redline | hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbnBGZzZoeHA0R1M3SE0zOVZyalJzSWlOMXk2UXxBQ3Jtc0tubnVzYkF0UXRmVnRoNWhVa1BsX0xiQ0VRdE5oX3liM2s4b2Y1blhHaDRacjNEQmw3TWJWNHNJem1HclFkYnljbXkwdUVBZU9JOHptTXdFVnVCZDYzSGhQY1pFck1yeWEtY3d2NHVUekwyRXlvSXNjSQ&q=https%3A%2F%2Fapp[.]mediafire[.]com%2Fkuoj051melyia&v=JLCOu8aF9z4

Analysis

max time kernel
263s
max time network
267s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbnBGZzZoeHA0R1M3SE0zOVZyalJzSWlOMXk2UXxBQ3Jtc0tubnVzYkF0UXRmVnRoNWhVa1BsX0xiQ0VRdE5oX3liM2s4b2Y1blhHaDRacjNEQmw3TWJWNHNJem1HclFkYnljbXkwdUVBZU9JOHptTXdFVnVCZDYzSGhQY1pFck1yeWEtY3d2NHVUekwyRXlvSXNjSQ&q=https%3A%2F%2Fapp.mediafire.com%2Fkuoj051melyia&v=JLCOu8aF9z4

Score

10^/10

redline zgrat discovery infostealer rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5536-655-0x0000000000400000-0x000000000044A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1676-654-0x0000000000D20000-0x0000000000E49000-memory.dmp	family_zgrat_v1
behavioral1/memory/1676-660-0x0000000000D20000-0x0000000000E49000-memory.dmp	family_zgrat_v1
behavioral1/memory/7788-699-0x0000000000D20000-0x0000000000E49000-memory.dmp	family_zgrat_v1
behavioral1/memory/7004-703-0x0000000000D20000-0x0000000000E49000-memory.dmp	family_zgrat_v1
behavioral1/memory/6480-785-0x0000000000D20000-0x0000000000E49000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5536-655-0x0000000000400000-0x000000000044A000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Designer.pif

description pid process target process

PID 7224 created 3368 7224 Designer.pif Explorer.EXE
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

description	pid	process	target process
PID 7224 created 3368	7224	Designer.pif	Explorer.EXE

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FixLoader.exeFixLoader.exeFixLoader.exeFixLoader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	FixLoader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	FixLoader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	FixLoader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	FixLoader.exe

Executes dropped EXE 12 IoCs

Processes:

Loader.exeFixLoader.exeDesigner.pifLoader.exeLoader.exeFixLoader.exeDesigner.pifFixLoader.exeDesigner.pifFixLoader.exeDesigner.pifLoader.exe

pid	process
1676	Loader.exe
8188	FixLoader.exe
7224	Designer.pif
7788	Loader.exe
7004	Loader.exe
5164	FixLoader.exe
5812	Designer.pif
7824	FixLoader.exe
5184	Designer.pif
4920	FixLoader.exe
6976	Designer.pif
6480	Loader.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

Processes:

Loader.exeLoader.exeLoader.exeLoader.exe

description	pid	process	target process
PID 1676 set thread context of 5536	1676	Loader.exe	RegAsm.exe
PID 7788 set thread context of 7776	7788	Loader.exe	RegAsm.exe
PID 7004 set thread context of 220	7004	Loader.exe	RegAsm.exe
PID 6480 set thread context of 5444	6480	Loader.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
7692	1676	WerFault.exe	Loader.exe
8144	7788	WerFault.exe	Loader.exe
7480	7004	WerFault.exe	Loader.exe
1896	6480	WerFault.exe	Loader.exe

Enumerates processes with tasklist 1 TTPs 8 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

5860 tasklist.exe
7244 tasklist.exe
1928 tasklist.exe
5044 tasklist.exe
2472 tasklist.exe
976 tasklist.exe
5732 tasklist.exe
5764 tasklist.exe

pid	process
5860	tasklist.exe
7244	tasklist.exe
1928	tasklist.exe
5044	tasklist.exe
2472	tasklist.exe
976	tasklist.exe
5732	tasklist.exe
5764	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133584559862470686"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings chrome.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

