zloader | hxxps://l[.]facebook[.]com/l[.]php?u=AT2XxCbjVjZEuf4J1iOKOwIql9nXkDd9PylVnza4XOb-u5lt30aevZdScUPu7BGXsjRKrNdZ-sk_KvYnZTDJbAkJ7zfR&h=AT25GomPtk3RrRqn4BxfXCIg2zV_MOA-cKnWfbsr-pivLZ8N26WyNxFunkVrhc2h_-1J3Ruw88o3LRxmPX1oTgR-QlA1vBUlAVFXQxf_ctQFMKHLu0WSyml7b87t3fj8gAA8QiY&__cft__0=AZWODYLpvI9VX1z6NqVUZqJr0MKHlzQDbdsa07yPinEcydKsxtUI25oPZzOvvbKenYgKhMdIHBkmFzr7eyC4H4eEP25CTk6Tum_VLTEpmnkgjnZGdIONPqSvdN9-04XjhuNlG5XIagRtwbUhYbCsTao39N3FHwE_saCKXGkQRZo63KKxG2fDHDUPSQ1CxwsHZ2vxdhZmKJUXdMh3IIUx1vc08G6-Zg-jQSaSGjiuedSKafPclT07VcQByR1NDxTIHGIDWYuMnpEZ1qXpw2jMWNmMMiD1cYE40Lx-0rZuTQk0dYASgNGbRXdDZplH70htLYM&__tn__=H-R

Analysis

max time kernel
1144s
max time network
1161s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://l.facebook.com/l.php?u=AT2XxCbjVjZEuf4J1iOKOwIql9nXkDd9PylVnza4XOb-u5lt30aevZdScUPu7BGXsjRKrNdZ-sk_KvYnZTDJbAkJ7zfR&h=AT25GomPtk3RrRqn4BxfXCIg2zV_MOA-cKnWfbsr-pivLZ8N26WyNxFunkVrhc2h_-1J3Ruw88o3LRxmPX1oTgR-QlA1vBUlAVFXQxf_ctQFMKHLu0WSyml7b87t3fj8gAA8QiY&__cft__0=AZWODYLpvI9VX1z6NqVUZqJr0MKHlzQDbdsa07yPinEcydKsxtUI25oPZzOvvbKenYgKhMdIHBkmFzr7eyC4H4eEP25CTk6Tum_VLTEpmnkgjnZGdIONPqSvdN9-04XjhuNlG5XIagRtwbUhYbCsTao39N3FHwE_saCKXGkQRZo63KKxG2fDHDUPSQ1CxwsHZ2vxdhZmKJUXdMh3IIUx1vc08G6-Zg-jQSaSGjiuedSKafPclT07VcQByR1NDxTIHGIDWYuMnpEZ1qXpw2jMWNmMMiD1cYE40Lx-0rZuTQk0dYASgNGbRXdDZplH70htLYM&__tn__=H-R

Score

10^/10

zloader botnet persistence spyware stealer trojan

Malware Config

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Executes dropped EXE 4 IoCs

Processes:

CNQ.exeDiskCompactionTool.exeBravia.exeChromeRecovery.exe

pid process

5688 CNQ.exe
5336 DiskCompactionTool.exe
3208 Bravia.exe
4132 ChromeRecovery.exe

pid	process
5688	CNQ.exe
5336	DiskCompactionTool.exe
3208	Bravia.exe
4132	ChromeRecovery.exe

Loads dropped DLL 13 IoCs

Processes:

DiskCompactionTool.exeBravia.exe

pid	process
5336	DiskCompactionTool.exe
5336	DiskCompactionTool.exe
5336	DiskCompactionTool.exe
5336	DiskCompactionTool.exe
3208	Bravia.exe
3208	Bravia.exe
3208	Bravia.exe
3208	Bravia.exe
3208	Bravia.exe
3208	Bravia.exe
3208	Bravia.exe
3208	Bravia.exe
3208	Bravia.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CNQ.exeDiskCompactionTool.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Speaker2020 = "C:\\Users\\Admin\\AppData\\Roaming\\Canon\\CNQ.exe"	CNQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BlueStacks_bgp64 = "C:\\Users\\Admin\\AppData\\Roaming\\Bluestack\\DiskCompactionTool.exe"	DiskCompactionTool.exe

