ryuk | hxxps://www[.]mediafire[.]com/file/g6gxwtcv8egpez2/%2521Dont_Forget_To_Leave_A_like_Or_Rep[.]zip/file

Analysis

max time kernel
923s
max time network
924s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
23-08-2022 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/g6gxwtcv8egpez2/%2521Dont_Forget_To_Leave_A_like_Or_Rep.zip/file

Score

10^/10

ryuk ransomware upx

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Best Bruteforcers For Pro Crackers\Sentry MBA 1.4.1 [Bruteforcer]\ToCheck\riotgames_1518365752.txt

Family

ryuk

Ransom Note

AIl For One:AIl For One AIl For One:AIl For One123 AbbesLuFZ:AbbesLuFZ123 Altanne:Altanne ArgiliecCharasa:ArgiliecCharasa ArrayEU:ArrayEU123 Ashes of Fenix:Ashes of Fenix123 BL Incidious:BL Incidious Bammi:Bammi Bammi:Bammi123 Bot Shacô:Bot Shacô123 Cambio De Nombre:Cambio De Nombre Cambio De Nombre:Cambio De Nombre123 Chengy:Chengy123 Cosine:Cosine123 DarkNoodles:DarkNoodles DatDragi:DatDragi DrStonehoof:DrStonehoof123 Duffers:Duffers Ethg:Ethg Flamien:Flamien Flashbone:Flashbone123 Færys:Færys123 Ghuntan:Ghuntan123 Give me mid pIs:Give me mid pIs Gliedeon:Gliedeon HDz BooLi:HDz BooLi Hackfruchtsalat:Hackfruchtsalat HarryTheRetard:HarryTheRetard Hi im Yacin:Hi im Yacin123 InsaneMecaniX:InsaneMecaniX123 Jhanaa:Jhanaa123 Jmaniac2:Jmaniac2123 Kaasbomber:Kaasbomber123 KisseMisse:KisseMisse123 Klajt:Klajt Lean EasyMac:Lean EasyMac Lombrick:Lombrick M Fringe:M Fringe M1N1 GANZALEZ:M1N1 GANZALEZ123 MentalCOP:MentalCOP Miika:Miika123 MonsieurHAZAGI:MonsieurHAZAGI MonsterVo1com:MonsterVo1com MyJaxInUrViJanna:MyJaxInUrViJanna123 Méllow:Méllow NG XMisterLapinX:NG XMisterLapinX NH Shurima:NH Shurima123 NaKï:NaKï123 NeQs:NeQs123 NoOpex:NoOpex Pain Beurré:Pain Beurré Perly:Perly123 RisinGHand:RisinGHand123 Ryukun37:Ryukun37 Ryukun37:Ryukun37123 Ryuseikai:Ryuseikai123 Ryze Targaryen:Ryze Targaryen123 Sabbor:Sabbor Sabbor:Sabbor123 Scott Flynt:Scott Flynt Shynëse:Shynëse Shynëse:Shynëse123 SoloQ BaitMaster:SoloQ BaitMaster SoloQ BaitMaster:SoloQ BaitMaster123 StarSaph:StarSaph The stoned cruck:The stoned cruck123 TrashReaction:TrashReaction VOID Spîrit:VOID Spîrit VOID Spîrit:VOID Spîrit123 VoxsOf:VoxsOf XizzelPewPew:XizzelPewPew123 ZaigonoxTV:ZaigonoxTV123 ZbaYlish:ZbaYlish123 acdc:acdc acdc:acdc123 bitouille:bitouille blackdarkside:blackdarkside blackdarkside:blackdarkside123 dabswow:dabswow123 dignityyy:dignityyy hide ºn bush:hide ºn bush ilsonoita:ilsonoita promalphite123:promalphite123 promalphite123:promalphite123123 sannerligen:sannerligen stop feed Shaco:stop feed Shaco xxglaederxx:xxglaederxx xxglaederxx:xxglaederxx123

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 45 IoCs

Processes:

ChromeRecovery.exeAntiPublic.exeDorkCombine.exeSplitOrJoin0.2.exeDorkgen.exeLazy Mans Dork Gen v0.2.exeGorker Private - Black Edition.exeDork Generator v1.0.exeDork Maker V2.exeDorkWorker V1.1.13_Cracked.exeQuickDork Cracked.exeTSP Dork generator hot edition.exeKeywordCreator.exeBotop Combo Utilities.exeKidux AntiPublic v1.0.1.exeTextUtils.exeDorks Generator by UCT [1.0].exeHash Cracking v1.0.exeMultiHashChecker.exeOnline Reverse Hash Tool v3.3.exeAntiPublic.exeSQLi Dumper.exeSQLi v.8.0.exeSQLi v.8.5.exeTextUtils.exeWork With Dorks.exeUpdate.exeWork With Dork_v_2_1.exeSQLi v.8.5.exeSQLi Dorks Generator By The N3RoX.exeSplitOrJoin0.2.exeSLAYER Leecher v0.6.exeQuickDork Cracked.exeMultiHashChecker.exeLazy Mans Dork Gen v0.2.exeKeyword Scraper.vshost.exeKeyword Scraper.exeHash Cracking v1.0.exegScrape.exeGorker Private.exeGorker Private - Black Edition.exefSplit.exeEz_Dork_Gen_Deluxe.exeEz Dork Gen Black Edition.exeElite Dups Remover 1.5.exe

pid	process
4540	ChromeRecovery.exe
348	AntiPublic.exe
1432	DorkCombine.exe
4156	SplitOrJoin0.2.exe
1380	Dorkgen.exe
2524	Lazy Mans Dork Gen v0.2.exe
4788	Gorker Private - Black Edition.exe
1604	Dork Generator v1.0.exe
3308	Dork Maker V2.exe
4696	DorkWorker V1.1.13_Cracked.exe
1440	QuickDork Cracked.exe
3736	TSP Dork generator hot edition.exe
3728	KeywordCreator.exe
5048	Botop Combo Utilities.exe
1132	Kidux AntiPublic v1.0.1.exe
4772	TextUtils.exe
452	Dorks Generator by UCT [1.0].exe
4844	Hash Cracking v1.0.exe
2208	MultiHashChecker.exe
4172	Online Reverse Hash Tool v3.3.exe
2112	AntiPublic.exe
4928	SQLi Dumper.exe
1336	SQLi v.8.0.exe
4772	SQLi v.8.5.exe
4880	TextUtils.exe
1432	Work With Dorks.exe
636	Update.exe
3216	Work With Dork_v_2_1.exe
5096	SQLi v.8.5.exe
4744	SQLi Dorks Generator By The N3RoX.exe
2076	SplitOrJoin0.2.exe
2484	SLAYER Leecher v0.6.exe
2724	QuickDork Cracked.exe
3960	MultiHashChecker.exe
1484	Lazy Mans Dork Gen v0.2.exe
3932	Keyword Scraper.vshost.exe
2168	Keyword Scraper.exe
1804	Hash Cracking v1.0.exe
3592	gScrape.exe
4212	Gorker Private.exe
4644	Gorker Private - Black Edition.exe
4360	fSplit.exe
5048	Ez_Dork_Gen_Deluxe.exe
536	Ez Dork Gen Black Edition.exe
4932	Elite Dups Remover 1.5.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4172-858-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/4172-1169-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/4172-1257-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Loads dropped DLL 26 IoCs

Processes:

DorkCombine.exeGorker Private - Black Edition.exeDorkWorker V1.1.13_Cracked.exeBotop Combo Utilities.exe

pid	process
1432	DorkCombine.exe
1432	DorkCombine.exe
1432	DorkCombine.exe
1432	DorkCombine.exe
1432	DorkCombine.exe
1432	DorkCombine.exe
1432	DorkCombine.exe
1432	DorkCombine.exe
1432	DorkCombine.exe
1432	DorkCombine.exe
1432	DorkCombine.exe
1432	DorkCombine.exe
1432	DorkCombine.exe
1432	DorkCombine.exe
1432	DorkCombine.exe
1432	DorkCombine.exe
4788	Gorker Private - Black Edition.exe
4788	Gorker Private - Black Edition.exe
4788	Gorker Private - Black Edition.exe
4788	Gorker Private - Black Edition.exe
4696	DorkWorker V1.1.13_Cracked.exe
4696	DorkWorker V1.1.13_Cracked.exe
5048	Botop Combo Utilities.exe
5048	Botop Combo Utilities.exe
5048	Botop Combo Utilities.exe
5048	Botop Combo Utilities.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

7zG.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\Gorker Private - Black Edition\desktop.ini	7zG.exe
File created	C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Hash Tool\Hash Cracking v1.0\desktop.ini	7zG.exe
File opened for modification	C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Hash Tool\Hash Cracking v1.0\desktop.ini	7zG.exe
File created	C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\Gorker Private - Black Edition\desktop.ini	7zG.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir228_1031531445\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir228_1031531445\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir228_1031531445\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir228_1031531445\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir228_1031531445\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir228_1031531445\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir228_1031531445\manifest.json	elevation_service.exe

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3284	348	WerFault.exe	AntiPublic.exe
2928	452	WerFault.exe	Dorks Generator by UCT [1.0].exe
800	2112	WerFault.exe	AntiPublic.exe
724	1432	WerFault.exe	Work With Dorks.exe
32	3216	WerFault.exe	Work With Dork_v_2_1.exe
3064	2484	WerFault.exe	SLAYER Leecher v0.6.exe
5068	3932	WerFault.exe	Keyword Scraper.vshost.exe
3248	4212	WerFault.exe	Gorker Private.exe
836	2168	WerFault.exe	Keyword Scraper.exe
4732	3592	WerFault.exe	gScrape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 9 IoCs

Processes:

TextUtils.exeTextUtils.exechrome.exeOpenWith.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Text Utils Pack\Icon = "SHELL32.dll,134"	TextUtils.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Text Utils Pack\SubCommands = "DupRem;BaseEqual;Normalizer;GetLogins;GetPasswords;DomensSplit;DeleteDomens;MergeBase;Dsplit;Drandom;DBufer;DeleteTextUtils;InfoTextUtils"	TextUtils.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Text Utils Pack\SubCommands = "DupRem;BaseEqual;Normalizer;GetLogins;GetPasswords;DomensSplit;DeleteDomens;MergeBase;Dsplit;Drandom;DBufer;DeleteTextUtils;InfoTextUtils"	TextUtils.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Text Utils Pack	TextUtils.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Text Utils Pack\MUIVerb = "Text Utils Pack"	TextUtils.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Text Utils Pack\MUIVerb = "Text Utils Pack"	TextUtils.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Text Utils Pack\Icon = "SHELL32.dll,134"	TextUtils.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DorkCombine.exe

pid process

1432 DorkCombine.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeSQLi v.8.5.exeSQLi v.8.5.exe

pid	process
4680	chrome.exe
4680	chrome.exe
892	chrome.exe
892	chrome.exe
4892	chrome.exe
4892	chrome.exe
204	chrome.exe
204	chrome.exe
560	chrome.exe
560	chrome.exe
2704	chrome.exe
2704	chrome.exe
2116	chrome.exe
2116	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
4844	chrome.exe
4844	chrome.exe
3924	chrome.exe
3924	chrome.exe
4400	chrome.exe
4400	chrome.exe
4772	SQLi v.8.5.exe
5096	SQLi v.8.5.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

DorkCombine.exe

pid process

1432 DorkCombine.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

Processes:

chrome.exe

pid	process
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

7zG.exe7zG.exe7zG.exe7zG.exe7zG.exeTSP Dork generator hot edition.exeTextUtils.exeDorks Generator by UCT [1.0].exeHash Cracking v1.0.exeBotop Combo Utilities.exeAUDIODG.EXESQLi v.8.5.exeTextUtils.exeSQLi v.8.5.exeHash Cracking v1.0.exe

description	pid	process
Token: SeRestorePrivilege	2492	7zG.exe
Token: 35	2492	7zG.exe
Token: SeSecurityPrivilege	2492	7zG.exe
Token: SeSecurityPrivilege	2492	7zG.exe
Token: SeRestorePrivilege	1672	7zG.exe
Token: 35	1672	7zG.exe
Token: SeSecurityPrivilege	1672	7zG.exe
Token: SeSecurityPrivilege	1672	7zG.exe
Token: SeRestorePrivilege	5016	7zG.exe
Token: 35	5016	7zG.exe
Token: SeSecurityPrivilege	5016	7zG.exe
Token: SeSecurityPrivilege	5016	7zG.exe
Token: SeRestorePrivilege	2540	7zG.exe
Token: 35	2540	7zG.exe
Token: SeSecurityPrivilege	2540	7zG.exe
Token: SeSecurityPrivilege	2540	7zG.exe
Token: SeRestorePrivilege	4316	7zG.exe
Token: 35	4316	7zG.exe
Token: SeSecurityPrivilege	4316	7zG.exe
Token: SeSecurityPrivilege	4316	7zG.exe
Token: SeDebugPrivilege	3736	TSP Dork generator hot edition.exe
Token: SeDebugPrivilege	4772	TextUtils.exe
Token: SeDebugPrivilege	452	Dorks Generator by UCT [1.0].exe
Token: SeDebugPrivilege	4844	Hash Cracking v1.0.exe
Token: SeDebugPrivilege	5048	Botop Combo Utilities.exe
Token: 33	4720	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4720	AUDIODG.EXE
Token: SeDebugPrivilege	4772	SQLi v.8.5.exe
Token: SeDebugPrivilege	4880	TextUtils.exe
Token: SeDebugPrivilege	5096	SQLi v.8.5.exe
Token: SeDebugPrivilege	1804	Hash Cracking v1.0.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

DorkCombine.exeOnline Reverse Hash Tool v3.3.exeOpenWith.exeSQLi Dorks Generator By The N3RoX.exe