5824 PING.EXE
7820 PING.EXE
3068 PING.EXE
7712 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings	chrome.exe

pid	process
5824	PING.EXE
7820	PING.EXE
3068	PING.EXE
7712	PING.EXE

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

chrome.exechrome.exeRegAsm.exeDesigner.pifRegAsm.exeRegAsm.exeDesigner.pifDesigner.pifDesigner.pifRegAsm.exe

pid	process
2348	chrome.exe
2348	chrome.exe
532	chrome.exe
532	chrome.exe
5536	RegAsm.exe
5536	RegAsm.exe
5536	RegAsm.exe
7224	Designer.pif
7224	Designer.pif
7224	Designer.pif
7224	Designer.pif
7224	Designer.pif
7224	Designer.pif
7776	RegAsm.exe
7776	RegAsm.exe
220	RegAsm.exe
5812	Designer.pif
5812	Designer.pif
5812	Designer.pif
5812	Designer.pif
5812	Designer.pif
5812	Designer.pif
5184	Designer.pif
5184	Designer.pif
5184	Designer.pif
5184	Designer.pif
5184	Designer.pif
5184	Designer.pif
6976	Designer.pif
6976	Designer.pif
6976	Designer.pif
6976	Designer.pif
6976	Designer.pif
6976	Designer.pif
5444	RegAsm.exe
7224	Designer.pif
7224	Designer.pif

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

6596 7zFM.exe

pid	process
6596	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 48 IoCs

Processes:

chrome.exe

pid	process
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeCreatePagefilePrivilege	2348	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe

Suspicious use of SendNotifyMessage 36 IoCs

Processes:

chrome.exeDesigner.pifDesigner.pifDesigner.pifDesigner.pif

pid	process
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
7224	Designer.pif
7224	Designer.pif
7224	Designer.pif
5812	Designer.pif
5812	Designer.pif
5812	Designer.pif
5184	Designer.pif
5184	Designer.pif
5184	Designer.pif
6976	Designer.pif
6976	Designer.pif
6976	Designer.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2348 wrote to memory of 2800	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 2800	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 4728	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 2072	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 2072	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe
PID 2348 wrote to memory of 1236	2348	chrome.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbnBGZzZoeHA0R1M3SE0zOVZyalJzSWlOMXk2UXxBQ3Jtc0tubnVzYkF0UXRmVnRoNWhVa1BsX0xiQ0VRdE5oX3liM2s4b2Y1blhHaDRacjNEQmw3TWJWNHNJem1HclFkYnljbXkwdUVBZU9JOHptTXdFVnVCZDYzSGhQY1pFck1yeWEtY3d2NHVUekwyRXlvSXNjSQ&q=https%3A%2F%2Fapp.mediafire.com%2Fkuoj051melyia&v=JLCOu8aF9z4
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcea7fab58,0x7ffcea7fab68,0x7ffcea7fab78
3⤵
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:2
3⤵
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:8
3⤵
PID:2072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:8
3⤵
PID:1236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:8
3⤵
PID:3052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:8
3⤵
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4668 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3356 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2724 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4824 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:1004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4896 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:5172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5164 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:5308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5376 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:5572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5512 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:5600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5548 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:5608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5564 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:5616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5580 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:5624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5596 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:5632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5612 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:5640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=6532 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:6108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6756 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:5464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6912 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:5496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=7088 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:6308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=7280 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:6384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=7308 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:6392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=7324 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:6400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=7340 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:6408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=7356 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:6416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=7380 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:6424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=7632 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:6432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=7648 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:6440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=7664 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:6448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=7680 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:6456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=7704 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:6464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=7720 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:6472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=7736 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:6480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=7988 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:6488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=9204 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:6544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=9340 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:6552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=10196 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:7604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=7124 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:7696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=9564 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:7704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=10472 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:7856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=7620 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:7552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=8240 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:7688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=7332 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:7992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=7616 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:8176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=7032 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:8184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=10548 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:5444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=10116 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:7812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=7328 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:6568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7608 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:8
3⤵
PID:7036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=8324 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:1
3⤵
PID:7044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8244 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:8
3⤵
PID:7432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=988 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6732 --field-trial-handle=1856,i,13807127951234523643,673337009131285860,131072 /prefetch:8
3⤵
PID:6884

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Setup.rar"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:6596

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Light Executor\Instruction.txt
2⤵
PID:4208

C:\Users\Admin\Desktop\Light Executor\Loader.exe
"C:\Users\Admin\Desktop\Light Executor\Loader.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 324
3⤵
- Program crash
PID:7692

