Analysis
max time kernel: 42s
max time network: 47s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/05/2024, 15:03
Static task: static1
URLScan task: urlscan1
General
Malware Config
Signatures

Detect ZGRat V1 (3 IoCs)
resource | yara_rule
behavioral1/memory/5912-261-0x0000000000400000-0x000000000044A000-memory.dmp | family_zgrat_v1
behavioral1/memory/5820-262-0x0000000000D60000-0x0000000000DD5FAE-memory.dmp | family_zgrat_v1
behavioral1/memory/5132-285-0x0000000000D60000-0x0000000000DD5FAE-memory.dmp | family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource | yara_rule
behavioral1/memory/5912-261-0x0000000000400000-0x000000000044A000-memory.dmp | family_redline
behavioral1/memory/5820-262-0x0000000000D60000-0x0000000000DD5FAE-memory.dmp | family_redline
behavioral1/memory/5132-285-0x0000000000D60000-0x0000000000DD5FAE-memory.dmp | family_redline

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 5820 set thread context of 5912 | 5820 | TORONTO.exe | 126
PID 5132 set thread context of 3624 | 5132 | TORONTO.exe | 128

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133592222099647127" | chrome.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | chrome.exe

Suspicious behavior: EnumeratesProcesses (41 IoCs)
pid | Process | entries
4884 | chrome.exe | 2
5912 | RegAsm.exe | 38
3624 | RegAsm.exe | 1

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (21 IoCs)
pid | Process | entries
4884 | chrome.exe | 21

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 4884 | chrome.exe (repeated; alternates with the row below for 63 of the 64 entries)
Token: SeCreatePagefilePrivilege | 4884 | chrome.exe (repeated)
Token: SeDebugPrivilege | 5912 | RegAsm.exe (1 entry)

Suspicious use of FindShellTrayWindow (45 IoCs)
pid | Process | entries
4884 | chrome.exe | 45

Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process | entries
4884 | chrome.exe | 24

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4884 wrote to memory of 2748 | 4884 | chrome.exe | 82 (2 entries)
PID 4884 wrote to memory of 1552 | 4884 | chrome.exe | 83 (repeated)
PID 4884 wrote to memory of 836 | 4884 | chrome.exe | 84 (2 entries)
PID 4884 wrote to memory of 3116 | 4884 | chrome.exe | 85 (repeated)
The 1552 and 3116 rows account for the remaining 60 of the 64 entries.
Processes

Level 1: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4884)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://app.mediafire.com/394mngqbesoll
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2748)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8a78ab58,0x7ffd8a78ab68,0x7ffd8a78ab78

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1552)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:2

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 836)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:8

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3116)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:8

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4416)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:1

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3388)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2960 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:1

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3556)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4076 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:8

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1844)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:8

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2924)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4948 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:1

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 884)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4932 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:1

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1424)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4792 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:1

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1472)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5172 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:1

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 464)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5368 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:1

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3304)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5528 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:1

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 840)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5560 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:1

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2600)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5576 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:1

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3164)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=6052 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:1

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4660)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=6172 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:1

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5184)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6344 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:1

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5300)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=6900 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:1

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5412)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=6224 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:1

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5440)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=6532 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:1

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5448)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6808 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:1

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5600)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6284 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:1

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5680)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=7216 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:1

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5688)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=7376 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:1

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5828)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=7568 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:1

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6088)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6416 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:8

  Level 2: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5148)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7540 --field-trial-handle=1908,i,11360715916896356671,2124794893011048197,131072 /prefetch:8

Level 1: C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 2008)
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

Level 1: C:\Windows\System32\rundll32.exe (PID 2496)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Level 1: C:\Users\Admin\Desktop\TORONTO.exe (PID 5820)
  "C:\Users\Admin\Desktop\TORONTO.exe"
  - Suspicious use of SetThreadContext

  Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 5900)
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

  Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 5904)
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

  Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 5912)
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

Level 1: C:\Users\Admin\Desktop\TORONTO.exe (PID 5132)
  "C:\Users\Admin\Desktop\TORONTO.exe"
  - Suspicious use of SetThreadContext

  Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 3624)
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads