501a2e4da5036dcdcb5e029a29b974c7e7dd5626a8d0aab9daec57dbb0439067

Analysis

max time kernel
1798s
max time network
1799s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2022 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.html
Size

38KB
MD5

71b2262d19d20c85dc3f4ee21c9ae8a1
SHA1

f01876365490f3c8a087b8bfaf8ef2a7d8cf094a
SHA256

501a2e4da5036dcdcb5e029a29b974c7e7dd5626a8d0aab9daec57dbb0439067
SHA512

10b2883adee00e15f0ba561e6256b4d2ebc126977462682a11efbd0df53ff25e615faaca9e7f8601de93f61b90443f55b4a86386457b66106b9faaa4057126ec

Score

9^/10

discovery evasion spyware stealer themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

xWNbUVFLOi5G.exexWNbUVFLOi5G.exelolicor.exexWNbUVFLOi5G.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	xWNbUVFLOi5G.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	xWNbUVFLOi5G.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	lolicor.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	xWNbUVFLOi5G.exe

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

357 1060 msiexec.exe
359 1060 msiexec.exe

flow	pid	process
357	1060	msiexec.exe
359	1060	msiexec.exe

Drops file in Drivers directory 2 IoCs

Processes:

HTTPDebuggerSvc.exe

description	ioc	process
File created	C:\Windows\system32\drivers\HttpDebuggerSdk.sys	HTTPDebuggerSvc.exe
File opened for modification	C:\Windows\system32\drivers\HttpDebuggerSdk.sys	HTTPDebuggerSvc.exe

Executes dropped EXE 13 IoCs

Processes:

ChromeRecovery.exelolicor.exexWNbUVFLOi5G.exexWNbUVFLOi5G.exeHTTPDebuggerSvc.exeHTTPDebuggerSvc.exeHTTPDebuggerUI.exexWNbUVFLOi5G.exeHTTPDebuggerUI.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

pid	process
4892	ChromeRecovery.exe
1992	lolicor.exe
3656	xWNbUVFLOi5G.exe
1960	xWNbUVFLOi5G.exe
3572	HTTPDebuggerSvc.exe
932	HTTPDebuggerSvc.exe
4208	HTTPDebuggerUI.exe
4512	xWNbUVFLOi5G.exe
228	HTTPDebuggerUI.exe
2896	software_reporter_tool.exe
1460	software_reporter_tool.exe
3352	software_reporter_tool.exe
3444	software_reporter_tool.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xWNbUVFLOi5G.exelolicor.exexWNbUVFLOi5G.exexWNbUVFLOi5G.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	xWNbUVFLOi5G.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lolicor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lolicor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	xWNbUVFLOi5G.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	xWNbUVFLOi5G.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	xWNbUVFLOi5G.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	xWNbUVFLOi5G.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	xWNbUVFLOi5G.exe

Loads dropped DLL 20 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exeHTTPDebuggerUI.exeHTTPDebuggerUI.exesoftware_reporter_tool.exe

pid	process
4184	MsiExec.exe
4184	MsiExec.exe
4184	MsiExec.exe
1316	MsiExec.exe
4776	MsiExec.exe
4184	MsiExec.exe
4184	MsiExec.exe
4208	HTTPDebuggerUI.exe
4208	HTTPDebuggerUI.exe
4208	HTTPDebuggerUI.exe
228	HTTPDebuggerUI.exe
228	HTTPDebuggerUI.exe
228	HTTPDebuggerUI.exe
3352	software_reporter_tool.exe
3352	software_reporter_tool.exe
3352	software_reporter_tool.exe
3352	software_reporter_tool.exe
3352	software_reporter_tool.exe
3352	software_reporter_tool.exe
3352	software_reporter_tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 33 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\sdsd\lolicor.exe	themida
C:\Users\Admin\Desktop\sdsd\lolicor.exe	themida
behavioral1/memory/1992-159-0x00007FF6C40A0000-0x00007FF6C75C9000-memory.dmp	themida
behavioral1/memory/1992-160-0x00007FF6C40A0000-0x00007FF6C75C9000-memory.dmp	themida
behavioral1/memory/1992-161-0x00007FF6C40A0000-0x00007FF6C75C9000-memory.dmp	themida
behavioral1/memory/1992-162-0x00007FF6C40A0000-0x00007FF6C75C9000-memory.dmp	themida
behavioral1/memory/1992-163-0x00007FF6C40A0000-0x00007FF6C75C9000-memory.dmp	themida
behavioral1/memory/1992-164-0x00007FF6C40A0000-0x00007FF6C75C9000-memory.dmp	themida
behavioral1/memory/1992-165-0x00007FF6C40A0000-0x00007FF6C75C9000-memory.dmp	themida
C:\Users\Admin\Desktop\sdsd\xWNbUVFLOi5G.exe	themida
C:\Users\Admin\Desktop\sdsd\xWNbUVFLOi5G.exe	themida
behavioral1/memory/3656-178-0x00007FF62C360000-0x00007FF62D018000-memory.dmp	themida
behavioral1/memory/3656-179-0x00007FF62C360000-0x00007FF62D018000-memory.dmp	themida
behavioral1/memory/3656-180-0x00007FF62C360000-0x00007FF62D018000-memory.dmp	themida
behavioral1/memory/3656-181-0x00007FF62C360000-0x00007FF62D018000-memory.dmp	themida
behavioral1/memory/3656-183-0x00007FF62C360000-0x00007FF62D018000-memory.dmp	themida
behavioral1/memory/3656-184-0x00007FF62C360000-0x00007FF62D018000-memory.dmp	themida
behavioral1/memory/3656-185-0x00007FF62C360000-0x00007FF62D018000-memory.dmp	themida
C:\Users\Admin\Desktop\sdsd\xWNbUVFLOi5G.exe	themida
behavioral1/memory/1960-207-0x00007FF62C360000-0x00007FF62D018000-memory.dmp	themida
behavioral1/memory/1960-209-0x00007FF62C360000-0x00007FF62D018000-memory.dmp	themida
behavioral1/memory/1960-210-0x00007FF62C360000-0x00007FF62D018000-memory.dmp	themida
behavioral1/memory/1960-211-0x00007FF62C360000-0x00007FF62D018000-memory.dmp	themida
behavioral1/memory/1960-212-0x00007FF62C360000-0x00007FF62D018000-memory.dmp	themida
behavioral1/memory/1960-213-0x00007FF62C360000-0x00007FF62D018000-memory.dmp	themida
behavioral1/memory/1960-214-0x00007FF62C360000-0x00007FF62D018000-memory.dmp	themida
behavioral1/memory/4512-230-0x00007FF62C360000-0x00007FF62D018000-memory.dmp	themida
behavioral1/memory/4512-231-0x00007FF62C360000-0x00007FF62D018000-memory.dmp	themida
behavioral1/memory/4512-233-0x00007FF62C360000-0x00007FF62D018000-memory.dmp	themida
behavioral1/memory/4512-234-0x00007FF62C360000-0x00007FF62D018000-memory.dmp	themida
behavioral1/memory/4512-235-0x00007FF62C360000-0x00007FF62D018000-memory.dmp	themida
behavioral1/memory/4512-236-0x00007FF62C360000-0x00007FF62D018000-memory.dmp	themida
behavioral1/memory/4512-237-0x00007FF62C360000-0x00007FF62D018000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

