message": "delete hosts file!"} && timeout /t 5"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5552
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success": false, "message": "delete hosts file!"} && timeout /t 5"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4936
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 1004
  2⤵
  - Program crash
  PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5368 -ip 5368
1⤵
PID:5632

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\Instructions.txt
1⤵
PID:5808

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\certificate.crt
1⤵
PID:5720

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\Instructions.txt
1⤵
PID:1888

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtAddCER C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\certificate.crt
1⤵
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:4800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:400

C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\bypassed.exe
"C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\bypassed.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6136
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DE55.tmp\DE56.tmp\DE57.bat "C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\bypassed.exe""
  2⤵
  - Drops file in Drivers directory
  PID:4076
- - C:\Windows\system32\openfiles.exe
    openfiles
    3⤵
    PID:5248
- - C:\Windows\system32\certutil.exe
    certutil -addstore "Root" "C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\certificate.crt"
    3⤵
    PID:4364
- - C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\Morphine.exe
    "C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\Morphine.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:3632
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success": false, "message": "delete hosts file!"} && timeout /t 5"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5520
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success": false, "message": "delete hosts file!"} && timeout /t 5"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 2276
      4⤵
      Program crash
      PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3632 -ip 3632
1⤵
PID:5468

C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\Morphine.exe
"C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\Morphine.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5200
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success": false, "message": "delete hosts file!"} && timeout /t 5"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5572
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success": false, "message": "delete hosts file!"} && timeout /t 5"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5732
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 2272
  2⤵
  - Program crash
  PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5200 -ip 5200
1⤵
PID:5592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Morphine.exe.log

Filesize
1KB

MD5
4f818cf0e8d5f04a1a1ad5c4abfc4c7f

SHA1
9048e304ee570e25dcbad76d752188dac1594f1c

SHA256
5b09309e8184cfd02165002c8f6a0b35cf8ff8184db6dfb649d47968fe72862a

SHA512
00cc0d1cf1f412768d721ba3f394ac6e2fcac8349479b7ea3eb64fb83540b67ce5131e19b65c081ba938e09f18f3d13d0d5b9cc74d275ac0cdd6e0e388d2c98a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d18f79790bd369cd4e40987ee28ebbe8

SHA1
01d68c57e72a6c7e512c56e9d45eb57cf439e6ba

SHA256
c286da52a17e50b6ae4126e15ecb9ff580939c51bf51ae1dda8cec3de503d48b

SHA512
82376b4550c0de80d3bf0bb4fd742a2f7b48eb1eae0796e0e822cb9b1c6044a0062163de56c8afa71364a298a39c2627325c5c69e310ca94e1f1346e429ff6ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9eb20214ae533fa98dfbfdc8128e6393

SHA1
c6b5b44c9f4fff2662968c050af58957d4649b61

SHA256
b2be14a1372115d7f53c2e179b50655e0d0b06b447a9d084b13629df7eec24ab

SHA512
58648305f6a38f477d98fcc1e525b82fc0d08fb1ab7f871d20bd2977650fa7dafa3a50d9f32e07d61bd462c294e7b651dc82b6a333752ca81682329a389ae8c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
6a0d17218028b9df845445a9a8e406c8

SHA1
9155234504ce1e6215f61de0dbaf75243618de2e

SHA256
766f8eb974e831829656e0cf0e34caa22ead3310d8df9369ce608f8d7e945799

SHA512
c5321f4ce68224215c9bd7f6c26f6c99b5605807ce1624bb75cf024cce90b8e07c0fefa57a0a07a9f983a4b2225aa18f7228acd2aaa6c0ac197c9562f117f349

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
930B

MD5
99774f38d949c29816883453444bba8d

SHA1
89962cba3cbe90104720b2de7b79b6c17eb2d9c5

SHA256
ef29efc21344d30086841c6bfd10e60b9fb0a27b6148085461da311e5c2cbf1e

SHA512
34e29b19c8e018cb5f4a1bf4064303eb532405f384eca5e65f1630f8ddb316bd9c8bdd14918d96083a53dd461992f3c2b4050216f8536bdc3555efb8331c88a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b5dc82ef3b750ef3232e36bcab87fbd9

SHA1
bafd7de99a6351b9639dce0d90dc29a117b3f67d

SHA256
99017643f3dcf822d3c9839e57644500a1d214b901a908b7e96ce8d7ce2c4fdc

SHA512
8c3aa71f8b51505de4d94d786cf7199059f1d105af89f49f1c12943300f060628a7a6728b68ef4f46a5fea26ae8feede23472524ae373766ad0b05a42e17b0f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2368154ba2229511b7355bd54689fb04