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3416_1308580792\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3416_1308580792\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3416_1308580792\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3416_1308580792\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3416_1308580792\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3416_1308580792\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3416_1308580792\_metadata\verified_contents.json	elevation_service.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 89be75672cbed801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "64"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\tag.idsync.analytics.yahoo.com\ = "76"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "2173"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "893185143"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "23"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\tag.idsync.analytics.yahoo.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "64"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "2070"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\rubiconproject.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0872d54c701d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\yahoo.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "2146"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "2084"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "2097"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a093c756c701d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "43"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "2084"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "43"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "64"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\yahoo.com\Total = "76"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "46"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "43"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "875370961"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "9"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "46"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d7906000000000200000000001066000000010000200000009e0420a0324a2a099f5468e230aa87fabd3a216bb4c2f04fa163552c2e4ccbaa000000000e8000000002000020000000ef938a58e505f1c915d91e1de430b4e84c30e2d47167730ceb7e7b420b6c199520000000f87f1213e5acdced2fb7bf57e2cd3ea4e548c2d0ae01b762da5cea146c0737624000000051e0a4d97d61a9f5cd49b447b5ebe0d4ea0185fa3f4f76c2f9ab3c3600fea8aaecabccfdcb37e0ae8865672cd2934b75f687ba74bc420c407c9ac8333dbe7421	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5FAD3FE5-6DBA-11ED-A0EE-EAB2B6EB986A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "9"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "32"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\tineye.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "16"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\eus.rubiconproject.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "46"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "2097"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998983"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "23"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\rubiconproject.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "23"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "2070"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "2070"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies registry class 2 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-929662420-1054238289-2961194603-1000\{BC5C9D22-9168-4679-9681-58FA52AC9736}	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

iexplore.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeCNQ.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
5000	iexplore.exe
5000	iexplore.exe
4952	chrome.exe
4952	chrome.exe
1252	chrome.exe
1252	chrome.exe
5872	chrome.exe
5872	chrome.exe
6044	chrome.exe
6044	chrome.exe
4916	chrome.exe
4916	chrome.exe
5464	chrome.exe
5464	chrome.exe
4204	chrome.exe
4204	chrome.exe
3632	chrome.exe
3632	chrome.exe
5688	CNQ.exe
5688	CNQ.exe
5780	chrome.exe
5780	chrome.exe
5440	chrome.exe
5440	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
5308	chrome.exe
5308	chrome.exe
2508	chrome.exe
2508	chrome.exe
448	chrome.exe
448	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 49 IoCs

Processes:

chrome.exe

pid	process
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

CNQ.exeDiskCompactionTool.exeBravia.exe

description pid process

Token: SeDebugPrivilege 5688 CNQ.exe
Token: SeDebugPrivilege 5336 DiskCompactionTool.exe
Token: SeDebugPrivilege 3208 Bravia.exe

description	pid	process
Token: SeDebugPrivilege	5688	CNQ.exe
Token: SeDebugPrivilege	5336	DiskCompactionTool.exe
Token: SeDebugPrivilege	3208	Bravia.exe

Suspicious use of FindShellTrayWindow 32 IoCs

Processes:

iexplore.exechrome.exe

pid	process
5000	iexplore.exe
5000	iexplore.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

chrome.exe

pid	process
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEdata.dat

pid	process
5000	iexplore.exe
5000	iexplore.exe
4792	IEXPLORE.EXE
4792	IEXPLORE.EXE
4792	IEXPLORE.EXE
4792	IEXPLORE.EXE
404	IEXPLORE.EXE
404	IEXPLORE.EXE
404	IEXPLORE.EXE
404	IEXPLORE.EXE
404	IEXPLORE.EXE
404	IEXPLORE.EXE
404	IEXPLORE.EXE
404	IEXPLORE.EXE
2536	data.dat
2536	data.dat

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exechrome.exe

description	pid	process	target process
PID 5000 wrote to memory of 4792	5000	iexplore.exe	IEXPLORE.EXE
PID 5000 wrote to memory of 4792	5000	iexplore.exe	IEXPLORE.EXE
PID 5000 wrote to memory of 4792	5000	iexplore.exe	IEXPLORE.EXE
PID 5000 wrote to memory of 404	5000	iexplore.exe	IEXPLORE.EXE
PID 5000 wrote to memory of 404	5000	iexplore.exe	IEXPLORE.EXE
PID 5000 wrote to memory of 404	5000	iexplore.exe	IEXPLORE.EXE
PID 1252 wrote to memory of 1956	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1956	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 2424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 4952	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 4952	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 5124	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 5124	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 5124	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 5124	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 5124	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 5124	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 5124	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 5124	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 5124	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 5124	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 5124	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 5124	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 5124	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 5124	1252	chrome.exe	chrome.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://l.facebook.com/l.php?u=AT2XxCbjVjZEuf4J1iOKOwIql9nXkDd9PylVnza4XOb-u5lt30aevZdScUPu7BGXsjRKrNdZ-sk_KvYnZTDJbAkJ7zfR&h=AT25GomPtk3RrRqn4BxfXCIg2zV_MOA-cKnWfbsr-pivLZ8N26WyNxFunkVrhc2h_-1J3Ruw88o3LRxmPX1oTgR-QlA1vBUlAVFXQxf_ctQFMKHLu0WSyml7b87t3fj8gAA8QiY&__cft__0=AZWODYLpvI9VX1z6NqVUZqJr0MKHlzQDbdsa07yPinEcydKsxtUI25oPZzOvvbKenYgKhMdIHBkmFzr7eyC4H4eEP25CTk6Tum_VLTEpmnkgjnZGdIONPqSvdN9-04XjhuNlG5XIagRtwbUhYbCsTao39N3FHwE_saCKXGkQRZo63KKxG2fDHDUPSQ1CxwsHZ2vxdhZmKJUXdMh3IIUx1vc08G6-Zg-jQSaSGjiuedSKafPclT07VcQByR1NDxTIHGIDWYuMnpEZ1qXpw2jMWNmMMiD1cYE40Lx-0rZuTQk0dYASgNGbRXdDZplH70htLYM&__tn__=H-R
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5000

