cryptbot | hxxps://youtube[.]com

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Executes dropped EXE 13 IoCs

Processes:

Setup.exeKMSAutoNet.exeFile.exebin.datbin_x64.datDpEditor.exeSetup.exeKMSAutoNet.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe

pid	process
1180	Setup.exe
5008	KMSAutoNet.exe
1084	File.exe
4328	bin.dat
4772	bin_x64.dat
4656	DpEditor.exe
1020	Setup.exe
4792	KMSAutoNet.exe
1576	software_reporter_tool.exe
4880	software_reporter_tool.exe
4904	software_reporter_tool.exe
2304	software_reporter_tool.exe
1656	4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

File.exeDpEditor.exeSetup.exeSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	File.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	File.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe

Loads dropped DLL 7 IoCs

Processes:

software_reporter_tool.exe

pid	process
4904	software_reporter_tool.exe
4904	software_reporter_tool.exe
4904	software_reporter_tool.exe
4904	software_reporter_tool.exe
4904	software_reporter_tool.exe
4904	software_reporter_tool.exe
4904	software_reporter_tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 21 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Program Files (x86)\unsoul1\Setup.exe	themida
C:\Program Files (x86)\unsoul1\Setup.exe	themida
behavioral1/memory/1180-132-0x00000000013B0000-0x0000000001A99000-memory.dmp	themida
behavioral1/memory/1180-133-0x00000000013B0000-0x0000000001A99000-memory.dmp	themida
behavioral1/memory/1180-134-0x00000000013B0000-0x0000000001A99000-memory.dmp	themida
behavioral1/memory/1180-135-0x00000000013B0000-0x0000000001A99000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\File.exe	themida
C:\Users\Admin\AppData\Local\Temp\File.exe	themida
behavioral1/memory/1084-164-0x0000000000970000-0x0000000001055000-memory.dmp	themida
behavioral1/memory/1084-165-0x0000000000970000-0x0000000001055000-memory.dmp	themida
behavioral1/memory/1084-166-0x0000000000970000-0x0000000001055000-memory.dmp	themida
behavioral1/memory/1084-167-0x0000000000970000-0x0000000001055000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral1/memory/4656-182-0x0000000001170000-0x0000000001855000-memory.dmp	themida
behavioral1/memory/4656-184-0x0000000001170000-0x0000000001855000-memory.dmp	themida
behavioral1/memory/4656-185-0x0000000001170000-0x0000000001855000-memory.dmp	themida
behavioral1/memory/4656-186-0x0000000001170000-0x0000000001855000-memory.dmp	themida
behavioral1/memory/1020-198-0x0000000000970000-0x0000000001059000-memory.dmp	themida
behavioral1/memory/1020-199-0x0000000000970000-0x0000000001059000-memory.dmp	themida
behavioral1/memory/1020-200-0x0000000000970000-0x0000000001059000-memory.dmp	themida
behavioral1/memory/1020-201-0x0000000000970000-0x0000000001059000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Setup.exeFile.exeDpEditor.exeSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	File.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

Setup.exeFile.exeDpEditor.exeSetup.exe

pid process

1180 Setup.exe
1084 File.exe
4656 DpEditor.exe
1020 Setup.exe

Drops file in Program Files directory 15 IoCs

Processes:

KMSAutoNet.execmd.execmd.exeKMSAutoNet.exeKMSAutoNet.exeKMSAutoNet.exe

description	ioc	process
File created	C:\Program Files (x86)\unsoul1\__tmp_rar_sfx_access_check_259452000	KMSAutoNet.exe
File created	C:\Program Files (x86)\unsoul1\Setup.exe	KMSAutoNet.exe
File opened for modification	C:\Program Files (x86)\unsoul1\test.test	cmd.exe
File created	C:\Program Files (x86)\unsoul1\KMSAutoNet.exe	KMSAutoNet.exe
File opened for modification	C:\Program Files (x86)\unsoul1\KMSAutoNet.exe	KMSAutoNet.exe
File opened for modification	C:\Program Files (x86)\unsoul1\Setup.exe	KMSAutoNet.exe
File opened for modification	C:\Program Files (x86)\unsoul1\test.test	cmd.exe
File opened for modification	C:\Program Files (x86)\unsoul1\Setup.exe	KMSAutoNet.exe
File opened for modification	C:\Program Files (x86)\unsoul1\test.test	KMSAutoNet.exe
File opened for modification	C:\Program Files (x86)\unsoul1	KMSAutoNet.exe
File opened for modification	C:\Program Files (x86)\unsoul1\KMSAutoNet.exe	KMSAutoNet.exe
File created	C:\Program Files (x86)\unsoul1\__tmp_rar_sfx_access_check_259519281	KMSAutoNet.exe
File opened for modification	C:\Program Files (x86)\unsoul1\KMSAutoNet.exe	KMSAutoNet.exe
File opened for modification	C:\Program Files (x86)\unsoul1\test.test	KMSAutoNet.exe
File created	C:\Program Files (x86)\unsoul1\Setup.exe	KMSAutoNet.exe

Drops file in Windows directory 1 IoCs

Processes:

LogonUI.exe

description ioc process

File created C:\Windows\rescache\_merged\421858948\3551649488.pri LogonUI.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\rescache\_merged\421858948\3551649488.pri	LogonUI.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exeSetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1344 timeout.exe
1208 timeout.exe

pid	process
1344	timeout.exe
1208	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings chrome.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1612 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

4656 DpEditor.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	chrome.exe

pid	process
1612	NOTEPAD.EXE

pid	process
4656	DpEditor.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeSetup.exeFile.exeDpEditor.exechrome.exeSetup.exesoftware_reporter_tool.exechrome.exechrome.exe

pid	process
4052	chrome.exe
4052	chrome.exe
3652	chrome.exe
3652	chrome.exe
2032	chrome.exe
2032	chrome.exe
3136	chrome.exe
3136	chrome.exe
3056	chrome.exe
3056	chrome.exe
1976	chrome.exe
1976	chrome.exe
1828	chrome.exe
1828	chrome.exe
3748	chrome.exe
3748	chrome.exe
1180	Setup.exe
1180	Setup.exe
1084	File.exe
1084	File.exe
4656	DpEditor.exe
4656	DpEditor.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
1020	Setup.exe
1020	Setup.exe
1576	software_reporter_tool.exe
1576	software_reporter_tool.exe
1444	chrome.exe
1444	chrome.exe
3056	chrome.exe
3056	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

chrome.exe

pid	process
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

software_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

description	pid	process
Token: 33	4880	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4880	software_reporter_tool.exe
Token: 33	1576	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1576	software_reporter_tool.exe
Token: 33	4904	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4904	software_reporter_tool.exe
Token: 33	2304	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2304	software_reporter_tool.exe

Suspicious use of FindShellTrayWindow 57 IoCs

Processes:

chrome.exe

pid	process
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe

Suspicious use of SendNotifyMessage 34 IoCs

Processes:

chrome.exe

pid	process
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe
3652	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exeLogonUI.exe

pid process

1656 4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe
1816 LogonUI.exe
1816 LogonUI.exe

pid	process
1656	4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe
1816	LogonUI.exe
1816	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3652 wrote to memory of 3832	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 3832	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4092	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4052	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4052	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4280	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4280	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4280	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4280	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4280	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4280	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4280	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4280	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4280	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4280	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4280	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4280	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4280	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4280	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4280	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4280	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4280	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4280	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4280	3652	chrome.exe	chrome.exe
PID 3652 wrote to memory of 4280	3652	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb6ab14f50,0x7ffb6ab14f60,0x7ffb6ab14f70
2⤵
PID:3832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1484 /prefetch:2
2⤵
PID:4092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1868 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2128 /prefetch:8
2⤵
PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1
2⤵
PID:4360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
2⤵
PID:4368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4124 /prefetch:8
2⤵
PID:816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
2⤵
PID:436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4868 /prefetch:8
2⤵
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4904 /prefetch:8
2⤵
PID:2796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
2⤵
PID:2316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
2⤵
PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5728 /prefetch:8
2⤵
PID:4568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3564 /prefetch:8
2⤵
PID:2620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3564 /prefetch:8
2⤵
PID:4768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4548 /prefetch:8
2⤵
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4596 /prefetch:8
2⤵
PID:5080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4628 /prefetch:8
2⤵
PID:1232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6208 /prefetch:8
2⤵
PID:2476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6340 /prefetch:8
2⤵
PID:1080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4560 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
2⤵
PID:60

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
2⤵
PID:1628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
2⤵
PID:1620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
2⤵
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1052 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4792 /prefetch:8
2⤵
PID:1272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4488 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 /prefetch:8
2⤵
PID:700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5888 /prefetch:8
2⤵
PID:4584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5400 /prefetch:8
2⤵
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2468 /prefetch:8
2⤵
PID:1060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6452 /prefetch:8
2⤵
PID:4264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6472 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1460 /prefetch:8
2⤵
PID:1928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5252 /prefetch:8
2⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5784 /prefetch:8
2⤵
PID:4624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1056 /prefetch:8
2⤵
PID:4784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1464 /prefetch:1
2⤵
PID:4188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
2⤵
PID:3712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6860 /prefetch:8
2⤵
PID:3320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4508 /prefetch:8
2⤵
PID:1448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
2⤵
PID:2132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5400 /prefetch:8
2⤵
PID:2348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4264 /prefetch:8
2⤵
PID:216