C:\Users\Admin\Desktop\Light Executor\FixLoader.exe
"C:\Users\Admin\Desktop\Light Executor\FixLoader.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:8188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c move Emotions Emotions.cmd && Emotions.cmd
3⤵
PID:4180

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:2472

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:2096

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:976

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:7432

C:\Windows\SysWOW64\cmd.exe
cmd /c md 332043
4⤵
PID:7844

C:\Windows\SysWOW64\findstr.exe
findstr /V "MasBathroomsCompoundInjection" Participants
4⤵
PID:7908

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Hit + Deutsche + Complex + Kitty + Take + Pins + Ai + Divide 332043\A
4⤵
PID:6812

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\332043\Designer.pif
332043\Designer.pif 332043\A
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:7224

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:7712

C:\Users\Admin\Desktop\Light Executor\Loader.exe
"C:\Users\Admin\Desktop\Light Executor\Loader.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:7776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7788 -s 284
3⤵
- Program crash
PID:8144

C:\Users\Admin\Desktop\Light Executor\Loader.exe
"C:\Users\Admin\Desktop\Light Executor\Loader.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 288
3⤵
- Program crash
PID:7480

C:\Users\Admin\Desktop\Light Executor\FixLoader.exe
"C:\Users\Admin\Desktop\Light Executor\FixLoader.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c move Emotions Emotions.cmd && Emotions.cmd
3⤵
PID:5964

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:5732

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:5752

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:5764

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:5932

C:\Windows\SysWOW64\cmd.exe
cmd /c md 332403
4⤵
PID:6064

C:\Windows\SysWOW64\findstr.exe
findstr /V "MasBathroomsCompoundInjection" Participants
4⤵
PID:5728

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Hit + Deutsche + Complex + Kitty + Take + Pins + Ai + Divide 332403\A
4⤵
PID:5808

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\332403\Designer.pif
332403\Designer.pif 332403\A
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:5812

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:5824

C:\Users\Admin\Desktop\Light Executor\FixLoader.exe
"C:\Users\Admin\Desktop\Light Executor\FixLoader.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:7824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c move Emotions Emotions.cmd && Emotions.cmd
3⤵
PID:5324

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:5860

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:5844

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:7244

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:7556

C:\Windows\SysWOW64\cmd.exe
cmd /c md 332533
4⤵
PID:6536

C:\Windows\SysWOW64\findstr.exe
findstr /V "MasBathroomsCompoundInjection" Participants
4⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Hit + Deutsche + Complex + Kitty + Take + Pins + Ai + Divide 332533\A
4⤵
PID:2912

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\332533\Designer.pif
332533\Designer.pif 332533\A
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:5184

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:7820

C:\Users\Admin\Desktop\Light Executor\FixLoader.exe
"C:\Users\Admin\Desktop\Light Executor\FixLoader.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c move Emotions Emotions.cmd && Emotions.cmd
3⤵
PID:4400

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:1928

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:1696

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:5044

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:6948

C:\Windows\SysWOW64\cmd.exe
cmd /c md 332693
4⤵
PID:4600

C:\Windows\SysWOW64\findstr.exe
findstr /V "MasBathroomsCompoundInjection" Participants
4⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Hit + Deutsche + Complex + Kitty + Take + Pins + Ai + Divide 332693\A
4⤵
PID:7108

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\332693\Designer.pif
332693\Designer.pif 332693\A
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:6976

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:3068

C:\Users\Admin\Desktop\Light Executor\Loader.exe
"C:\Users\Admin\Desktop\Light Executor\Loader.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 308
3⤵
- Program crash
PID:1896

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\332043\RegAsm.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\332043\RegAsm.exe
2⤵
PID:8036

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1232

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1676 -ip 1676
1⤵
PID:5236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 7788 -ip 7788
1⤵
PID:8112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 7004 -ip 7004
1⤵
PID:7728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 6480 -ip 6480
1⤵
PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
58bb95b4094ea52340b0fa368840c9a5

SHA1
03e801a2f4735f3f47b6822d4660e55210e56567

SHA256
65d15a1557409d3cb361251a31e7a620874bd504e12187d1260d9b80fbf6b235

SHA512
6931e70506a094e390cbcb45ae3bbca25ea54ab1937d6b5b3443890c5f436f5ee04dd587605ff1d7055f4f810d3ac690e1a42b39020e242389dddbce5f7b3deb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
20KB