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5000 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4792

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5000 CREDAT:17422 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:404

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd4e9a4f50,0x7ffd4e9a4f60,0x7ffd4e9a4f70
2⤵
PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1788 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1588 /prefetch:2
2⤵
PID:2424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2396 /prefetch:8
2⤵
PID:5124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
2⤵
PID:5232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1
2⤵
PID:5244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
2⤵
PID:5384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4424 /prefetch:8
2⤵
PID:5460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4656 /prefetch:8
2⤵
PID:5512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4792 /prefetch:8
2⤵
PID:5540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4488 /prefetch:8
2⤵
PID:5596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4344 /prefetch:8
2⤵
PID:5648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4472 /prefetch:8
2⤵
PID:5656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
2⤵
PID:5752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3024 /prefetch:1
2⤵
PID:5824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3612 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4900 /prefetch:8
2⤵
PID:6000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4916 /prefetch:8
2⤵
PID:6036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4516 /prefetch:8
2⤵
PID:6108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4972 /prefetch:8
2⤵
PID:4376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
2⤵
PID:1640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1484 /prefetch:1
2⤵
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
2⤵
PID:1368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5132 /prefetch:8
2⤵
PID:868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3428 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2776 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
2⤵
PID:6036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
2⤵
PID:3328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5572 /prefetch:8
2⤵
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4348 /prefetch:8
2⤵
PID:1484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5484 /prefetch:8
2⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2436 /prefetch:8
2⤵
PID:3872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
2⤵
PID:5960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
2⤵
PID:6056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
2⤵
PID:6088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3344 /prefetch:8
2⤵
PID:5156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
2⤵
PID:5864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3740 /prefetch:8
2⤵
PID:1216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5844 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
2⤵
PID:4032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
2⤵
PID:4064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
2⤵
PID:3272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
2⤵
PID:5280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6032 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5856 /prefetch:8
2⤵
PID:5520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1584 /prefetch:1
2⤵
PID:4816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5784 /prefetch:8
2⤵
PID:640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6224 /prefetch:8
2⤵
PID:1180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3304 /prefetch:8
2⤵
PID:1668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5472 /prefetch:8
2⤵
PID:956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3584 /prefetch:8
2⤵
PID:5896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
2⤵
PID:3652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
2⤵
PID:2256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3716 /prefetch:8
2⤵
PID:3656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
2⤵
PID:3360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4868 /prefetch:8
2⤵
PID:5132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2772 /prefetch:1
2⤵
PID:5356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
2⤵
PID:5460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
2⤵
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
2⤵
PID:3392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
2⤵
PID:5268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
2⤵
PID:3052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
2⤵
PID:3676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7180 /prefetch:1
2⤵
PID:5488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7680 /prefetch:1
2⤵
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8036 /prefetch:1
2⤵
PID:1920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7836 /prefetch:1
2⤵
PID:3984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8452 /prefetch:1
2⤵
PID:5512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8732 /prefetch:1
2⤵
PID:5192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8964 /prefetch:1
2⤵
PID:6056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9132 /prefetch:1
2⤵
PID:1048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9288 /prefetch:1
2⤵
PID:6128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9024 /prefetch:1
2⤵
PID:3156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8828 /prefetch:1
2⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9076 /prefetch:8
2⤵
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6476 /prefetch:8
2⤵
PID:4100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7360 /prefetch:8
2⤵
PID:5528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8028 /prefetch:8
2⤵
PID:4132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8056 /prefetch:8
2⤵
PID:2776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7132 /prefetch:8
2⤵
PID:4232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6460 /prefetch:8
2⤵
PID:984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6984 /prefetch:8
2⤵
PID:1672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8216 /prefetch:8
2⤵
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8108 /prefetch:8
2⤵
PID:1276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6488 /prefetch:8
2⤵
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8424 /prefetch:8
2⤵
PID:5444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3312 /prefetch:8
2⤵
PID:5376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6788 /prefetch:8
2⤵
PID:3656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6724 /prefetch:8
2⤵
PID:2916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7000 /prefetch:8
2⤵
PID:3760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5940 /prefetch:8
2⤵
PID:2012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7260 /prefetch:8
2⤵
PID:868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6720 /prefetch:8
2⤵
PID:5608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6416 /prefetch:8
2⤵
PID:2460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8092 /prefetch:8
2⤵
PID:2796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6700 /prefetch:8
2⤵
PID:1248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6380 /prefetch:8
2⤵
PID:5656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7996 /prefetch:8
2⤵
PID:3352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6880 /prefetch:8
2⤵
PID:1664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8276 /prefetch:1
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=108 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
2⤵
PID:2832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9480 /prefetch:1
2⤵
PID:5616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=110 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8732 /prefetch:1
2⤵
PID:5684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6644 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=112 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7992 /prefetch:1
2⤵
PID:5180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=113 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:1
2⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=114 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8240 /prefetch:1
2⤵
PID:384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6812 /prefetch:8
2⤵
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=116 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8624 /prefetch:1
2⤵
PID:1076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
2⤵
PID:3556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9120 /prefetch:8
2⤵
PID:5944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9396 /prefetch:8
2⤵
PID:980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3692 /prefetch:8
2⤵
PID:5488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9484 /prefetch:8
2⤵
PID:940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
2⤵
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8804 /prefetch:8
2⤵
PID:4516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,9231038319709055585,13254733739813713284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6016 /prefetch:8
2⤵
PID:4472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5136