pid process

1432 DorkCombine.exe
4172 Online Reverse Hash Tool v3.3.exe
3372 OpenWith.exe
4744 SQLi Dorks Generator By The N3RoX.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 892 wrote to memory of 936	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 936	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1772	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4680	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 4680	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 5012	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 5012	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 5012	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 5012	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 5012	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 5012	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 5012	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 5012	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 5012	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 5012	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 5012	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 5012	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 5012	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 5012	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 5012	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 5012	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 5012	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 5012	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 5012	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 5012	892	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.mediafire.com/file/g6gxwtcv8egpez2/%2521Dont_Forget_To_Leave_A_like_Or_Rep.zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xb0,0xa8,0xd4,0xac,0xd8,0x7ffaa0b74f50,0x7ffaa0b74f60,0x7ffaa0b74f70
2⤵
PID:936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1704 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1644 /prefetch:2
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2324 /prefetch:8
2⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1
2⤵
PID:3816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2904 /prefetch:1
2⤵
PID:2380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4272 /prefetch:8
2⤵
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
2⤵
PID:3676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
2⤵
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
2⤵
PID:3552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
2⤵
PID:4552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
2⤵
PID:768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
2⤵
PID:4308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
2⤵
PID:376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
2⤵
PID:4116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
2⤵
PID:4332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
2⤵
PID:4816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6380 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
2⤵
PID:4716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
2⤵
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
2⤵
PID:2680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7192 /prefetch:8
2⤵
PID:248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6324 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7228 /prefetch:8
2⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7184 /prefetch:8
2⤵
PID:4352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7160 /prefetch:8
2⤵
PID:3268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
2⤵
PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=772 /prefetch:8
2⤵
PID:3960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6712 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6848 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2380 /prefetch:8
2⤵
PID:4704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2364 /prefetch:8
2⤵
PID:2160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6064 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4464 /prefetch:8
2⤵
PID:4068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6128 /prefetch:8
2⤵
PID:3812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7536 /prefetch:8
2⤵
PID:940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
2⤵
PID:540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1344 /prefetch:1
2⤵
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
2⤵
PID:3776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
2⤵
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1016 /prefetch:1
2⤵
PID:260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1048 /prefetch:1
2⤵
PID:1104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
2⤵
PID:4872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
2⤵
PID:1552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2392 /prefetch:1
2⤵
PID:2864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,1282686186767817688,16599391286396830544,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
2⤵
PID:2724

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:228

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir228_1031531445\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir228_1031531445\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={ea183c26-f7c7-4e77-8515-8425f1f797b3} --system
2⤵
- Executes dropped EXE
PID:4540

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3880

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\" -spe -an -ai#7zMap14440:132:7zEvent15113
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\" -spe -an -ai#7zMap20024:208:7zEvent20085
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\" -spe -an -ai#7zMap9738:208:7zEvent32133
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5016

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!!READ THIS FOLDER FIRST!!!!!!!!\Message for graphics designers.txt
1⤵
PID:3760

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\" -spe -an -ai#7zMap3920:234:7zEvent21054
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\*\" -spe -an -ai#7zMap10440:4758:7zEvent32603
1⤵
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\!Antipublic\AntiPublic.exe
"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\!Antipublic\AntiPublic.exe"
1⤵
- Executes dropped EXE
PID:348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 348 -s 696
2⤵
- Program crash
PID:3284

C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\Dork Combine v1.2 by Volevanya\Dork Combine by Volevanya\DorkCombine.exe
"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\Dork Combine v1.2 by Volevanya\Dork Combine by Volevanya\DorkCombine.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1432

C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Split Combos\Combo Splitter\SplitOrJoin0.2.exe
"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Split Combos\Combo Splitter\SplitOrJoin0.2.exe"
1⤵
- Executes dropped EXE
PID:4156

C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\Dorkgen by calix\Dorkgen.exe
"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\Dorkgen by calix\Dorkgen.exe"
1⤵
- Executes dropped EXE
PID:1380

C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\Lazy Mans Dork Gen v0.2\Lazy Mans Dork Gen v0.2.exe
"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\Lazy Mans Dork Gen v0.2\Lazy Mans Dork Gen v0.2.exe"
1⤵
- Executes dropped EXE
PID:2524

C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\Gorker Private - Black Edition\Gorker Private - Black Edition.exe
"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\Gorker Private - Black Edition\Gorker Private - Black Edition.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4788

C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\Dork Generator v1.0 by kidux\Dork Generator v1.0.exe
"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\Dork Generator v1.0 by kidux\Dork Generator v1.0.exe"
1⤵
- Executes dropped EXE
PID:1604

C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\Dork Maker V2 By Calix\Dork Maker V2.exe
"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\Dork Maker V2 By Calix\Dork Maker V2.exe"
1⤵
- Executes dropped EXE
PID:3308

C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\DorkWorker 1.1.13 (Latest) Cracked\DorkWorker V1.1.13_Cracked.exe
"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\DorkWorker 1.1.13 (Latest) Cracked\DorkWorker V1.1.13_Cracked.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4696

C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\QuickDork Cracked\QuickDork Cracked.exe
"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\QuickDork Cracked\QuickDork Cracked.exe"
1⤵
- Executes dropped EXE
PID:1440

C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\TSP Dork generator v8.0\TSP Dork generator hot edition.exe
"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\TSP Dork generator v8.0\TSP Dork generator hot edition.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Keyword Scraper\KeywordCreator.exe
"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Keyword Scraper\KeywordCreator.exe"
1⤵
- Executes dropped EXE
PID:3728

C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Utils\Combo Creator\Botop Combo Utilities.exe
"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Utils\Combo Creator\Botop Combo Utilities.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Utils\Kidux_AntiPublic_v1.0.1\Kidux AntiPublic v1.0.1.exe
"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Utils\Kidux_AntiPublic_v1.0.1\Kidux AntiPublic v1.0.1.exe"
1⤵
- Executes dropped EXE
PID:1132

