redline | 948138b91d471c0c5e690b2a25e677723caaa2698e0f156b945f056545faa4bc

Resubmissions

01-04-2023 02:21

230401-cszn1agg2s 10

01-04-2023 02:20

230401-csnlqsfd55 1

01-04-2023 02:17

230401-cqqnbafd36 6

Analysis

max time kernel
105s
max time network
150s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
01-04-2023 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pass_2023_Setup.rar.html
Size

19KB
MD5

e714b3ab1380b7acf4f572d570125444
SHA1

9359a9069f5cdfe9a7ff8c372aab9f543516f17d
SHA256

948138b91d471c0c5e690b2a25e677723caaa2698e0f156b945f056545faa4bc
SHA512

35cd9e548b1be61fec56c2626f0bc13352faba93cd528e7492ccb5682737b9f514430e6379e40b951ae0213806ee77536175009c27653fad6a2b94533951a88f
SSDEEP

384:boJylIn7xpYwuu504YfeHYK3DRzhU3E8+UUKIz40qo+Q0aN0ba9l3eBizEmZX3:boJCIn7XY20tODRzh4E8+UUKIz40qoWu

Score

10^/10

redline youtube02 evasion infostealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

youtube02

176.113.115.220:80

Attributes

auth_value
ac97023fed55cb3e4792a779ef00ca98

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Setup_win32_64.exeSetup_win32_64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup_win32_64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup_win32_64.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup_win32_64.exeSetup_win32_64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup_win32_64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup_win32_64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup_win32_64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup_win32_64.exe

Executes dropped EXE 2 IoCs

Processes:

Setup_win32_64.exeSetup_win32_64.exe

pid process

4364 Setup_win32_64.exe
2208 Setup_win32_64.exe

pid	process
4364	Setup_win32_64.exe
2208	Setup_win32_64.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Setup_win32_64.exe	themida
C:\Users\Admin\Desktop\Setup_win32_64.exe	themida
behavioral1/memory/4364-261-0x00000000001D0000-0x00000000007AC000-memory.dmp	themida
C:\Users\Admin\Desktop\Setup_win32_64.exe	themida
behavioral1/memory/4364-283-0x00000000001D0000-0x00000000007AC000-memory.dmp	themida
behavioral1/memory/2208-286-0x00000000001D0000-0x00000000007AC000-memory.dmp	themida
C:\Users\Admin\Desktop\Setup_win32_64.exe	themida
behavioral1/memory/2208-308-0x00000000001D0000-0x00000000007AC000-memory.dmp	themida
behavioral1/memory/4444-313-0x00000000001D0000-0x00000000007AC000-memory.dmp	themida
behavioral1/memory/4444-323-0x00000000001D0000-0x00000000007AC000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Setup_win32_64.exeSetup_win32_64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup_win32_64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup_win32_64.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Setup_win32_64.exeSetup_win32_64.exe

pid process

4364 Setup_win32_64.exe
2208 Setup_win32_64.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup_win32_64.exe

description pid process target process

PID 4364 set thread context of 5116 4364 Setup_win32_64.exe jsc.exe

pid	process
4364	Setup_win32_64.exe
2208	Setup_win32_64.exe

description	pid	process	target process
PID 4364 set thread context of 5116	4364	Setup_win32_64.exe	jsc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133247964807427869"	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

chrome.exeSetup_win32_64.exe

pid	process
2300	chrome.exe
2300	chrome.exe
4364	Setup_win32_64.exe
4364	Setup_win32_64.exe
4364	Setup_win32_64.exe
4364	Setup_win32_64.exe
4364	Setup_win32_64.exe
4364	Setup_win32_64.exe
4364	Setup_win32_64.exe
4364	Setup_win32_64.exe
4364	Setup_win32_64.exe
4364	Setup_win32_64.exe
4364	Setup_win32_64.exe
4364	Setup_win32_64.exe
4364	Setup_win32_64.exe
4364	Setup_win32_64.exe
4364	Setup_win32_64.exe
4364	Setup_win32_64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

3100 7zFM.exe

pid	process
3100	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

chrome.exe

pid	process
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zFM.exe

description	pid	process
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeRestorePrivilege	3100	7zFM.exe
Token: 35	3100	7zFM.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeSecurityPrivilege	3100	7zFM.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

