raccoon | hxxps://softwarance[.]com/coreldraw-graphics-suite-2022-crack/

Analysis

max time kernel
439s
max time network
461s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2023 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://softwarance.com/coreldraw-graphics-suite-2022-crack/

Score

10^/10

raccoon ee2a3d190100b91c20d8bc284238dda6 discovery spyware stealer vmprotect

Malware Config

Extracted

Family

raccoon

Botnet

ee2a3d190100b91c20d8bc284238dda6

http://94.142.138.176/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

setup.exe

pid process

4184 setup.exe
Loads dropped DLL 3 IoCs

Processes:

setup.exe

pid process

4184 setup.exe
4184 setup.exe
4184 setup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4184	setup.exe

pid	process
4184	setup.exe
4184	setup.exe
4184	setup.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\LatestFileY1_PassKey_55551\FullSetup\setup.exe	vmprotect
C:\Users\Admin\Downloads\LatestFileY1_PassKey_55551\FullSetup\setup.exe	vmprotect
behavioral1/memory/4184-952-0x0000000000400000-0x0000000000DC0000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2264 schtasks.exe
4232 schtasks.exe

pid	process
2264	schtasks.exe
4232	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133283189734451303"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings chrome.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1792 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

chrome.exechrome.exesetup.exe

pid process

632 chrome.exe
632 chrome.exe
4640 chrome.exe
4640 chrome.exe
4184 setup.exe
4184 setup.exe
4184 setup.exe
4184 setup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	chrome.exe

pid	process
1792	NOTEPAD.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

chrome.exe

pid	process
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe

Suspicious use of FindShellTrayWindow 61 IoCs

Processes:

chrome.exe7zG.exe7zG.exe

pid	process
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
4188	7zG.exe
5096	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 632 wrote to memory of 5028	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 5028	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3672	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1224	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1224	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1640	632	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://softwarance.com/coreldraw-graphics-suite-2022-crack/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb46e39758,0x7ffb46e39768,0x7ffb46e39778
2⤵
PID:5028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:2
2⤵
PID:3672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:8
2⤵
PID:1224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:8
2⤵
PID:1640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3144 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:1
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3172 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:1
2⤵
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:8
2⤵
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:8
2⤵
PID:1008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4800 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:1
2⤵
PID:2432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:8
2⤵
PID:3852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4916 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:1
2⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4460 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5144 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:1
2⤵
PID:3008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3256 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:1
2⤵
PID:2552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5292 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:8
2⤵
PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5452 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:8
2⤵
PID:4152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5380 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:1
2⤵
PID:460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:8
2⤵
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:8
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3228 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:8
2⤵
PID:1788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3136 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:1
2⤵
PID:4724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3296 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:1
2⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6036 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:1
2⤵
PID:1480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5904 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:1
2⤵
PID:2912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6268 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:8
2⤵
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6296 --field-trial-handle=1812,i,6029471880821032454,16387658630521959641,131072 /prefetch:1
2⤵
PID:3724

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1232

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3496

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\LatestFileY1_PassKey_55551\" -spe -an -ai#7zMap9319:114:7zEvent16948
1⤵
- Suspicious use of FindShellTrayWindow
PID:4188

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\LatestFileY1_PassKey_55551\FullSetup\" -spe -an -ai#7zMap16888:134:7zEvent3351
1⤵
- Suspicious use of FindShellTrayWindow
PID:5096

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\LatestFileY1_PassKey_55551\Read.me.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1792

C:\Users\Admin\Downloads\LatestFileY1_PassKey_55551\FullSetup\setup.exe
"C:\Users\Admin\Downloads\LatestFileY1_PassKey_55551\FullSetup\setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4184

C:\Users\Admin\AppData\Roaming\E4Qoi2c5.exe
"C:\Users\Admin\AppData\Roaming\E4Qoi2c5.exe"
2⤵
PID:4900

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 5 /tn "TSTheme Server Module{Q4F5H2C4V3-J6F4M7O4-A3E4F2Q1}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TSTheme\TSTheme.exe"
3⤵
- Creates scheduled task(s)
PID:2264

