blacknet | hxxp://92[.]18[.]218[.]116

Resubmissions

14-06-2023 17:56

230614-wh19macb9t 10

14-06-2023 17:55

230614-whq4nacb28 7

14-06-2023 17:15

230614-vsxthsbg45 10

Analysis

max time kernel
300s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2023 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://92.18.218.116

Score

10^/10

blacknet [id]trojan

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

[ID]

[HOST]

Mutex

[MUTEX]

Attributes

antivm
false
elevate_uac
false
install_name
[Install_Name]
splitter
[Splitter]
start_name
[StartupName]
startup
false
usb_spread
false

aes.plain

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 22 IoCs

resource	yara_rule
behavioral1/files/0x0002000000022ece-611.dat	family_blacknet
behavioral1/files/0x0002000000022ece-676.dat	family_blacknet
behavioral1/files/0x0002000000022ece-677.dat	family_blacknet
behavioral1/memory/4020-678-0x0000000000490000-0x00000000004B0000-memory.dmp	family_blacknet
behavioral1/files/0x0002000000022ece-715.dat	family_blacknet
behavioral1/files/0x0002000000022ece-717.dat	family_blacknet
behavioral1/files/0x0002000000022ece-728.dat	family_blacknet
behavioral1/files/0x0002000000022ece-747.dat	family_blacknet
behavioral1/files/0x0002000000022ece-768.dat	family_blacknet
behavioral1/files/0x0002000000022ece-795.dat	family_blacknet
behavioral1/files/0x0002000000022ece-796.dat	family_blacknet
behavioral1/files/0x0002000000022ece-806.dat	family_blacknet
behavioral1/files/0x0002000000022ece-812.dat	family_blacknet
behavioral1/files/0x0002000000022ece-813.dat	family_blacknet
behavioral1/files/0x0002000000022ece-814.dat	family_blacknet
behavioral1/files/0x0002000000022ece-815.dat	family_blacknet
behavioral1/files/0x0002000000022ece-821.dat	family_blacknet
behavioral1/files/0x0002000000022ece-836.dat	family_blacknet
behavioral1/files/0x0002000000022ece-837.dat	family_blacknet
behavioral1/files/0x0002000000022ece-838.dat	family_blacknet
behavioral1/files/0x0002000000022ece-839.dat	family_blacknet
behavioral1/files/0x0002000000022ece-840.dat	family_blacknet

Contains code to disable Windows Defender 22 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x0002000000022ece-611.dat	disable_win_def
behavioral1/files/0x0002000000022ece-676.dat	disable_win_def
behavioral1/files/0x0002000000022ece-677.dat	disable_win_def
behavioral1/memory/4020-678-0x0000000000490000-0x00000000004B0000-memory.dmp	disable_win_def
behavioral1/files/0x0002000000022ece-715.dat	disable_win_def
behavioral1/files/0x0002000000022ece-717.dat	disable_win_def
behavioral1/files/0x0002000000022ece-728.dat	disable_win_def
behavioral1/files/0x0002000000022ece-747.dat	disable_win_def
behavioral1/files/0x0002000000022ece-768.dat	disable_win_def
behavioral1/files/0x0002000000022ece-795.dat	disable_win_def
behavioral1/files/0x0002000000022ece-796.dat	disable_win_def
behavioral1/files/0x0002000000022ece-806.dat	disable_win_def
behavioral1/files/0x0002000000022ece-812.dat	disable_win_def
behavioral1/files/0x0002000000022ece-813.dat	disable_win_def
behavioral1/files/0x0002000000022ece-814.dat	disable_win_def
behavioral1/files/0x0002000000022ece-815.dat	disable_win_def
behavioral1/files/0x0002000000022ece-821.dat	disable_win_def
behavioral1/files/0x0002000000022ece-836.dat	disable_win_def
behavioral1/files/0x0002000000022ece-837.dat	disable_win_def
behavioral1/files/0x0002000000022ece-838.dat	disable_win_def
behavioral1/files/0x0002000000022ece-839.dat	disable_win_def
behavioral1/files/0x0002000000022ece-840.dat	disable_win_def

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	watcher.exe

Executes dropped EXE 64 IoCs

pid	Process
5040	BlackNET Builder.exe
4020	stub.exe
2224	watcher.exe
2868	stub.exe
4620	stub.exe
1992	stub.exe
2092	LokiRAT_Relapse.exe
5112	stub.exe
2148	stub.exe
844	stub.exe
2016	stub.exe
2324	stub.exe
1076	stub.exe
2004	stub.exe
2764	stub.exe
3780	stub.exe
1064	stub.exe
3940	stub.exe
5112	stub.exe
3596	stub.exe
668	stub.exe
2816	stub.exe
4268	stub.exe
1880	stub.exe
1168	stub.exe
3228	stub.exe
4480	stub.exe
4232	stub.exe
3352	stub.exe
4992	stub.exe
2320	stub.exe
4280	stub.exe
968	stub.exe
3196	stub.exe
2400	stub.exe
508	stub.exe
664	stub.exe
2016	stub.exe
4560	stub.exe
2628	stub.exe
2772	stub.exe
4656	stub.exe
1476	stub.exe
1792	stub.exe
768	stub.exe
4360	stub.exe
548	stub.exe
1056	stub.exe
2848	stub.exe
4796	stub.exe
4868	stub.exe
2840	stub.exe
4260	stub.exe
1064	stub.exe
952	stub.exe
3888	stub.exe
5112	stub.exe
2692	stub.exe
1476	stub.exe
3436	stub.exe
3732	stub.exe
3992	stub.exe
4348	stub.exe
1068	stub.exe

Loads dropped DLL 1 IoCs

pid	Process
2092	LokiRAT_Relapse.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2092	LokiRAT_Relapse.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
4980	5040	WerFault.exe	123
628	4020	WerFault.exe	128
4584	2868	WerFault.exe	132
4972	4620	WerFault.exe	135
2612	1992	WerFault.exe	143
4376	5112	WerFault.exe	147
4420	2148	WerFault.exe	151
4004	844	WerFault.exe	154
3880	2016	WerFault.exe	157
884	2324	WerFault.exe	160
3944	1076	WerFault.exe	163
3920	2004	WerFault.exe	166
3700	2764	WerFault.exe	169
2352	3780	WerFault.exe	172
2612	1064	WerFault.exe	175
3716	3940	WerFault.exe	179
1256	5112	WerFault.exe	182
1132	3596	WerFault.exe	185
4032	668	WerFault.exe	188
3224	2816	WerFault.exe	191
4340	4268	WerFault.exe	195
4788	1880	WerFault.exe	200
664	1168	WerFault.exe	204
2360	3228	WerFault.exe	207
628	4480	WerFault.exe	210
3380	4232	WerFault.exe	213
3752	3352	WerFault.exe	216
3800	4992	WerFault.exe	219
2856	2320	WerFault.exe	222
4360	4280	WerFault.exe	225
3376	968	WerFault.exe	229
2004	3196	WerFault.exe	232
3572	2400	WerFault.exe	235
3648	508	WerFault.exe	238
5028	664	WerFault.exe	241
452	2016	WerFault.exe	244
884	4560	WerFault.exe	247
4980	2628	WerFault.exe	250
4324	2772	WerFault.exe	253
3736	4656	WerFault.exe	256
4968	1476	WerFault.exe	259
3164	1792	WerFault.exe	262
1148	768	WerFault.exe	265
464	4360	WerFault.exe	268
1844	548	WerFault.exe	271
840	1056	WerFault.exe	274
4508	2848	WerFault.exe	277
4704	4796	WerFault.exe	280
508	4868	WerFault.exe	283
664	2840	WerFault.exe	286
1992	4260	WerFault.exe	289
3460	1064	WerFault.exe	292
2484	952	WerFault.exe	295
1572	3888	WerFault.exe	298
3736	5112	WerFault.exe	301
4756	2692	WerFault.exe	304
3644	1476	WerFault.exe	307
4920	3436	WerFault.exe	310
4444	3732	WerFault.exe	313
2616	3992	WerFault.exe	316
1588	4348	WerFault.exe	319
2384	1068	WerFault.exe	322
376	2196	WerFault.exe	325
4520	3012	WerFault.exe	328