Processes:

chrome.exe7zFM.exe

pid	process
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
3100	7zFM.exe
3100	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2300 wrote to memory of 3984	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 3984	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 1788	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 3968	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 3968	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe
PID 2300 wrote to memory of 4356	2300	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\Pass_2023_Setup.rar.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xa8,0xd0,0xd4,0xcc,0xd8,0x7ff9a7549758,0x7ff9a7549768,0x7ff9a7549778
2⤵
PID:3984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1804 --field-trial-handle=1740,i,11938662510541628449,4622305608429086442,131072 /prefetch:8
2⤵
PID:3968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1740,i,11938662510541628449,4622305608429086442,131072 /prefetch:2
2⤵
PID:1788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2088 --field-trial-handle=1740,i,11938662510541628449,4622305608429086442,131072 /prefetch:8
2⤵
PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2932 --field-trial-handle=1740,i,11938662510541628449,4622305608429086442,131072 /prefetch:1
2⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=1740,i,11938662510541628449,4622305608429086442,131072 /prefetch:1
2⤵
PID:2256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4400 --field-trial-handle=1740,i,11938662510541628449,4622305608429086442,131072 /prefetch:1
2⤵
PID:1372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4744 --field-trial-handle=1740,i,11938662510541628449,4622305608429086442,131072 /prefetch:1
2⤵
PID:5044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4560 --field-trial-handle=1740,i,11938662510541628449,4622305608429086442,131072 /prefetch:1
2⤵
PID:2744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5288 --field-trial-handle=1740,i,11938662510541628449,4622305608429086442,131072 /prefetch:1
2⤵
PID:4712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4372 --field-trial-handle=1740,i,11938662510541628449,4622305608429086442,131072 /prefetch:1
2⤵
PID:444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4604 --field-trial-handle=1740,i,11938662510541628449,4622305608429086442,131072 /prefetch:1
2⤵
PID:3480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4644 --field-trial-handle=1740,i,11938662510541628449,4622305608429086442,131072 /prefetch:1
2⤵
PID:3360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4664 --field-trial-handle=1740,i,11938662510541628449,4622305608429086442,131072 /prefetch:1
2⤵
PID:1196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5232 --field-trial-handle=1740,i,11938662510541628449,4622305608429086442,131072 /prefetch:1
2⤵
PID:2636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3628 --field-trial-handle=1740,i,11938662510541628449,4622305608429086442,131072 /prefetch:8
2⤵
PID:1296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 --field-trial-handle=1740,i,11938662510541628449,4622305608429086442,131072 /prefetch:8
2⤵
PID:2872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 --field-trial-handle=1740,i,11938662510541628449,4622305608429086442,131072 /prefetch:8
2⤵
PID:3096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 --field-trial-handle=1740,i,11938662510541628449,4622305608429086442,131072 /prefetch:8
2⤵
PID:3128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4948 --field-trial-handle=1740,i,11938662510541628449,4622305608429086442,131072 /prefetch:2
2⤵
PID:2600

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4752

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3808

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Pass_2023_Setup.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3100

C:\Users\Admin\Desktop\Setup_win32_64.exe
"C:\Users\Admin\Desktop\Setup_win32_64.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4364

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
2⤵
PID:4236

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
2⤵
PID:616

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
2⤵
PID:5116

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
2⤵
PID:1140

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
2⤵
PID:2548

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
2⤵
PID:4880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
2⤵
PID:4948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
2⤵
PID:888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
2⤵
PID:4860

C:\Users\Admin\Desktop\Setup_win32_64.exe
"C:\Users\Admin\Desktop\Setup_win32_64.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2208

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
2⤵
PID:4448

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
2⤵
PID:2084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
2⤵
PID:4020

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
2⤵
PID:5016

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
2⤵
PID:3440

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
2⤵
PID:5004

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
2⤵
PID:4944

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
2⤵
PID:2776

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:3700

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
2⤵
PID:3608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
2⤵
PID:3808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
2⤵
PID:1840

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
2⤵
PID:2020

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
2⤵
PID:5052

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
2⤵
PID:4924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
2⤵
PID:4268

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
2⤵
PID:4700

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
2⤵
PID:3816

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
2⤵
PID:3080

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
2⤵
PID:2144

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
2⤵
PID:4792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
2⤵
PID:4432

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
2⤵
PID:4456

C:\Users\Admin\Desktop\Setup_win32_64.exe
"C:\Users\Admin\Desktop\Setup_win32_64.exe"
1⤵
PID:4444

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
2⤵
PID:3964

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
2⤵
PID:2168

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
2⤵
PID:1420

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
2⤵
PID:4748

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
2⤵
PID:1364

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
2⤵
PID:4968

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:2748

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
2⤵
PID:324

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
2⤵
PID:4772

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
2⤵
PID:4688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
2⤵
PID:384

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
2⤵
PID:1792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
2⤵
PID:680

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:2392

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
2⤵
PID:932

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
2⤵
PID:836

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
2⤵
PID:2428

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
2⤵
PID:4440

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
2⤵
PID:4412

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
2⤵
PID:4464

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
2⤵
PID:2180

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
76638098dc7c55dfbd0e972fb2f9d292

SHA1
bb1e6c30c15c811f55030732835feedde5d14de4

SHA256
3a0f410afb5f6aac0dd5ed328c476c1d2cbed2b8b80499863dc46b49aa40f4f7

SHA512
f01502a9f4e8badebc49ee5c2b875917ee54dae80ebf0d3566dbad3b9b89d0c7802823769f97ae29c45f55e4fc78d0fb8330e646fd775027a6b20dc08f06acef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Filesize
20KB

MD5
3a50a9fc1e95b1d51d29d38d6f67cb6a

SHA1
156297083408b7c9b84c1c41060aceea034392a1

SHA256
ed831efe358cf40715b011f97bb83a2de0f4ae63b3c69d44743375959456996f

SHA512
931fff1ee605f3b320254e453f048484c31a0ac120f6f26e5286fb9301c378ce906d279156fe0052afa7a7b474f0a5c1b9743061abaa46a3d59b4a16457f2348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
523beddea5143675f1b8d50ea32d9f85

SHA1
01f779200bc39877c14f3c8860e34627b3e3f58c

SHA256
77f072f3f99defd430e9eaf2d9b7cf301188bddb8bb06817d49ac94c1d3c509d

SHA512
578bcf309327b5abc10d25b0dbcdd0c3ad81ea943369d977190a9c0e84e22c919566ddd5c86062164ed857a67eeaf47ddf1d3475a59fd79dc49f1dc77af8d609

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
0a6984aa0e61c435d4e38c3a40012c69

SHA1
503fe3a8735b45c6cd3a2c272857e775990369fa

SHA256
a9cd81a21eaa028796bb7977beceab29e06acbefc60a548abc7f2822a47f34ae

SHA512
b733445d9208282a87017cfc9fbeaba69e0c022b082938e5c713e00a8affe874c95e1cda2896ffcf9667187ba4a7ffa1b747afcc2db62bea9f00326854ff1b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
b0a51d87b4fc65a37278e6bcfd47ddad

SHA1
50283f9c84f9ea43d071fb8c50828aa4ac451a1d

SHA256
ad9a0c784de0cb231a626da938a30b90a5c403f55b9ac364b8cae96f39a812e0

SHA512
cc3a76eb3a9c9dbf6fb88b9196a5a79aa31518483b67c160a8c8b783c129e361dca96aa767952034798fb16a79e9cd4434708276585ed0e251a0539c6c163525

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
3be376f1f6f58e71e300b35b3ab733b6

SHA1
d9a362e5eaffea179db23723b99e0dc8875fce25

SHA256
088deb1227c554082dbbd31f113dd9aa747215a5cd88b8719c30cdf443f620d7

SHA512
58ca373f7faa797ef3f58c26945e3ccf60dfa50fe51fe2a2fb75e22f75db83c97ffee7d144a147b47f63a64f35bc2c5e598b66720efa64270cf8d8d22ae46796

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
2664be2d9b28001698e0cc4a3524dec4

SHA1
243d0e93d740e607bba29dd106ac975047d4fcf1

SHA256
8219180d485d325dc57c5446812b1826eb694b847e800817393a665718092b13

SHA512
0792047ebcacd1ed2b022a683f5a9bdf530349b5804d7aaefa559809d2c4e055c22e602065d4b352163b823c68de96af6c6f48df48ca6d7e265aa653266b64c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
12KB