C:\Windows\SysWOW64\schtasks.exe
/C /Query /XML /TN "TSTheme Server Module{Q4F5H2C4V3-J6F4M7O4-A3E4F2Q1}"
3⤵
PID:2276

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /tn "TSTheme Server Module{Q4F5H2C4V3-J6F4M7O4-A3E4F2Q1}" /XML "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TSTheme\6745645343447557"
3⤵
- Creates scheduled task(s)
PID:4232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
240B

MD5
88c8750d41be38bc7eefcc6eb4bbd316

SHA1
9284e05675c95182eafcd6d4d1e79ee59555e19a

SHA256
c82a10bc6a7dee461b9da7b6a03b15b64ff41ce99bf68216a7bfd2cde1e0aace

SHA512
f41cf44f23e396192d2b2c6d0b279920b25236b2844176eaef26d5734c1774037ba23d91e2ed6716189771ebaac572b12502e42fef0b6ccd8a3e77436ab4ac8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
648B

MD5
3698c805442aacb6c3c6b453d8120862

SHA1
d4a54b2b43aaa0e4aa0d0c3c1dfb9d354c1e4021

SHA256
0f24d5b3ff2d79d816f35cc816cfb3da8b62fe1ffd54c8807cd5b4d847fc1ff9

SHA512
950a1f44fe4227a09ec698160d1096c2efe4e1088409099278d6c8d7cac689959644265d52407bc83866987036e2d5664a2bb9a76388197034e7933a6c384967

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Filesize
20KB

MD5
9980436a9799155b54169e78f7918f76

SHA1
ad91da12a6dc003363a1eef7d590b9579ae44ba3

SHA256
9fdd1776fb36d20826c8a190b64cd147478c18b732b9db1cbabbad857ddd4b9e

SHA512
af9ae5b5e93f591398f76d7c91ac56d4cda4b536f318acb1adb42006d64eff42310d9761ad6c25a3d610f471b805a180a45891fa2037f1a6d8e966886574b92b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
ef1b6298dc68f16efd339a0c4d9b131c

SHA1
80fa40be5945459fa755ecb0db20824f6e3b4a38

SHA256
0958133a0687a31549331fabc7e2316a0e411a5ae1c283ef648e62efe9ab1bc6

SHA512
14e5e59275b9966025728e8052f5162310a949c879e7cfb60ce3c821953469fbaf32db22c5485d5625b65fcf920d2cb81c10eeaa4ec691d3eefc7e19bbfd578a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
42b1cfddaa338f739f9e1c26d377a726

SHA1
c21d76962427a28b841692588e0d0b3007cdeee4

SHA256
6803272c91cdde004de3af529553b5875e156873fd75927474c9f43aa4b0b5e1

SHA512
cb76412141af3b97f0d859ab0b0449fb5390f02507f50d3ce174a2b19df70ae1cdf8680ee5b50cd9f4e3d54d4f99c0f74e85040517487fd371b9e37680a21fc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
31fccb23b0328ad770911da8175a708d

SHA1
456add406171f7ea87d889acad1d20c1f2a7cb61

SHA256
cd2eeb59c675d81c19e99015c552ad2d6f641db75e568d9699e418b6514a72c4

SHA512
0873e6b0b1ad9a70e5f2722fa6f2a109259527f31bcdcb3112fae6f2319026fb70e7c63005dca6895a1d2436f32ff0cebb6094f543a53abbf1b5849aa94f3f84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
9add5b02edb3b298128829f22f2a4c02

SHA1
288c8d29172c32d4874772d56da7875834eb080b

SHA256
c2fcbb86cd9eab7b1b8eee071c917b430c985c40d52414263638a7d115f30c86

SHA512
5001c962497761d1584b29a8c094c97ed5603432d46ae07c6c0ff6d152ed4418e000c462800ffd4559285f38cd0d8097c627bce0e21304406fa8fe4d78dce793

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
3197a13ffb77c5faad490479cef2b9a6