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=9MGhfsMUlQXRF6ecFNN6+Fi4kdPqp48GLobf1fdY --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=94.273.200 --initial-client-data=0x25c,0x260,0x264,0x238,0x268,0x7ff6349ec4b8,0x7ff6349ec4c8,0x7ff6349ec4d8
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4880

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_1576_LMAGVTDAEMTUPYRF" --sandboxed-process-id=2 --init-done-notifier=728 --sandbox-mojo-pipe-token=2869624733416200530 --mojo-platform-channel-handle=704 --engine=2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4904

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_1576_LMAGVTDAEMTUPYRF" --sandboxed-process-id=3 --init-done-notifier=928 --sandbox-mojo-pipe-token=2259500506997330967 --mojo-platform-channel-handle=924
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5904 /prefetch:8
2⤵
PID:4112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
2⤵
PID:1284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
2⤵
PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6508 /prefetch:8
2⤵
PID:3660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
2⤵
PID:3616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1500,17869390006509613733,632918553204513465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6396 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3056

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4184

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_KMSAutoNet.zip\PASSWORD.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1612

C:\Users\Admin\Desktop\KMSAutoNet.exe
"C:\Users\Admin\Desktop\KMSAutoNet.exe"
1⤵
- Drops file in Program Files directory
PID:5048

C:\Program Files (x86)\unsoul1\Setup.exe
"C:\Program Files (x86)\unsoul1\Setup.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1180

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1084

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:4656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\tifoCQWV & timeout 4 & del /f /q "C:\Program Files (x86)\unsoul1\Setup.exe"
3⤵
PID:1284

C:\Windows\SysWOW64\timeout.exe
timeout 4
4⤵
- Delays execution with timeout.exe
PID:1208

C:\Program Files (x86)\unsoul1\KMSAutoNet.exe
"C:\Program Files (x86)\unsoul1\KMSAutoNet.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5008

C:\Windows\SysWOW64\cmd.exe
cmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"
3⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
cmd /c echo test>>"C:\Program Files (x86)\unsoul1\test.test"
3⤵
- Drops file in Program Files directory
PID:2280

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /c del /F /Q "test.test"
3⤵
PID:3452

C:\Windows\SysWOW64\cscript.exe
"cscript.exe" /nologo C:\Windows\system32\slmgr.vbs /ipk W269N-WFGWX-YVC9B-4J6C9-T83GX
3⤵
PID:4760

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /c md "C:\ProgramData\KMSAuto"
3⤵
PID:748

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /c bin.dat -y -pkmsauto
3⤵
PID:1344

C:\ProgramData\KMSAuto\bin.dat
bin.dat -y -pkmsauto
4⤵
- Executes dropped EXE
PID:4328

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /c del /F /Q "bin.dat"
3⤵
PID:1612

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /c bin_x64.dat -y -pkmsauto
3⤵
PID:4568

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
4⤵
- Executes dropped EXE
PID:4772

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /c del /F /Q "bin_x64.dat"
3⤵
PID:2556

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /c del /F /Q "kmsauto.ini"
3⤵
PID:4876

C:\Users\Admin\Desktop\KMSAutoNet.exe
"C:\Users\Admin\Desktop\KMSAutoNet.exe"
1⤵
- Drops file in Program Files directory
PID:3916

C:\Program Files (x86)\unsoul1\Setup.exe
"C:\Program Files (x86)\unsoul1\Setup.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\UFwYRtBQkE & timeout 4 & del /f /q "C:\Program Files (x86)\unsoul1\Setup.exe"
3⤵
PID:1660

C:\Windows\SysWOW64\timeout.exe
timeout 4
4⤵
- Delays execution with timeout.exe
PID:1344

C:\Program Files (x86)\unsoul1\KMSAutoNet.exe
"C:\Program Files (x86)\unsoul1\KMSAutoNet.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4792

C:\Windows\SysWOW64\cmd.exe
cmd /c echo test>>"C:\Program Files (x86)\unsoul1\test.test"
3⤵
- Drops file in Program Files directory
PID:1284

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /c del /F /Q "test.test"
3⤵
PID:3280

C:\Windows\SysWOW64\cscript.exe
"cscript.exe" /nologo C:\Windows\system32\slmgr.vbs /ipk W269N-WFGWX-YVC9B-4J6C9-T83GX
3⤵
PID:2968

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /c del /F /Q "kmsauto.ini"
3⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:5080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xdc,0xe0,0xe4,0xb8,0xe8,0x7ffb6ab14f50,0x7ffb6ab14f60,0x7ffb6ab14f70
2⤵
PID:4232

