ba4c9bc4a4d91acc617a56ca2b36004881d4b830e0e8803041ed411fb3c8eb2b

Analysis

max time kernel
985s
max time network
984s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2022 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

38KB
MD5

5e2ae013eb8311a3305ef4feede19e52
SHA1

c7a2682bbcb049a34df44b57d2103421687baa70
SHA256

ba4c9bc4a4d91acc617a56ca2b36004881d4b830e0e8803041ed411fb3c8eb2b
SHA512

1274443a4cefe8f4769071fa7fc1c8deeb936cffa65292105f2e6b55f3a1518cfb5b59042f2797682207825d099f0eaf7075fe8171d5f46454e2930432f74d3b

Score

9^/10

discovery evasion spyware stealer themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

lolicor.exeUAeRpBLhRgpi.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	lolicor.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	UAeRpBLhRgpi.exe

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

Processes:

ChromeRecovery.exelolicor.exeUAeRpBLhRgpi.exeUAeRpBLhRgpi.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exeUAeRpBLhRgpi.exe

pid	process
1948	ChromeRecovery.exe
5648	lolicor.exe
1796	UAeRpBLhRgpi.exe
5484	UAeRpBLhRgpi.exe
6120	software_reporter_tool.exe
1608	software_reporter_tool.exe
5104	software_reporter_tool.exe
5200	software_reporter_tool.exe
2608	UAeRpBLhRgpi.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lolicor.exeUAeRpBLhRgpi.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lolicor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lolicor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	UAeRpBLhRgpi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	UAeRpBLhRgpi.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

lolicor.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation lolicor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	lolicor.exe

Loads dropped DLL 12 IoCs

Processes:

dcpfromhorizon.exesoftware_reporter_tool.exe

pid	process
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
5104	software_reporter_tool.exe
5104	software_reporter_tool.exe
5104	software_reporter_tool.exe
5104	software_reporter_tool.exe
5104	software_reporter_tool.exe
5104	software_reporter_tool.exe
5104	software_reporter_tool.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/5648-169-0x00007FF635FA0000-0x00007FF6394C9000-memory.dmp	themida
behavioral1/memory/5648-170-0x00007FF635FA0000-0x00007FF6394C9000-memory.dmp	themida
behavioral1/memory/5648-171-0x00007FF635FA0000-0x00007FF6394C9000-memory.dmp	themida
behavioral1/memory/5648-172-0x00007FF635FA0000-0x00007FF6394C9000-memory.dmp	themida
behavioral1/memory/5648-173-0x00007FF635FA0000-0x00007FF6394C9000-memory.dmp	themida
behavioral1/memory/5648-174-0x00007FF635FA0000-0x00007FF6394C9000-memory.dmp	themida
behavioral1/memory/5648-175-0x00007FF635FA0000-0x00007FF6394C9000-memory.dmp	themida
behavioral1/memory/1796-183-0x00007FF6488A0000-0x00007FF649558000-memory.dmp	themida
behavioral1/memory/1796-186-0x00007FF6488A0000-0x00007FF649558000-memory.dmp	themida
behavioral1/memory/1796-189-0x00007FF6488A0000-0x00007FF649558000-memory.dmp	themida
behavioral1/memory/1796-191-0x00007FF6488A0000-0x00007FF649558000-memory.dmp	themida
behavioral1/memory/1796-192-0x00007FF6488A0000-0x00007FF649558000-memory.dmp	themida
behavioral1/memory/1796-193-0x00007FF6488A0000-0x00007FF649558000-memory.dmp	themida
behavioral1/memory/1796-194-0x00007FF6488A0000-0x00007FF649558000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

lolicor.exeUAeRpBLhRgpi.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lolicor.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UAeRpBLhRgpi.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe
Suspicious use of NtCreateThreadExHideFromDebugger 6 IoCs