C:\Users\Admin\Documents\AlbumPrettyGirl\AlbumPrettyGirl.exe
"C:\Users\Admin\Documents\AlbumPrettyGirl\AlbumPrettyGirl.exe"
1⤵
PID:5476

C:\Users\Admin\Documents\AlbumPrettyGirl\data.dat
"C:\Users\Admin\Documents\AlbumPrettyGirl\data.dat"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2536

C:\Users\Admin\AppData\Roaming\Canon\CNQ.exe
"C:\Users\Admin\AppData\Roaming\Canon\CNQ.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5688

C:\Users\Admin\AppData\Roaming\Bluestack\DiskCompactionTool.exe
"C:\Users\Admin\AppData\Roaming\Bluestack\DiskCompactionTool.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5336

C:\Users\Admin\AppData\Roaming\Bravia\Bravia.exe
"C:\Users\Admin\AppData\Roaming\Bravia\Bravia.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:3416

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3416_1308580792\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3416_1308580792\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={96bfe365-8d5a-415a-9591-e2e30aad53db} --system
2⤵
- Executes dropped EXE
PID:4132

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x414 0x49c
1⤵
PID:5772

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x414 0x49c
1⤵
PID:2544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
5f3ccde13a2c02a15c9fb1c4b47f4cb1

SHA1
017be7f54853d4685b2cbe4eedb03ed999db8917

SHA256
fd4117eaf53402af49bcb0f2058dc2723b4fe61d185ca7dae37b3357e84ee4e8

SHA512
ef2c78fe6e1e16afc4fd5e4c3e0ae59392f4c287e7fa5be2bcd7c050dc048a3b2e06ef546c7d183c5856e3ec904144e816d509629232d7d696dd8755114cef4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
Filesize
1KB

MD5
fe56e8724f14ce1f3b7aefb4a62b0c16

SHA1
bdac2e002becfc2b8ffca0973540fa2851d21ebd

SHA256
3d06f4d78345d522e29652ada389e858ed290fcf2b3b783b1009f0525d55c7a4

SHA512
a5c18aeb916a3d1c68289c1b54a2e2269834bc8cd0df3702e98a4d0d480d74ff1cb663b184de89938f1d9c357d05e075ad27cd2f4bc09e02cd213c1fffb27950

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
06559d2af4462118f9a8b602fa795db0

SHA1
9ef686cfe6b0052228110812efcf380eb3b284f7

SHA256
3104bfa5b71108d80828fe0d7aaedc48a27509bc9f8bb1e8be3d7f23c4cbfce6

SHA512
d9f08d7afaef801f3a84acd67561a53fff8972aee03944bf429036c8cea9655e5d6a27621e06a5673ef557400e4aaa3cddc4ad1677bb91fd2d824a153f368107

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
33b7e09d1c6e875887fd38ae0a7ee659

SHA1
192864bc83504fafbd87af8c3834b835076c414a

SHA256
f200eaab5663e542461bbae7aac0473f6455eec451011f016c84920520b19dfb

SHA512
b1d6872519f5956bb511b4eca8e1b79123482e9aacb1cef704c1d3ef7f9daade10573dd206df4c62c623bbfb10f757f01c914bfc2b0e9ab567981ea08b404799

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_CC7EB9107DD569C500E1B4579715D2D1
Filesize
279B

MD5
644759b1c7c83302adec575fb6413af6

SHA1
60c84e3e68d0806d88d1853e5b2fd49c99fc4877

SHA256
9f53dbc31a53be0f48bcc8f35b76f75b7f946be4c80b67af5ad81ffcfd8aab2b

SHA512
f26a678f68cdaab19fa7bd7059a76f71bd59984b52772a24e2c48840aa4b64ae34933d80a6f7fe5321cfae1d7141b214a44ac10d70ee4a347ad3095393ff622d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_5C379F3600DE745720AF61433A9796B2
Filesize
472B