C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Utils\TextUtils\TextUtils.exe
"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Utils\TextUtils\TextUtils.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\Dork Tools\DorksGenerator by UCT\Dorks Generator by UCT [1.0].exe
"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Dork Tools\Dork Tools\DorksGenerator by UCT\Dorks Generator by UCT [1.0].exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 1708
2⤵
- Program crash
PID:2928

C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Hash Tool\Hash Cracking v1.0\Hash Cracking v1.0.exe
"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Hash Tool\Hash Cracking v1.0\Hash Cracking v1.0.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Hash Tool\Multi-Hash-Checker\MultiHashChecker.exe
"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Hash Tool\Multi-Hash-Checker\MultiHashChecker.exe"
1⤵
- Executes dropped EXE
PID:2208

C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Hash Tool\Reverse Hash Tool\Online Reverse Hash Tool v3.3.exe
"C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools\Combo Tools\Hash Tool\Reverse Hash Tool\Online Reverse Hash Tool v3.3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4172

C:\Users\Admin\Desktop\exe\AntiPublic.exe
"C:\Users\Admin\Desktop\exe\AntiPublic.exe"
1⤵
- Executes dropped EXE
PID:2112

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2112 -s 676
2⤵
- Program crash
PID:800

C:\Users\Admin\Desktop\exe\SQLi Dumper.exe
"C:\Users\Admin\Desktop\exe\SQLi Dumper.exe"
1⤵
- Executes dropped EXE
PID:4928

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Users\Admin\Desktop\exe\SQLi v.8.0.exe
"C:\Users\Admin\Desktop\exe\SQLi v.8.0.exe"
1⤵
- Executes dropped EXE
PID:1336

C:\Users\Admin\Desktop\exe\SQLi v.8.5.exe
"C:\Users\Admin\Desktop\exe\SQLi v.8.5.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Users\Admin\Desktop\exe\TextUtils.exe
"C:\Users\Admin\Desktop\exe\TextUtils.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3372

C:\Users\Admin\Desktop\exe\Work With Dorks.exe
"C:\Users\Admin\Desktop\exe\Work With Dorks.exe"
1⤵
- Executes dropped EXE
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1012
2⤵
- Program crash
PID:724

C:\Users\Admin\Desktop\exe\Update.exe
"C:\Users\Admin\Desktop\exe\Update.exe"
1⤵
- Executes dropped EXE
PID:636

C:\Users\Admin\Desktop\exe\Work With Dork_v_2_1.exe
"C:\Users\Admin\Desktop\exe\Work With Dork_v_2_1.exe"
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 1012
2⤵
- Program crash
PID:32

C:\Users\Admin\Desktop\exe\SQLi v.8.5.exe
"C:\Users\Admin\Desktop\exe\SQLi v.8.5.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Users\Admin\Desktop\exe\SQLi Dorks Generator By The N3RoX.exe
"C:\Users\Admin\Desktop\exe\SQLi Dorks Generator By The N3RoX.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4744

C:\Users\Admin\Desktop\exe\SplitOrJoin0.2.exe
"C:\Users\Admin\Desktop\exe\SplitOrJoin0.2.exe"
1⤵
- Executes dropped EXE
PID:2076

C:\Users\Admin\Desktop\exe\SLAYER Leecher v0.6.exe
"C:\Users\Admin\Desktop\exe\SLAYER Leecher v0.6.exe"
1⤵
- Executes dropped EXE
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 1076
2⤵
- Program crash
PID:3064

C:\Users\Admin\Desktop\exe\QuickDork Cracked.exe
"C:\Users\Admin\Desktop\exe\QuickDork Cracked.exe"
1⤵
- Executes dropped EXE
PID:2724

C:\Users\Admin\Desktop\exe\MultiHashChecker.exe
"C:\Users\Admin\Desktop\exe\MultiHashChecker.exe"
1⤵
- Executes dropped EXE
PID:3960

C:\Users\Admin\Desktop\exe\Lazy Mans Dork Gen v0.2.exe
"C:\Users\Admin\Desktop\exe\Lazy Mans Dork Gen v0.2.exe"
1⤵
- Executes dropped EXE
PID:1484

C:\Users\Admin\Desktop\exe\Keyword Scraper.vshost.exe
"C:\Users\Admin\Desktop\exe\Keyword Scraper.vshost.exe"
1⤵
- Executes dropped EXE
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 744
2⤵
- Program crash
PID:5068

C:\Users\Admin\Desktop\exe\Keyword Scraper.exe
"C:\Users\Admin\Desktop\exe\Keyword Scraper.exe"
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1012
2⤵
- Program crash
PID:836

C:\Users\Admin\Desktop\exe\Hash Cracking v1.0.exe
"C:\Users\Admin\Desktop\exe\Hash Cracking v1.0.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Users\Admin\Desktop\exe\gScrape.exe
"C:\Users\Admin\Desktop\exe\gScrape.exe"
1⤵
- Executes dropped EXE
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1012
2⤵
- Program crash
PID:4732