lolicor.exexWNbUVFLOi5G.exexWNbUVFLOi5G.exexWNbUVFLOi5G.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lolicor.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xWNbUVFLOi5G.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xWNbUVFLOi5G.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xWNbUVFLOi5G.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 12 IoCs

Processes:

lolicor.exexWNbUVFLOi5G.exexWNbUVFLOi5G.exexWNbUVFLOi5G.exe

pid	process
1992	lolicor.exe
1992	lolicor.exe
1992	lolicor.exe
3656	xWNbUVFLOi5G.exe
3656	xWNbUVFLOi5G.exe
3656	xWNbUVFLOi5G.exe
1960	xWNbUVFLOi5G.exe
1960	xWNbUVFLOi5G.exe
1960	xWNbUVFLOi5G.exe
4512	xWNbUVFLOi5G.exe
4512	xWNbUVFLOi5G.exe
4512	xWNbUVFLOi5G.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

lolicor.exexWNbUVFLOi5G.exexWNbUVFLOi5G.exexWNbUVFLOi5G.exe

pid process

1992 lolicor.exe
3656 xWNbUVFLOi5G.exe
1960 xWNbUVFLOi5G.exe
4512 xWNbUVFLOi5G.exe

Drops file in Program Files directory 38 IoCs

Processes:

chrome.exemsiexec.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\KsDumper v1.1\KsDumperClient.exe	chrome.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerUI.exe	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\drv\Win7\HttpDebuggerSdk32.sys	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\libplc4.dll	msiexec.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\KsDumper v1.1\Driver\LoadCapcom.bat	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\KsDumper v1.1\Driver\LoadUnsignedDriver.bat	chrome.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\softokn3.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\sqlite3.dll	msiexec.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4492_1113312573\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4492_1113312573\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\license.rtf	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\libplds4.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\nssckbi.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\cximagecrt.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\scintilla_license.txt	msiexec.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4492_1113312573\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4492_1113312573\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\Styles\Office2016.dll	msiexec.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\KsDumper v1.1\Driver\Capcom.sys	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\KsDumper v1.1\Driver\drvmap.exe	chrome.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4492_1113312573\manifest.json	elevation_service.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\nssutil3.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\smime3.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\certutil.exe	msiexec.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4492_1113312573\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\drv\Win7\HttpDebuggerSdk64.sys	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\zlib_license.txt	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\drv\Win8\HttpDebuggerSdk64.sys	msiexec.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\KsDumper v1.1\Driver\KsDumperDriver.sys	chrome.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4492_1113312573\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\libnspr4.dll	msiexec.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\KsDumper v1.1\README.txt	chrome.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\drv\Win8\HttpDebuggerSdk32.sys	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\nss3.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\nssdbm3.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\nss\freebl3.dll	msiexec.exe
File created	C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerBrowser.dll	msiexec.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{3AAA8F78-6858-4344-8675-C73E1573CA0F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF677.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{3AAA8F78-6858-4344-8675-C73E1573CA0F}\HTTPDebuggerUI.exe	msiexec.exe
File created	C:\Windows\Installer\e64f1e4.msi	msiexec.exe
File created	C:\Windows\Installer\e64f1e2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e64f1e2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF453.tmp	msiexec.exe
File created	C:\Windows\Installer\{3AAA8F78-6858-4344-8675-C73E1573CA0F}\HTTPDebuggerUI.exe	msiexec.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3648 1992 WerFault.exe lolicor.exe
3148 4512 WerFault.exe xWNbUVFLOi5G.exe

pid	pid_target	process	target process
3648	1992	WerFault.exe	lolicor.exe
3148	4512	WerFault.exe	xWNbUVFLOi5G.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005cd502df9bbdf3820000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005cd502df0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809005cd502df000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005cd502df00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005cd502df00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d8f139cb8c084e8de38914d087aaf400000000020000000000106600000001000020000000f0d3cb337ea0b4bcc3d6272309c5c2ce5668b75d7636ef1a085eaa6d95ca7942000000000e8000000002000020000000837df1e862c5225271b7ae67d1222408accefd90451fc049b8fae6b3cab4fd9c200000003149535acdaf92cf053a5267d56e3ab4e1ff3f19530931a81465038f0912d74840000000a1e317d7515b490a8f0cdb1d33442b00c8d006746a921a59cb1dcb3ad5816f3669f9f6525a4e301b803b18f185ed557d4421b45a0003a36e2d340302bed4f501	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{36D6FB08-11B0-11ED-BE0E-56825A86E4B5} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f08f1726bda5d801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30975421"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "192824561"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "192824561"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30975421"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "366133385"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e04fb325bda5d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30975421"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "247667325"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d8f139cb8c084e8de38914d087aaf4000000000200000000001066000000010000200000001f79a40ba42712ed1dac39fa8db99cc5d81dbd174e149a89f2c8904c92c90360000000000e80000000020000200000008bd56daa6426c1219c5a79c494af5f6a3b810d98d1f9dca3ee789715abd572a120000000f66f363e36fbc961113d02131b2cd1420cf3c4cbf67e070bc5d894b7f558f8744000000039547a4931af6add87f9d9795a3869b8a36b80469964bdc53e067bacb2f3658ad18143a287d103132edc2fc9f8ec68d08bbd406b5ff7b898344a0472c9521e78	iexplore.exe

Modifies data under HKEY_USERS 7 IoCs

Processes:

HTTPDebuggerSvc.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	HTTPDebuggerSvc.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	HTTPDebuggerSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	HTTPDebuggerSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	HTTPDebuggerSvc.exe

Modifies registry class 64 IoCs

Processes:

MsiExec.exemsiexec.exechrome.exechrome.exeOpenWith.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A8096483-2E53-45CF-A0E5-4E17CED6B7EF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E73D516-7CDC-435E-8A8D-86E0AE4D5E08}\TypeLib	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E73D516-7CDC-435E-8A8D-86E0AE4D5E08}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VbMHWB.vbWB\CurVer\ = "VbMHWB.vbWB.1"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000000000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\MiscStatus	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\SourceList\Media	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\ToolboxBitmap32	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E73D516-7CDC-435E-8A8D-86E0AE4D5E08}\TypeLib\Version = "1.0"	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\PackageCode = "95D461321A43EC94B8CA54DA9339604F"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VbMHWB.vbWB\CLSID\ = "{20247C83-3429-47B1-817F-C99F29D2BF3A}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\Version	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EFA6D6B88BD56724E9FE0AB5852CEEED\87F8AAA38586443468577CE35137ACF0	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "4"	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A8096483-2E53-45CF-A0E5-4E17CED6B7EF}\ = "_IvbWBEvents"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E73D516-7CDC-435E-8A8D-86E0AE4D5E08}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MsiExec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\MiscStatus\ = "0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VbMHWB.vbWB\CurVer	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A8096483-2E53-45CF-A0E5-4E17CED6B7EF}\TypeLib	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\Version = "151781376"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\ = "vbWB Class"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20247C83-3429-47B1-817F-C99F29D2BF3A}\MiscStatus\1	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A8096483-2E53-45CF-A0E5-4E17CED6B7EF}\ = "_IvbWBEvents"	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{33658027-1004-4E1E-8D35-C9146DF87919}\1.0\ = "vbMHWB 1.0 Type Library"	MsiExec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VbMHWB.vbWB.1\CLSID	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A8096483-2E53-45CF-A0E5-4E17CED6B7EF}\ProxyStubClsid32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87F8AAA38586443468577CE35137ACF0\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000100000002000000ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exemsiexec.exechrome.exechrome.exechrome.exesoftware_reporter_tool.exechrome.exemsedge.exemsedge.exe

pid	process
1340	chrome.exe
1340	chrome.exe
1984	chrome.exe
1984	chrome.exe
5064	chrome.exe
5064	chrome.exe
3196	chrome.exe
3196	chrome.exe
4468	chrome.exe
4468	chrome.exe
772	chrome.exe
772	chrome.exe
5116	chrome.exe
5116	chrome.exe
3428	chrome.exe
3428	chrome.exe
3220	chrome.exe
3220	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
4148	chrome.exe
4148	chrome.exe
4124	chrome.exe
4124	chrome.exe
1372	chrome.exe
1372	chrome.exe
372	chrome.exe
372	chrome.exe
2744	chrome.exe
2744	chrome.exe
2280	chrome.exe
2280	chrome.exe
2772	msiexec.exe
2772	msiexec.exe
4216	chrome.exe
4216	chrome.exe
2352	chrome.exe
2352	chrome.exe
4152	chrome.exe
4152	chrome.exe
2896	software_reporter_tool.exe
2896	software_reporter_tool.exe
4928	chrome.exe
4928	chrome.exe
4304	msedge.exe
4304	msedge.exe
5788	msedge.exe
5788	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

7zFM.exechrome.exeHTTPDebuggerUI.exeHTTPDebuggerUI.exechrome.exe

pid process

4728 7zFM.exe
372 chrome.exe
4208 HTTPDebuggerUI.exe
228 HTTPDebuggerUI.exe
1984 chrome.exe
Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

656
656
656
656

pid	process
4728	7zFM.exe
372	chrome.exe
4208	HTTPDebuggerUI.exe
228	HTTPDebuggerUI.exe
1984	chrome.exe

pid	process
656
656
656
656

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs

Processes:

chrome.exe

pid	process
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exe7zG.exe7zG.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeRestorePrivilege	4728	7zFM.exe
Token: 35	4728	7zFM.exe
Token: SeSecurityPrivilege	4728	7zFM.exe
Token: SeRestorePrivilege	3716	7zG.exe
Token: 35	3716	7zG.exe
Token: SeSecurityPrivilege	3716	7zG.exe
Token: SeSecurityPrivilege	3716	7zG.exe
Token: SeRestorePrivilege	5040	7zG.exe
Token: 35	5040	7zG.exe
Token: SeSecurityPrivilege	5040	7zG.exe
Token: SeSecurityPrivilege	5040	7zG.exe
Token: SeShutdownPrivilege	1060	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1060	msiexec.exe
Token: SeSecurityPrivilege	2772	msiexec.exe
Token: SeCreateTokenPrivilege	1060	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1060	msiexec.exe
Token: SeLockMemoryPrivilege	1060	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1060	msiexec.exe
Token: SeMachineAccountPrivilege	1060	msiexec.exe
Token: SeTcbPrivilege	1060	msiexec.exe
Token: SeSecurityPrivilege	1060	msiexec.exe
Token: SeTakeOwnershipPrivilege	1060	msiexec.exe
Token: SeLoadDriverPrivilege	1060	msiexec.exe
Token: SeSystemProfilePrivilege	1060	msiexec.exe
Token: SeSystemtimePrivilege	1060	msiexec.exe
Token: SeProfSingleProcessPrivilege	1060	msiexec.exe
Token: SeIncBasePriorityPrivilege	1060	msiexec.exe
Token: SeCreatePagefilePrivilege	1060	msiexec.exe
Token: SeCreatePermanentPrivilege	1060	msiexec.exe
Token: SeBackupPrivilege	1060	msiexec.exe
Token: SeRestorePrivilege	1060	msiexec.exe
Token: SeShutdownPrivilege	1060	msiexec.exe
Token: SeDebugPrivilege	1060	msiexec.exe
Token: SeAuditPrivilege	1060	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1060	msiexec.exe
Token: SeChangeNotifyPrivilege	1060	msiexec.exe
Token: SeRemoteShutdownPrivilege	1060	msiexec.exe
Token: SeUndockPrivilege	1060	msiexec.exe
Token: SeSyncAgentPrivilege	1060	msiexec.exe
Token: SeEnableDelegationPrivilege	1060	msiexec.exe
Token: SeManageVolumePrivilege	1060	msiexec.exe
Token: SeImpersonatePrivilege	1060	msiexec.exe
Token: SeCreateGlobalPrivilege	1060	msiexec.exe
Token: SeCreateTokenPrivilege	1060	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1060	msiexec.exe
Token: SeLockMemoryPrivilege	1060	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1060	msiexec.exe
Token: SeMachineAccountPrivilege	1060	msiexec.exe
Token: SeTcbPrivilege	1060	msiexec.exe
Token: SeSecurityPrivilege	1060	msiexec.exe
Token: SeTakeOwnershipPrivilege	1060	msiexec.exe
Token: SeLoadDriverPrivilege	1060	msiexec.exe
Token: SeSystemProfilePrivilege	1060	msiexec.exe
Token: SeSystemtimePrivilege	1060	msiexec.exe
Token: SeProfSingleProcessPrivilege	1060	msiexec.exe
Token: SeIncBasePriorityPrivilege	1060	msiexec.exe
Token: SeCreatePagefilePrivilege	1060	msiexec.exe
Token: SeCreatePermanentPrivilege	1060	msiexec.exe
Token: SeBackupPrivilege	1060	msiexec.exe
Token: SeRestorePrivilege	1060	msiexec.exe
Token: SeShutdownPrivilege	1060	msiexec.exe
Token: SeDebugPrivilege	1060	msiexec.exe
Token: SeAuditPrivilege	1060	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1060	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