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133312365659078651"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4972	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1584	chrome.exe
1584	chrome.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe
2224	watcher.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4972	vlc.exe
2224	watcher.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
4972	vlc.exe
4972	vlc.exe
4972	vlc.exe
4972	vlc.exe
4972	vlc.exe
4972	vlc.exe
4972	vlc.exe
4972	vlc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2092	LokiRAT_Relapse.exe
4972	vlc.exe
4972	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 2312	1584	chrome.exe	83
PID 1584 wrote to memory of 2312	1584	chrome.exe	83
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 1772	1584	chrome.exe	84
PID 1584 wrote to memory of 3576	1584	chrome.exe	85
PID 1584 wrote to memory of 3576	1584	chrome.exe	85
PID 1584 wrote to memory of 5052	1584	chrome.exe	86
PID 1584 wrote to memory of 5052	1584	chrome.exe	86
PID 1584 wrote to memory of 5052	1584	chrome.exe	86
PID 1584 wrote to memory of 5052	1584	chrome.exe	86
PID 1584 wrote to memory of 5052	1584	chrome.exe	86
PID 1584 wrote to memory of 5052	1584	chrome.exe	86
PID 1584 wrote to memory of 5052	1584	chrome.exe	86
PID 1584 wrote to memory of 5052	1584	chrome.exe	86
PID 1584 wrote to memory of 5052	1584	chrome.exe	86
PID 1584 wrote to memory of 5052	1584	chrome.exe	86
PID 1584 wrote to memory of 5052	1584	chrome.exe	86
PID 1584 wrote to memory of 5052	1584	chrome.exe	86
PID 1584 wrote to memory of 5052	1584	chrome.exe	86
PID 1584 wrote to memory of 5052	1584	chrome.exe	86
PID 1584 wrote to memory of 5052	1584	chrome.exe	86
PID 1584 wrote to memory of 5052	1584	chrome.exe	86
PID 1584 wrote to memory of 5052	1584	chrome.exe	86
PID 1584 wrote to memory of 5052	1584	chrome.exe	86
PID 1584 wrote to memory of 5052	1584	chrome.exe	86
PID 1584 wrote to memory of 5052	1584	chrome.exe	86
PID 1584 wrote to memory of 5052	1584	chrome.exe	86
PID 1584 wrote to memory of 5052	1584	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://92.18.218.116
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffae6339758,0x7ffae6339768,0x7ffae6339778
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:2
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2668 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4820 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4760 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4944 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4740 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4760 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5044 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5344 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:3388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5328 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5460 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5520 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5400 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5640 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2780 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2432 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5216 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5480 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5724 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5376 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:4100
- C:\Users\Admin\Downloads\BlackNET Builder.exe
  "C:\Users\Admin\Downloads\BlackNET Builder.exe"
  2⤵
  - Executes dropped EXE
  PID:5040
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 5040 -s 976
    3⤵
    - Program crash
    PID:4980
- C:\Users\Admin\Downloads\stub.exe
  "C:\Users\Admin\Downloads\stub.exe"
  2⤵
  - Executes dropped EXE
  PID:4020
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4020 -s 976
    3⤵
    - Program crash
    PID:628
- C:\Users\Admin\Downloads\watcher.exe
  "C:\Users\Admin\Downloads\watcher.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2224
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:2868
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2868 -s 956
      4⤵
      Program crash
      PID:4584
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:4620
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4620 -s 960
      4⤵
      Program crash
      PID:4972
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:1992
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1992 -s 952
      4⤵
      Program crash
      PID:2612
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:5112
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 5112 -s 952
      4⤵
      Program crash
      PID:4376
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:2148
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2148 -s 952
      4⤵
      Program crash
      PID:4420
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:844
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 844 -s 952
      4⤵
      Program crash
      PID:4004
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:2016
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2016 -s 952
      4⤵
      Program crash
      PID:3880
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:2324
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2324 -s 952
      4⤵
      Program crash
      PID:884
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:1076
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1076 -s 964
      4⤵
      Program crash
      PID:3944
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:2004
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2004 -s 952
      4⤵
      Program crash
      PID:3920
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:2764
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2764 -s 952
      4⤵
      Program crash
      PID:3700
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:3780
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3780 -s 952
      4⤵
      Program crash
      PID:2352
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:1064
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1064 -s 900
      4⤵
      Program crash
      PID:2612
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:3940
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3940 -s 952
      4⤵
      Program crash
      PID:3716
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:5112
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 5112 -s 952
      4⤵
      Program crash
      PID:1256
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:3596
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3596 -s 952
      4⤵
      Program crash
      PID:1132
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:668
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 668 -s 952
      4⤵
      Program crash
      PID:4032
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:2816
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2816 -s 952
      4⤵
      Program crash
      PID:3224
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:4268
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4268 -s 952
      4⤵
      Program crash
      PID:4340
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:1880
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1880 -s 952
      4⤵
      Program crash
      PID:4788
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:1168
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1168 -s 952
      4⤵
      Program crash
      PID:664
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:3228
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3228 -s 952
      4⤵
      Program crash
      PID:2360
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:4480
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4480 -s 952
      4⤵
      Program crash
      PID:628
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:4232
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4232 -s 952
      4⤵
      Program crash
      PID:3380
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:3352
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3352 -s 952
      4⤵
      Program crash
      PID:3752
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:4992
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4992 -s 952
      4⤵
      Program crash
      PID:3800
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:2320
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2320 -s 952
      4⤵
      Program crash
      PID:2856
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:4280
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4280 -s 952
      4⤵
      Program crash
      PID:4360
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:968
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 968 -s 952
      4⤵
      Program crash
      PID:3376
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:3196
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3196 -s 952
      4⤵
      Program crash
      PID:2004
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:2400
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2400 -s 952
      4⤵
      Program crash
      PID:3572
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:508
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 508 -s 964
      4⤵
      Program crash
      PID:3648
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:664
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 664 -s 952
      4⤵
      Program crash
      PID:5028
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:2016
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2016 -s 964
      4⤵
      Program crash
      PID:452
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:4560
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4560 -s 952
      4⤵
      Program crash
      PID:884
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:2628
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2628 -s 952
      4⤵
      Program crash
      PID:4980
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:2772
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2772 -s 952
      4⤵
      Program crash
      PID:4324
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:4656
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4656 -s 952
      4⤵
      Program crash
      PID:3736
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:1476
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1476 -s 952
      4⤵
      Program crash
      PID:4968
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:1792
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1792 -s 952
      4⤵
      Program crash
      PID:3164
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:768
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 768 -s 964
      4⤵
      Program crash
      PID:1148
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:4360
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4360 -s 952
      4⤵
      Program crash
      PID:464
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:548
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 548 -s 952
      4⤵
      Program crash
      PID:1844
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:1056
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1056 -s 952
      4⤵
      Program crash
      PID:840
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:2848
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2848 -s 952
      4⤵
      Program crash
      PID:4508
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:4796
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4796 -s 952
      4⤵
      Program crash
      PID:4704
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:4868
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4868 -s 956
      4⤵
      Program crash
      PID:508
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:2840
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2840 -s 952
      4⤵
      Program crash
      PID:664
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:4260
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4260 -s 964
      4⤵
      Program crash
      PID:1992
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:1064
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1064 -s 952
      4⤵
      Program crash
      PID:3460
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:952
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 952 -s 952
      4⤵
      Program crash
      PID:2484
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:3888
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3888 -s 968
      4⤵
      Program crash
      PID:1572
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:5112
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 5112 -s 952
      4⤵
      Program crash
      PID:3736
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:2692
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2692 -s 952
      4⤵
      Program crash
      PID:4756
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:1476
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1476 -s 952
      4⤵
      Program crash
      PID:3644
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:3436
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3436 -s 952
      4⤵
      Program crash
      PID:4920
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:3732
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3732 -s 952
      4⤵
      Program crash
      PID:4444
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:3992
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3992 -s 952
      4⤵
      Program crash
      PID:2616
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:4348
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4348 -s 952
      4⤵
      Program crash
      PID:1588
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:1068
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1068 -s 952
      4⤵
      Program crash
      PID:2384
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    PID:2196
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2196 -s 952
      4⤵
      Program crash
      PID:376
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    PID:3012
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3012 -s 952
      4⤵
      Program crash
      PID:4520
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    PID:3676
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3676 -s 964
      4⤵
      PID:1496
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    PID:4936
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4936 -s 952
      4⤵
      PID:64
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    PID:1488
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1488 -s 964
      4⤵
      PID:3692
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    PID:452
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 452 -s 964
      4⤵
      PID:4956
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    PID:2812
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2812 -s 952
      4⤵
      PID:752
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    PID:3340
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3340 -s 952
      4⤵
      PID:3116
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    PID:4908
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4908 -s 952
      4⤵
      PID:964
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    PID:3132
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3132 -s 956
      4⤵
      PID:3300
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    PID:1460
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1460 -s 952
      4⤵
      PID:4756
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    PID:3252
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3252 -s 952
      4⤵
      PID:4960
- - C:\Users\Admin\Downloads\stub.exe
    "C:\Users\Admin\Downloads\stub.exe"
    3⤵
    PID:3224
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3224 -s 952
      4⤵
      PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5400 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2776 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5084 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5236 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:64
- C:\Users\Admin\Downloads\LokiRAT_Relapse.exe
  "C:\Users\Admin\Downloads\LokiRAT_Relapse.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:2092
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 1216
    3⤵
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=216 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:2
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 --field-trial-handle=1824,i,5174290895763419037,18330458805660894189,131072 /prefetch:8
  2⤵
  PID:2016
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\movie.mov"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4972