MD5
8dc2756f85fccea2e456061d06bdea5e

SHA1
cdb7f846722ae88cfcca334697b1c61e7945d8ea

SHA256
ff17f0a5c2b621ce0625cfd2d947bf0eabf322c95a8e75a27f42d0722329ae9e

SHA512
585b17e9f72a35299cf49d23567dd29d1fbc70caef0c8374f20ed43c16bcfbbe0cb95107a88e3666b88c1d09263e2180771effeb9fdfdd8423cc08840dcf0d69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8a7426bd86567db6e03fbc31487fa128

SHA1
9ed66332091aa8a04e52e975d790546adde062fe

SHA256
a3c88e4494408de1734c229219cdd10a483dd8a35a1796b6edeb71dda3efe128

SHA512
eeaa1b4fb84914b2f966ba53a5f8de68378ede8b747280786ce1d48bb2e61071b7872392709c2024fab06a537dce6d6c288c63c19dd2ab5b5f4278888dc9d100

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
43745356e2ceac038f955096953688e7

SHA1
f26711b58c9620904a8abf0124a7ac089b997030

SHA256
3dc4680034db7955d00287379fc642aa2b328fe700e57dca3c201e81b3a34760

SHA512
782ff9864212ddc0526f0566c37cc0f395127f20c51b0b70ff9cba0e70efc82094a6fe32a24f582e20a5ffbb93165b8feeb7f5778a8a600c7e9de88129d6aba3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
c292d4e7cbc859e3f3bb3137fbdfb865

SHA1
3f286d2134c395c212135f17b3eab7eca43e7b7c

SHA256
27c13cbf1495ae694d280839a569324af3a6d4b814603d3c39dcca8fd09b9607

SHA512
47030b6f2bbda7b3981d3c94cf67393d2815d52f1bd149def3a348c61fe6149cf1bef7b47d47d6f0d09d36f658ba05cddb5da87bb444cc81843847bcf8c067d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
96KB

MD5
340baee16b68950b4c368b71d0af45c0

SHA1
0d9efa033ed7043887e3597da4cee7074025ffac

SHA256
d6ba764306ee927a0aebeeb0f06fbb23dfe90365ad8d60c3e0989bb0a20b783f

SHA512
640ff7911f49ff950b3b963a1a41aa12a62f2a020b06ff041fcb156f876abb9d304b8c264fb23a760f25d0818cf363f4d468d2ce67fde85111471d6fef18fe78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
21KB

MD5
bcd3493cad4f0257a7071faeae342901

SHA1
8a354afb6432bb81e0c33f50242957b8d89323fb

SHA256
47fcfdc90a90bedd4bb67ff09abef7390746c624ef609143e2c6ed854afec413

SHA512
56cc483ba4fb7bb4277f6c48857b63fa5671ad5737446f208230d4238dc5dc3fa3962962ffc450ee4465d2e652d5c7981ab5bdc6cd02982ee01aaf61f3a5ebae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
19KB

MD5
dca26259df76b08ca06ac7a609c7d304

SHA1
b3e89aebd68097be4e84006449545189e323f6f7

SHA256
091b409a3d4ad40a44b12abeabc42d5fd282f2f7959a6ba9400675bb9ef2646a

SHA512
38270699b425330af59f7f8e2f587c5bcb1c529dc24373c03619c14a865475ada70b7c52531051e5d3586f378bc3695254bdec7e4e4ad5242d36481ced9672d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c8e73627af58ead58fb31e8bb53acbd1

SHA1
be8cc8b49121505f169f024ea4be0c2bb3515962

SHA256
800edda7fb823485f7714d768f213d44d8cc4da75a4f41a811c9d40f1de1b705

SHA512
5fd285dc4a2af261d651e18a0d9e25cfe03eb336dd2981554764db068b54bcc023d026ff6890ef297e9dcb35f25754220b0ab52734ad582d201fc050935e96cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5c2605f6d6586c2fdf957bfe1b6c4540

SHA1
2ba503d76b67fb5082e5d8d4d05456d8a761e502

SHA256
5aabf4c8ecc67dd3d2fdd4733456bc2788af40ce08f6fce95a56f3fae390a37d

SHA512
e6d20d38f99e8f981d2e94fd893e6b0c8206df2ef03599b2c660727a6649a23701d0dc18c2e03fc8edf516ccb0b9bc3f114537a39f08ed64240777a04ebfebca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
4e0d8f311af3f45c6a8c65a7dfd59e61