C:\Users\Admin\Desktop\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe
"C:\Users\Admin\Desktop\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1656

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3adf055 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\unsoul1\KMSAutoNet.exe
MD5
6ee7f3ecd5111cd5306792fd3141515d

SHA1
45c92d0e691175a39a8c61228f526f80a7ca94fc

SHA256
69a8ae6352cffd366409df8e566e84315b4bffcf5865a4b8079c446123ba1d26

SHA512
1dc9b725115bc703373f5e4759f4081012538366e9fa2a497a06182908a1715659c876c3a471b176ce81e74181965750b7376d2a8492500c403231241522e16c

Download Submit
C:\Program Files (x86)\unsoul1\KMSAutoNet.exe
MD5
6ee7f3ecd5111cd5306792fd3141515d

SHA1
45c92d0e691175a39a8c61228f526f80a7ca94fc

SHA256
69a8ae6352cffd366409df8e566e84315b4bffcf5865a4b8079c446123ba1d26

SHA512
1dc9b725115bc703373f5e4759f4081012538366e9fa2a497a06182908a1715659c876c3a471b176ce81e74181965750b7376d2a8492500c403231241522e16c

Download Submit
C:\Program Files (x86)\unsoul1\Setup.exe
MD5
621c2c302f2c1224c8d01a91dffd734a

SHA1
a6449375cab47c579319c7ab069b3968d90b6b66

SHA256
29f415d1d12bf9e0da2eb368d51837413fe2d908539ecbed6e8504b944eaf482

SHA512
56344f9455c7f105ead0aa7bd43097b1d9aa58767cb727f32de93730a9c8dba9a0ce4d5ae7dbfc213f92f081102f92039de6e85b0584955a10324742ba5a9bbd

Download Submit
C:\Program Files (x86)\unsoul1\Setup.exe
MD5
621c2c302f2c1224c8d01a91dffd734a

SHA1
a6449375cab47c579319c7ab069b3968d90b6b66

SHA256
29f415d1d12bf9e0da2eb368d51837413fe2d908539ecbed6e8504b944eaf482

SHA512
56344f9455c7f105ead0aa7bd43097b1d9aa58767cb727f32de93730a9c8dba9a0ce4d5ae7dbfc213f92f081102f92039de6e85b0584955a10324742ba5a9bbd

Download Submit
C:\Program Files (x86)\unsoul1\test.test
MD5
9f06243abcb89c70e0c331c61d871fa7

SHA1
fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4

SHA256
837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b

SHA512
b947b99d1baddd347550c9032e9ab60b6be56551cf92c076b38e4e11f436051a4af51c47e54f8641316a720b043641a3b3c1e1b01ba50445ea1ba60bfd1b7a86

Download Submit
C:\ProgramData\KMSAuto\bin.dat
MD5
25f096b533e87afba34432f577e45013

SHA1
ba513e0d57a7971cc751a3827344217baa288363

SHA256
0b4af6d407e5adb4975ccb3d3b1a504f211dfc9e3307a36e8d40d8029a7d11fa

SHA512
bf5710895f85541bc0becffc1bc5843d9c05b9a97a360ab1ffeca4532dd5e7afc351ad92dd8c9adfe3fcc5f55676e09820a6663ee0004bff4c64cb223e26c1fc

Download Submit
C:\ProgramData\KMSAuto\bin.dat
MD5
25f096b533e87afba34432f577e45013

SHA1
ba513e0d57a7971cc751a3827344217baa288363

SHA256
0b4af6d407e5adb4975ccb3d3b1a504f211dfc9e3307a36e8d40d8029a7d11fa

SHA512
bf5710895f85541bc0becffc1bc5843d9c05b9a97a360ab1ffeca4532dd5e7afc351ad92dd8c9adfe3fcc5f55676e09820a6663ee0004bff4c64cb223e26c1fc

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat
MD5
0d42791e1447ddab3d145e4a9354acc3

SHA1
f442951d6e9d8bc821de72c7fd10e0e0ad025d68

SHA256
a374c877cfad58399cc7100da71d11fc81119e6940f62d0c98a4ff4034d8a653

SHA512
3916d5242af5affde6af2a00554d2d47b653fe7b98285ac554e2dbc81302415c3eafc4fe037f484ac199fe1fc4d6870c71dee0e8815f3e62a0faab7b8d0c26e6

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat
MD5
0d42791e1447ddab3d145e4a9354acc3

SHA1
f442951d6e9d8bc821de72c7fd10e0e0ad025d68

SHA256
a374c877cfad58399cc7100da71d11fc81119e6940f62d0c98a4ff4034d8a653

SHA512
3916d5242af5affde6af2a00554d2d47b653fe7b98285ac554e2dbc81302415c3eafc4fe037f484ac199fe1fc4d6870c71dee0e8815f3e62a0faab7b8d0c26e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies
MD5
8d39155ed4657f847597cdc983feba42