MD5
b05606331c6f88a724d9e404e62974e4

SHA1
72176bc6b618fbbe567b5746ed54e14d381a9815

SHA256
7179b3d4ee227d9bf6d768a5fb1a9499f285d5949d21893c9a6997da8ea7b026

SHA512
e10b2fa43ed6401f951a82563f9f9aff25dc32864bfda970d9e5939df2fee54c3d8baefb700d473dad9f7ff58275311827fb84332880418df2ab74811d28e953

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
Filesize
471B

MD5
ba7c6f09e456984a42ffa54366c6a1a7

SHA1
3180ca4f7516bfa74ea3438faf8e9465b11933c3

SHA256
f0771969219f38e28b81c6908e4be2eac40ce209a34cf678ef8d85a65289334c

SHA512
f7006aaff4ddaee981d0dee7f73b53d274e8b89b1b6105dd5b48107f05f51eb772c58ec5feef0177b6120bd0f9191387002087043539a7e81041d20e9d45551b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_DD5E18651A85E635F184F73BE6D3DB70
Filesize
472B

MD5
619fa0039b94697fc8a5bd24f57e8aa2

SHA1
53a366391a51d625029cc6d32fb4e8b6060990fd

SHA256
dff604305831a0399aa44b2fac806e43512afa846569ba6e5685eca6495d9fa5

SHA512
e5c2c70e069327e339de79dc61e21803a4a19edd31444b1d031798a94e9d50f2dd8568abe5a4ba7068041bd9bbbc7957c3eb9e5f5db9d7c55f8f7e50df36c4af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
e812671ffe7e8020c53b7142aa492a4a

SHA1
df80cd11ed5cbc95b98f409afe7bcc76702b2e26

SHA256
def24327242446520daab6506c238ac29950705a0dfa9fc3dc80fc21c50de22b

SHA512
a8a12be0a2f657c0190adef92c668240a8359829ce163fa01664863a268a375d8537c5d3f876890a79f84e1dd40a58e3f342acaad134303ce396a4163a82766c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
Filesize
446B

MD5
38f988f4653b59c8494140bd987a5160

SHA1
cbf8307e7111a181a7a68b03b56935224fe7d39b

SHA256
ae04cf711db89b168955b33488eeac4ccdffc703f89a52e454350fa17a0e60f3

SHA512
4b01b66ebcdba7d0c8342bd530e0cf815518070900a14f8c4e152ad979edc1da66a24665316da446b29ae3d2c636351bab6040457cf73d403c62c66b48fbdf51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
438B

MD5
0003bd99d1cf0df47677a0208a647d3b

SHA1
bd17c5ed219c85e4839bba9dadbba3a448da5672

SHA256
c2aa28e07069b21727be1ea19aa93f7b0c926182336230858e652e74ac1912e6

SHA512
c81d9d1b69f8c1c409bd30f4423e5428fd1636e69e803e15cd25fe6e4f4ccdde024993daaa8006a5d2c6a99c8648a5b9f815ac59ac79d85bce7f23847980197f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
19de15c428afd43920062e6acea04082

SHA1
2100bc9b5b448f94aba168f9baafb2592f74fac6

SHA256
185fcd23fa7853e5197e01eb8607a1f2f707c6bbc16d6f0b1ab468c86ff27d7a

SHA512
f8e8aa7e5e4976f860322ecf983c276dcc7a8994d586c419057dbe9f15c832354a7047840ae910683815908af289162401a72d78d244efafff7b05a7511da7be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_CC7EB9107DD569C500E1B4579715D2D1
Filesize
426B

MD5
8b2292da9f8ff32d2c3f1276da37fb02

SHA1
4c50f2949a0dd1bfbc2e22798903b302eeadef2c

SHA256
8d1f34f5d000e6bafbd3bcb19a8cf8905385a4dba0bfb50e92118b529d1bc3e9

SHA512
10f919bf2cc29c87230daa7b19938038a0a062f36d202d110e667e9a7381c868d1d45ca1ac796e9aa1490e2cf80206429111d6d8e72a942b3e84d250e24d09a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_5C379F3600DE745720AF61433A9796B2
Filesize
410B

MD5
07945627ebb0297b7c824c0603add2b2

SHA1
7ad21ac5e13753ff45fde67c5d10e072c574f4ea

SHA256
a7c4a3da947c95650e0ff6c513c059ba886037fc20ba6e4028f57be08c4aac81

SHA512
3f6a728a29b9d40832e4c7157fa061c4ccf56765f82230a94aad514fe45e38c141f1a34df45dc81bc160d75b00b9b858bfd0541627d1ba0c3264cd89f1513f58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
b391a57e9e32c5f5740db3078aa37468

