b3fda1ccc86d46a499cb30575dcbfdf7b7c184ea254ce6b822aa82308b6afa65

Analysis

max time kernel
411s
max time network
314s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qz-tray-2.2.2-x86_64.exe
Size

86.9MB
MD5

0b7ce52792891397d5dfb85ec7f0cb10
SHA1

75fe709af4aafe91d6b0143a0b2e4668c51bec79
SHA256

b3fda1ccc86d46a499cb30575dcbfdf7b7c184ea254ce6b822aa82308b6afa65
SHA512

df01c6e13add7488bf09a0caf1fee3f60f0f3af6e07a55575b16011743f0a3db4a448264d43618bcfe3363d1253732b18d68f2d44b401fa7b2e6a3c737e7444a
SSDEEP

1572864:RcG7SIBUdEABAQTX6fff/SG/WAiRM65vCcmlsNcmMpHsDEvlYONLhmK:RcG2IKdqQL6fqG/E5vJNclpp6WLhmK

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1132	netsh.exe
3588	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QZ Tray.lnk	java.exe

Executes dropped EXE 8 IoCs

pid	Process
4120	java.exe
3560	java.exe
3200	java.exe
4136	java.exe
5052	java.exe
1508	qz-tray.exe
3196	java.exe
3744	javaw.exe