SHA1
85fbd7fd9bd50aa50a18c3ccf819a173893a3062

SHA256
2e7437aec2bd14d9d94cb127a7323551638222334e51eacaf7a3713260c47a10

SHA512
46b705cc0c58365e565b8670c86b00e94fcda6227852cb97ba7267010081a1c691962a3180857ce5ae8a592e0f1e1d1d8b0404ab76bedfb13ade4684c6f7a810

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
b48e0e55a6c4037597acb100f25dffe9

SHA1
5f388d902b5b3b20841e7c50ad4a48fa200d9bc3

SHA256
5577b2a2d2019d1de1b5e56a633df0820e3917a8b13b27cae85c53a7dc77dc5e

SHA512
c0f157dd92ca194d897d269d7c73c8a030fcdf26780b845d11b6e9db7606a6ff60835f7d68bb6f2a1eb1054b4727ed716874ca01ae0f0c830d2a5df8ab67414d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
1e6cca79d5b340b0bd00abae0ef594fa

SHA1
e1ce86a2220cfe94d4ef11e3ed111a1f54bb74b3

SHA256
3dca289d4baac206ac5d41f0b514cc5799557df780c9e3c95adb6d5562731470

SHA512
e12d61148262cd7f1deb4a1c99e3f7a631fee658d21979e19f79ee7f32834afcd938e64b3bd318a41123b0f7dee1f2920f11edb39614e92cbcdfe6dcc862e97d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
30b25a41db1616bdbe0bf9e75fdc3d7a

SHA1
7c6fb2c41a66cbfc852eb9b3dfea6cd0d9e1ca12

SHA256
9dcbd047069ffbfbea9d823b67ef18f7ce79b1c24a94a6e65ff6f0a612724f48

SHA512
f8d4914e80f5d3d2c21bc7f06b1968ceb9ba27f72b64f076e7a0fb4a9f1656bc12db7cddd9375cdb5cbdc224ceb2a87ec2610fdf312694f7785346feb9a378fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2062258e4c101c42f53ca9def72f0fae

SHA1
b180d40dd3ec717440f453d57cb805d1f530ea80

SHA256
ef225e8b2896c39d356c6130a718cf164655e9ae6f26b3946145b0497fce6be5

SHA512
088b6086139d687d642c229f2ffc853404f6d197cc864a52ca50c81fa54daf0ae22bac32cc2ce88acd0066ced55a894f636d6ea240ab95248f7d33d0f6f1a96c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
24683da27a078b446ac9f5ebb957dd39

SHA1
c37de5db15f5d8c5e6f2e0d4d7ad266d79ffab6f

SHA256
82be2397d2c651bd8525a482358b968f98472969d1ae0926930148b6ab9ce80d

SHA512
588a0b989c8db8f5016f7cc4fc1694f8c90f4d6471d07f2e3bec14017df556fae726a8d26600387bb38e38f15a5b5b5d724e3e986678651e81f24af77ff2929d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ff80a5353b0b2a5ab06d399b0300394b

SHA1
f179371ae82ea2b6b02c6b8b9156cd1957d71e33

SHA256
e20d548532463aabaf434989932d41106cb6c2098419701548454cfa7b624cd2

SHA512
e3e8382b409b623d1d17d818aaa712af9ba868ab6046a0726537cbaf34722ad9018e433f6d2ecee80930d889b058174a28fcb3d68e7e6a0e0d9451ff6d6af0d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9afbf23696f6eab02565068bed383835

SHA1
05a0cd8fc6000321e88d7f02ccfc416daacde79c

SHA256
1072bf05cda5ae7fc483688c17541e3664e442be532b672c32d44d3b56a1b3e7

SHA512
77153c2060c2d6a9f03dc243083044fab70b0e298ea0793c3049a23a1f37f74ffab93859c6a35170d311efd20b2ab9bd69a082e574864440f9461843abb1a22b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
db6738805bddd6c308d6e044cf10f910

SHA1
e96bd2042b4e06f85ea1bd55cb58f925db2624a2

SHA256
bf496053c04611a38aa275cc7de07cebd154a7cfc79689993b22a22a2094e4eb

SHA512
9c4d30761ea6d69fdf021020e921781ff6e00e0fe365eda050b7dbd94f4cff0219d4f503793349f8ebbe5a4134971b300e5153c3e7ba851e8cb7af45bf132560