SHA1
eb5aa52ecb09b800fb18531bab491a40e287e607

SHA256
3d92e0cbf08558f7774ea8ea1e6c4077f6e34fa673bf9f6eefeab252a2e51e4c

SHA512
0c1666d3b36479a6cffb9dba504cb930cd78947fcc318efb055ee2462abcf5df772813e9bc2de1b3dfd43b0ff0052c01cac529ba4551e19928e4dec02b9402e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data
MD5
8e01df4ad2f70765ce83ab8a602eab44

SHA1
a943b20b302f60bcd88f4c9c4f12969656d4de6e

SHA256
dcba993872ce775fdd5389781414aa8683ab922ac21662249c6ee8212527792f

SHA512
f0b0fc203b601eea033388dce541a124696b3bd47a78a94bd6432755f43b040fe9d5590b71dd501fc1d5a60ea8ffc11e792481fe933d48574ce0d1226d404585

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
MD5
d592aa184dcc803a580afe3979fa302a

SHA1
1c12fde584469174340f4d66f7736681c3cc014e

SHA256
3671dfbaab91a91f98dcee7fd13efc41582aa002e715692da92e0249af5c5d67

SHA512
5b1c922a5413664497610954a256257346018e9a4409d0e4dfa4cb141debe0181b8e0a3dd56e338ff19c0d296cad7518a3a224a8eb2230b4179c4a92bbb151cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
99237d9b047317fa9469066ea665f4c9

SHA1
de56d98b0ca57a9c4ebb7328356fae23a8aca660

SHA256
a9bdcc20acf2d5f03dcfae9ebedc1b39dba702328e43e9c3181d8b5b8aa40611

SHA512
f5c569230773335fc63461387fe4373f2c93d02cf8b2ddd86e5ec62e5c8046f9a0dd9990495bd28b9cfcebbbd491c41bd86b9230064a5e046737f2e36e9e6039

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
99237d9b047317fa9469066ea665f4c9

SHA1
de56d98b0ca57a9c4ebb7328356fae23a8aca660

SHA256
a9bdcc20acf2d5f03dcfae9ebedc1b39dba702328e43e9c3181d8b5b8aa40611

SHA512
f5c569230773335fc63461387fe4373f2c93d02cf8b2ddd86e5ec62e5c8046f9a0dd9990495bd28b9cfcebbbd491c41bd86b9230064a5e046737f2e36e9e6039

Download Submit
C:\Users\Admin\AppData\Local\Temp\tifoCQWV\IERYBX~1.ZIP
MD5
fc31f56b03a7ce1f9581ebe84c62d84d

SHA1
48927e2ee82fbe2d88b3ee335fc34c3b40353085

SHA256
651304f1fcf0855aef6b7b1d0da62031383ede183226893b8e44df9dbd6ffe61

SHA512
7d844db2537b96b44356e957c834925d0090309e40417b86560f1684c4a60129d99a12a5a6a4dedb4bc56b21289906c55428031f94cff6d31a2789cd2c156f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\tifoCQWV\OYWSKV~1.ZIP
MD5
7f4f577d116a1c038e50aec713257f85

SHA1
f494edc672ec8a97bd2f8b91cb47dbac4ce85525

SHA256
9156ba3690b3f1a222f0aafcaec15f4378405026720c5081366c7b82c3309d4e

SHA512
2b4a74c06d59ae55510c62f0a6ee5dfe5431266a1e454ef715fb74b54ec15013f961ecbd655fef3a1a9d4f9c8f950189bf6b2d143935d8195304a1c7f6c22334

Download Submit
C:\Users\Admin\AppData\Local\Temp\tifoCQWV\_Files\_Chrome\DEFAUL~1.BIN
MD5
09500b419541e759ce53d87e324fe8fc

SHA1
4b882732508d2fc28536f8281c3b58777720c7da

SHA256
f80e7db7d3a06c87f03f5d0a9c7ab592ef05bc4fa5a8ab65c318c8455bd94476

SHA512
45e04f6283559638be00bffaf1a52a52a6998f835d5d40f756806a2323623074cb7ee9f802f4eba7d7523ccf3170f8986f89349ffbc1f2514ce25fdae0114fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\tifoCQWV\_Files\_Chrome\DEFAUL~1.DB
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tifoCQWV\_Files\_Chrome\DEFAUL~2.DB
MD5
8d39155ed4657f847597cdc983feba42

SHA1
eb5aa52ecb09b800fb18531bab491a40e287e607

SHA256
3d92e0cbf08558f7774ea8ea1e6c4077f6e34fa673bf9f6eefeab252a2e51e4c

SHA512
0c1666d3b36479a6cffb9dba504cb930cd78947fcc318efb055ee2462abcf5df772813e9bc2de1b3dfd43b0ff0052c01cac529ba4551e19928e4dec02b9402e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tifoCQWV\_Files\_Chrome\DEFAUL~3.DB
MD5
8e01df4ad2f70765ce83ab8a602eab44

SHA1
a943b20b302f60bcd88f4c9c4f12969656d4de6e

SHA256
dcba993872ce775fdd5389781414aa8683ab922ac21662249c6ee8212527792f

SHA512
f0b0fc203b601eea033388dce541a124696b3bd47a78a94bd6432755f43b040fe9d5590b71dd501fc1d5a60ea8ffc11e792481fe933d48574ce0d1226d404585

Download Submit
C:\Users\Admin\AppData\Local\Temp\tifoCQWV\_Files\_INFOR~1.TXT
MD5
a7b324d833f9a4b2c1d6a9e001f48c0a

SHA1
ccd04d0278fc08ad589703c0acc5b1508fcba5d0

SHA256
f4387242cad0eaf8e2b5d2b79ea7de000f5546d9da6c16e4b19e968964328fc9

SHA512
d78d1fb3eaa3543db6add7f9d4adaf3b833cdd127e0c23a7a10030dae065308f05f4028ec6863741f4adcf6d98cf60b1413a8ab07c32e7a94d2610bb5d281bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tifoCQWV\_Files\_SCREE~1.JPE
MD5
ec8e2aa8e89f96772a2f77120cfb03ea

SHA1
e675f602909277108ea569ef69f7504b13a57def

SHA256
09ba986be7ec882d42955602ac44991a6e0bb5cbce7e9eece50de3f96df70360

SHA512
ec683480c5213f8c129111e5ed0d4cab6f3292900aa4302f060c8afd62b8bf82714693e2db1384966407354080a19200139e8d71635ac04b8d90858c328c080d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tifoCQWV\files_\SCREEN~1.JPG
MD5
ec8e2aa8e89f96772a2f77120cfb03ea

SHA1
e675f602909277108ea569ef69f7504b13a57def

SHA256
09ba986be7ec882d42955602ac44991a6e0bb5cbce7e9eece50de3f96df70360

SHA512
ec683480c5213f8c129111e5ed0d4cab6f3292900aa4302f060c8afd62b8bf82714693e2db1384966407354080a19200139e8d71635ac04b8d90858c328c080d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tifoCQWV\files_\SYSTEM~1.TXT
MD5
a7b324d833f9a4b2c1d6a9e001f48c0a

SHA1
ccd04d0278fc08ad589703c0acc5b1508fcba5d0

SHA256
f4387242cad0eaf8e2b5d2b79ea7de000f5546d9da6c16e4b19e968964328fc9

SHA512
d78d1fb3eaa3543db6add7f9d4adaf3b833cdd127e0c23a7a10030dae065308f05f4028ec6863741f4adcf6d98cf60b1413a8ab07c32e7a94d2610bb5d281bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tifoCQWV\files_\_Chrome\DEFAUL~1.BIN
MD5
09500b419541e759ce53d87e324fe8fc

SHA1
4b882732508d2fc28536f8281c3b58777720c7da

SHA256
f80e7db7d3a06c87f03f5d0a9c7ab592ef05bc4fa5a8ab65c318c8455bd94476

SHA512
45e04f6283559638be00bffaf1a52a52a6998f835d5d40f756806a2323623074cb7ee9f802f4eba7d7523ccf3170f8986f89349ffbc1f2514ce25fdae0114fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\tifoCQWV\files_\_Chrome\DEFAUL~1.DB
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tifoCQWV\files_\_Chrome\DEFAUL~2.DB
MD5
8d39155ed4657f847597cdc983feba42

SHA1
eb5aa52ecb09b800fb18531bab491a40e287e607

SHA256
3d92e0cbf08558f7774ea8ea1e6c4077f6e34fa673bf9f6eefeab252a2e51e4c

SHA512
0c1666d3b36479a6cffb9dba504cb930cd78947fcc318efb055ee2462abcf5df772813e9bc2de1b3dfd43b0ff0052c01cac529ba4551e19928e4dec02b9402e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tifoCQWV\files_\_Chrome\DEFAUL~3.DB
MD5
8e01df4ad2f70765ce83ab8a602eab44

SHA1
a943b20b302f60bcd88f4c9c4f12969656d4de6e

SHA256
dcba993872ce775fdd5389781414aa8683ab922ac21662249c6ee8212527792f

SHA512
f0b0fc203b601eea033388dce541a124696b3bd47a78a94bd6432755f43b040fe9d5590b71dd501fc1d5a60ea8ffc11e792481fe933d48574ce0d1226d404585

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
99237d9b047317fa9469066ea665f4c9

SHA1
de56d98b0ca57a9c4ebb7328356fae23a8aca660

SHA256
a9bdcc20acf2d5f03dcfae9ebedc1b39dba702328e43e9c3181d8b5b8aa40611

SHA512
f5c569230773335fc63461387fe4373f2c93d02cf8b2ddd86e5ec62e5c8046f9a0dd9990495bd28b9cfcebbbd491c41bd86b9230064a5e046737f2e36e9e6039

Download Submit
\??\pipe\crashpad_3652_XRKJEPFMOVCGMNAX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/748-169-0x0000000000000000-mapping.dmp

Download
memory/1020-201-0x0000000000970000-0x0000000001059000-memory.dmp

Filesize
6.9MB

Download
memory/1020-200-0x0000000000970000-0x0000000001059000-memory.dmp

Filesize
6.9MB

Download
memory/1020-202-0x0000000076FF0000-0x000000007717E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-199-0x0000000000970000-0x0000000001059000-memory.dmp

Filesize
6.9MB

Download
memory/1020-198-0x0000000000970000-0x0000000001059000-memory.dmp

Filesize
6.9MB

Download
memory/1020-190-0x0000000000000000-mapping.dmp

Download
memory/1084-144-0x0000000000000000-mapping.dmp

Download
memory/1084-163-0x0000000076FF0000-0x000000007717E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-167-0x0000000000970000-0x0000000001055000-memory.dmp

Filesize
6.9MB

Download
memory/1084-166-0x0000000000970000-0x0000000001055000-memory.dmp

Filesize
6.9MB

Download
memory/1084-165-0x0000000000970000-0x0000000001055000-memory.dmp

Filesize
6.9MB

Download
memory/1084-164-0x0000000000970000-0x0000000001055000-memory.dmp

Filesize
6.9MB

Download
memory/1180-132-0x00000000013B0000-0x0000000001A99000-memory.dmp

Filesize
6.9MB

Download
memory/1180-135-0x00000000013B0000-0x0000000001A99000-memory.dmp

Filesize
6.9MB

Download
memory/1180-131-0x0000000076FF0000-0x000000007717E000-memory.dmp

Filesize
1.6MB

Download
memory/1180-118-0x0000000000000000-mapping.dmp

Download
memory/1180-133-0x00000000013B0000-0x0000000001A99000-memory.dmp

Filesize
6.9MB

Download
memory/1180-134-0x00000000013B0000-0x0000000001A99000-memory.dmp

Filesize
6.9MB

Download
memory/1208-162-0x0000000000000000-mapping.dmp

Download
memory/1284-147-0x0000000000000000-mapping.dmp

Download
memory/1284-204-0x0000000000000000-mapping.dmp

Download
memory/1344-208-0x0000000000000000-mapping.dmp

Download
memory/1344-170-0x0000000000000000-mapping.dmp

Download
memory/1576-212-0x0000000000000000-mapping.dmp

Download
memory/1576-214-0x0000027328270000-0x0000027328272000-memory.dmp

Filesize
8KB

Download
memory/1576-213-0x0000027328270000-0x0000027328272000-memory.dmp

Filesize
8KB

Download
memory/1612-174-0x0000000000000000-mapping.dmp

Download
memory/1660-207-0x0000000000000000-mapping.dmp

Download
memory/2280-140-0x0000000000000000-mapping.dmp

Download
memory/2304-225-0x0000000000000000-mapping.dmp

Download
memory/2304-227-0x000001700F810000-0x000001700F812000-memory.dmp

Filesize
8KB

Download
memory/2304-226-0x000001700F810000-0x000001700F812000-memory.dmp

Filesize
8KB

Download
memory/2328-211-0x0000000000000000-mapping.dmp

Download
memory/2556-179-0x0000000000000000-mapping.dmp

Download
memory/2968-209-0x0000000000000000-mapping.dmp

Download
memory/3280-205-0x0000000000000000-mapping.dmp

Download
memory/3452-143-0x0000000000000000-mapping.dmp

Download
memory/3916-188-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/3916-189-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/4328-171-0x0000000000000000-mapping.dmp

Download
memory/4568-175-0x0000000000000000-mapping.dmp

Download
memory/4656-185-0x0000000001170000-0x0000000001855000-memory.dmp

Filesize
6.9MB

Download
memory/4656-182-0x0000000001170000-0x0000000001855000-memory.dmp

Filesize
6.9MB

Download
memory/4656-186-0x0000000001170000-0x0000000001855000-memory.dmp

Filesize
6.9MB

Download
memory/4656-180-0x0000000000000000-mapping.dmp

Download
memory/4656-184-0x0000000001170000-0x0000000001855000-memory.dmp

Filesize
6.9MB

Download
memory/4656-183-0x0000000076FF0000-0x000000007717E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-168-0x0000000000000000-mapping.dmp

Download
memory/4772-176-0x0000000000000000-mapping.dmp

Download
memory/4792-203-0x00000000054F0000-0x00000000059EE000-memory.dmp

Filesize
5.0MB

Download
memory/4792-210-0x00000000054F0000-0x00000000059EE000-memory.dmp

Filesize
5.0MB

Download
memory/4792-206-0x00000000054F0000-0x00000000059EE000-memory.dmp

Filesize
5.0MB

Download
memory/4792-191-0x0000000000000000-mapping.dmp

Download
memory/4840-136-0x0000000000000000-mapping.dmp

Download
memory/4876-187-0x0000000000000000-mapping.dmp

Download
memory/4880-217-0x0000013525300000-0x0000013525302000-memory.dmp

Filesize
8KB

Download
memory/4880-216-0x0000013525300000-0x0000013525302000-memory.dmp

Filesize
8KB

Download
memory/4880-215-0x0000000000000000-mapping.dmp

Download
memory/4904-232-0x0000027C62920000-0x0000027C62960000-memory.dmp

Filesize
256KB

Download
memory/4904-230-0x0000027C628A0000-0x0000027C628E0000-memory.dmp

Filesize
256KB

Download
memory/4904-233-0x0000027C62960000-0x0000027C629A0000-memory.dmp

Filesize
256KB

Download
memory/4904-235-0x0000027C629E0000-0x0000027C62A20000-memory.dmp

Filesize
256KB

Download
memory/4904-242-0x0000027C62BA0000-0x0000027C62BE0000-memory.dmp

Filesize
256KB

Download
memory/4904-245-0x0000027C62C60000-0x0000027C62CA0000-memory.dmp

Filesize
256KB

Download
memory/4904-244-0x0000027C62C20000-0x0000027C62C60000-memory.dmp

Filesize
256KB

Download
memory/4904-243-0x0000027C62BE0000-0x0000027C62C20000-memory.dmp

Filesize
256KB

Download
memory/4904-219-0x0000000000000000-mapping.dmp

Download
memory/4904-218-0x0000027C605AD000-0x0000027C605AE000-memory.dmp

Filesize
4KB

Download
memory/4904-221-0x0000027C60530000-0x0000027C60532000-memory.dmp

Filesize
8KB

Download
memory/4904-220-0x0000027C60530000-0x0000027C60532000-memory.dmp

Filesize
8KB

Download
memory/4904-222-0x00007FFB78570000-0x00007FFB78571000-memory.dmp

Filesize
4KB

Download
memory/4904-223-0x00007FFB778A0000-0x00007FFB778A1000-memory.dmp

Filesize
4KB

Download
memory/4904-241-0x0000027C62B60000-0x0000027C62BA0000-memory.dmp

Filesize
256KB

Download
memory/4904-236-0x0000027C62A20000-0x0000027C62A60000-memory.dmp

Filesize
256KB

Download
memory/4904-240-0x0000027C62B20000-0x0000027C62B60000-memory.dmp

Filesize
256KB

Download
memory/4904-239-0x0000027C62AE0000-0x0000027C62B20000-memory.dmp

Filesize
256KB

Download
memory/4904-238-0x0000027C62AA0000-0x0000027C62AE0000-memory.dmp

Filesize
256KB

Download
memory/4904-231-0x0000027C628E0000-0x0000027C62920000-memory.dmp

Filesize
256KB

Download
memory/4904-234-0x0000027C629A0000-0x0000027C629E0000-memory.dmp

Filesize
256KB

Download
memory/4904-237-0x0000027C62A60000-0x0000027C62AA0000-memory.dmp

Filesize
256KB

Download
memory/5008-141-0x00000000058C3000-0x00000000058C5000-memory.dmp

Filesize
8KB

Download
memory/5008-127-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/5008-121-0x0000000000000000-mapping.dmp

Download
memory/5008-130-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/5008-129-0x0000000005B90000-0x0000000005B91000-memory.dmp

Filesize
4KB

Download
memory/5008-128-0x0000000005990000-0x0000000005991000-memory.dmp

Filesize
4KB

Download
memory/5008-124-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/5008-125-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/5008-126-0x0000000005E90000-0x0000000005E91000-memory.dmp

Filesize
4KB

Download
memory/5048-117-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/5048-116-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download