SHA1
a217e39681fd666ab1cf8f529af332b8813474a0

SHA256
3792fb373716de1e28781fcc0df565a988d58c2da94daae39184167b11ed6de7

SHA512
0223f3ca3aa0a8dca007ca59fddcdc8e85a56e27a531420d90ad1c4af22ea182ee89d2bcda6f5eeb218e803e72af9b35364241f0608ef1c71af145698416074e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
Filesize
426B

MD5
d49d6826939382e96881d8484eaff280

SHA1
9059699ec545d39c260d58befda1f345d1e096a7

SHA256
177d2ccb54d64cdce58f19e168d19c5ae1caed1b48a668a01e250b9956bca057

SHA512
bd2e08839d541fc1c9faea79d7ac384b0cbd0a4e32b1e91ecfad1028b39429e79789e67b79d0cc089a3884c136c9de47104cceb8c44cb672f8151e373fc9e13d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_DD5E18651A85E635F184F73BE6D3DB70
Filesize
406B

MD5
ed1572ecf1c4a7a3e6c7c2bdb106c728

SHA1
fc2ee33561a59d26c7dfcb6104ad161b4b9bf395

SHA256
ba39422f485fea842375cd1a787fc39379c8d58538f943022a64013b434e8fcd

SHA512
691cbdde5698bcca09631764f172d95c02253713badf61938f2e3d35320d2114dfffac38f3bb297b5ab49420f6b9ea83c32047e00c973a7f0cbc81c8976a080d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ckj4gk4\imagestore.dat
Filesize
34KB

MD5
bc123bead046b8639c36cba6494cbccf

SHA1
73beb1e2b882e24a14b351a9842046d8b825affa

SHA256
ce093f6e5e5d77088e721bf21758f577499f30a87075a9fac691aefe344a3fd5

SHA512
3a9e364a1fc4616e7359b14d01ab5f72c784c5d7f668c879d4aab32feedea719835387c3d7f88c80cb4d7b2ea001780fd966c3848bb8851f4c816f153b124af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ckj4gk4\imagestore.dat
Filesize
38KB

MD5
c7e782d3f7ea65650d478f7521a8f77e

SHA1
4264a9b7971e694416b4d3f77b343ded70cf4abe

SHA256
5d3480476280167368227295631d0220d9c855b328089e44350a64e7fe51b69d

SHA512
19754733ae0f8b1cbee8393bea899065fd5d6d3e5c54b9ff37fc97ae7a7c59e20c21874f9fe8feb43f3b02db159a2fa43c95443043d0b8ece8cba06124b88c0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ckj4gk4\imagestore.dat
Filesize
52KB

MD5
30c7294c135f255d2e359050e3fa9be0

SHA1
549c520fdad2a15b0b4c9518094215e02844a20e

SHA256
c6ffa030b6b53c89fe5472b8a31d0981841d47c45394c7f349050fc4974676e7

SHA512
61e4691343690c2b6935be3b5132f10c99cfb8e84ae0b1f712e3544c42aff5d043210f262c378b9df4af48ce4796ecd7b3e84bb38c9be3d8fbb656862bc27b11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZX6MAMIN\AlbumPrettyGirl.zip.2gib0xr.partial
Filesize
8.6MB

MD5
f4d796851e7cc41d79d459032ebfd82f

SHA1
6f5f26f9b44b7903695e4e129bbb09c40b101dd5

SHA256
4b1a069b648770cb53d5e45fe1a47dd3ad3982c811134aaaf7284e4a94a06253

SHA512
b89c28bf818b8011a7e440e399baf99062187a107490a1e8086606006aa361b3a0db3a4cd996710bf168892218c9ed5cb75f2689fded719f1e22cb122b56bf80

Download Submit
C:\Users\Admin\AppData\Roaming\Bluestack\ComponentToolkit.dll
Filesize
102KB

MD5
e18cf4b28e38fa3c9b71d646cd3efccb

SHA1
27c68164ec35b59c3e3f6b372f1145fa969d189e

SHA256
da203abb85e4e9a03f7c04e4a29dac4113deeed0a059e61fd74ffeb1f63c7843

SHA512
2fec8ba5025496ffacf2c27e6c4596be8a9b25f01c152b27b5b655378bccb6024fc50ea2488b20482fe68033e75a1a212bcb75501d9091974169f48d52544e2a

Download Submit
C:\Users\Admin\AppData\Roaming\Bluestack\ComponentToolkit.dll
Filesize
102KB

MD5
e18cf4b28e38fa3c9b71d646cd3efccb

SHA1
27c68164ec35b59c3e3f6b372f1145fa969d189e

SHA256
da203abb85e4e9a03f7c04e4a29dac4113deeed0a059e61fd74ffeb1f63c7843

SHA512
2fec8ba5025496ffacf2c27e6c4596be8a9b25f01c152b27b5b655378bccb6024fc50ea2488b20482fe68033e75a1a212bcb75501d9091974169f48d52544e2a