C:\Users\Admin\Desktop\exe\Gorker Private.exe
"C:\Users\Admin\Desktop\exe\Gorker Private.exe"
1⤵
- Executes dropped EXE
PID:4212

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4212 -s 916
2⤵
- Program crash
PID:3248

C:\Users\Admin\Desktop\exe\Gorker Private - Black Edition.exe
"C:\Users\Admin\Desktop\exe\Gorker Private - Black Edition.exe"
1⤵
- Executes dropped EXE
PID:4644

C:\Users\Admin\Desktop\exe\Ez_Dork_Gen_Deluxe.exe
"C:\Users\Admin\Desktop\exe\Ez_Dork_Gen_Deluxe.exe"
1⤵
- Executes dropped EXE
PID:5048

C:\Users\Admin\Desktop\exe\fSplit.exe
"C:\Users\Admin\Desktop\exe\fSplit.exe"
1⤵
- Executes dropped EXE
PID:4360

C:\Users\Admin\Desktop\exe\Ez Dork Gen Black Edition.exe
"C:\Users\Admin\Desktop\exe\Ez Dork Gen Black Edition.exe"
1⤵
- Executes dropped EXE
PID:536

C:\Users\Admin\Desktop\exe\Elite Dups Remover 1.5.exe
"C:\Users\Admin\Desktop\exe\Elite Dups Remover 1.5.exe"
1⤵
- Executes dropped EXE
PID:4932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir228_1031531445\ChromeRecovery.exe
Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep.zip
Filesize
812.2MB

MD5
29b93c712445a4261dc420a507f125ee

SHA1
0e54997e178f22b0ebfc376493fad2338199b796

SHA256
b0eee88252ae3df7162286d3adc00567c6b5818740a9ca9073f379185b16a8d5

SHA512
38632e39323e3a7ddd7e0f54ca5ce74aa62e6a8028bf2769524e267cad1cf2c448cab8b4a38b6e1d0c86881ac7c53566dfcb19dd2b801b2ad478ef1d5a7471dd

Download Submit
C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0.rar
Filesize
812.2MB

MD5
cbeffbe56404b9207f3793ea73e42a5f

SHA1
e3295e1fb693b301f543f0e118fc627b2361696c

SHA256
1f0676910a7df7212d60d87ea4913b109b9f26c2b0b741112e3d02d263b7ce57

SHA512
0a1f6f48dff229cf63fd9b3f19d87143c155ce7f934bd988d1d77edefedd65f50bfa308fbe8f70d565dc64355674c6117c866345b9d5ee66a2bc7ca895d9c64e

Download Submit
C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!!READ THIS FOLDER FIRST!!!!!!!!\Message for graphics designers.txt
Filesize
245B

MD5
2bae38f661bff3920602812f0b964375

SHA1
a552e6a86f92247fd2ab73c602d537630374148d

SHA256
5851bede54b6d0a38efd62d19e1286ce86f2e17b441e4b99d015965d1c13363f

SHA512
efc76652b194df48ca4579cb226bb6678cbb5d044a37d9c6efac20d4d7fd8697adbd944db4ad66432ff4dfb6f81a0a3ef5dd57df3f255e4223b0657fca349352

Download Submit
C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Best Bruteforcers For Pro Crackers.rar
Filesize
120.5MB

MD5
5d21000fff19115655de38ebc787c318

SHA1
341c46e5378637c37f581d4be9f036194d6f62a0

SHA256
53f5c89a34b0ca9e6df55b96d2ef1f8f3b1e87e5b1d2a79a161195ca1e047458

SHA512
db2de31510d8c19b0785d413a8d83d56245689944851b6c51661bae69ce43581b38b3631170924e6b68886c96eeff35074f962df22eb51b21e1373d0a70a943a

Download Submit
C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Combo Tools.rar
Filesize
83.8MB

MD5
0668600567d8f9949a7094260ecef10d

SHA1
b0e15b7977a2bd427c76932f8fde9eccd3950d40

SHA256
5d240db4708dc18696e93486ceee50b43ee96c4c761a9d6cf95fd9788c73042f

SHA512
ee4c5ce64a906dda8dd7dae325ffc48c577768bcf4a9b9f554da40986d0fcb91d56b13551a04304b6ba19e82f8fd39cb8cfbd5e8ab9dfef80d3efd9a97085371

Download Submit
C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Configs for all Bruteforcers can be found here.rar
Filesize
10.2MB

MD5
874cefbf7228a628683b61ca9b53fd4f

SHA1
6f470c4036d237060d5c60ed0f97bd79c87f25c2

SHA256
4c50bd1da2080c317d8ad8cb14823ef3c163d7d40fb80e0d17735dba88ffdb4c

SHA512
1dfbf845eaf11e64f1d45bc09e620568f33e6e70e16f1957b583320a53a0c327ff00009e818b34a6926feea07e507de40cb31339f8f1e752c9148175fed2b9f2

Download Submit
C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Proxy Scrapers.rar
Filesize
258.9MB

MD5
573ac0877ad2901a0d8af856493aabbb

SHA1
07fc27303fb68ede711188cc3492fdb9d8a4b63b

SHA256
2d4c2c3e6ccd51001bc5307abd50acfba012bd396baf27787c27f0c29a9b8757

SHA512
d0eceb1e768b253f55ea336244706fc0c543668dcf8c83cb9878779909a2e3a3179e90e7bd6acabfc363ff3692a226af0b312543ad92573d5797b1b7961e43fe

Download Submit
C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\!Special Guides and Methods.rar
Filesize
2.7MB

MD5
b2b6535f36b221b7d684ac22bdedfd0d

SHA1
88eb0bc611f2ee8218eb8609360552d603318fb9

SHA256
8eecfce04dbb48b7d69d7d0de9c47bf53f1d1d5fcf5a6615d871f274eafaf56f

SHA512
2ee8621e17d1f5a5ece9d41b859ef820f3c854d1d1e57625a9a7447dca29c5ee47fdbafcccdd5f332c79a8f2cf8e2a7989d452a0331478098a85f12a167c5708

Download Submit
C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\Adobe Software Pre-Activated.rar
Filesize
558B

MD5
c3c8bb2917897f7d4c39ca40956c7978

SHA1
46922b882853ccc059105ce6af268bc66ba4f14f

SHA256
804d50e77a1c9626c646d5f3b694c4537e990b190f697da39403177e3e902b7c

SHA512
8470cdf298a8da17d7275eb3581abeca9c20a9d6caaa41d0da3b799fa814c4daa66a9056e3a8dc763158fa0c91b0888d6fecf06597952fb843e239125ca25a9d

Download Submit
C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\Checkers By DarkDante.rar
Filesize
39.5MB

MD5
494ff03dbb20d5ac3d2972216d4d58da

SHA1
6f7f75aa22d04c14105cbf0ca22f727c015ddab4

SHA256
57340d320b1a4e24dce36041df41a011ea2f614c95beb7124a6f8f9b8458d542

SHA512
0544de0d555cfad1dff457b64582167a71fd24fa1cedc49b39d6c2d8f64391e50aaa223ed25423dac61039fe72c0891bfdb36f3ea5a3e1343aa027f3a98400bb

Download Submit
C:\Users\Admin\Downloads\!Dont Forget To Leave A like Or Rep\!Ultimate Checking Pack - Version 7.0\Checkers by m1st.rar
Filesize
6.3MB

MD5
0461987045fdfda74d233e837c90c64f

SHA1
1b53080da96e482dcd9ca8c8bcf1b4c342915159

SHA256
06842f19df4d99075d680d939d3be43d69068fefaa4f1b5c89b87198caddf17b

SHA512
38aba7456aba1926e94318a0c1fa66e9c697a7a8c9b0f02150f11c40ad09dcce1b12b0cd69db9486197bf9032fd1ea0c5a129e37473ec1f9126d9313faca79be

Download Submit
\??\pipe\crashpad_892_MKNRFBMIBJOXIPYR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/348-204-0x00000000008C0000-0x00000000008F4000-memory.dmp

Filesize
208KB

Download
memory/452-1069-0x0000000000D60000-0x0000000000D7C000-memory.dmp

Filesize
112KB

Download
memory/452-1009-0x0000000000390000-0x00000000003B2000-memory.dmp

Filesize
136KB

Download
memory/1132-942-0x0000000000740000-0x00000000007AE000-memory.dmp

Filesize
440KB

Download
memory/1132-1006-0x0000000007460000-0x00000000074C2000-memory.dmp

Filesize
392KB

Download
memory/1336-1276-0x0000000000A20000-0x0000000000C76000-memory.dmp

Filesize
2.3MB

Download
memory/1380-498-0x0000000005590000-0x000000000559A000-memory.dmp

Filesize
40KB

Download
memory/1380-410-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/1380-398-0x0000000005AD0000-0x0000000005FCE000-memory.dmp