iexplore.exechrome.exe7zFM.exe7zG.exe7zG.exe

pid	process
4468	iexplore.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
4728	7zFM.exe
4728	7zFM.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
3716	7zG.exe
5040	7zG.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exe

pid	process
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe

Suspicious use of SetWindowsHookEx 37 IoCs

Processes:

iexplore.exeIEXPLORE.EXEOpenWith.exelolicor.exexWNbUVFLOi5G.exexWNbUVFLOi5G.exechrome.exeHTTPDebuggerUI.exexWNbUVFLOi5G.exeHTTPDebuggerUI.exechrome.exe

pid	process
4468	iexplore.exe
4468	iexplore.exe
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
1992	lolicor.exe
3656	xWNbUVFLOi5G.exe
1960	xWNbUVFLOi5G.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
4208	HTTPDebuggerUI.exe
4208	HTTPDebuggerUI.exe
4208	HTTPDebuggerUI.exe
4208	HTTPDebuggerUI.exe
4208	HTTPDebuggerUI.exe
4208	HTTPDebuggerUI.exe
4208	HTTPDebuggerUI.exe
4512	xWNbUVFLOi5G.exe
4208	HTTPDebuggerUI.exe
4208	HTTPDebuggerUI.exe
228	HTTPDebuggerUI.exe
228	HTTPDebuggerUI.exe
228	HTTPDebuggerUI.exe
228	HTTPDebuggerUI.exe
228	HTTPDebuggerUI.exe
228	HTTPDebuggerUI.exe
228	HTTPDebuggerUI.exe
228	HTTPDebuggerUI.exe
4152	chrome.exe
228	HTTPDebuggerUI.exe
228	HTTPDebuggerUI.exe
228	HTTPDebuggerUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exechrome.exe

description	pid	process	target process
PID 4468 wrote to memory of 1816	4468	iexplore.exe	IEXPLORE.EXE
PID 4468 wrote to memory of 1816	4468	iexplore.exe	IEXPLORE.EXE
PID 4468 wrote to memory of 1816	4468	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 624	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 624	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 3800	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 1340	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 1340	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2288	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2288	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2288	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2288	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2288	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2288	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2288	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2288	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2288	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2288	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2288	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2288	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2288	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2288	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2288	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2288	1984	chrome.exe	chrome.exe
PID 1984 wrote to memory of 2288	1984	chrome.exe	chrome.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4468

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4468 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff0ecc4f50,0x7fff0ecc4f60,0x7fff0ecc4f70
2⤵
PID:624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1664 /prefetch:2
2⤵
PID:3800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2036 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2432 /prefetch:8
2⤵
PID:2288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
2⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
2⤵
PID:112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
2⤵
PID:3056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4576 /prefetch:8
2⤵
PID:4128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4876 /prefetch:8
2⤵
PID:4112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5000 /prefetch:8
2⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5140 /prefetch:8
2⤵
PID:3592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4944 /prefetch:8
2⤵
PID:3380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5348 /prefetch:8
2⤵
PID:4396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5320 /prefetch:8
2⤵
PID:4452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4912 /prefetch:8
2⤵
PID:1916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
2⤵
PID:2460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2084 /prefetch:1
2⤵
PID:1396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1488 /prefetch:1
2⤵
PID:1428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1
2⤵
PID:1360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3488 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
2⤵
PID:3160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
2⤵
PID:3448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4592 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:1
2⤵
PID:4620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1628 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1496 /prefetch:1
2⤵
PID:4092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
2⤵
PID:4384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
2⤵
PID:4300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=840 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6032 /prefetch:8
2⤵
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6192 /prefetch:8
2⤵
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6040 /prefetch:8
2⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5768 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5020 /prefetch:8
2⤵
PID:2408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1172 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=408 /prefetch:1
2⤵
PID:3492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3396 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
2⤵
PID:3796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
2⤵
PID:4352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 /prefetch:8
2⤵
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3496 /prefetch:8
2⤵
PID:4272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2372 /prefetch:8
2⤵
PID:112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4960 /prefetch:8
2⤵
PID:4712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4940 /prefetch:8
2⤵
PID:4416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2300 /prefetch:1
2⤵
PID:4304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
2⤵
PID:3420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6432 /prefetch:8
2⤵
PID:3028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5840 /prefetch:8
2⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6532 /prefetch:8
2⤵
PID:4776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
2⤵
PID:1468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6564 /prefetch:8
2⤵
PID:1396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
2⤵
PID:2904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
2⤵
PID:2632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
2⤵
PID:5080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6416 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2280

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\HTTPDebuggerPro.msi"
2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
2⤵
PID:1372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
2⤵
PID:1316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6904 /prefetch:1
2⤵
PID:116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2148 /prefetch:8
2⤵
PID:3592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6924 /prefetch:8
2⤵
PID:4816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
2⤵
PID:3408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
2⤵
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
2⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6992 /prefetch:8
2⤵
PID:2960

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\102.286.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\102.286.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=10pg7JyqNNdhTMMTyOVubhQNRgoO5Igoha6cTYGv --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2896

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=102.286.200 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x7ff749bcecc8,0x7ff749bcecd8,0x7ff749bcece8
3⤵
- Executes dropped EXE
PID:1460

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2896_HFFBZEWEOGIZHLCQ" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=5114218037086183464 --mojo-platform-channel-handle=780 --engine=2
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3352

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2896_HFFBZEWEOGIZHLCQ" --sandboxed-process-id=3 --init-done-notifier=1028 --sandbox-mojo-pipe-token=6864236922645290938 --mojo-platform-channel-handle=1020
3⤵
- Executes dropped EXE
PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
2⤵
PID:1428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
2⤵
PID:3548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
2⤵
PID:3240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
2⤵
PID:424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7064 /prefetch:8
2⤵
PID:1720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7192 /prefetch:8
2⤵
PID:1556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
2⤵
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
2⤵
PID:1316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6484 /prefetch:8
2⤵
- Drops file in Program Files directory
PID:2128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
2⤵
PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7216 /prefetch:8
2⤵
PID:1172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7236 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4920 /prefetch:8
2⤵
PID:536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3400 /prefetch:8
2⤵
PID:5712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5400 /prefetch:8
2⤵
PID:3756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5100 /prefetch:8
2⤵
PID:5740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,16533697945228502192,1637823935556379637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6944 /prefetch:8
2⤵
PID:4748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2772

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4972

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2376

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:4492

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4492_1113312573\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4492_1113312573\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={c75fd8a9-d48f-4c50-9f9d-5d78fc3b65b3} --system
2⤵
- Executes dropped EXE
PID:4892

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\sdsd.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4728

C:\Users\Admin\Desktop\sdsd\lolicor.exe
"C:\Users\Admin\Desktop\sdsd\lolicor.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Users\Admin\Desktop\sdsd\xWNbUVFLOi5G.exe
xWNbUVFLOi5G.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3656

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1992 -s 864
2⤵
- Program crash
PID:3648

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 432 -p 1992 -ip 1992
1⤵
PID:908

C:\Users\Admin\Desktop\sdsd\xWNbUVFLOi5G.exe
"C:\Users\Admin\Desktop\sdsd\xWNbUVFLOi5G.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1960

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap17461:92:7zEvent12594 -t7z -sae -- "C:\Users\Admin\Desktop\sdsd\xWNbUVFLOi5G.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3716

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap20053:58:7zEvent4402 -ad -saa -- "C:\Users\Admin\Desktop\sdsd"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C42EA5394FBC72859BF219C20FCCF4C9 C
2⤵
- Loads dropped DLL
PID:4184

C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerUI.exe
"C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerUI.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4208

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4964

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 126ACCB7CA4280B5461FD3E1325FB805
2⤵
- Loads dropped DLL
PID:1316

C:\Windows\syswow64\MsiExec.exe
"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerBrowser.dll"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:4776

C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe
"C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe" /install
2⤵
- Executes dropped EXE
PID:932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:636

C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe
"C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3572

C:\Users\Admin\Desktop\sdsd\xWNbUVFLOi5G.exe
"C:\Users\Admin\Desktop\sdsd\xWNbUVFLOi5G.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4512

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4512 -s 536
2⤵
- Program crash
PID:3148

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 176 -p 4512 -ip 4512
1⤵
PID:116

C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerUI.exe
"C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerUI.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault2b486f2dh6c4ah491fh9f68h27202e25e319
1⤵
- Enumerates system info in registry
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff0f6446f8,0x7fff0f644708,0x7fff0f644718
2⤵
PID:3392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,16977539155674543462,3756695892683207386,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
2⤵
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,16977539155674543462,3756695892683207386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2700 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,16977539155674543462,3756695892683207386,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3164 /prefetch:8
2⤵
PID:5216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault4e824bd3hba8dh4f7fhbafah3c7d26104bf2
1⤵
PID:5488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff091d46f8,0x7fff091d4708,0x7fff091d4718
2⤵
PID:5512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,17862792092880335089,645442236974903791,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
2⤵
PID:5760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,17862792092880335089,645442236974903791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,17862792092880335089,645442236974903791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2488 /prefetch:8
2⤵
PID:5808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
PID:5792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4492_1113312573\ChromeRecovery.exe
Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_7DAD5545724AA2C98C55095F428499FB
Filesize
1KB

MD5
5b5061762d6332a4ac97b4e6d2d43826

SHA1
2dfdd0f1f7f0daa1de2969011ef4ac07e7ff379c

SHA256
9dc5bfe744063c81776f0464bd01d1388914313819bdd891dcc7646ff9e8f9d2

SHA512
0f0b89cebd45dd8bd4d08fac08b2fd3af253f548f773c91ca97bed5df34ac47edc2d5731ac39d634e1274cd1401e679d1f3fefda5ae5b103ab39aa1452233f82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
1076d2c26a158d5d258a5e2a9c7a5584

SHA1
ab7bb0cdf5dcf00abc48b1643dd96535acba0350

SHA256
5946b7befa7c740931eadc5590faef386b611a451f7cd74f24a03db64a5138fd

SHA512
a7d38cbd8a45a47eff943fd9021c2943dd678e28793ed4fb097f891344e32b1550ba360de22e09ac3525376c08c3c26865d38bb36b1d3f08624c7c1e2cd1497a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046
Filesize
1KB

MD5
58570ca291adb58faac3303a515cce54

SHA1
697dce74a6edc76128fdf14383fbc353dd6877df

SHA256
e6934a63303699ff511477e5ff7f4a67326f8145b9eb2ebfdbfda054fe176d3c

SHA512
ad532e181e9199b975c4cda8b192a74315c59d0f2a16b9d1e307232f847e8598a2ec258efce8ac735d2398bb52d7dca1e13d2016295bcd94ec69cc34ecb672fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\709A8EC0F6D3194AD001E9041914421F_1393D43F33EA5DF544C48FF754B269CF
Filesize
471B

MD5
12f893e7d16646051a371db32228331f

SHA1
fd711af869ecc9b79a4cc258d20d35832b51f08c

SHA256
0f69bf8f02b30767bb25a35b2ba9a82a638e4fcffc62149c059e80d81ea9d25a

SHA512
7effafaabb287a7300461470199edf7e30337864cc7f6eb70e84a5d6445159d5e1bf171de775c5cb6b61dc931532fe337b3791b840f527741f72173dcd90226b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_86C2A03C133240EC4C95180B9FD368BB
Filesize
471B