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4588

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 5040 -ip 5040
1⤵
PID:1972

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 188 -p 4020 -ip 4020
1⤵
PID:996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 2868 -ip 2868
1⤵
PID:4360

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 4620 -ip 4620
1⤵
PID:2324

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 508 -p 1992 -ip 1992
1⤵
PID:1932

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 5112 -ip 5112
1⤵
PID:2484

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 2148 -ip 2148
1⤵
PID:2720

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 844 -ip 844
1⤵
PID:1788

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 2016 -ip 2016
1⤵
PID:776

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 2324 -ip 2324
1⤵
PID:2840

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 508 -p 1076 -ip 1076
1⤵
PID:1208

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 2004 -ip 2004
1⤵
PID:2692

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 2764 -ip 2764
1⤵
PID:2196

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 3780 -ip 3780
1⤵
PID:5116

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 1064 -ip 1064
1⤵
PID:1664

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3940 -ip 3940
1⤵
PID:4504

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 508 -p 5112 -ip 5112
1⤵
PID:1572

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3596 -ip 3596
1⤵
PID:1732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 668 -ip 668
1⤵
PID:3900

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 2816 -ip 2816
1⤵
PID:3992

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 4268 -ip 4268
1⤵
PID:4672

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 1880 -ip 1880
1⤵
PID:3612

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408 0x320
1⤵
PID:4880

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 508 -p 1168 -ip 1168
1⤵
PID:1972

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 3228 -ip 3228
1⤵
PID:3144

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4480 -ip 4480
1⤵
PID:4324

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 4232 -ip 4232
1⤵
PID:3736

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 188 -p 3352 -ip 3352
1⤵
PID:4100

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 4992 -ip 4992
1⤵
PID:3252

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 2320 -ip 2320
1⤵
PID:2768

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4280 -ip 4280
1⤵
PID:2496

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 968 -ip 968
1⤵
PID:4456

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 3196 -ip 3196
1⤵
PID:5000

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 2400 -ip 2400
1⤵
PID:392

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 508 -ip 508
1⤵
PID:2332

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 664 -ip 664
1⤵
PID:4620

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 2016 -ip 2016
1⤵
PID:4748

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 4560 -ip 4560
1⤵
PID:5040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 2628 -ip 2628
1⤵
PID:4024

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 2772 -ip 2772
1⤵
PID:996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 4656 -ip 4656
1⤵
PID:4480

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 1476 -ip 1476
1⤵
PID:4232

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 1792 -ip 1792
1⤵
PID:3900

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 768 -ip 768
1⤵
PID:2320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 4360 -ip 4360
1⤵
PID:4280

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 548 -ip 548
1⤵
PID:3376

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 1056 -ip 1056
1⤵
PID:4056

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 2848 -ip 2848
1⤵
PID:4052

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 4796 -ip 4796
1⤵
PID:848

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 4868 -ip 4868
1⤵
PID:3464

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 2840 -ip 2840
1⤵
PID:4932

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 4260 -ip 4260
1⤵
PID:4116

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 1064 -ip 1064
1⤵
PID:4744

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 952 -ip 952
1⤵
PID:3892

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 3888 -ip 3888
1⤵
PID:3664

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 5112 -ip 5112
1⤵
PID:1552

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 2692 -ip 2692
1⤵
PID:4616

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 1476 -ip 1476
1⤵
PID:2580

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 3436 -ip 3436
1⤵
PID:2440

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 3732 -ip 3732
1⤵
PID:3400

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 3992 -ip 3992
1⤵
PID:4568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 4348 -ip 4348
1⤵
PID:3204

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 1068 -ip 1068
1⤵
PID:548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 2196 -ip 2196
1⤵
PID:4352

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3012 -ip 3012
1⤵
PID:4460

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3676 -ip 3676
1⤵
PID:4912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 4936 -ip 4936
1⤵
PID:508

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 1488 -ip 1488
1⤵
PID:400

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 452 -ip 452
1⤵
PID:4816

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 2812 -ip 2812
1⤵
PID:5040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 3340 -ip 3340
1⤵
PID:4840

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 4908 -ip 4908
1⤵
PID:4060

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 3132 -ip 3132
1⤵
PID:4480

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 1460 -ip 1460
1⤵
PID:1948

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 3252 -ip 3252
1⤵
PID:3644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 3224 -ip 3224
1⤵
PID:2148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\3f4b79d7-2501-4829-a545-003d3373613e.tmp

Filesize
6KB

MD5
e3f1f1c668f0b0741fe554e9aacd1764

SHA1
dd3355e535d64461d80f0e2f6e82f798742a90f2

SHA256
f8919168d7476ea13db2b5e2a56186b272698cdb3425732e0ff7b5b62542ef60

SHA512
d46f107960c72e5425aadb9a86825b667092dfcc4364d3acfebe403145bc02466e4c0ec3f973308fff8703c82bf6100a0e3dae368563ede109e52f089576492c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\572ad268-1add-4629-b2a8-cf92b02a9388.tmp

Filesize
6KB

MD5
b09db969e068d914566a667e47a3fdb1

SHA1
04af4047ac10f80d26533b9a319c285fb0ab5609

SHA256
928debbb08b80e11649a907d321f50ec877c70e2d38826ab08fe2d35b25df4e4

SHA512
b6522d94ae2d8e4eabaaa5de02fa25f3ec815778e2addcafb0a7de9a93deb2ad379c37751020792bfe14e9742dc1e7fa164856b7244e590d699fb5b99c04f2fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
d1ad6c21ee0a09437d8e7cbf74a8110d

SHA1
c1678b7cf0a2abb353c581fa5fe64111173fc3ab

SHA256
809e100e78654aed308e1cdcbbf4a81c8cb3ab25b37916cc95fda20963a27784

SHA512
5f92283d99b5d9c0f59c5fc71a838f1aff8be947586ab6140d82d65ce4051aa2136b2c1b9dd000dfa9ecbd43cbd6de76afd522801995affbdd3bb950cf969abc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1000B

MD5
61eef8b7926a83707762435ce5417467

SHA1
cf557a48f700c6cb99981a6d8e639c9193feaaa9

SHA256
4b50c96b749c70ad28fc89e101d47ef45fe259a7e48e82da6718424a46504750

SHA512
7f52e17ecdf762094d0e61d3935a7caffb381e2f124c67980a25c656c21355acc5f1a29b9b2c72fcf9eb0807824915d5a332828b65e148562a0407d63350d6f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8d6aa976647d4b38e7f716d2088ef2f6

SHA1
e5b14002f6e34ac1a42d511e5a70738368f3da90

SHA256
cd890c4c295bc057d23056db5ecd70879ed1487275ea55af6673c84212978c72

SHA512
36e339655de5a878870907b3404745e91e7b44c577187d98aff89509bcec39f20f9592b71a269bc41ea7072f256a3a0eca13ddccb46af4efb2d344827ec6b0b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
ed4ed93d2b05ea89473e4765a9773900

SHA1
0fc8ce465160f5d8fc0473313e8babc9baeee0f4

SHA256
d8d83aa5f525aa5f86e6fbff68b10338faaaa47899974e3b02577dc6d7608039

SHA512
bfb7a462f778d090d1047e8504bd608690429b0bd89d3b6a6cb264299b136cbed3224d5e4948d9cd87f0053d1bd536caefc11c741936357cfed1169098f338c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e378a51da2871cfa6bb54a336b5f5c52

SHA1
8a2e3f3a46262ce5e7d88ab7382f939b279293a4

SHA256
ac41f29adec572f2c92389d7683307f0b46511525aa127b301a4dc196afded6a

SHA512
ad5026127cf54858411c436a10a37e9035574c08f77111e9260846e82efd7ae690141ea02d30238723138486f17a74c5b84ea10633bd86523158f5d342fbbbc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
38285462e61b9335e71ed3b07724f36f

SHA1
920b55de8b86a211106e2d59f748e379207a1a83

SHA256
afae12ee74adff1f91be66c6a9706624debfedaba2f76b6db3e9c72996738fca

SHA512
3efd1d702456bccbde1de8852fd2cd212cb149d9ddd0ffea33f3a0bd438ce7c7c2c82d4096b5917ea55d1c240f899e4010def423ac95bdc22d1d6b870e9ce093

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b3cf33718ba1cc039973e72fda91b664

SHA1
906e3312d550290c0de4e313099d4c9131490638

SHA256
c774e622618e9464b434a5ec3f9b09cecaf5b9f0f2c2fa9ea3feed3fc807405c

SHA512
0c7431187ad26e1f36c0b8ea80a427c94812afa9aac9fc7339d1f0d0da89de54fe460483d038106f809d62c4130e807817e40741a3f14ec7700fdba7c4a537b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
48b5e8b9ea2c910eaf9a8ed2b0acfaac

SHA1
409af0be6818740932c59ca28cc3209a443d7703

SHA256
55268daad8b96a1198b7ff0ae5ed049520fae6712790ea1412a935c872600e37

SHA512
83b36e6aa4603a44793857b764c16076a056660167b0dcb2e9601038af93f04223b4ebad1bd9e2f7858a6d8cba20b2f98fc92c7ba7529baa9f1a224ea49e7d02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2eefd8f7ae21b5078abffd0efb71c6fd

SHA1
649ea87773522c8775d5d7e3c2780873585b9e5c

SHA256
306b00a20cdc901003a60a89b74d255484b1a25ae2b571e1187bc4c0594b8c3b

SHA512
2946d4571ddd1f883b7d41974a59c887b69fbc9445748ed4fdc583b2017ff942d5178e50e5f64bed0923cb736af9612a4c2fb6391264fee6a3713f120665c92f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
61206a17466268c6ac027cc26e7f2254

SHA1
489ab1d3235bd445770f7f9d159b0d6067c9d59a

SHA256
685d36d67c074996c0239923a068e14eff4955f3cb8e4d32313229c42d048e75

SHA512
aae16afabfda2befe4ade5d628d53b18eea333d46f804e18b1db8fc236a51b75097e6f99cc55ebf5211cf75a5904bcc2c8f7fb6849f46b847f599b0c0f0c603c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
591f32aef9fc7933df836c5ea7ab885e

SHA1
6d027b93d12ff921c6d9b4a3066e7ab2284d87ab

SHA256
e14c6872d9bad34b6f1251a84eb371a0b6f3190b787bddca92bffe99795ff759

SHA512
cea9f7ddd75ffaeceb7e0eeeda4b249f02d7f5fbcac4b47f12080dd8d89c06f7472e37b9db42a759fb1ce424c6f29992f5235d92cc3c1a7fe6bbb3f18bb91bdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
084af2e14ba20be0fdb045d700b2f85e

SHA1
5eb4e9e6cb67647bad5b78998629dcdd4b8cd57c

SHA256
e488de272bc3d296cd7cb5c45a36f8a36eaa589cd347ddf9d8228cff9910b8ce

SHA512
457858b3e592950abb4b4bcd68c448d8ee81ac0e67479c576153ae16c422845021554cf57a55a935894558e32e9816599926a7ad6e399e3b555dc7881bdd06b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
159KB

MD5
14d6cdde948aaa2a8f3d80eb48eaf3be

SHA1
1ee3e1b6169f56d26e6224cfd7e111ce8b6a3edb

SHA256
59ef5f0a88eb4713ed524cd51dd8c9a8f1f8da3eff36a001c764140bf9341080

SHA512
1fa38d9e75e8785fafa290b6a6cac91a7367f7d56596254450726897b26f7dc09029014d864d437acad508036ea7001b25c946ef89f66226676bbdc38fbfa0ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
102KB