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
250KB

MD5
920e500f79012ef462a8755c89f125d6

SHA1
11899d97f38eecca0fcfe022bad5bd2505135a1c

SHA256
d87ca5ffeeab16676bb1c723a1de5544a88bba73e6e2f3f0e7e692a77b1feb0f

SHA512
220e7d5c6f1d8d73e3e049ddb291622c1ff9b6ae6049d8bffb9f713a6cad6ccee80122fee910010ecf56dc9baad30278c5b83eb3ca19fc23c0a863566d305962

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
250KB

MD5
67681ff3eb38f3b63db1bf00beb0d0a6

SHA1
5c73fb875952900e2d3ea410dd8e87c3595b6e99

SHA256
2b26e982188cbc909562613ccd1f9514279bcd7675c4a0281ee44d60e5f98496

SHA512
388c44320ced75626946b2ba67d6562cc280333ac9b025bb2234c6835d6a08fe7489ebd15811190aa1588e4aabaea3b1c4acedcc86c2171f853dce885a2fd645

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
250KB

MD5
f8681ed98f8f799454c631254d3d0ae1

SHA1
7fea82766a5808d91dc4f862c7f74f7f50489926

SHA256
016aa60007b59bb55f350dc2eace288212d6ffd69d58bfa658244506ba0f4e76

SHA512
beddaaaf67b3e6737daa59bc46e2698a5245622eadcd14481bb786338f8e9e5c300e1fedb4af1bfda48184a65c9150e8ca1b7692a051863c829973d779ecca52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
250KB

MD5
0a520b42830accf82190b951aac4be2e

SHA1
749eac5f5fe8c3750eb57bd077f747cdb74a5afa

SHA256
bfe3027633e2525dccbfbfba9683c7c72bed4f283769694b1ce0a91e4ac7dd3f

SHA512
161b71698e4b3c26eee245ba8c46684a52ef8e90d4280853594bc768285587f2fbc68e9901812809309cf22721c2c31ae8341262a27e959acca00a4e1428c226

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
96KB

MD5
14048d184659bc8eac379f60edcb0c80

SHA1
e439f4453c0dc1b412aa63f027d540f829690062

SHA256
7499b88ba2964ae8c6c04bf9528469c219dd9b7f2573e318c89fe6d2ceddcff8

SHA512
7b6d51a91c0f6be5b3982df3719a99c5e5828b458bce06e14a407fd0a1b6b96dfa88a8552e7f9cc1fa1cf2573dbf7d4b402fdddcee5f9e00b53f70749ec619a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58432e.TMP

Filesize
91KB

MD5
efb18c32b6f3e0b9460e68ecff164a93

SHA1
74709cb76c0101a8da9d06c1ea93b3cef15522dc

SHA256
d9e4b51a01a1676c5254bbe88124a352b1c062d064d1d2145794c214fd618c30

SHA512
052731b537af0835452f29976974c1668f26063915dd69cdbf96604b7cc7e97fff914f3e682950024f8128ec57c11c8a28db757700ebab8909960ef76bc2f377

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\332533\Designer.pif

Filesize
196B

MD5
c663948910204a8847a4368e87c2ae75

SHA1
78316a31a3a18ca95950f76d3d29acbc67a2b9f2

SHA256
5e10ea830d562937494b6089114f55b6929a643c723131577cf00f635e2e7bd3

SHA512
e475f185a03017a5ed94cb703f6e78b4f0fa6eef22439a3cb02cc582360aa274628082a00a941e791ce6f302a0488ae60c6659225758a5051f861a035c76661e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\332533\Designer.pif

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hit

Filesize
116KB

MD5
8d9c7a9996e5534d0d196c7227fe4713

SHA1
1a8205ac680c59dd1147940fd809954789175428

SHA256
f903d1c57fe91a08b26c805b129c1ef42e34e53472431d877bb5d15bf90c9a9c

SHA512
af8a2f733ce023872a29467c07ee72355398fab86f7acc366e1f118674d1d8acb0f4a36a9abfdcc3c3aed81f919d46b7295bf6c91e738aadb9c6e3a72683beb0