Download Submit
C:\Users\Admin\AppData\Roaming\Bluestack\ComponentToolkit.dll
Filesize
102KB

MD5
e18cf4b28e38fa3c9b71d646cd3efccb

SHA1
27c68164ec35b59c3e3f6b372f1145fa969d189e

SHA256
da203abb85e4e9a03f7c04e4a29dac4113deeed0a059e61fd74ffeb1f63c7843

SHA512
2fec8ba5025496ffacf2c27e6c4596be8a9b25f01c152b27b5b655378bccb6024fc50ea2488b20482fe68033e75a1a212bcb75501d9091974169f48d52544e2a

Download Submit
C:\Users\Admin\AppData\Roaming\Bluestack\DiskCompactionTool.exe
Filesize
1.4MB

MD5
53f5ca6d6d81f5bff1a4c1987e0dbc08

SHA1
71a0514643e7af48bdf78a59b73a7d9e9bf723a3

SHA256
9214231d48270199f1239631e5ff54910794ec2b1f610d9d4c996f90775d33fb

SHA512
3a04b3cf08ddf1a2328fb7987ed3fe69bc66368c97527aacfa6748b3496cdf47cf8c0b149b2e382414850fc31710f005b3ecb035cbd5a321744b95cd9bdea0ea

Download Submit
C:\Users\Admin\AppData\Roaming\Bluestack\DiskCompactionTool.exe
Filesize
1.4MB

MD5
53f5ca6d6d81f5bff1a4c1987e0dbc08

SHA1
71a0514643e7af48bdf78a59b73a7d9e9bf723a3

SHA256
9214231d48270199f1239631e5ff54910794ec2b1f610d9d4c996f90775d33fb

SHA512
3a04b3cf08ddf1a2328fb7987ed3fe69bc66368c97527aacfa6748b3496cdf47cf8c0b149b2e382414850fc31710f005b3ecb035cbd5a321744b95cd9bdea0ea

Download Submit
C:\Users\Admin\AppData\Roaming\Bluestack\DiskCompactionTool.exe.config
Filesize
310B

MD5
51796bbea926cafbb9309bca14132614

SHA1
b63ca71497366ba78360aa0ed717d8224e0bad9b

SHA256
b7e23432ac3b5552efe231cba78b34023ac94d6fecb2e7ffc37aceb0be4cdf40

SHA512
6c8483810cb6cd474002d21b69eed8c8c1886dd9901319a48f453825c04d23787d07a5a9ed4b3a896b0605eed1ffbcaf1a6a445f2f9f01a1818241d9fa585c1c

Download Submit
C:\Users\Admin\AppData\Roaming\Bluestack\InstantKeyLibrary.dll
Filesize
216KB

MD5
b3793d28a9215fee6ae576c54f7944e0

SHA1
50fbf806825896b90c632033adb7c69aed900ff6

SHA256
c40b504a3684d642b20d5309e45ee08dc25941c3e5b0108a315c236cf137f7e1

SHA512
f44efa281cf62908202a7dcc88d42bdfdc536adc40d500819f862bf766b8113551fd3285d6f42638c55fc4339589743bb941fb3e323951d45318d6be904f2e3b

Download Submit
C:\Users\Admin\AppData\Roaming\Bluestack\InstantKeyLibrary.dll
Filesize
216KB

MD5
b3793d28a9215fee6ae576c54f7944e0

SHA1
50fbf806825896b90c632033adb7c69aed900ff6

SHA256
c40b504a3684d642b20d5309e45ee08dc25941c3e5b0108a315c236cf137f7e1

SHA512
f44efa281cf62908202a7dcc88d42bdfdc536adc40d500819f862bf766b8113551fd3285d6f42638c55fc4339589743bb941fb3e323951d45318d6be904f2e3b

Download Submit
C:\Users\Admin\AppData\Roaming\Bluestack\InstantKeyLibrary.dll
Filesize
216KB

MD5
b3793d28a9215fee6ae576c54f7944e0

SHA1
50fbf806825896b90c632033adb7c69aed900ff6

SHA256
c40b504a3684d642b20d5309e45ee08dc25941c3e5b0108a315c236cf137f7e1

SHA512
f44efa281cf62908202a7dcc88d42bdfdc536adc40d500819f862bf766b8113551fd3285d6f42638c55fc4339589743bb941fb3e323951d45318d6be904f2e3b

Download Submit
C:\Users\Admin\AppData\Roaming\Canon\CNQ.exe
Filesize
11KB

MD5
549c1d520428afe6d3a631903a4ed879

SHA1
4c9808d9a792abbf356412875a0196a28a97d455

SHA256
3b49b8f4ef2fc22d22217c024112e3418db80c195f7c930b4f2689b341055698

SHA512
ba7c6076f3d4421fed22d55f4cd97cf0707e337cbe8cab8d4e9f57ebceb1ebbc1ce2a7579e99b01b4db9ab401ae26432ba68673b471bbf039a0f7cc8f0758718