MD5
902a43ccd7a08453c83931c22016e078

SHA1
23dd56644bc8e8367ad7f0028ecbc03e84ed9785

SHA256
1c76b8ccd6c467dc150b304f0c82a613581ccba2206e3c6513bc17d5c466c825

SHA512
a689d2315e3cc31558e91d7cc55403cfa4086934da3fdb1f64eb0b226c0730b8409f5a1ab3748815885882a871271684534b0e20b2ac068af961ee512317a7fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
928b305c9fbe7aaf03d636e3cc665cf9

SHA1
cc8211dfd906badcd2026187be5354ebcb41b0dc

SHA256
ccbb9eaea7d108a46441c505c56badc29d462a87355822f2392b54d6bdbf84be

SHA512
be137ef87f86b45a0a5bc9620e13faa0800a3a6ca20031bfbb75310c8402502cee5a6f5b66454f53d7f1249e7e5167e2842b80fbbeb160a69c2d3c41dfb0a376

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
112KB

MD5
cdd3d33820192ab30f78bca18ea9bbf3

SHA1
52ec37bf24885e7d57a735e9dc43a80459acdf42

SHA256
0cb026dff9ca2f85d6de8b97fc41c6ca5b7b6d32450296c6b282cacd3d260d8f

SHA512
aa794d9254e3c4cf3fba94f1e2e9b2eb27c1541f068675d9b4a578bc9639d27cdbd3db2da9532009e494ceabaaf69c9299bb8ae9c08c341ee637c7c25c0c6779

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5769c6.TMP

Filesize
96KB

MD5
7b4f75df6e73f46dee165f59c40471fa

SHA1
c564f2459df1bcf7d0b3f239ce379b7db8bbfe9e

SHA256
39dac6f708609502deefde8da104bf116208d102bb5c3f2060e64a1110c1b027

SHA512
dde6b1c77e36ae65624881715da39469ae5657dac0dc542bcbdb00a48802e5b00cff36639936a745adb1f99dddb6a85e6b7ef3ac25fc69e4d07fae4fb5247f15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfcd52f-1b97-4146-a66d-c6959bc65b2b\CliSecureRT.dll

Filesize
109KB

MD5
46092bbddb5bdf775f67a341d2b03ad7

SHA1
5645a2b182986d0278c862390014e20cc501d996

SHA256
a9f6783f2864f4532db011c8fccb41fa3732148a810084c7efa8dddbd5ae6324

SHA512
5b6cdae42a17aad74500a0ec7c1c4c6d6f0a2a28a43e6620eb26bbf2fe0e0f6adf1836317a33e0e720c70909405c74b3e95df1cb7011732a97f723edb5d250d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfcd52f-1b97-4146-a66d-c6959bc65b2b\CliSecureRT.dll

Filesize
109KB

MD5
46092bbddb5bdf775f67a341d2b03ad7

SHA1
5645a2b182986d0278c862390014e20cc501d996

SHA256
a9f6783f2864f4532db011c8fccb41fa3732148a810084c7efa8dddbd5ae6324

SHA512
5b6cdae42a17aad74500a0ec7c1c4c6d6f0a2a28a43e6620eb26bbf2fe0e0f6adf1836317a33e0e720c70909405c74b3e95df1cb7011732a97f723edb5d250d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1584_895950081\1e46083a-1d0a-4ec2-8511-9c801c14ad0e.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1584_895950081\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\Downloads\BlackNET Builder.exe

Filesize
367KB

MD5
e426c21445dae36d36bb5d1cfe9d383b

SHA1
bfc79210d073fdb6511bdf6a0b519cc29cebbc3b

SHA256
f4461e8b0f3831b6ee77d57f52dd74f28e79114bc5bb29d6b7ab5ca3adbf27f6

SHA512
096d36231581a894d5e9a07bb8fbe6ba483b92545a32040d448519c7b0de417bce836a1c817dd0ddf5bb98483a4c17dd3013674b6275ffacdfa2155ab32ef3a0

Download Submit
C:\Users\Admin\Downloads\BlackNET Builder.exe

Filesize
367KB

MD5
e426c21445dae36d36bb5d1cfe9d383b

SHA1
bfc79210d073fdb6511bdf6a0b519cc29cebbc3b

SHA256
f4461e8b0f3831b6ee77d57f52dd74f28e79114bc5bb29d6b7ab5ca3adbf27f6

SHA512
096d36231581a894d5e9a07bb8fbe6ba483b92545a32040d448519c7b0de417bce836a1c817dd0ddf5bb98483a4c17dd3013674b6275ffacdfa2155ab32ef3a0

Download Submit
C:\Users\Admin\Downloads\BlackNET Builder.exe

Filesize
367KB

MD5
e426c21445dae36d36bb5d1cfe9d383b

SHA1
bfc79210d073fdb6511bdf6a0b519cc29cebbc3b

SHA256
f4461e8b0f3831b6ee77d57f52dd74f28e79114bc5bb29d6b7ab5ca3adbf27f6

SHA512
096d36231581a894d5e9a07bb8fbe6ba483b92545a32040d448519c7b0de417bce836a1c817dd0ddf5bb98483a4c17dd3013674b6275ffacdfa2155ab32ef3a0

Download Submit
C:\Users\Admin\Downloads\LokiRAT_Relapse.exe

Filesize
1.1MB

MD5
aabb54951546132e70a8e9f02bf8b5ba

SHA1
29df820f6a1ba8225ecb5628b6f3d1ec71bc3cdd

SHA256
1cc4fab54263dfa842c80a72b78a9c223894264b9b4f25263d8fdc2f69def8a1

SHA512
5049fe5833af239207d4c7b8cca5715b4c363a372b39b76450dd1ef866e5a83201646ab6e97bcca9e4be7cf2461096b45777d29d645920b8f367d8d5e66422dd