Loads dropped DLL 64 IoCs

pid	Process
4804	qz-tray-2.2.2-x86_64.exe
4804	qz-tray-2.2.2-x86_64.exe
4804	qz-tray-2.2.2-x86_64.exe
4120	java.exe
4120	java.exe
4120	java.exe
4120	java.exe
4120	java.exe
4120	java.exe
4120	java.exe
4120	java.exe
4804	qz-tray-2.2.2-x86_64.exe
3560	java.exe
3560	java.exe
3560	java.exe
3560	java.exe
3560	java.exe
3560	java.exe
3560	java.exe
3560	java.exe
4804	qz-tray-2.2.2-x86_64.exe
3200	java.exe
3200	java.exe
3200	java.exe
3200	java.exe
3200	java.exe
3200	java.exe
3200	java.exe
3200	java.exe
3200	java.exe
3200	java.exe
3200	java.exe
3200	java.exe
3200	java.exe
4804	qz-tray-2.2.2-x86_64.exe
4136	java.exe
4136	java.exe
4136	java.exe
4136	java.exe
4136	java.exe
4136	java.exe
4136	java.exe
4136	java.exe
4136	java.exe
4136	java.exe
4136	java.exe
4136	java.exe
4136	java.exe
4136	java.exe
4804	qz-tray-2.2.2-x86_64.exe
5052	java.exe
5052	java.exe
5052	java.exe
5052	java.exe
5052	java.exe
5052	java.exe
5052	java.exe
5052	java.exe
5052	java.exe
5052	java.exe
5052	java.exe
5052	java.exe
5052	java.exe
5052	java.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\FxsTmp\fxsF488.tmp	javaw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\QZ Tray\libs\jnidispatch.dll	java.exe
File opened for modification	C:\Program Files\QZ Tray\runtime\lib\tzmappings	java.exe
File created	C:\Program Files\QZ Tray\libs\api-ms-win-core-localization-l1-2-0.dll	java.exe
File created	C:\Program Files\QZ Tray\runtime\bin\net.dll	java.exe
File created	C:\Program Files\QZ Tray\runtime\conf\security\policy\README.txt	java.exe
File created	C:\Program Files\QZ Tray\runtime\conf\security\policy\unlimited\default_US_export.policy	java.exe
File opened for modification	C:\Program Files\QZ Tray\libs\api-ms-win-core-memory-l1-1-0.dll	java.exe
File created	C:\Program Files\QZ Tray\runtime\release	java.exe
File opened for modification	C:\Program Files\QZ Tray\libs\api-ms-win-core-interlocked-l1-1-0.dll	java.exe
File opened for modification	C:\Program Files\QZ Tray\libs\api-ms-win-core-string-l1-1-0.dll	java.exe
File created	C:\Program Files\QZ Tray\demo\assets\signing\sign-message.vue.js	java.exe
File created	C:\Program Files\QZ Tray\libs\api-ms-win-core-debug-l1-1-0.dll	java.exe
File created	C:\Program Files\QZ Tray\libs\api-ms-win-crt-private-l1-1-0.dll	java.exe
File created	C:\Program Files\QZ Tray\runtime\bin\jawt.dll	java.exe
File created	C:\Program Files\QZ Tray\runtime\conf\logging.properties	java.exe
File opened for modification	C:\Program Files\QZ Tray\libs\api-ms-win-core-synch-l1-2-0.dll	java.exe
File opened for modification	C:\Program Files\QZ Tray\runtime\bin\javaw.exe	java.exe
File opened for modification	C:\Program Files\QZ Tray\runtime\bin\jsound.dll	java.exe
File opened for modification	C:\Program Files\QZ Tray\runtime\bin\nio.dll	java.exe
File opened for modification	C:\Program Files\QZ Tray\runtime\lib\tzdb.dat	java.exe
File opened for modification	C:\Program Files\QZ Tray\demo\assets\fgl_sample.txt	java.exe
File opened for modification	C:\Program Files\QZ Tray\runtime\bin\javajpeg.dll	java.exe
File opened for modification	C:\Program Files\QZ Tray\runtime\bin\vcruntime140.dll	java.exe
File opened for modification	C:\Program Files\QZ Tray\runtime\conf\security\java.policy	java.exe
File opened for modification	C:\Program Files\QZ Tray\runtime\conf\security\policy\limited\exempt_local.policy	java.exe
File created	C:\Program Files\QZ Tray\runtime\bin\javaw.exe	java.exe
File created	C:\Program Files\QZ Tray\runtime\lib\fontconfig.properties.src	java.exe
File opened for modification	C:\Program Files\QZ Tray\runtime\bin\freetype.dll	java.exe
File created	C:\Program Files\QZ Tray\libs\api-ms-win-core-timezone-l1-1-0.dll	java.exe
File created	C:\Program Files\QZ Tray\runtime\bin\jimage.dll	java.exe
File created	C:\Program Files\QZ Tray\runtime\bin\splashscreen.dll	java.exe
File created	C:\Program Files\QZ Tray\runtime\conf\sound.properties	java.exe
File opened for modification	C:\Program Files\QZ Tray\runtime\bin\lcms.dll	java.exe
File created	C:\Program Files\QZ Tray\demo\sample.html	java.exe
File created	C:\Program Files\QZ Tray\libs\api-ms-win-core-processthreads-l1-1-0.dll	java.exe
File created	C:\Program Files\QZ Tray\libs\jfxwebkit.dll	java.exe
File opened for modification	C:\Program Files\QZ Tray\runtime\bin\fontmanager.dll	java.exe
File opened for modification	C:\Program Files\QZ Tray\runtime\lib\fontconfig.properties.src	java.exe
File opened for modification	C:\Program Files\QZ Tray\demo\assets\zpl_sample.xml	java.exe
File opened for modification	C:\Program Files\QZ Tray\demo\sample.html	java.exe
File opened for modification	C:\Program Files\QZ Tray\windows-icon.ico	java.exe
File created	C:\Program Files\QZ Tray\demo\assets\signing\sign-message.pl	java.exe
File created	C:\Program Files\QZ Tray\demo\assets\signing\sign-message.py	java.exe
File created	C:\Program Files\QZ Tray\demo\assets\zpl_sample.xml	java.exe
File created	C:\Program Files\QZ Tray\libs\api-ms-win-core-interlocked-l1-1-0.dll	java.exe
File opened for modification	C:\Program Files\QZ Tray\demo\assets\signing\sign-message.cls	java.exe
File created	C:\Program Files\QZ Tray\demo\js\sample\promise-polyfill-8.1.3.min.js	java.exe
File created	C:\Program Files\QZ Tray\libs\glib-lite.dll	java.exe
File opened for modification	C:\Program Files\QZ Tray\demo\js\sample\bootstrap.min.js	java.exe
File opened for modification	C:\Program Files\QZ Tray\runtime\bin\splashscreen.dll	java.exe
File opened for modification	C:\Program Files\QZ Tray\runtime\bin\java.exe	java.exe
File created	C:\Program Files\QZ Tray\libs\api-ms-win-core-libraryloader-l1-1-0.dll	java.exe
File created	C:\Program Files\QZ Tray\libs\api-ms-win-core-namedpipe-l1-1-0.dll	java.exe
File created	C:\Program Files\QZ Tray\libs\api-ms-win-core-synch-l1-2-0.dll	java.exe
File created	C:\Program Files\QZ Tray\runtime\lib\jvm.lib	java.exe
File opened for modification	C:\Program Files\QZ Tray\libs\api-ms-win-core-sysinfo-l1-1-0.dll	java.exe
File opened for modification	C:\Program Files\QZ Tray\libs\concrt140.dll	java.exe
File created	C:\Program Files\QZ Tray\demo\css\bootstrap.min.css	java.exe
File created	C:\Program Files\QZ Tray\runtime\bin\mlib_image.dll	java.exe
File opened for modification	C:\Program Files\QZ Tray\libs\api-ms-win-core-datetime-l1-1-0.dll	java.exe
File opened for modification	C:\Program Files\QZ Tray\libs\api-ms-win-core-profile-l1-1-0.dll	java.exe
File opened for modification	C:\Program Files\QZ Tray\libs\api-ms-win-core-timezone-l1-1-0.dll	java.exe
File created	C:\Program Files\QZ Tray\libs\api-ms-win-crt-heap-l1-1-0.dll	java.exe
File opened for modification	C:\Program Files\QZ Tray\libs\api-ms-win-core-file-l1-2-0.dll	java.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qz-tray-2.2.2-x86_64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qz-tray.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	java.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	java.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	java.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	java.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	java.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	javaw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	java.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	java.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	java.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	java.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	java.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	java.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	java.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133712034740259576"	chrome.exe