Download Submit
C:\Users\Admin\AppData\Roaming\Canon\CNQ.exe
Filesize
11KB

MD5
549c1d520428afe6d3a631903a4ed879

SHA1
4c9808d9a792abbf356412875a0196a28a97d455

SHA256
3b49b8f4ef2fc22d22217c024112e3418db80c195f7c930b4f2689b341055698

SHA512
ba7c6076f3d4421fed22d55f4cd97cf0707e337cbe8cab8d4e9f57ebceb1ebbc1ce2a7579e99b01b4db9ab401ae26432ba68673b471bbf039a0f7cc8f0758718

Download Submit
C:\Users\Admin\AppData\Roaming\Canon\SystemMetadataCollector.dll
Filesize
203KB

MD5
a8f8e831f6ebf39b5ae3628c023ac343

SHA1
a4dc651d2afe1cfbc1822afc656163a5dafd194a

SHA256
f6705eb9940ca16a161297efa0b19c8eb198be26fe7b83305a9f1a0c02a41fcf

SHA512
25574a2a998336e3d113dee2b1496dc5fc4beb4167dadeb2a2f29674513a001046f8ea296a03561b79734b760a0afd1082010ccd79f229ca421cb1af0f40b4b6

Download Submit
C:\Users\Admin\Documents\AlbumPrettyGirl\Cung-xem-clip-teen-viet-show-hang-cuc-sexy-va-nong-bong.jpg
Filesize
22KB

MD5
4f05238fdc10abb03252b92cb1c9c7bc

SHA1
af629d4efee54b61b2112eeb1feffc8e84019527

SHA256
0e79d7fb30b06159cc69a6ca3dba0f26e22ac8b2cf090b6f9ebccfa1bffeae29

SHA512
a742775f340b4e44b4f1dfc7ae4893db0d25334287158fd676c006e0c42afe21ebaef0b9d1a6f14c123b9a06a421e89911e40a29cf73aa48cc15dcb2ea0dea3d

Download Submit
\??\pipe\crashpad_1252_YDOEDVDLFSNYQPGL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2536-158-0x0000000000000000-mapping.dmp

Download
memory/3208-193-0x0000000006DA0000-0x0000000007020000-memory.dmp

Filesize
2.5MB

Download
memory/3208-188-0x0000000004D40000-0x0000000004DD2000-memory.dmp

Filesize
584KB

Download
memory/3208-185-0x0000000000000000-mapping.dmp

Download
memory/3208-186-0x0000000000410000-0x0000000000472000-memory.dmp

Filesize
392KB

Download
memory/3208-191-0x0000000005990000-0x00000000059E0000-memory.dmp

Filesize
320KB

Download
memory/3208-189-0x0000000004DE0000-0x0000000004E46000-memory.dmp

Filesize
408KB

Download
memory/3208-192-0x0000000005B20000-0x0000000005B5C000-memory.dmp

Filesize
240KB

Download
memory/3208-190-0x0000000005910000-0x0000000005932000-memory.dmp

Filesize
136KB

Download
memory/3208-187-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4132-194-0x0000000000000000-mapping.dmp

Download
memory/5336-175-0x0000000002F60000-0x0000000002F9C000-memory.dmp

Filesize
240KB

Download
memory/5336-181-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/5336-180-0x0000000005E10000-0x00000000063B4000-memory.dmp

Filesize
5.6MB

Download
memory/5336-179-0x0000000005790000-0x00000000057B0000-memory.dmp

Filesize
128KB

Download
memory/5336-171-0x0000000000940000-0x0000000000AB2000-memory.dmp

Filesize
1.4MB

Download
memory/5336-167-0x0000000000000000-mapping.dmp

Download
memory/5476-159-0x00007FFD3EF30000-0x00007FFD3F9F1000-memory.dmp

Filesize
10.8MB

Download
memory/5476-157-0x00000000015F0000-0x0000000001644000-memory.dmp

Filesize
336KB

Download
memory/5476-182-0x00007FFD3EF30000-0x00007FFD3F9F1000-memory.dmp

Filesize
10.8MB

Download
memory/5476-156-0x0000000000D50000-0x0000000000D78000-memory.dmp

Filesize
160KB

Download
memory/5688-166-0x00007FFD3EF30000-0x00007FFD3F9F1000-memory.dmp

Filesize
10.8MB

Download
memory/5688-184-0x00007FFD3EF30000-0x00007FFD3F9F1000-memory.dmp

Filesize
10.8MB

Download
memory/5688-165-0x0000000002DC0000-0x0000000002DFA000-memory.dmp

Filesize
232KB

Download
memory/5688-163-0x0000000000770000-0x0000000000776000-memory.dmp

Filesize
24KB

Download
memory/5688-160-0x0000000000000000-mapping.dmp

Download