SHA1
97c001c5c45ca541f4de102f2a1e51d4300f1179

SHA256
4a81a180dac67b080a204fbda6fd7f5696b0cc698470741674e57d577412717f

SHA512
b606801f5683764cf5e7cbbd686e3ee40a1620705230176a41d0bfacce8b8e0e7f4d6b6ad56b52daab08627db74f9d0266146ce2a0da9dbadfa5f3ad4aa2cd84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
538B

MD5
ea3fdc106195c86f6732daa16179b083

SHA1
6878bbaf21aa0dd9f3ce2a902f0707c878b6818a

SHA256
4028bd22752593e9f788a896035d8ff819a1c6debed18e305a880c0d0a8ce9fe

SHA512
f4d1ec9c28998d94dce9092371fc654f10d4d3e4174cbb54f065834494cae536c38657fcb24d83a47d97ed36b88f5f12f29d10ddf60df4a2f51bf62cc916235b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
ea3abf39942815177ef56d4b08116a23

SHA1
c6ce93b9605c7a9e9b4115544d77d3ae19228c65

SHA256
17c61196acdcd4e29baf52d07ddb1a2210ab8f75ad1e144dc4821f617a91495f

SHA512
1b717c9bf5862d1b51eeff76f57b1555161e81cabc53b42853ba31044fbc4b757f74f0ac79955cb830168037e5c802801b64f964ee9519d5072b3d546ae98e7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
592efaf845015557310505ecc7d9d66e

SHA1
b5642c5511f7dd38ad33491530d84f034678e5d7

SHA256
f44be71270e1b6bebb3a76bfd800a8c01f77b43940b9958530d67cd3112867c2

SHA512
a63d8ce879b560e9bf7f708a92e85c4894529790810910864b2e6dbc774e507a05bd6c5c3b6b3933e74b766b6a286ab690f0fcc61d3638c194a8c49ba0a4a330

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
ec4a1b6852a453bc4a017c16ed4db25d

SHA1
3d7a119bcf2ce77eabfefae0e719fc7a19c83dd6

SHA256
3f8139a1636166c4fba290b743ffad18e3e60f740ad5e92716ec96f0fad9e9d8

SHA512
6e2a492bd4cf2fe185282df40545b4cadd8cf65f76db171bd6b5a8e07e7d8f2d45d91286be173e0df2f668f99bb8fa1c248c33aaf55ce11e72b815700f8d2c78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
4cf9fd69e5e009247f843e5e5036da0a

SHA1
70546997981a421bddfc6cbe643d1f61bf1e30ff

SHA256
d58b35ffd343217a152696b654a9eb4990ab3c8f5becc2d46660c8419f1da41b

SHA512
b45c5f951353a1b60f8228b76fc7fd5a44912f5bc5286c0b5660e1b11ea6470cd497dcbc7c97d46ae3f18a29b74cc9550783b459affdedf787cd64c663ddbd38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
28571675ba6c17ca7b7a87ecbe54be93

SHA1
cfa20526d7a44e342c19f92e4f6e331f39ec1ace

SHA256
8b7bc993670dc6c0344b8ace81aa1f7225a6bb590c361794630b418e3b10c586

SHA512
992b24610f0a55f7125b2ec41f9ec2104429701cd545ff23dbc3a05936b573ac807554575604299c22180f13e338024958e9a83fae91ee6b239b7cc79961bc59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
dfb3fb5532786318d0851d16d8a440d7

SHA1
f8a04b3d7816b3709d6e8a7aa52bdebd6841e820

SHA256
dcf5f8826f5db267390aae6c5a2fd9ff4af47632ca365c3ffe5b2e998d25479b

SHA512
0d95d3b29e949497b70ae6841928430e614bba1e9ce3f90b643c9cc55e700b291af8b2c0bbfd5f48cd07b0a6ec6fb2d920156e8fa3836955786c11c297d68d66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
f4b0e09594a45ad79282f210529345f5