MD5
62c70adbdad5672d9ca3bdada4ba873f

SHA1
3a440e71a52b46684963a7c1ec6cadd5fd84b863

SHA256
c737e7bcdbe633cd628988d1ea4fcb1c55e1d0ddac8609675ca6ede33fb05395

SHA512
205dd58db123e1b6de999530c99b7bbbd7f1e748f61cea81b8a2514630358406bb92e96be60fbbfc5f992de8dca7dc50e4ebb3cd9f85fbab14ae31673c22743e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_45FF766101CC336A2829FBE2065CA0C8
Filesize
939B

MD5
ac909df40aa9dc6f65ac22d3646914c3

SHA1
074d0fc0e91861e8dbe2bddb7c6346c0caebd4fd

SHA256
93d55090ec32914ae541cc931022ee2fb8ee56806b32a1f47354d0be96bc7f6b

SHA512
7ac90aa9ac7f25d486ecb66fcda093c2ef6326353eaf03828f227ac04dd52822cdae9142be363553152a009e9528824a81f45370667a30f6c19e250c3787d6b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_F97E3458719FE8B5437DE55F349865B9
Filesize
472B

MD5
56c037d3393fa563ec0eeedb6375338d

SHA1
444259f434a18433301e1cb11bf9c4e0d7f0680f

SHA256
6346997d1a44db3dc002a61b4d4b50410dd051c172023171aff898df6d3025dd

SHA512
e7d2d04215f37f392feb8159f780865b75c5e409be8822191d2594ed4cf4b446f16559fe81ca53e5d2f34f3888d0472d7cef4f63d4307562c6f3c1836437898f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
5a11c6099b9e5808dfb08c5c9570c92f

SHA1
e5dc219641146d1839557973f348037fa589fd18

SHA256
91291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172

SHA512
c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_1BB5C00F9867EBA4DB72171487117DED
Filesize
471B

MD5
c173358a16e764e45011a00837670727

SHA1
451a87fa01f78d3d522b02be6e19d7dee2136000

SHA256
3e3657a5eba9ed395238c3822977602341b09fa37ca22d3e70f35d73847dae63

SHA512
eaecd5e2bd196b1f5884353b2fcd51057466d2f2dbf15d8bd092a0ac31e298442c0601b0ba9b68ab9b83d926a768f384b91c923a1cd733417cbd042d897b7246

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_03A533819719C2DBE00934F8CF2CE3BE
Filesize
472B

MD5
88874919d18a79552a9877e302958fba

SHA1
bd206a4404291a11d9a74970bd1d2f3c5a8a1cb2

SHA256
4463c0810885ea9400100e3dd5e484c59f6298816e1361fcfaf707db4f63a9eb

SHA512
c09e2411313accccfe215dec1b0452fdaa680bc5487d84765d6a5a8f4c1650eee95b11dd1fdc066462105b315eb5023df999f9f50e4fd8c6cb9687a3dc8f0714

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_7DAD5545724AA2C98C55095F428499FB
Filesize
512B

MD5
124981846238d19fe319a67b41cd411c

SHA1
2233a43e8148f8c93a4ea2e11b03627acccd4c40

SHA256
bb17bb9a7d61fe93902326e72ff59d656e7359492d9376319d40944e8c2289a4

SHA512
0b87a795d1db1ca7e4729328e0850ae131e3eb90ef2a17c7e76d19d98e0ebb6a003fd4343f30abd77a70439602d8adfc78e2def43cfe5dcedaba564b84b673d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
73dbf748c93b440612ce4276b17d973a

SHA1
b8ba2976ceafa376f6ecf08bfebeb816d9463758

SHA256
c56676cef0880f8b93d62de04b9a1392e6ed4bd399a40bbb60202a014112dad3

SHA512
0b2b8bf1c725012cdb67c4c98429e51055f8fde58fa958b00d930c43e44654a5a0e325cf2b7dcaf79bcb2fe18581d692a840fa45a54a94d4d694f2e8b8d7f8e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046
Filesize
502B

MD5
79e7db6d87d0beb450558299ed5279eb

SHA1
4cb21e4c1b64e0ba67ab09cf4b6adb24cbbd43a7

SHA256
4a6770d74e0cf8b66950753b018b1b40c562c0462b3244c7bf0ce14443181f69

SHA512
5e4507a6076ea55e4d00314afc20353bfff2d52889b997a18a8df8cf0ab9151ebcbc05be1bfd5b05aace569184c04a0bc43b352cb49dc7096f2bc02c9bf6bb99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\709A8EC0F6D3194AD001E9041914421F_1393D43F33EA5DF544C48FF754B269CF
Filesize
400B

MD5
facbed8d9a800d20ee0544f08bab4286

SHA1
bca12eb899d2decb5df711ddd0ab4d2a1a6167a6

SHA256
88b1961bffcbc61600b816afa798d393ae5322c32762eabd06f047508e1f908c

SHA512
02cdb372011bbc7d06e66d05a9e623c685fa4a1dab03dbbbc99bc65ae3124e25688f448c9bcce964adc03d616ee3f44704a1ebe97474f87b705204f92e3a45a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_86C2A03C133240EC4C95180B9FD368BB
Filesize
430B

MD5
009005c6aed41aa8dde8f6894f84bc8c

SHA1
fb6031d39fdf5e1de4ac3cf6be53b8a463c9f88e

SHA256
ab6fc4f9019e67473619fbc448c217e383092c3d0bc1794416bc647805545333

SHA512
d6ad5f4a7a90631517a2515f1668fb8a4dc7e8bb741b18a639ead923afeb26f2be4ccdb9fb602643932570ef32781994f95e8c81a9c532688c7c1777c2d51b88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_45FF766101CC336A2829FBE2065CA0C8
Filesize
520B

MD5
8bcfe465e92cae85f43b29a8e9b3067f

SHA1
753298ff3742917a1a730fff74982d61326a39e3

SHA256
07a30bb7bf5581b763412acd7559cd2653e1b0b447f59896a8c0b6466bca365f

SHA512
81a40dff0cbf3ee5b9d0e76ffaf6e0f9618fbca4da8e2fcb34782d2908d4f22a544ab3fcd6c2c310302b2771ef99bcb48a0402831618124670edc5503a059d84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_F97E3458719FE8B5437DE55F349865B9
Filesize
410B