Download Submit
C:\Users\Admin\Desktop\Light Executor\Instruction.txt

Filesize
74B

MD5
b24b86616035a209a0e45f56bde84981

SHA1
5e78c31ac5d3c4a049e54339fdd3301b46cbee29

SHA256
39d414392fe21a01657f5dd092b39153ec901997eed932d07cf4028613419d80

SHA512
cffd7a310283067a580f6cd6d76e1ea30635cb23c77310ceaa47501bb8366240b2357ef74ac9321056d873d39d0d0b40bbf97a5716888ab4c1e4dc7772b5f888

Download Submit
C:\Users\Admin\Desktop\Light Executor\Loader.exe

Filesize
1.2MB

MD5
60dae4c83541c53b127e717e9b3804e9

SHA1
2b1f3931272cd4af9d56a54982261315b09b6020

SHA256
fc314b5d4c36eb592a8a64acb9e28825f574ce33a0862a9d11fc10736c8e799a

SHA512
7dd5821f1b735f7328d03df3ee9f886e34f698dfc369023f12c96a28142b7185904ccabaeb385ef45ba4297bf6a1f50ef9ab0f375cf0d27dbfef0a653bfb4f04

Download Submit
C:\Users\Admin\Downloads\Setup.rar

Filesize
3.1MB

MD5
6527e9e5f91723119eb30c7c8f90e5f3

SHA1
c4f43a89210238355fb3112311b8b47f1f782f65

SHA256
a36f0d745f5f9e55449ef90ad095cad79de54e346ad5cb7ba0d6944543de57b6

SHA512
256525aa724cec146a2d654984b241a338280c2f4028968624b6a3c62a6d797cd6f9c39a75737479c8d4252c18ec2d2ce9b5c0941d4912ab794ee4ebb6d470e7

Download Submit
\??\pipe\crashpad_2348_IPPMWNFRPXPNSLYI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/220-788-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/220-783-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/220-781-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/220-706-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/220-704-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/1676-660-0x0000000000D20000-0x0000000000E49000-memory.dmp

Filesize
1.2MB

Download
memory/1676-654-0x0000000000D20000-0x0000000000E49000-memory.dmp

Filesize
1.2MB

Download
memory/5444-786-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/5444-787-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/5536-658-0x00000000054C0000-0x0000000005552000-memory.dmp

Filesize
584KB

Download
memory/5536-663-0x0000000006650000-0x000000000675A000-memory.dmp

Filesize
1.0MB

Download
memory/5536-669-0x00000000068B0000-0x00000000068CE000-memory.dmp

Filesize
120KB

Download
memory/5536-671-0x00000000089B0000-0x0000000008B72000-memory.dmp

Filesize
1.8MB

Download
memory/5536-672-0x00000000090B0000-0x00000000095DC000-memory.dmp

Filesize
5.2MB

Download
memory/5536-667-0x00000000068E0000-0x0000000006946000-memory.dmp

Filesize
408KB

Download
memory/5536-661-0x0000000005660000-0x000000000566A000-memory.dmp

Filesize
40KB

Download
memory/5536-657-0x00000000059B0000-0x0000000005F54000-memory.dmp

Filesize
5.6MB

Download
memory/5536-668-0x0000000007270000-0x00000000072E6000-memory.dmp

Filesize
472KB

Download
memory/5536-655-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5536-756-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/5536-666-0x0000000006760000-0x00000000067AC000-memory.dmp

Filesize
304KB

Download
memory/5536-705-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/5536-665-0x00000000065E0000-0x000000000661C000-memory.dmp

Filesize
240KB

Download
memory/5536-707-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/5536-664-0x0000000006580000-0x0000000006592000-memory.dmp

Filesize
72KB

Download
memory/5536-659-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/5536-662-0x0000000006AD0000-0x00000000070E8000-memory.dmp

Filesize
6.1MB

Download
memory/5536-656-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/6480-785-0x0000000000D20000-0x0000000000E49000-memory.dmp

Filesize
1.2MB

Download
memory/7004-703-0x0000000000D20000-0x0000000000E49000-memory.dmp

Filesize
1.2MB

Download
memory/7224-790-0x0000000003F90000-0x0000000003F91000-memory.dmp

Filesize
4KB

Download
memory/7224-697-0x0000000077731000-0x0000000077851000-memory.dmp

Filesize
1.1MB

Download
memory/7776-700-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/7776-782-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/7776-780-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/7776-755-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/7776-701-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/7788-699-0x0000000000D20000-0x0000000000E49000-memory.dmp

Filesize
1.2MB

Download