SHA1
2082d660accb34161c5084f22f37dcd577b0e967

SHA256
393ed9aca9176bcd64dea3c56bd181502daa307d60a0f125b0c52085e4fee175

SHA512
196eaa4609c35dee89774df7e8b15d2babbd3fecb20da40bd46a2310c2da6241b4721d81c797fd4c256d5a6c425b8390d691b8419c915b14dd95e65b4f993af7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
6d562432f2485d32d42c452e8c5a3ef3

SHA1
6da78b64af80103dc23195ce0b3ebaef663ea7aa

SHA256
1efe18493e8a13c71d24f39017fa355070f2aa5b8bcb58525a7e3b881e89a5ca

SHA512
06af980f57f34f61bbb09b34d8a7e809280e7c4fab6976438ac6a2e160152d6919765d0e048d43d41ccfd6c301ba2cd0d78ca21323b041ee0679417397662a4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
4a7a883b692ffb19cf063cc1100ed882

SHA1
41e5b32391de3ea7f202a2f13655441d6b5ac4a4

SHA256
1f99376633c6444ef43520d316d0b219be92b42d0f0f2cf8a596fe9ace34f77b

SHA512
d9741984e06afb14750593e00a95a741563a0d33344d76780059705535144047339fc000b22148fea7d0a9ec069a22f5afe4ba8f728618a5c0bfb5a03a960b80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
149KB

MD5
af19a7fb0dcfcf9c80d25e943253c039

SHA1
050f1bf45b1ab7589b47d9b2d4fa715d635d44db

SHA256
457eab9e6e63e9d78e2ce70a411930b0099f4dba610400d047113771e2992dd1

SHA512
e87d7a33fff3a17e64f00e53484769985c11c49b70d2195e1da6e847d0f8792c8b952cc9a1c817d332b61731a373baee138946e5b8f4cc955cf4275fef4ef146

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
149KB

MD5
c0d03e80a0aca2b7e2db38961a3e7bcd

SHA1
91095a9de36c8dac34747194ccbec12adb8e896c

SHA256
1e041f8eb464f040d0e54e9f9241a477c42e85375cd474c3835ee8c9c9d35d95

SHA512
daac2063fff3cb1072b21dab59597e8334ec0c67960dc16faa313adb0a8be07af1b54a45cf457b06cae4e9c672b1f15f4e54615949e51cb85b9c87c38a2522d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
149KB

MD5
caad56cccd192c287ea6b3a536a9e3c9

SHA1
a3d30236d6cd5a182034d63feadc868157677bdd

SHA256
dbd2c06546b35357838f1919304670d9ca59ec86189fb98419dbf73c8c83c3f6

SHA512
a2cc2fcf9693a43de9c061ef192b54be06bc11a4a73371c93214e9a60179f6ebe579282fbcc2cbffe874f66125a1e54b20416ace10c438b50f99ce19c033b968

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
149KB

MD5
caad56cccd192c287ea6b3a536a9e3c9

SHA1
a3d30236d6cd5a182034d63feadc868157677bdd

SHA256
dbd2c06546b35357838f1919304670d9ca59ec86189fb98419dbf73c8c83c3f6

SHA512
a2cc2fcf9693a43de9c061ef192b54be06bc11a4a73371c93214e9a60179f6ebe579282fbcc2cbffe874f66125a1e54b20416ace10c438b50f99ce19c033b968

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
106KB

MD5
ecb98bc65de4b3a6e6cf301d50cbf958

SHA1
95808a73730016607e2eded8804abebf8b0c45bc

SHA256
fcd882f030211f69874beb02c934252e97851e284f94276f9a4128da01632ac0

SHA512
aa38aef8580a591bd11ea00572a24bb9ac9fc1ce3cfd61cdab34ee6446e8398a736d87828c243c79db4d41ce4e31f55aca043daac081f87385a004b26938b44f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
110KB

MD5
c00c3794651ad1094db4fd62941ef5a0

SHA1
731252da7961ffd1441b77510ffea2525840ec59

SHA256
b425de0dbb682aeeb8d162033d0d244fb23015a1af1df7d985d9b6d31cef4636

SHA512
52d2e211586a3dd764af66a7d1266685a4d3c1edcaabec86f32e9f4d720219d05d627d8d47308109af1616916e57e5d8a45d1ad8029e72f862ddb91fe2a70566