SHA1
2f7d1cb44e95b18e546565226bec688f886e64f3

SHA256
6e1e27004a39141bbdcc5f159b3e531b43f9ab173863e50ef82f6d80ca8a093e

SHA512
fe38236cee16205c33d6f968ad41196ea56664d681852a3dd92094da1b9a29a9dcaed3fe8ab7e78e96b66562c59908694a9b6f8b8849507040a4b97802f5f7c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c1c03568-ec56-451b-8f0e-f14674358f55.tmp

Filesize
24KB

MD5
6be217d826ff7c4aa81d39663a38dc10

SHA1
b32f46cf12fc4821f702880382f18ef3714eec66

SHA256
754dca9404f119306b757d135efbab8856521366fe9a3961c5373dda2a57becd

SHA512
306a06b11f079ad10db885200c0bbe37b56bd9687024e18fa84cfb95663f8fb00debebb381e030d5e6c4daca8eddcf180a37668745ec4972ef732dcb0bd4296d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b81f5182561b4cde5bc237ccacfc7feb

SHA1
b3a3b7e9df780b459284511a6549a04293a7eb6f

SHA256
7761644e961529b5d8d0a3357054674ee2ded27c57ed50418dcb12f9e1c88db9

SHA512
9665d11f7976591f54f48c8c3822f0f9d19c6f09c2dd2cedc2a52c82eb93b5b2e1dfe1544361eeca3314b9e4dae2b6424bf3db8d1cd0bd418b46ec3bffb999b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dd76002776f0b0740e50a3fe855d791d

SHA1
214b0a295badfe2d0c96c48023ff9829e993ad38

SHA256
04c23a7dc76d765d97df32cbb77b4c429a53db40a72e1a888b6daa922fc57dd3

SHA512
516fc9d6ddde10e0c7532412990c98a496c84636b3364332835a7c61ad68bcc75bc628a4f102b5d0dd0d8b702174d213b33b8cff7eed45f49065f1c531d09a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\59.tmp\5A.tmp\5B.bat

Filesize
1KB

MD5
4139d82b7887de939696e636b8c4a86e

SHA1
42ac906cc609814eb6cc27d5d0ff93c25ff842f2

SHA256
3c5bee69f5de7ccf115c18fe5d908a8a8f6232178f5af7bbb74a8efeddf85647

SHA512
8ddb01874b1c1e37780dfe4defaae393d65e8102ba9f4d0ff67c88694aea5167402b2c748e18078c15924583418bae6fa10a627868f2c94528519bd803103ceb

Download Submit
C:\Users\Admin\Downloads\Chaser+Temp+CRACKED.rar

Filesize
4.4MB

MD5
48454de3d67bed84b0930e6274e0e2a1

SHA1
a0d55c9f1cf8cb6c5ee8af27bbb13a18dd1968c0

SHA256
a3f787415a9808601d402ac69e903858bc1edc6724c7a81e00173d1510ff13a3

SHA512
4457caf801d23b8f32dbf583249b06520b12e8be9b9b03a968e9572e4dd934e11f526413e3170e051a1ae0a29db338efa2785fafcce1bf9921714a5c6ec8c73c

Download Submit
C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\Instructions.txt

Filesize
99B

MD5
378d8ddbc344f0711eb1c610f10ffe53

SHA1
962346ec837aa2f095eb7487282df5e7a3ee7759

SHA256
5e7e978df60bf6ac0953e9dc3a5865edf884cc10747181b63659230be617bd9a

SHA512
1bfd3380aa2e568a181d56a6bce2e9006c038db0541dd433035d512db736fa21d4ad99723dc74a54310419b30a992e8979b65dfa308c13e5ce4dd0c770cf3145

Download Submit
C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\Logs\ErrorLogs.txt

Filesize
257B

MD5
204a8ff4cdedea7e239ff4a6deeb7433

SHA1
b42be83d6f22feff4cacadd6159da5424e6cee29

SHA256
fd26220ceb503ed140c51e02e71df76055cbe025c891bbefd1edfaac6100e535

SHA512
0b21e2e71d4aa1654b8760a06025c4391bc95c741c0aca1191004b0ba4057a7ed5f1b7374a64148b4eafdcb4f749e3f40d1413dcefc0ad82e147a8020cdea543

Download Submit
C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\Logs\ErrorLogs.txt