Modifies registry class 41 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	javaw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qz\DefaultIcon	java.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	javaw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qz\ = "URL:QZ Tray Protocol"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qz\DefaultIcon\ = "\"C:\\Program Files\\QZ Tray\\qz-tray.exe\",1"	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qz\shell\open	java.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	javaw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qz\shell\open\command\ = "\"C:\\Program Files\\QZ Tray\\qz-tray.exe\" \"%1\""	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	javaw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qz	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qz\shell\open\command	java.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	javaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	javaw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	javaw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qz\URL Protocol	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qz\shell	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	javaw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	javaw.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\62ADAE0BDCC18CE65D9CFF60655B37C38C298CB2	java.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\62ADAE0BDCC18CE65D9CFF60655B37C38C298CB2\Blob = 03000000010000001400000062adae0bdcc18ce65d9cff60655b37c38c298cb22000000001000000ff030000308203fb308202e3a00302010202060192091c096e300d06092a864886f70d01010b050030819a310b3009060355040613025553310b300906035504080c024e593112301006035504070c0943616e6173746f7461311b3019060355040a0c12515a20496e64757374726965732c204c4c43311b3019060355040b0c12515a20496e64757374726965732c204c4c43311c301a06092a864886f70d010901160d737570706f727440717a2e696f3112301006035504030c096c6f63616c686f7374301e170d3234303931383037303830355a170d3434303931383037303830355a30819a310b3009060355040613025553310b300906035504080c024e593112301006035504070c0943616e6173746f7461311b3019060355040a0c12515a20496e64757374726965732c204c4c43311b3019060355040b0c12515a20496e64757374726965732c204c4c43311c301a06092a864886f70d010901160d737570706f727440717a2e696f3112301006035504030c096c6f63616c686f737430820122300d06092a864886f70d01010105000382010f003082010a0282010100d52f705a9ee07dced247a4813d263faad10852295176802dc3cc9b0155755ec1fb37acf6390a0a3a4850b742caed0910580389aa131a88a20d0254a04b56d4de1d0fd715f6d9024950bf58ea2bcfdd675ed62ff1e04165a5132aa871034d336484077a146ac89f30f4e316c5e98265e838c19ef1e1d9de40549c222af9ab344d28e4936a3aa812d9f6c8fb3116e4dc1fb0c601ae2019e842a7e092cadb4483447a50dbd9d148eb3a758b793b8dbc5993b393ea9c9418483274ea0029a00dccd813a9daa7df54ccb9eadbd7934b2f907763ea61bbd4d824a73c3cc9e3e0f44e75293ca26140c8a87dacf8f24297bcc1c5a57d84cbd4d7c64ef311bf5b84bbf29b0203010001a345304330120603551d130101ff040830060101ff020101300e0603551d0f0101ff040403020106301d0603551d0e04160414bfdb3c2aabe85c3d8444f48e4f2ebaf31e902ae7300d06092a864886f70d01010b05000382010100ad585b14cad066a6c041ced5417401e0de35b96dad631d711c5f28aa296bfee5a34253c90a6c586bc308a0b7404470c5e92ce0d22471bff56623a60df3531754d8a8b418cc21f1473c1463d5c9b74dca4626414e1ff5cdbfe59d233e56e3373060cd723c5e8d7fb8020252da1607545c4bbd72a941e3fc3df90c2b8497f0d7c40d531a762799bac1159bfacf94ca95531bcb6999afdae8305548fd8b06d0e6d548203ed7b3e2da88620367001507958e18ec5209d832823bb685144920fcd88bce756c6c120a5f5ec508859d94f93783845f622c9a6889a8d642da77147a9df05f8f6d064a2f3c14f050853dc4cd87b25555b7f77363135268e31f76afc440bd	java.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4564	msedge.exe
4564	msedge.exe
3628	msedge.exe
3628	msedge.exe
3272	chrome.exe
3272	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4804	qz-tray-2.2.2-x86_64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3628	msedge.exe
3628	msedge.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3628	msedge.exe
3628	msedge.exe
3272	chrome.exe
3272	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4956	wmic.exe
Token: SeSecurityPrivilege	4956	wmic.exe
Token: SeTakeOwnershipPrivilege	4956	wmic.exe
Token: SeLoadDriverPrivilege	4956	wmic.exe
Token: SeSystemProfilePrivilege	4956	wmic.exe
Token: SeSystemtimePrivilege	4956	wmic.exe
Token: SeProfSingleProcessPrivilege	4956	wmic.exe
Token: SeIncBasePriorityPrivilege	4956	wmic.exe
Token: SeCreatePagefilePrivilege	4956	wmic.exe
Token: SeBackupPrivilege	4956	wmic.exe
Token: SeRestorePrivilege	4956	wmic.exe
Token: SeShutdownPrivilege	4956	wmic.exe
Token: SeDebugPrivilege	4956	wmic.exe
Token: SeSystemEnvironmentPrivilege	4956	wmic.exe
Token: SeRemoteShutdownPrivilege	4956	wmic.exe
Token: SeUndockPrivilege	4956	wmic.exe
Token: SeManageVolumePrivilege	4956	wmic.exe
Token: 33	4956	wmic.exe
Token: 34	4956	wmic.exe
Token: 35	4956	wmic.exe
Token: 36	4956	wmic.exe
Token: SeIncreaseQuotaPrivilege	4956	wmic.exe
Token: SeSecurityPrivilege	4956	wmic.exe
Token: SeTakeOwnershipPrivilege	4956	wmic.exe
Token: SeLoadDriverPrivilege	4956	wmic.exe
Token: SeSystemProfilePrivilege	4956	wmic.exe
Token: SeSystemtimePrivilege	4956	wmic.exe
Token: SeProfSingleProcessPrivilege	4956	wmic.exe
Token: SeIncBasePriorityPrivilege	4956	wmic.exe
Token: SeCreatePagefilePrivilege	4956	wmic.exe
Token: SeBackupPrivilege	4956	wmic.exe
Token: SeRestorePrivilege	4956	wmic.exe
Token: SeShutdownPrivilege	4956	wmic.exe
Token: SeDebugPrivilege	4956	wmic.exe
Token: SeSystemEnvironmentPrivilege	4956	wmic.exe
Token: SeRemoteShutdownPrivilege	4956	wmic.exe
Token: SeUndockPrivilege	4956	wmic.exe
Token: SeManageVolumePrivilege	4956	wmic.exe
Token: 33	4956	wmic.exe
Token: 34	4956	wmic.exe
Token: 35	4956	wmic.exe
Token: 36	4956	wmic.exe
Token: SeIncreaseQuotaPrivilege	3556	wmic.exe
Token: SeSecurityPrivilege	3556	wmic.exe
Token: SeTakeOwnershipPrivilege	3556	wmic.exe
Token: SeLoadDriverPrivilege	3556	wmic.exe
Token: SeSystemProfilePrivilege	3556	wmic.exe
Token: SeSystemtimePrivilege	3556	wmic.exe
Token: SeProfSingleProcessPrivilege	3556	wmic.exe
Token: SeIncBasePriorityPrivilege	3556	wmic.exe
Token: SeCreatePagefilePrivilege	3556	wmic.exe
Token: SeBackupPrivilege	3556	wmic.exe
Token: SeRestorePrivilege	3556	wmic.exe
Token: SeShutdownPrivilege	3556	wmic.exe
Token: SeDebugPrivilege	3556	wmic.exe
Token: SeSystemEnvironmentPrivilege	3556	wmic.exe
Token: SeRemoteShutdownPrivilege	3556	wmic.exe
Token: SeUndockPrivilege	3556	wmic.exe
Token: SeManageVolumePrivilege	3556	wmic.exe
Token: 33	3556	wmic.exe
Token: 34	3556	wmic.exe
Token: 35	3556	wmic.exe
Token: 36	3556	wmic.exe
Token: SeIncreaseQuotaPrivilege	3556	wmic.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
3744	javaw.exe
3744	javaw.exe
3744	javaw.exe
3744	javaw.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3628	msedge.exe
3272	chrome.exe