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
100KB

MD5
bf156ceae82015f0b3cace102e456fe4

SHA1
10ac65ba3d735e91c64510fea6b2dc509b1c6598

SHA256
1545c2368aaca2bbef39af01f35b0dec07b19c5c198cfa88b0b9bf7e8ec20aed

SHA512
2a576dca1500ec1b4e9a9aeac2ebc992c3ef4545cc5319a27fcec84519c6630c1d5355545802d7452227b3e04a793e72674128d3ee8f770912654bdcd0b27ce1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
112KB

MD5
7cdca1483ee43d924237b4187bc9ac5e

SHA1
d1c9306afb40ea7b4cd02a236a62f9b341b7ba07

SHA256
c206ba0d403c6cfdc5d8083052f7079576acd7024530392b64c9e19a41306932

SHA512
577caad549a4a5f2efaf1cec74edf44137da8abeb0fe989e4d47ffdcfe1e90e5ca0acf3cb2b2571eb9501a1d00ee8055fdddefa46528fdabfa6941bcda0b4d36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe584253.TMP
Filesize
97KB

MD5
22ff357e4bb363dad627087418d4e289

SHA1
6e5d39219355f4e74032457aace36c1f6b20d662

SHA256
523341a2267e25f9ce1de532375597cb1d4944f0ed1c99efcb6e85486b80ea6c

SHA512
64d3b8ae1c7944351fab021894c07bc06f8d1578f43bf831ba1cd243bfe36759e3ac3cb09b047010b1e0f8e04977b42e5befe828fcd9a80275d270a182381a6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\E4Qoi2c5.exe
Filesize
6.0MB

MD5
fab02f4052aadb65ebe180e58da323b9

SHA1
36ffff98b13e5edcfe560cd42c429f2183789aad

SHA256
dd87e832d0e814f6a5f50c00cc7a8eb7a67ebbc7100973a4a7039b1a905446cb

SHA512
e23d9c14a9aae98fa37e37a36437110940656670387787979c57a95ddc67eb20aa5039c33eef199bbdc84fb348f072e1bf95675084c4bd8d560a990677823779

Download Submit
C:\Users\Admin\AppData\Roaming\E4Qoi2c5.exe
Filesize
6.0MB

MD5
fab02f4052aadb65ebe180e58da323b9

SHA1
36ffff98b13e5edcfe560cd42c429f2183789aad

SHA256
dd87e832d0e814f6a5f50c00cc7a8eb7a67ebbc7100973a4a7039b1a905446cb

SHA512
e23d9c14a9aae98fa37e37a36437110940656670387787979c57a95ddc67eb20aa5039c33eef199bbdc84fb348f072e1bf95675084c4bd8d560a990677823779

Download Submit
C:\Users\Admin\AppData\Roaming\E4Qoi2c5.exe
Filesize
6.0MB

MD5
fab02f4052aadb65ebe180e58da323b9

SHA1
36ffff98b13e5edcfe560cd42c429f2183789aad

SHA256
dd87e832d0e814f6a5f50c00cc7a8eb7a67ebbc7100973a4a7039b1a905446cb

SHA512
e23d9c14a9aae98fa37e37a36437110940656670387787979c57a95ddc67eb20aa5039c33eef199bbdc84fb348f072e1bf95675084c4bd8d560a990677823779

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TSTheme\6745645343447557
Filesize
1KB

MD5
117e7bccd342500e0f8bdc486d687ee2

SHA1
1380258faab2baf5a11353086bc3822718bd7218

SHA256
a8eba270b92c29dca12796f0f2802fedf690a4ef4dd90b9ecb9c889341c7e7e3

SHA512
ba9e4bcc2d26a15a916bf97d94493e8f43de6dcdbc1b0ed53be7e36f37b394ed9c6ba3ed5410d7d14b1b778a0567dfb894af025a902fe301917e3984b55228b0