Filesize
440B

MD5
ed3cf2ac3e4e5b2b25464f8d458e5471

SHA1
e312668e25cd1c8004910b4aee019e0aeedd15d5

SHA256
ec98098d14f9ce4045af3cb779c877017c37727927c0160bbf0c9bcc268b4117

SHA512
641d451541f049aac6e1d1cf6399ae161f2119a36a624df6cc80520aada8d3b7d726809dbba07afe12472b280862bdf0b38df4a0d63cf46f5863f1db3cb37f6a

Download Submit
C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\Logs\ErrorLogs.txt

Filesize
623B

MD5
74d32228f7ccd3dc7d95ad2894207a8a

SHA1
807fff9f09684ebd181abe523841a54fafa0ef61

SHA256
b66d9371a6b45e02e59c4623cbbcd97449ef05f3593fa4640d7f5843bbe17544

SHA512
742704a45d58e437865230eb923fcc033c8bb4b9a3b6cc71e2a0bf012a50c15cb5b03ee79fb39d2b81c30d5e743a1a7c1214ce134948315ce90d07acfe09c07e

Download Submit
C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\Morphine.exe

Filesize
5.8MB

MD5
c61fbe172730e0e221f4abe4069dd8e9

SHA1
f0b7f3d5b45537c3250db2ce7f15bc74e545cab3

SHA256
b4af9f34ccb4774459d6586598e0c32e7ffcd5efb45226e2d47da7def44dcc83

SHA512
f03559718dbba771620269ac5a5c0a1aefdf74e37f3fdf84c6bab39f4cc859494fd053763642debe19c99ce3f356513c23d42eb2c8c33aa5e8447b864ba70490

Download Submit
C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\bypassed.exe

Filesize
90KB

MD5
5d046cd83e8e4bbb64ca82a250e90ea8

SHA1
231c777db2aaa5677953a275137e8959ecc447ff

SHA256
049ea73a545bf2c262f03a53e2c54020dbf3314b694d37d0d0255768c73cbcf1

SHA512
6c6f5ab99735353b65eed9efd7b3f5cd90f5879cdc67856384be9aa22022377404632bea26b7c26ae771f07515251a67c360da7d3d76e76091a729d2d4bfeb87

Download Submit
C:\Users\Admin\Downloads\Chaser+Temp+CRACKED\Chaser Temp CRACKED\certificate.crt

Filesize
1KB

MD5
e3eff8b29b2d04da7a2e09e214f0949b

SHA1
34a05a3e6a8fc1710d22b9fb891f6c7a400c5701

SHA256
dfea79c5653186395f8c5c06942471144d1528a2bb0a270321b1a53bcab32f58

SHA512
bd7207bed45d100a522228ed21d1bee079e4cbd449369f114a9feda56d0ca7df1fc05c8451454f60b77ae27a12a1467eae667c9f1a992a9dab755dcd7f3344c5

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
d3a34187a3ade2feeb0164910bedc348

SHA1
ef5d6a667b344b4591cd620728b0cd82a0cc7d9c

SHA256
e97e0209d668ff9dce7f03c4c9cbd40267c0bf0dbff72a0b0bf137ce55fdd543

SHA512
70a511c80096f62dca1cc8fbe3c41399c76a9edbc7cf6433a4649ec43b3db26259ac93bde95c106b73fe666806c0ae6c8df9810c55aec0c65e2de4ea7d33e2b0

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c46900d0885faa62b57c36fa3fa25a43

SHA1
ab4e4dfcd548508ac520a5728aee565c3155a33b

SHA256
950c2ebc6731cdfcd04f51d5051e2751b1a566f942aec9bea14ee2dbf9532659

SHA512
caa037b5173f11d8d86f6abd81a1b32443f48e7c1cafe45d72617b884b9f070f7311e754253a6c81e3ed703b864c44311a2d8fad5daf78991e5f95776dab1d46

Download Submit
memory/5580-154-0x0000000006360000-0x0000000006574000-memory.dmp

Filesize
2.1MB

Download
memory/5580-153-0x00000000062D0000-0x00000000062E2000-memory.dmp

Filesize
72KB

Download
memory/5580-152-0x0000000006110000-0x000000000611A000-memory.dmp

Filesize
40KB

Download
memory/5580-151-0x0000000006120000-0x00000000061B2000-memory.dmp

Filesize
584KB

Download
memory/5580-150-0x0000000006630000-0x0000000006BD4000-memory.dmp

Filesize
5.6MB

Download
memory/5580-149-0x0000000000E80000-0x0000000001452000-memory.dmp

Filesize
5.8MB

Download