Suspicious use of SendNotifyMessage 52 IoCs

pid	Process
3744	javaw.exe
3744	javaw.exe
3744	javaw.exe
3744	javaw.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
3744	javaw.exe
3744	javaw.exe
3744	javaw.exe
3744	javaw.exe
3744	javaw.exe
3744	javaw.exe
3744	javaw.exe
3744	javaw.exe
3744	javaw.exe
3744	javaw.exe
3744	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 4120	4804	qz-tray-2.2.2-x86_64.exe	90
PID 4804 wrote to memory of 4120	4804	qz-tray-2.2.2-x86_64.exe	90
PID 4804 wrote to memory of 3560	4804	qz-tray-2.2.2-x86_64.exe	92
PID 4804 wrote to memory of 3560	4804	qz-tray-2.2.2-x86_64.exe	92
PID 4804 wrote to memory of 3200	4804	qz-tray-2.2.2-x86_64.exe	94
PID 4804 wrote to memory of 3200	4804	qz-tray-2.2.2-x86_64.exe	94
PID 4804 wrote to memory of 4136	4804	qz-tray-2.2.2-x86_64.exe	100
PID 4804 wrote to memory of 4136	4804	qz-tray-2.2.2-x86_64.exe	100
PID 4136 wrote to memory of 1132	4136	java.exe	102
PID 4136 wrote to memory of 1132	4136	java.exe	102
PID 4136 wrote to memory of 3588	4136	java.exe	104
PID 4136 wrote to memory of 3588	4136	java.exe	104
PID 4804 wrote to memory of 5052	4804	qz-tray-2.2.2-x86_64.exe	106
PID 4804 wrote to memory of 5052	4804	qz-tray-2.2.2-x86_64.exe	106
PID 5052 wrote to memory of 2424	5052	java.exe	108
PID 5052 wrote to memory of 2424	5052	java.exe	108
PID 5052 wrote to memory of 3872	5052	java.exe	110
PID 5052 wrote to memory of 3872	5052	java.exe	110
PID 5052 wrote to memory of 2288	5052	java.exe	113
PID 5052 wrote to memory of 2288	5052	java.exe	113
PID 2288 wrote to memory of 2036	2288	net.exe	115
PID 2288 wrote to memory of 2036	2288	net.exe	115
PID 5052 wrote to memory of 5028	5052	java.exe	116
PID 5052 wrote to memory of 5028	5052	java.exe	116
PID 1508 wrote to memory of 3196	1508	qz-tray.exe	120
PID 1508 wrote to memory of 3196	1508	qz-tray.exe	120
PID 1508 wrote to memory of 3744	1508	qz-tray.exe	122
PID 1508 wrote to memory of 3744	1508	qz-tray.exe	122
PID 3744 wrote to memory of 3460	3744	javaw.exe	123
PID 3744 wrote to memory of 3460	3744	javaw.exe	123
PID 3460 wrote to memory of 4660	3460	net.exe	125
PID 3460 wrote to memory of 4660	3460	net.exe	125
PID 3744 wrote to memory of 1784	3744	javaw.exe	126
PID 3744 wrote to memory of 1784	3744	javaw.exe	126
PID 3628 wrote to memory of 408	3628	msedge.exe	133
PID 3628 wrote to memory of 408	3628	msedge.exe	133
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134
PID 3628 wrote to memory of 916	3628	msedge.exe	134