Download Submit
C:\Users\Admin\Downloads\LatestFileY1_PassKey_55551.rar
Filesize
14.9MB

MD5
753e49295a38fa60e4dde227810af5c0

SHA1
bcdfdef03968f1909302bd638f3dfde5c2b64e19

SHA256
d67c3ea7e4144dbf85a4a8abdcce93660a6f890fd7831854fe883e569ed68414

SHA512
4ba7c34614d89c421bec22deade1dbd4956388a5020044f2e87d86b1537db0afe4512bb9eda1ebaf66a9225796246fcca530cc5764d55aadf6586964457fd5c5

Download Submit
C:\Users\Admin\Downloads\LatestFileY1_PassKey_55551\FullSetup.rar
Filesize
14.9MB

MD5
c8a67f256bf631b58baec15f5f4be4b1

SHA1
915f07e4dfc2f01ef1922c55a28fdde76cb6f7ec

SHA256
4b8743c942f7a21a73e40659fc548ea9018375b2547b9d5c0d71ebf8c3fcd779

SHA512
a04699a67b343ddffd863e1d74bd512f2df6f3ecd3ecaf77a5386911c9e211a4b6af870d2592a12be7a267b9846c704dc272ca9c05ea48173d5f4f533ef6f5a6

Download Submit
C:\Users\Admin\Downloads\LatestFileY1_PassKey_55551\FullSetup\setup.exe
Filesize
201.7MB

MD5
566a5da2a27e9a5edd1403b79dfffc7e

SHA1
ad388de9b15857e65df52c072a1d0aaf27753df5

SHA256
aac91f66b812a231fd17d9dde6ee01f8015b3e165cf9405150fff0d40ddf9451

SHA512
c184a72a921fda1a54402b7ad525bc7148f154615e404fd7c14ba6197a0620293081413e8b9d68caa98515c5f6645675bd2bd0928981e4cf94cbe0370add0b79

Download Submit
C:\Users\Admin\Downloads\LatestFileY1_PassKey_55551\FullSetup\setup.exe
Filesize
195.7MB

MD5
07672ba65f8f0ebc5cccb97a4c3a9c26

SHA1
3ae1fa0b03a1e021772c63333591dabe2e0508aa

SHA256
ca168acb07662f67fa429ebe30221ba191f2f0d3dfe9e649736db298c9d006c9

SHA512
583c7dbabdf2cda7e95c7e28bc4db5344c1ebf282f05cbe5aa44fa42021bf534810f2d468be26c2fbcba876af47125ef13a99f4646ce0c1d1177dce87470b47f

Download Submit
C:\Users\Admin\Downloads\LatestFileY1_PassKey_55551\Read.me.txt
Filesize
130B

MD5
e07a8409049576e72c1ee11c15cd4930

SHA1
b1221ccfc13ebe95b7bda241c217b6e55a8869b3

SHA256
b86d7740aeb7ab9d0e8b034abc57d7bf77cab6ce4eb1384f2f16c594404a7071

SHA512
0bc15fdf8b424bd27e3a8a15ad61fcbb30ab0632efec122a4551f41e00da720d80b857db846892bba842b4fb347ac710212865b0089f1c9bbf04899e86bff7c4

Download Submit
\??\pipe\crashpad_632_WPSPPWKKRLSEECXN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4184-950-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/4184-952-0x0000000000400000-0x0000000000DC0000-memory.dmp

Filesize
9.8MB

Download
memory/4184-951-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4184-949-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/4184-1000-0x0000000061E00000-0x0000000061EF1000-memory.dmp

Filesize
964KB

Download
memory/4184-948-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/4184-947-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/4184-946-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/4184-945-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/4900-1019-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/4900-1020-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/4900-1021-0x0000000000400000-0x0000000000D5E000-memory.dmp

Filesize
9.4MB

Download

pid	process
632	chrome.exe
632	chrome.exe
4640	chrome.exe
4640	chrome.exe
4184	setup.exe
4184	setup.exe
4184	setup.exe
4184	setup.exe