Filesize
5.0MB

Download
memory/1380-377-0x0000000005430000-0x00000000054CC000-memory.dmp

Filesize
624KB

Download
memory/1380-505-0x00000000056E0000-0x0000000005736000-memory.dmp

Filesize
344KB

Download
memory/1380-373-0x0000000000BD0000-0x0000000000C28000-memory.dmp

Filesize
352KB

Download
memory/1432-1323-0x0000000000720000-0x00000000007E0000-memory.dmp

Filesize
768KB

Download
memory/1432-295-0x0000000001540000-0x00000000017ED000-memory.dmp

Filesize
2.7MB

Download
memory/1432-277-0x0000000068880000-0x0000000068D28000-memory.dmp

Filesize
4.7MB

Download
memory/1432-274-0x0000000001540000-0x00000000017ED000-memory.dmp

Filesize
2.7MB

Download
memory/1432-279-0x0000000068880000-0x0000000068D28000-memory.dmp

Filesize
4.7MB

Download
memory/1432-280-0x0000000061940000-0x0000000061E4E000-memory.dmp

Filesize
5.1MB

Download
memory/1432-281-0x0000000061940000-0x0000000061E4E000-memory.dmp

Filesize
5.1MB

Download
memory/1432-282-0x0000000000DF0000-0x0000000001424000-memory.dmp

Filesize
6.2MB

Download
memory/1432-294-0x0000000068F80000-0x0000000069133000-memory.dmp

Filesize
1.7MB

Download
memory/1432-271-0x0000000068F80000-0x0000000069133000-memory.dmp

Filesize
1.7MB

Download
memory/1432-298-0x0000000000DF0000-0x0000000001424000-memory.dmp

Filesize
6.2MB

Download
memory/1432-297-0x0000000061940000-0x0000000061E4E000-memory.dmp

Filesize
5.1MB

Download
memory/1432-296-0x0000000068880000-0x0000000068D28000-memory.dmp

Filesize
4.7MB

Download
memory/1440-645-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/1440-675-0x00000000015C0000-0x00000000015C6000-memory.dmp

Filesize
24KB

Download
memory/2076-2001-0x0000000002C68000-0x0000000002C6F000-memory.dmp

Filesize
28KB

Download
memory/2076-1660-0x0000000002C68000-0x0000000002C6F000-memory.dmp

Filesize
28KB

Download
memory/2076-1494-0x0000000002C68000-0x0000000002C6F000-memory.dmp

Filesize
28KB

Download
memory/2168-1819-0x00000000002E0000-0x0000000000386000-memory.dmp

Filesize
664KB

Download
memory/2484-1568-0x0000000000850000-0x0000000000F0E000-memory.dmp

Filesize
6.7MB

Download
memory/2524-469-0x0000000000AD0000-0x0000000000B1C000-memory.dmp

Filesize
304KB

Download
memory/3308-582-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download
memory/3592-1887-0x0000000000310000-0x0000000000328000-memory.dmp

Filesize
96KB

Download
memory/3728-776-0x0000000000820000-0x000000000082A000-memory.dmp

Filesize
40KB

Download
memory/3736-444-0x0000020BDECB0000-0x0000020BDED1E000-memory.dmp

Filesize
440KB

Download
memory/3932-1713-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/4156-357-0x0000000002AD8000-0x0000000002ADF000-memory.dmp

Filesize
28KB

Download
memory/4156-669-0x0000000002AD8000-0x0000000002ADF000-memory.dmp

Filesize
28KB

Download
memory/4156-712-0x0000000002AD8000-0x0000000002ADF000-memory.dmp

Filesize
28KB

Download
memory/4172-858-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4172-1169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4172-1257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4212-1749-0x0000000000E20000-0x0000000000E8A000-memory.dmp

Filesize
424KB

Download
memory/4540-156-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-150-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-183-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-184-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-185-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-186-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-187-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-188-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-189-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-181-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-180-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-179-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-178-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-177-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-176-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-175-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-174-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-173-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-172-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-171-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-170-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-169-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-168-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-167-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-166-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-165-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-164-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-163-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-162-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-161-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-160-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-159-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-158-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-157-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-155-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-154-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-153-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-152-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-151-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-182-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-147-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-149-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-124-0x0000000000000000-mapping.dmp

Download
memory/4540-148-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-126-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-127-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-128-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-144-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-129-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-146-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-130-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-145-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-143-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-142-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-131-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-139-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-133-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-141-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-140-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-138-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-132-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-134-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-137-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-135-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-136-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-635-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/4696-673-0x0000000007000000-0x000000000701C000-memory.dmp

Filesize
112KB

Download
memory/4772-1277-0x0000000000730000-0x000000000098A000-memory.dmp

Filesize
2.4MB

Download
memory/4772-809-0x0000000000AB0000-0x0000000000ADE000-memory.dmp

Filesize
184KB

Download
memory/4788-527-0x0000000000720000-0x0000000000754000-memory.dmp

Filesize
208KB

Download
memory/4788-588-0x0000000005010000-0x000000000506C000-memory.dmp

Filesize
368KB

Download
memory/4788-581-0x0000000004F10000-0x0000000004F38000-memory.dmp

Filesize
160KB

Download
memory/4788-666-0x0000000007220000-0x00000000072CA000-memory.dmp

Filesize
680KB

Download
memory/4844-1024-0x0000000000200000-0x0000000000240000-memory.dmp

Filesize
256KB

Download
memory/4932-1998-0x00000000008B0000-0x0000000000954000-memory.dmp

Filesize
656KB

Download
memory/5048-1027-0x0000000004A40000-0x0000000004B30000-memory.dmp

Filesize
960KB

Download
memory/5048-876-0x0000000000100000-0x0000000000114000-memory.dmp

Filesize
80KB

Download
memory/5048-1151-0x00000000094D0000-0x0000000009508000-memory.dmp

Filesize
224KB

Download
memory/5048-1093-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/5048-1146-0x0000000005560000-0x0000000005568000-memory.dmp

Filesize
32KB

Download