C:\Users\Admin\AppData\Local\Temp\qz-tray-2.2.2-x86_64.exe
"C:\Users\Admin\AppData\Local\Temp\qz-tray-2.2.2-x86_64.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\java.exe
  "C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\java.exe" -version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:4120
- C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\java.exe
  "C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\java.exe" -version"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:3560
- C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\java.exe
  "C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\java.exe" -Djna.nosys=true -jar "C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\qz-tray.jar" "preinstall" "" ""
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:3200
- - C:\Windows\System32\Wbem\wmic.exe
    wmic.exe process where "(Name='java.exe' OR Name='javaw.exe')" get processid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4956
- - C:\Windows\System32\Wbem\wmic.exe
    wmic.exe process where "CommandLine like '%qz-tray.jar%'" get processid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3556
- C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\java.exe
  "C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\java.exe" -Djna.nosys=true -jar "C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\qz-tray.jar" "install" "--dest" "C:\Program Files\QZ Tray"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\SYSTEM32\netsh.exe
    netsh.exe advfirewall firewall delete rule "name=QZ Tray"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1132
- - C:\Windows\SYSTEM32\netsh.exe
    netsh.exe advfirewall firewall add rule "name=QZ Tray" dir=in action=allow profile=any localport=8181,8282,8383,8484,8182,8283,8384,8485 localip=any protocol=tcp
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3588
- C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\java.exe
  "C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\java.exe" -Djna.nosys=true -jar "C:\Program Files\QZ Tray\qz-tray.jar" "certgen" "" ""
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\System32\Wbem\wmic.exe
    wmic.exe process where "(Name='java.exe' OR Name='javaw.exe')" get processid
    3⤵
    PID:2424
- - C:\Windows\System32\Wbem\wmic.exe
    wmic.exe process where "CommandLine like '%qz-tray.jar%'" get processid
    3⤵
    PID:3872
- - C:\Windows\SYSTEM32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:2036
- - C:\Windows\System32\Wbem\wmic.exe
    wmic.exe process where (Name='firefox.exe') get processid
    3⤵
    PID:5028

C:\Program Files\QZ Tray\qz-tray.exe
"C:\Program Files\QZ Tray\qz-tray.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Program Files\QZ Tray\runtime\bin\java.exe
  "C:\Program Files\QZ Tray\runtime\bin\java.exe" -version
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:3196
- C:\Program Files\QZ Tray\runtime\bin\javaw.exe
  "C:\Program Files\QZ Tray\runtime\bin\javaw.exe" -Xms512m -Djna.nosys=true --add-exports java.desktop/sun.swing=ALL-UNNAMED -jar "C:\Program Files\QZ Tray/qz-tray.jar"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Windows\SYSTEM32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:4660
- - C:\Windows\SYSTEM32\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe
    3⤵
    PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffab69346f8,0x7ffab6934708,0x7ffab6934718
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,3500358645085341123,13765555145715308880,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,3500358645085341123,13765555145715308880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,3500358645085341123,13765555145715308880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,3500358645085341123,13765555145715308880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,3500358645085341123,13765555145715308880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,3500358645085341123,13765555145715308880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,3500358645085341123,13765555145715308880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
  2⤵
  PID:4448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffaa427cc40,0x7ffaa427cc4c,0x7ffaa427cc58
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2036,i,5040836881931162338,7208473069171579964,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2032 /prefetch:2
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1940,i,5040836881931162338,7208473069171579964,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,5040836881931162338,7208473069171579964,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2512 /prefetch:8
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,5040836881931162338,7208473069171579964,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,5040836881931162338,7208473069171579964,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3712,i,5040836881931162338,7208473069171579964,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4804,i,5040836881931162338,7208473069171579964,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4880,i,5040836881931162338,7208473069171579964,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5184,i,5040836881931162338,7208473069171579964,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4392,i,5040836881931162338,7208473069171579964,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:4796

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\QZ Tray\runtime\conf\security\policy\limited\default_US_export.policy

Filesize
146B

MD5
1a08ffdf0bc871296c8d698fb22f542a

SHA1
f3f974d3f6245c50804dcc47173aa29d4d7f0e2c

SHA256
758b930a526fc670ab7537f8c26321527050a31f5f42149a2dda623c56a0a1a9

SHA512
4cfca5b10cd7addcff887c8f3621d2fbec1b5632436326377b0ce5af1ae3e8b68ac5a743ca6082fc79991b8eec703a6e1dfd5b896153407ad72327753222fdb3

Download Submit
C:\Program Files\QZ Tray\runtime\lib\client\Xusage.txt

Filesize
1KB

MD5
3d780dd3bf8219e52483ed6ac3a17a50

SHA1
e4dff259d66551cf1bf80c26dee51d241e998855

SHA256
3edc3cdd94ebc53f45786c57777ed338c27b0bc89145f6f0fbe21d176f4cd9e8

SHA512
5a85ea3a5a6c5341967ddfcab2c29d2485910b27c61953856c14fcbd6cec6019d9fd7a3facf5374ede71189e88563ed719dad66ec3f64deb679fff8b142649e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\53d82494-7a34-46f7-b91f-0e2c7bf091cf.tmp