MD5
86924323ac6ec24beab7746ffa71fc59

SHA1
04d65f36a09a24cd7b1883d6f203365aa547c038

SHA256
758ef327264fe631950d13e31408d6aedfe627690814a77ccba658c3370d042d

SHA512
b28cc913d7f909648d60f7a46f12532e87337117902af275c936145f31da6d70a8a15daeab225210de971d13fc791fbfa02881668a16d5888399532c113e588c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
774dcf787bbd1817a8cb3390741976ca

SHA1
4632940b1e2a6d74753f6b84ea646edf17a7bbea

SHA256
e338ea69c1387ce638dd07e7778fd6a95c03851933ec65f9601d34ca8dc54b23

SHA512
cba04a6b339618e406f8c4633dfbcbf5d39b4e1c4778b0604a1622661962f489e5e7058c0da32312733deb69fa849c770a774d0e1913097218984509602f1e9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_1BB5C00F9867EBA4DB72171487117DED
Filesize
406B

MD5
9fc6e76ce75138e19cf9757929c20a72

SHA1
2c1af609c730068ccd32eec125afc754688de5bc

SHA256
c49510d80af822f728a8936777cc9a04c9adf9db54a24427c584120cb1c003aa

SHA512
e236947efd625d7bd7a432d71baf55abc8875fcc0c32811ae6e63423c272ca44024320d358e6d322605f3caf1bc1043ac514c2ce678324cf7bf260cddcabe026

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_03A533819719C2DBE00934F8CF2CE3BE
Filesize
402B

MD5
d2a585c55347f65c016c1893b1a877f3

SHA1
0e46b0003d6c778e32a83c9143a818a99516aae6

SHA256
69263857e6ed7e28c05c61c25dbbe2265a0149d2b75570ae1d5cc36ac3d83f70

SHA512
2e84db4050ed55c746ad754f068f95ff7930ee2883cf142407eea0ad93d971b2f2997abafdf90fa623aaf4639a2f4b3ad2e0c7fe52df9949697a14550dbe02cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\Desktop\sdsd\lolicor.exe
Filesize
21.0MB

MD5
2bac38efc266026c4ae3703b9c0e2055

SHA1
942203af26745eedfe0d7ecd768275a65cfff7fe

SHA256
f4fe44f6675981c85152ffacf8a86f7d0d8d72694252db268e9a89f2e224a188

SHA512
dddfa1bad075fa73c38bf15364f028bd8bb22fd1340a630558bd9a442519008cde23ebccb1dbc68f9e0e4c4111deae2e0c4d8cbedfd78de630814f156dba898c

Download Submit
C:\Users\Admin\Desktop\sdsd\lolicor.exe
Filesize
21.0MB

MD5
2bac38efc266026c4ae3703b9c0e2055

SHA1
942203af26745eedfe0d7ecd768275a65cfff7fe

SHA256
f4fe44f6675981c85152ffacf8a86f7d0d8d72694252db268e9a89f2e224a188

SHA512
dddfa1bad075fa73c38bf15364f028bd8bb22fd1340a630558bd9a442519008cde23ebccb1dbc68f9e0e4c4111deae2e0c4d8cbedfd78de630814f156dba898c

Download Submit
C:\Users\Admin\Desktop\sdsd\xWNbUVFLOi5G.exe
Filesize
5.0MB

MD5
6684f64f8d4f71afa600a88f52b7cdec

SHA1
9099fed76121afdaaae78ab7ba87f10a8f83c339

SHA256
aa263157b8f202e98ffa7b7db6aa3488b763730903578ae6e3e5735c181632c1

SHA512
f291c53657aeeb1d45e3adc4bce4494666559c02e5c73010533428d09b519a1a814870b6b5e02d7882721d516519cf38ce5cfcaa3c03cd3cebb5c5a325a6dd0a

Download Submit
C:\Users\Admin\Desktop\sdsd\xWNbUVFLOi5G.exe
Filesize
5.0MB

MD5
6684f64f8d4f71afa600a88f52b7cdec

SHA1
9099fed76121afdaaae78ab7ba87f10a8f83c339

SHA256
aa263157b8f202e98ffa7b7db6aa3488b763730903578ae6e3e5735c181632c1

SHA512
f291c53657aeeb1d45e3adc4bce4494666559c02e5c73010533428d09b519a1a814870b6b5e02d7882721d516519cf38ce5cfcaa3c03cd3cebb5c5a325a6dd0a

Download Submit
C:\Users\Admin\Desktop\sdsd\xWNbUVFLOi5G.exe
Filesize
5.0MB

MD5
6684f64f8d4f71afa600a88f52b7cdec

SHA1
9099fed76121afdaaae78ab7ba87f10a8f83c339

SHA256
aa263157b8f202e98ffa7b7db6aa3488b763730903578ae6e3e5735c181632c1

SHA512
f291c53657aeeb1d45e3adc4bce4494666559c02e5c73010533428d09b519a1a814870b6b5e02d7882721d516519cf38ce5cfcaa3c03cd3cebb5c5a325a6dd0a

Download Submit
\??\pipe\crashpad_1984_GEPDZTEUZRWLAPPT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/932-228-0x0000000000000000-mapping.dmp

Download
memory/1060-223-0x0000000000000000-mapping.dmp

Download
memory/1316-226-0x0000000000000000-mapping.dmp

Download
memory/1332-274-0x0000000000000000-mapping.dmp

Download
memory/1460-248-0x0000000000000000-mapping.dmp

Download
memory/1960-218-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/1960-219-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/1960-216-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/1960-221-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/1960-211-0x00007FF62C360000-0x00007FF62D018000-memory.dmp

Filesize
12.7MB

Download
memory/1960-220-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/1960-215-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/1960-222-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/1960-217-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/1960-210-0x00007FF62C360000-0x00007FF62D018000-memory.dmp

Filesize
12.7MB

Download
memory/1960-208-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/1960-207-0x00007FF62C360000-0x00007FF62D018000-memory.dmp