Download Submit
C:\Users\Admin\Downloads\LokiRAT_Relapse.exe

Filesize
1.1MB

MD5
aabb54951546132e70a8e9f02bf8b5ba

SHA1
29df820f6a1ba8225ecb5628b6f3d1ec71bc3cdd

SHA256
1cc4fab54263dfa842c80a72b78a9c223894264b9b4f25263d8fdc2f69def8a1

SHA512
5049fe5833af239207d4c7b8cca5715b4c363a372b39b76450dd1ef866e5a83201646ab6e97bcca9e4be7cf2461096b45777d29d645920b8f367d8d5e66422dd

Download Submit
C:\Users\Admin\Downloads\movie.mov

Filesize
80KB

MD5
59b51039174d119180f7064227f5e5f9

SHA1
ad5c4ec60bd18b37b65866142f352a43fd4f9af2

SHA256
3154eb0b45519f200d05acfa4be8ea81ab952180826620c9b7a9e43c2129aa52

SHA512
01b91180c698cbb02480d196fb36280b1344e9fb2190200286dc23c0957f3bf3e706264a7f51f772360d355716b54dcab4c051d7309debc618f7f3af290e042a

Download Submit
C:\Users\Admin\Downloads\stub.exe

Filesize
102KB

MD5
e162b1333458a713bc6916cc8ac4110c

SHA1
7053e1ae3e60b42f9fb8850f8a727099530c8fcd

SHA256
2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

SHA512
9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a

Download Submit
C:\Users\Admin\Downloads\stub.exe

Filesize
102KB

MD5
e162b1333458a713bc6916cc8ac4110c

SHA1
7053e1ae3e60b42f9fb8850f8a727099530c8fcd

SHA256
2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

SHA512
9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a

Download Submit
C:\Users\Admin\Downloads\stub.exe

Filesize
102KB

MD5
e162b1333458a713bc6916cc8ac4110c

SHA1
7053e1ae3e60b42f9fb8850f8a727099530c8fcd

SHA256
2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

SHA512
9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a

Download Submit
C:\Users\Admin\Downloads\stub.exe

Filesize
102KB

MD5
e162b1333458a713bc6916cc8ac4110c

SHA1
7053e1ae3e60b42f9fb8850f8a727099530c8fcd

SHA256
2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

SHA512
9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a

Download Submit
C:\Users\Admin\Downloads\stub.exe

Filesize
102KB

MD5
e162b1333458a713bc6916cc8ac4110c

SHA1
7053e1ae3e60b42f9fb8850f8a727099530c8fcd

SHA256
2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

SHA512
9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a

Download Submit
C:\Users\Admin\Downloads\stub.exe

Filesize
102KB

MD5
e162b1333458a713bc6916cc8ac4110c

SHA1
7053e1ae3e60b42f9fb8850f8a727099530c8fcd

SHA256
2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

SHA512
9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a

Download Submit
C:\Users\Admin\Downloads\stub.exe

Filesize
102KB

MD5
e162b1333458a713bc6916cc8ac4110c

SHA1
7053e1ae3e60b42f9fb8850f8a727099530c8fcd

SHA256
2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

SHA512
9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a

Download Submit
C:\Users\Admin\Downloads\stub.exe

Filesize
102KB

MD5
e162b1333458a713bc6916cc8ac4110c

SHA1
7053e1ae3e60b42f9fb8850f8a727099530c8fcd

SHA256
2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

SHA512
9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a

Download Submit
C:\Users\Admin\Downloads\stub.exe

Filesize
102KB

MD5
e162b1333458a713bc6916cc8ac4110c

SHA1
7053e1ae3e60b42f9fb8850f8a727099530c8fcd

SHA256
2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

SHA512
9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a

Download Submit
C:\Users\Admin\Downloads\stub.exe

Filesize
102KB

MD5
e162b1333458a713bc6916cc8ac4110c

SHA1
7053e1ae3e60b42f9fb8850f8a727099530c8fcd

SHA256
2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

SHA512
9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a

Download Submit
C:\Users\Admin\Downloads\stub.exe

Filesize
102KB

MD5
e162b1333458a713bc6916cc8ac4110c

SHA1
7053e1ae3e60b42f9fb8850f8a727099530c8fcd

SHA256
2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

SHA512
9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a

Download Submit
C:\Users\Admin\Downloads\stub.exe

Filesize
102KB

MD5
e162b1333458a713bc6916cc8ac4110c

SHA1
7053e1ae3e60b42f9fb8850f8a727099530c8fcd

SHA256
2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

SHA512
9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a

Download Submit
C:\Users\Admin\Downloads\stub.exe

Filesize
102KB

MD5
e162b1333458a713bc6916cc8ac4110c

SHA1
7053e1ae3e60b42f9fb8850f8a727099530c8fcd

SHA256
2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

SHA512
9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a

Download Submit
C:\Users\Admin\Downloads\stub.exe

Filesize
102KB

MD5
e162b1333458a713bc6916cc8ac4110c

SHA1
7053e1ae3e60b42f9fb8850f8a727099530c8fcd

SHA256
2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

SHA512
9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a

Download Submit
C:\Users\Admin\Downloads\stub.exe

Filesize
102KB

MD5
e162b1333458a713bc6916cc8ac4110c

SHA1
7053e1ae3e60b42f9fb8850f8a727099530c8fcd

SHA256
2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

SHA512
9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a

Download Submit
C:\Users\Admin\Downloads\stub.exe

Filesize
102KB

MD5
e162b1333458a713bc6916cc8ac4110c

SHA1
7053e1ae3e60b42f9fb8850f8a727099530c8fcd

SHA256
2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

SHA512
9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a

Download Submit
C:\Users\Admin\Downloads\stub.exe

Filesize
102KB

MD5
e162b1333458a713bc6916cc8ac4110c

SHA1
7053e1ae3e60b42f9fb8850f8a727099530c8fcd

SHA256
2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

SHA512
9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a

Download Submit
C:\Users\Admin\Downloads\stub.exe

Filesize
102KB

MD5
e162b1333458a713bc6916cc8ac4110c

SHA1
7053e1ae3e60b42f9fb8850f8a727099530c8fcd

SHA256
2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

SHA512
9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a

Download Submit
C:\Users\Admin\Downloads\stub.exe

Filesize
102KB

MD5
e162b1333458a713bc6916cc8ac4110c

SHA1
7053e1ae3e60b42f9fb8850f8a727099530c8fcd

SHA256
2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

SHA512
9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a

Download Submit
C:\Users\Admin\Downloads\stub.exe

Filesize
102KB

MD5
e162b1333458a713bc6916cc8ac4110c

SHA1
7053e1ae3e60b42f9fb8850f8a727099530c8fcd

SHA256
2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

SHA512
9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a

Download Submit
C:\Users\Admin\Downloads\stub.exe

Filesize
102KB

MD5
e162b1333458a713bc6916cc8ac4110c

SHA1
7053e1ae3e60b42f9fb8850f8a727099530c8fcd

SHA256
2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

SHA512
9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a

Download Submit
C:\Users\Admin\Downloads\watcher.exe

Filesize
17KB

MD5
89dd6e72358a669b7d6e2348307a7af7

SHA1
0db348f3c6114a45d71f4d218e0e088b71c7bb0a

SHA256
ad34794058212006ae974fcc6a0242598e6d020f08044439e3512773cd402b7e

SHA512
93b8a47686d7491281a0809b138a6244a535302ba0d6b2146849e9888632c72b6223ae8eb7a24f1006aaf57ab947a8f43719cff4837df559e7bf42f52c63856b

Download Submit
C:\Users\Admin\Downloads\watcher.exe

Filesize
17KB

MD5
89dd6e72358a669b7d6e2348307a7af7

SHA1
0db348f3c6114a45d71f4d218e0e088b71c7bb0a

SHA256
ad34794058212006ae974fcc6a0242598e6d020f08044439e3512773cd402b7e

SHA512
93b8a47686d7491281a0809b138a6244a535302ba0d6b2146849e9888632c72b6223ae8eb7a24f1006aaf57ab947a8f43719cff4837df559e7bf42f52c63856b

Download Submit
C:\Users\Admin\Downloads\watcher.exe

Filesize
17KB

MD5
89dd6e72358a669b7d6e2348307a7af7

SHA1
0db348f3c6114a45d71f4d218e0e088b71c7bb0a

SHA256
ad34794058212006ae974fcc6a0242598e6d020f08044439e3512773cd402b7e

SHA512
93b8a47686d7491281a0809b138a6244a535302ba0d6b2146849e9888632c72b6223ae8eb7a24f1006aaf57ab947a8f43719cff4837df559e7bf42f52c63856b

Download Submit
memory/452-929-0x000000001B200000-0x000000001B210000-memory.dmp

Filesize
64KB

Download
memory/1880-850-0x000000001B030000-0x000000001B040000-memory.dmp

Filesize
64KB

Download
memory/2092-749-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/2092-767-0x0000000000480000-0x00000000008C2000-memory.dmp

Filesize
4.3MB

Download
memory/2092-748-0x0000000000480000-0x00000000008C2000-memory.dmp

Filesize
4.3MB

Download
memory/2092-763-0x0000000010000000-0x000000001002C000-memory.dmp

Filesize
176KB

Download
memory/2092-762-0x00000000042A0000-0x00000000042B0000-memory.dmp

Filesize
64KB

Download
memory/2092-757-0x0000000073100000-0x000000007315B000-memory.dmp

Filesize
364KB

Download
memory/2224-704-0x000000001BFB0000-0x000000001BFFC000-memory.dmp

Filesize
304KB

Download
memory/2224-729-0x0000000000860000-0x0000000000870000-memory.dmp

Filesize
64KB

Download
memory/2224-700-0x000000001B8D0000-0x000000001BD9E000-memory.dmp

Filesize
4.8MB

Download
memory/2224-698-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/2224-702-0x0000000000860000-0x0000000000870000-memory.dmp

Filesize
64KB

Download
memory/2224-745-0x0000000000860000-0x0000000000870000-memory.dmp

Filesize
64KB

Download
memory/2224-703-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/2224-714-0x0000000000860000-0x0000000000870000-memory.dmp

Filesize
64KB

Download
memory/2224-699-0x000000001B2F0000-0x000000001B396000-memory.dmp

Filesize
664KB

Download
memory/2224-701-0x000000001BE50000-0x000000001BEEC000-memory.dmp

Filesize
624KB

Download
memory/2812-930-0x000000001BAA0000-0x000000001BAB0000-memory.dmp

Filesize
64KB

Download
memory/2868-716-0x000000001B440000-0x000000001B450000-memory.dmp

Filesize
64KB

Download
memory/3888-928-0x000000001B030000-0x000000001B040000-memory.dmp

Filesize
64KB

Download
memory/4020-679-0x000000001B0F0000-0x000000001B100000-memory.dmp

Filesize
64KB

Download
memory/4020-678-0x0000000000490000-0x00000000004B0000-memory.dmp

Filesize
128KB

Download
memory/4620-718-0x0000000000E90000-0x0000000000EA0000-memory.dmp

Filesize
64KB

Download
memory/4972-879-0x00007FF667170000-0x00007FF667268000-memory.dmp

Filesize
992KB

Download
memory/4972-882-0x00007FFAD0440000-0x00007FFAD14EB000-memory.dmp

Filesize
16.7MB

Download
memory/4972-881-0x00007FFAE07D0000-0x00007FFAE0A84000-memory.dmp

Filesize
2.7MB

Download
memory/4972-880-0x00007FFAECAE0000-0x00007FFAECB14000-memory.dmp

Filesize
208KB

Download
memory/5040-665-0x00000237C7510000-0x00000237C7574000-memory.dmp

Filesize
400KB

Download
memory/5040-666-0x00000237E1CF0000-0x00000237E1D00000-memory.dmp

Filesize
64KB

Download