Filesize
208KB

MD5
4409afc5b261f78c700a90f09c7b851d

SHA1
5af5d7a0c4c6b73030c5af5866214ae3170952aa

SHA256
449331998ba897a69ba66cf63e1095d2a91f512e44f1426dc3d6e446a0f916e7

SHA512
92a40b2f9b7ad9e7b6f1565aa7d967ac6072c40e75c79b33d033e9af00803bff36cfa3903240ec27b3c5e3e2b43d5cb53d96eda6c54d23e023c1a2621608cf96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
348c42712efcc2195625775f59804332

SHA1
8719b245ca07aaae4c933e69b1188af8f8b7aec4

SHA256
6b2173e6125f4abcde63339db4a9278f43bba3f1d3d8e3c992835e8c0ba525c7

SHA512
a4e923a25fca9af12bbb0ac9448e992f173d530bc486baa108b407c88f1f179b7a82171b45c983c8496bec0c063d45fd0a77086f82d76eb7776a7faf919fd571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
97d38ed1ebc18e9df3cc345561ad9649

SHA1
0c3a54f4594351b33c0f6f8c0cb2a7eb1ff412bd

SHA256
adb6311df81ebbaec2c48d46e538b18920fdf3448ca1f04e75735ae224dc42ad

SHA512
5d4bd2a5718854267b741307fdb2d5e0ce826c6d3a5636a4c9ee31744e3f9643f46e0f0d93b0f122035520ca29ad6cdb80b4c98c181c6a24b04cd66e76ca9a53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c441e4f3e1bb1dc36c65da2a525a8082

SHA1
67321d54f32005a5c29f6da383466bd34e170d37

SHA256
8ca1ba740e16c73ba77db3401b94d5551b98c3a8ffad34268bb04991a13c37bf

SHA512
96898da52b1c201c1f640f142ac2a6f40a0a14c5bebc7e419e312960df32bd36b5106514ad537b752a36e6688393960d7ee084ebe1c4ce0a45219d02ab66b82b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8b7b8f046d306ab204c323c756ab75d7

SHA1
b96e1858aa2ed75adf37e8ae6e8097b9b13d60eb

SHA256
0ba4e3080942d4967acc5cb4f938eb02c6d644c8c4774b14a82b7f668a3a8a0a

SHA512
f3b0bd91867965104ce9652b9ecf865ab65846e6c17b058623092e734239033512415d1d2d9b814b1b64441c5492bdd322854e9a629c9d9a2fd7b0df9940ff9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
29cb1bc39d3a122c0f32ebb4d3f76061

SHA1
abfa211220b1f65b7e7564c90f8b4417579da648

SHA256
7e217267d2e32974a408ade606eafcfedc9a361cb77289192277b3cc06afc5c9

SHA512
3dc69a88c715094ff2578af92f6c2e790be703a8f96d4df8891ef9ecb0fbe0f90bad2e6ab0864bbfc906842122dcde442e433ada85f3c0bd82eb7f6b32e0cfea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
18c730ebe18a350baab9da58d6fe418d

SHA1
848db84efb27e71bda5eb98c0d3856053aa92e37

SHA256
895046f032dd46c68389db7963f79a40ae7e8de3b0d5568295aab7f951c8043c

SHA512
790914cce8b6521394047f29689d393576fe74541de07c98d1d55ccdf0c751621f893089e7e644c7ae86babc72edc8dd3a9222bf7d37900f3b1a3f65b8760082

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
dbcb09809ccd730ef63d1582f7e50ed6

SHA1
aad2125894b0dfe691474bc00079f7f9448d5cd6

SHA256
de3ccfb72d5ef2c9455594c93811e2559d51f9b4e9f57acc2072ca5515d030f4

SHA512
0a91c5e3b672df6fc477a56f43283a46932651ec2d64f7d61cf10f5d8f7cc3fdbde1557061083946bc73e0ce4033c166076f1dfd81829e09d66eb6061e38edc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
208KB

MD5
4d623f2a5a73859e247b9803326fb8f1

SHA1
1c862475b1326c14ce6c27e8404ea5479d98b890

SHA256
81fcfdd3388bf64e4814a7c16372c41b3c94212b20928314d7de9f60892230cf

SHA512
61d344ce94c8041ba3f17801381a4a3ee6a9e51dab5a8af884cf3ea8dac27dd0120b96382b7d1ab2887500748b0475a835e43ea4ed75578f098aa2b04153b0a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b5564d8197925ace346dfe3e1241998e

SHA1
0479ed3c6be4eb176aaa9507f3368675deb58f4a

SHA256
d379adb2a0b5894ff66f894e4af9a10fa5c842d84dc7bcb0cf0c61e9fdf7b47e

SHA512
beee44073af939783cc05e00659ca1fd6b10514d1f75e36153d3605ffcef193f44db65f840f26fd8abc442aa071835547b0a19ee7de4fbfa46c1db7366208078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a7dfa6a03eafb04d09cadf6b97300961

SHA1
bc1f88e6ca162a940ae058c5d5c4c2b48a775da9

SHA256
c2224077d3f0266df97a2b76a466c5029e7d8cc8f4a7af05374c5c3b9eea053f

SHA512
2ee3601356841e6dc4606d5b38037c4f25bca678d488bb8984c2f42a03f11b324e69c5b297f5a40d639ad300293c393a880b16b4140b94cae58dea91f8bd908a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
445fedfa6c21eaec8f0c398b6b0afcf8