Filesize
12.7MB

Download
memory/1960-209-0x00007FF62C360000-0x00007FF62D018000-memory.dmp

Filesize
12.7MB

Download
memory/1960-214-0x00007FF62C360000-0x00007FF62D018000-memory.dmp

Filesize
12.7MB

Download
memory/1960-213-0x00007FF62C360000-0x00007FF62D018000-memory.dmp

Filesize
12.7MB

Download
memory/1960-212-0x00007FF62C360000-0x00007FF62D018000-memory.dmp

Filesize
12.7MB

Download
memory/1992-160-0x00007FF6C40A0000-0x00007FF6C75C9000-memory.dmp

Filesize
53.2MB

Download
memory/1992-163-0x00007FF6C40A0000-0x00007FF6C75C9000-memory.dmp

Filesize
53.2MB

Download
memory/1992-159-0x00007FF6C40A0000-0x00007FF6C75C9000-memory.dmp

Filesize
53.2MB

Download
memory/1992-166-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/1992-165-0x00007FF6C40A0000-0x00007FF6C75C9000-memory.dmp

Filesize
53.2MB

Download
memory/1992-175-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/1992-158-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/1992-164-0x00007FF6C40A0000-0x00007FF6C75C9000-memory.dmp

Filesize
53.2MB

Download
memory/1992-182-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/1992-173-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/1992-177-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/1992-170-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/1992-167-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/1992-168-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/1992-169-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/1992-162-0x00007FF6C40A0000-0x00007FF6C75C9000-memory.dmp

Filesize
53.2MB

Download
memory/1992-161-0x00007FF6C40A0000-0x00007FF6C75C9000-memory.dmp

Filesize
53.2MB

Download
memory/2896-247-0x0000000000000000-mapping.dmp

Download
memory/3352-266-0x0000014926250000-0x0000014926290000-memory.dmp

Filesize
256KB

Download
memory/3352-259-0x0000014926250000-0x0000014926290000-memory.dmp

Filesize
256KB

Download
memory/3352-265-0x0000014926250000-0x0000014926290000-memory.dmp

Filesize
256KB

Download
memory/3352-253-0x0000014926250000-0x0000014926290000-memory.dmp

Filesize
256KB

Download
memory/3352-254-0x0000014926250000-0x0000014926290000-memory.dmp

Filesize
256KB

Download
memory/3352-255-0x0000014926250000-0x0000014926290000-memory.dmp

Filesize
256KB

Download
memory/3352-256-0x0000014926250000-0x0000014926290000-memory.dmp

Filesize
256KB

Download
memory/3352-257-0x0000014926250000-0x0000014926290000-memory.dmp

Filesize
256KB

Download
memory/3352-258-0x0000014926250000-0x0000014926290000-memory.dmp

Filesize
256KB

Download
memory/3352-250-0x0000000000000000-mapping.dmp

Download
memory/3352-260-0x0000014926250000-0x0000014926290000-memory.dmp

Filesize
256KB

Download
memory/3352-261-0x0000014926250000-0x0000014926290000-memory.dmp

Filesize
256KB

Download
memory/3352-262-0x0000014926250000-0x0000014926290000-memory.dmp

Filesize
256KB

Download
memory/3352-263-0x0000014926250000-0x0000014926290000-memory.dmp

Filesize
256KB

Download
memory/3352-264-0x0000014926250000-0x0000014926290000-memory.dmp

Filesize
256KB

Download
memory/3392-270-0x0000000000000000-mapping.dmp

Download
memory/3444-252-0x0000000000000000-mapping.dmp

Download
memory/3656-202-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/3656-185-0x00007FF62C360000-0x00007FF62D018000-memory.dmp

Filesize
12.7MB

Download
memory/3656-204-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/3656-203-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/3656-201-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/3656-200-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/3656-199-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/3656-198-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/3656-195-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/3656-193-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/3656-197-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/3656-171-0x0000000000000000-mapping.dmp

Download
memory/3656-196-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/3656-192-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/3656-176-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/3656-205-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/3656-178-0x00007FF62C360000-0x00007FF62D018000-memory.dmp

Filesize
12.7MB

Download
memory/3656-179-0x00007FF62C360000-0x00007FF62D018000-memory.dmp

Filesize
12.7MB

Download
memory/3656-180-0x00007FF62C360000-0x00007FF62D018000-memory.dmp

Filesize
12.7MB

Download
memory/3656-181-0x00007FF62C360000-0x00007FF62D018000-memory.dmp

Filesize
12.7MB

Download
memory/3656-183-0x00007FF62C360000-0x00007FF62D018000-memory.dmp

Filesize
12.7MB

Download
memory/3656-184-0x00007FF62C360000-0x00007FF62D018000-memory.dmp

Filesize
12.7MB

Download
memory/3656-194-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/3656-186-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/3656-187-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/3656-188-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/3656-189-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/3656-190-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/3656-191-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/4184-224-0x0000000000000000-mapping.dmp

Download
memory/4208-229-0x0000000000000000-mapping.dmp

Download
memory/4304-275-0x0000000000000000-mapping.dmp

Download
memory/4512-231-0x00007FF62C360000-0x00007FF62D018000-memory.dmp

Filesize
12.7MB

Download
memory/4512-246-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/4512-245-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/4512-244-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/4512-243-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/4512-242-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/4512-241-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/4512-240-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/4512-239-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/4512-238-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/4512-237-0x00007FF62C360000-0x00007FF62D018000-memory.dmp

Filesize
12.7MB

Download
memory/4512-236-0x00007FF62C360000-0x00007FF62D018000-memory.dmp

Filesize
12.7MB

Download
memory/4512-235-0x00007FF62C360000-0x00007FF62D018000-memory.dmp

Filesize
12.7MB

Download
memory/4512-234-0x00007FF62C360000-0x00007FF62D018000-memory.dmp

Filesize
12.7MB

Download
memory/4512-233-0x00007FF62C360000-0x00007FF62D018000-memory.dmp

Filesize
12.7MB

Download
memory/4512-232-0x00007FFF2E690000-0x00007FFF2E885000-memory.dmp

Filesize
2.0MB

Download
memory/4512-230-0x00007FF62C360000-0x00007FF62D018000-memory.dmp

Filesize
12.7MB

Download
memory/4776-227-0x0000000000000000-mapping.dmp

Download
memory/4892-154-0x0000000000000000-mapping.dmp

Download
memory/4964-225-0x0000000000000000-mapping.dmp

Download
memory/5216-278-0x0000000000000000-mapping.dmp

Download
memory/5512-280-0x0000000000000000-mapping.dmp

Download
memory/5760-282-0x0000000000000000-mapping.dmp

Download
memory/5788-283-0x0000000000000000-mapping.dmp

Download
memory/5808-285-0x0000000000000000-mapping.dmp

Download