MD5
4457bfee83622f47db80426df086b5fd

SHA1
13fb805007ae196734f021a67c33e5b30627dec5

SHA256
eae18ff334a19bfe229fa0c2d99888b035663b7c66c76aea4e3c6c448be95146

SHA512
fdf37b95ae54d375479784dc184925be25024e3fe58363f786ed467600d6db80bd2a2197b66f5394015be94de03de5ae6eed2aadd93b0f3f969132114903bd2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
173KB

MD5
ce40359c8d699c742ad562e979357f5a

SHA1
15fd2866778a0a06c0cefca9ab179de5a0ed5488

SHA256
9fac683bbc1b23992889247817328d2b696bbe34cac8fb3583585a7d7663bca3

SHA512
26038527040b8f41ae84de4cf302f0b4e838906515b664807e760acead42ceca2b6e9b06355dc0646deadef2d7ec0f000be589acbfbd39cfcecaedc32311e607

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
173KB

MD5
ce40359c8d699c742ad562e979357f5a

SHA1
15fd2866778a0a06c0cefca9ab179de5a0ed5488

SHA256
9fac683bbc1b23992889247817328d2b696bbe34cac8fb3583585a7d7663bca3

SHA512
26038527040b8f41ae84de4cf302f0b4e838906515b664807e760acead42ceca2b6e9b06355dc0646deadef2d7ec0f000be589acbfbd39cfcecaedc32311e607

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Setup_win32_64.exe.log
Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jsc.exe.log
Filesize
2KB

MD5
e0aa3f31d47084ef29012fa569912559

SHA1
4dde56fd125b5e422ca052840e165a96a0fce488

SHA256
9d519e9c2915750cd71e0f2534427248fed4d76b3ad1105ceb5d64db47fbe609

SHA512
9dd6d1be30781fb17da8ff0f44642b658dddc9051877f7afab0531574ff9bbbc931e1fd16fa4f9e10f57fd0f0e159a405861119c3b78419b0c9b20dc3e377b4c

Download Submit
C:\Users\Admin\Desktop\Setup_win32_64.exe
Filesize
407.1MB

MD5
717b4a674633528b81bd2569898110ae

SHA1
8f6f803bf29c37498ad29173e05caaead5557f4b

SHA256
091313ed337fa0c8927b227c3f92c8e4ccd59dd5ce89a4d7966b78494d55c35b

SHA512
7a024d5587925d3c21fedfbf9206ac390d7b823f36c20f3e754e9779007733cc3a6e73c33ab11936c79a589711e9ae6fe1460c832fc2753d06697b7f767f7f64

Download Submit
C:\Users\Admin\Desktop\Setup_win32_64.exe
Filesize
401.5MB

MD5
4103d5fdf941199ac9ef2a9fe9524e3e

SHA1
6a37414b76db28ce1fe27b49d4336be2c3adddbd

SHA256
f79051395da5721269efdb7e2ae352907afd7af63da4f567d7e50aaf18d23aa6

SHA512
6b15916c343224e8d9aae5c2fd9a131527000cbb6fc2c58587371173907982771771616f7097f74678be2df8f7cfb9b2e16e4badf260ce63a8e7d7acee1c4c86

Download Submit
C:\Users\Admin\Desktop\Setup_win32_64.exe
Filesize
290.7MB

MD5
4cab5f65136225e47b190319b9fa8676

SHA1
d9e80ecc399ea1379c390f77ed68a9d3ea22ecff

SHA256
f87ec6a3e933371dccc292c453a84e1e84ede6e115cb4d29d5a1b53a7afc7442

SHA512
d831acc4c109a42788a0ff82d100495e4226fe89869d46132036d2b9a7b7019f967117458ade38a0f80dd5c6d6d4b7d9520f74528836b2f4e8f4f8938cf4f32e

Download Submit
C:\Users\Admin\Desktop\Setup_win32_64.exe
Filesize
132.4MB

MD5
bccf5a0905f4d7fb54fbf4371262337f

SHA1
98819bea9b8cedebafb6e436f81340876e5c3e90

SHA256
3c409ecc15f9f68923cf3aebe785e5f79a706c76e4d140b5e826e84b84ba1fad

SHA512
7ea6f170351bd9312d28e62da5b6ca68e4f6920db89851eb890c88783f7eb1df9f78e379295cae27a4cf93a9324a255f9998ede22e92febe2ad24ec77c092e5d

Download Submit
C:\Users\Admin\Downloads\Pass_2023_Setup.rar
Filesize
7.2MB

MD5
8707b760c28c0e44e1547e7f184dd1ac

SHA1
7b79cb451965a224e27548f2839447143e4712d6

SHA256
2c6ba22bdb5d01a9c78df27a6c6f1b1a062afbc4ada5f10acdce3ffc7129749a

SHA512
1de598dc5b92c29e8acae79487826d62566e6095ff3e0d2d30c47f7912382d0c88f3af4bab120900849e66dbf56adfaa1761cb5325d16f05ee5e3d2319591764

Download Submit
\??\pipe\crashpad_2300_HMVAHGEFNUEUVYSX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/384-325-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/2084-316-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2208-269-0x00000000001D0000-0x00000000007AC000-memory.dmp

Filesize
5.9MB

Download
memory/2208-298-0x0000010EC59D0000-0x0000010EC59E0000-memory.dmp

Filesize
64KB

Download
memory/2208-286-0x00000000001D0000-0x00000000007AC000-memory.dmp

Filesize
5.9MB

Download
memory/2208-308-0x00000000001D0000-0x00000000007AC000-memory.dmp

Filesize
5.9MB

Download
memory/4364-262-0x00007FF980000000-0x00007FF980002000-memory.dmp

Filesize
8KB

Download
memory/4364-263-0x000001A595390000-0x000001A595414000-memory.dmp

Filesize
528KB

Download
memory/4364-283-0x00000000001D0000-0x00000000007AC000-memory.dmp

Filesize
5.9MB

Download
memory/4364-264-0x000001A595420000-0x000001A595430000-memory.dmp

Filesize
64KB

Download
memory/4364-261-0x00000000001D0000-0x00000000007AC000-memory.dmp

Filesize
5.9MB

Download
memory/4364-257-0x00000000001D0000-0x00000000007AC000-memory.dmp

Filesize
5.9MB

Download
memory/4364-258-0x00007FF980030000-0x00007FF980031000-memory.dmp

Filesize
4KB

Download
memory/4444-323-0x00000000001D0000-0x00000000007AC000-memory.dmp

Filesize
5.9MB

Download
memory/4444-317-0x00000248338F0000-0x0000024833900000-memory.dmp

Filesize
64KB

Download
memory/4444-313-0x00000000001D0000-0x00000000007AC000-memory.dmp

Filesize
5.9MB

Download
memory/4444-303-0x00000000001D0000-0x00000000007AC000-memory.dmp

Filesize
5.9MB

Download
memory/5116-288-0x00000000058D0000-0x0000000005ED6000-memory.dmp

Filesize
6.0MB

Download
memory/5116-307-0x0000000006EE0000-0x00000000073DE000-memory.dmp

Filesize
5.0MB

Download
memory/5116-311-0x0000000006C20000-0x0000000006DE2000-memory.dmp

Filesize
1.8MB

Download
memory/5116-304-0x0000000006940000-0x00000000069D2000-memory.dmp

Filesize
584KB

Download
memory/5116-312-0x0000000007910000-0x0000000007E3C000-memory.dmp

Filesize
5.2MB

Download
memory/5116-301-0x0000000006720000-0x0000000006786000-memory.dmp

Filesize
408KB

Download
memory/5116-299-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/5116-297-0x00000000054E0000-0x000000000552B000-memory.dmp

Filesize
300KB

Download
memory/5116-315-0x0000000006B60000-0x0000000006BB0000-memory.dmp

Filesize
320KB

Download
memory/5116-296-0x0000000005380000-0x00000000053BE000-memory.dmp

Filesize
248KB

Download
memory/5116-295-0x0000000005320000-0x0000000005332000-memory.dmp

Filesize
72KB

Download
memory/5116-294-0x00000000053D0000-0x00000000054DA000-memory.dmp

Filesize
1.0MB

Download
memory/5116-270-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download