SHA1
7448d92a08957fb2dda756cbb3e00b1dbfe69276

SHA256
773ea82fcf658f15e1c55eee02ca25322d5cd06dafb80ce399e706780dc205dc

SHA512
cf664e77e7dad62016db87ef01d74c91fe1cf48c00ca0361bb1240e24ddf5494664226fec9760e5ef38b6cc057f34401042dd9e15a0a50d73ef39974cb59215d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\libs\libusb4java.dll

Filesize
377KB

MD5
d5a5fca6f1197b29801b3a8ca9b6839b

SHA1
bcae93aa3ae291fd859b0de8cf120396e772b92b

SHA256
9e1f9a56c4f701c3a81b6e7d600941acb8293f45c6c4af4fbfef2d90005d5c30

SHA512
7e288c103d72c75f8755a3b7ff943b07c35f3e6953c7b9a8996d57fd29464ac5e25d029450af02000426d5400ab1dcdcef328193c49b792847734a0c59c09383

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\qz-tray.jar

Filesize
32.4MB

MD5
7cd6e809aca304354b0302da0f30aa40

SHA1
75e3a3bf399772c92bb40bf8166fad71299030e7

SHA256
0e60cd28ead72a88bce9f21ae29b2c5298aca20e09d191510f9039a17bfcd88c

SHA512
b29b7818abec0942c8cddb2a8ced6ab29529d5b68f5a96e20dd2d279f0ca76699a1c6bb14d02c18647eb744d96a927dbc8f8e73de993578558836efe66e9454f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\VCRUNTIME140.dll

Filesize
68KB

MD5
fa0a5a7d8271b7c71c9db26889494fe1

SHA1
8a13b288f62a0d352069989488c3b9e5c542e81a

SHA256
abd71102c0b37591f1fffc846774fbc6b1b5f35bfeef531943e16206ff8746f9

SHA512
c3d788e6661f4953f30a416cc5ca269df3521242d6d93b46b5d114ab1f2ce27d5d8dc9bdbaf5063a38b85266b2b9d207670391a147b264515237975035054336

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\awt.dll

Filesize
1.4MB

MD5
770ad0d49efd0de94c25d6904219e9ef

SHA1
d2cc4fb786e5c7047958bd6fa8d2052c18479559

SHA256
ac026d84ce6aa7195fe2a5ff3d3bd14fec20d39bd82aaf8e299a7c0a767328f9

SHA512
e9212c8e0be89d22c4f1398c4c12ad4fa56f17774f434eab81764acd281960d655e6a500470817146467516fe9889243550092f6dabcad54ab1eea7c2816c3f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\java.dll

Filesize
143KB

MD5
185f792b87362f773bf61fe2d040602f

SHA1
ce7abc0ed14ee88259b10828bf3e2e4cf711f630

SHA256
224758ad8f830c82fdfd9bbf500d4e28cc5fe97e7249ddd8c95e8d221dade118

SHA512
6ec5a3cb77b5dbe3c45352ed7db1205d8a2d38e868eaa5bc8e15535d494bbf830f5311030281e5e08a671a3400505100e079752f5ae18c94fd15af055e806d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\java.exe

Filesize
39KB

MD5
2af90ca65b9f8e6bca1d2a8b8a7bf3d0

SHA1
d4bf01148fd211c40b70e897aadc9d9fc414b678

SHA256
8280ca5bf212ac18b62d49ec1a572acd4a4c8fbceeab67bfcd52fd321948cd7a

SHA512
3ca6da542b62d22001d8799d035982b2ae4f96a41888347979b4fad1d320b921d5015f8e720f89739abfe83f58da30900f2b821529b52b72b9bd9e17e5c18ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\jimage.dll

Filesize
23KB

MD5
305bda3eb31a21a1fb2897f05fe228ed

SHA1
c4ae07161d7696a207fbc38d29009638fedee92a

SHA256
ec40ccb6d13e1c29a3341a9ae1b0aa499efd3a3e4c28392a123125eb236a0ed5

SHA512
a8f7a4c09f09b36fbdf2ed93440365d469cef34b1ec7b50ee91aaa03b242248e62efc4b526c1b056ccb15560124c703167128e6cfe94a33557677609cbe17cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\jli.dll

Filesize
75KB

MD5
357279d6b526c54b023b6e3e5004f892

SHA1
4a3e4256568426fcd1e3221795d5933c29bf0666

SHA256
5047b89bc82c11802a89332e4b64c6b746a78193116bcf5690f2c26fd001ce6b

SHA512
44abac999e05311ffbb5b7a89f25584882d7fbed8ec5afe8ee755c1c906bcd43eee829cce0320c182977176547eb40c7304ed591c1dc0a590025471272406e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\management.dll

Filesize
19KB

MD5
9350dcf79377d38655b7719b60467930

SHA1
b43de39fd6d3961b252dfa239191dc737a283370

SHA256
b9d64fe055eb59fe4c2942b9ed13a73e939908bad71495934b2ccf6e209998a2

SHA512
9534e97ae2379c441ed5300481a432b7ce3f00671cd01af4aaca417b0f508829a066edcfc2ca33e42ce507beb0d0aca62bb6e4289ddc4e7c68af4d69bae3dd19

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\msvcp140.dll

Filesize
598KB

MD5
6c7a8f485e070c2a11fd9fcbe0d6fb0d

SHA1
846a254ec1ebe23591ce8f3c830e0b30a8f95f7a

SHA256
da2ded0ff2c50132887a81393cbf52dbc2db54624fb376abb3cf0c7ca21174c2

SHA512
0fa94c950f0c9ea2e662c60c168436eceefa367d308607b8e693f231c67ba0c574ab6cb3f139b89b2bd0109738bd97c62b464d69e0f5017e8b5d74e2d7272172

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\net.dll

Filesize
83KB

MD5
808f31dd3b5effb2e3f86376b7683904

SHA1
278cc0c2f25f6eaebf470918715cb8b9b2244608

SHA256
58963c0abd0a3d33694d7bd28083754eb4732712854cd5838209a9870fea0400

SHA512
0a56fff4f7cb26b503242fdde64a88cf290fa072a60b1f3405fd57c81edf368be30e5477828e4ca4191cb9dc04af33f61d316a26b82b9e452ab766b86a435c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\nio.dll

Filesize
56KB

MD5
bf0b074034d342c3a6d67d70f666e96c

SHA1
7d30f595e15cde5a3cefa51f54b9e93c99a06a8b

SHA256
c30c0d3e3ff2b9049577222dab0e765d7857c07e380c5a100c9b65e82489d415

SHA512
7eec80e735b9f32b72decabb4345fe44a69cebb0a0a80a7df5dec57497718a31d252d35a7435c4d133240e6d602bcceea3772c59043a91c0297686d157496610

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\server\jvm.dll

Filesize
11.2MB

MD5
ef33e8cf9dec31bbe8c08f0c449d9cdc

SHA1
540dffd7d1d091a0e173781653e8f80d99419203

SHA256
bef7cdc2d14b958cf841e47bcc5b9a5daf6764249eb79fed0f76328e6f9e723f

SHA512
bc1a68a3e2f2e39835d48a7a3e4f1d31626c881c33f460834bc62c9d302e107290692076f29fe44f90773fb3d866cfbbe0555ab7de4399943ecb6321e70f7f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\verify.dll

Filesize
45KB

MD5
639adfe1bbf46b09d4b624aa5f72c691

SHA1
976eb08f12767129d314c136742085d106c4359e

SHA256
800d77a293a0a2ab2c3820e27bb6707dd59cf04df50dbcc5a28bae367851d031

SHA512
3a057d2b716cd8ed5148a421e02ce28b8c92d1c84a3252f4cf38523c0cfe93902b6ab5f246bcdb6e9a3272f2193b06bba286c29a447826c790c75db60b2fc69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\bin\zip.dll

Filesize
75KB

MD5
5096a528913b46f832bc482e1a19f5c7

SHA1
01abc96e1647026c1f1785441dc47b6aa4ea0177

SHA256
7b34b44307475d5dc68d48c7d4a443c055aaebf58f425cadca265de23095eccb

SHA512
10fdf60a510a0c311bc4dc2b13a6f25cc93b1b681e4746187e20cdc1992caf3c0064f357ce7661b57e67d86e43bba18d7f30cf01c6aea3614cfe85492a202246

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\lib\jvm.cfg

Filesize
28B

MD5
4006564666795c838eed8b7fd958b0af

SHA1
cd6d4f2868725ef7541485719c6ea88d05e43724

SHA256
54ac5bb838f64585085f6c04b73431a96b9246cc0090943c48b067ab05086180

SHA512
87643b6f1da35a9a60869ef1f68141b3e4225fc65b256f31f7289c854d0e929e587ab572d4f67f2802aea89958b3a45a23c83bcc60c6b30613c87021ef537b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC276.tmp\payload\runtime\lib\modules

Filesize
22.6MB

MD5
858757c41c317da215c0aada59a4efd7

SHA1
9bde803181f001aed54fa0dbe7d481af07d4db1d

SHA256
77656af208e35c91af18176c4791f7486e816df1283e9343540c8106a12d3270

SHA512
06a48b062c6c2a606147f829359456a48ef05870cfa0b73429579a0061b91c5d2267c8db1fd5829cf7ad8cfdef2176a49bd3d14c690a57a78d6bf186aad4b776

Download Submit
memory/3560-261-0x000001F65DD90000-0x000001F65E000000-memory.dmp

Filesize
2.4MB

Download
memory/3560-259-0x000001F65D800000-0x000001F65DA70000-memory.dmp

Filesize
2.4MB

Download
memory/3560-260-0x000001F6652C0000-0x000001F665530000-memory.dmp

Filesize
2.4MB

Download
memory/3560-258-0x000001F6652C0000-0x000001F665530000-memory.dmp

Filesize
2.4MB

Download
memory/3560-256-0x000001F65DD90000-0x000001F65E000000-memory.dmp

Filesize
2.4MB

Download
memory/3560-247-0x000001F65D800000-0x000001F65DA70000-memory.dmp

Filesize
2.4MB

Download
memory/4120-226-0x000002206FB30000-0x000002206FDA0000-memory.dmp

Filesize
2.4MB

Download
memory/4120-227-0x00000220775F0000-0x0000022077860000-memory.dmp

Filesize
2.4MB

Download
memory/4120-228-0x00000220700C0000-0x0000022070330000-memory.dmp

Filesize
2.4MB

Download
memory/4120-225-0x00000220775F0000-0x0000022077860000-memory.dmp

Filesize
2.4MB

Download
memory/4120-223-0x00000220700C0000-0x0000022070330000-memory.dmp

Filesize
2.4MB

Download
memory/4120-214-0x000002206FB30000-0x000002206FDA0000-memory.dmp

Filesize
2.4MB

Download