Processes:

lolicor.exeUAeRpBLhRgpi.exe

pid process

5648 lolicor.exe
5648 lolicor.exe
5648 lolicor.exe
1796 UAeRpBLhRgpi.exe
1796 UAeRpBLhRgpi.exe
1796 UAeRpBLhRgpi.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

lolicor.exeUAeRpBLhRgpi.exe

pid process

5648 lolicor.exe
1796 UAeRpBLhRgpi.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

dcpfromhorizon.exe

description pid process target process

PID 3464 set thread context of 5484 3464 dcpfromhorizon.exe UAeRpBLhRgpi.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

pid	process
5648	lolicor.exe
5648	lolicor.exe
5648	lolicor.exe
1796	UAeRpBLhRgpi.exe
1796	UAeRpBLhRgpi.exe
1796	UAeRpBLhRgpi.exe

pid	process
5648	lolicor.exe
1796	UAeRpBLhRgpi.exe

description	pid	process	target process
PID 3464 set thread context of 5484	3464	dcpfromhorizon.exe	UAeRpBLhRgpi.exe

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1212_259461077\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1212_259461077\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1212_259461077\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1212_259461077\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1212_259461077\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1212_259461077\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1212_259461077\_metadata\verified_contents.json	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3EC64292-125C-11ED-BFB6-56B8B6DCAEAE} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Modifies registry class 58 IoCs

Processes:

dcpfromhorizon.exemsedge.exesvchost.exechrome.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 56003100000000000255da61100072656c6561736500400009000400efbe0255d9610255da612e00000001310200000006000000000000000000000000000000589f3001720065006c006500610073006500000016000000	dcpfromhorizon.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	dcpfromhorizon.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	dcpfromhorizon.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	dcpfromhorizon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	dcpfromhorizon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	dcpfromhorizon.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	dcpfromhorizon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	dcpfromhorizon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	dcpfromhorizon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	dcpfromhorizon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	dcpfromhorizon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	dcpfromhorizon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	dcpfromhorizon.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	dcpfromhorizon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	dcpfromhorizon.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2372564722-193526734-2636556182-1000\{BD05BE60-46DD-4AA1-A963-94D4BC2037C7}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	dcpfromhorizon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	dcpfromhorizon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	dcpfromhorizon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\NodeSlot = "6"	dcpfromhorizon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	dcpfromhorizon.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	dcpfromhorizon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	dcpfromhorizon.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings	dcpfromhorizon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = ffffffff	dcpfromhorizon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	dcpfromhorizon.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	dcpfromhorizon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	dcpfromhorizon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	dcpfromhorizon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	dcpfromhorizon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	dcpfromhorizon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	dcpfromhorizon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	dcpfromhorizon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	dcpfromhorizon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff	dcpfromhorizon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 4a003100000000000255b662300078363400380009000400efbe0255da610255b6622e00000095310200000006000000000000000000000000000000493e2b00780036003400000012000000	dcpfromhorizon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	dcpfromhorizon.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	dcpfromhorizon.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	dcpfromhorizon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	dcpfromhorizon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "7"	dcpfromhorizon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	dcpfromhorizon.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	dcpfromhorizon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	dcpfromhorizon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	dcpfromhorizon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	dcpfromhorizon.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	dcpfromhorizon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	dcpfromhorizon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff	dcpfromhorizon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	dcpfromhorizon.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	dcpfromhorizon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	dcpfromhorizon.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	dcpfromhorizon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	dcpfromhorizon.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	dcpfromhorizon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	dcpfromhorizon.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1348 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

dcpfromhorizon.exedcpfromhorizon.exedcpfromhorizon.exe

pid process

4848 dcpfromhorizon.exe
5348 dcpfromhorizon.exe
3464 dcpfromhorizon.exe

pid	process
1348	NOTEPAD.EXE

pid	process
4848	dcpfromhorizon.exe
5348	dcpfromhorizon.exe
3464	dcpfromhorizon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exemsedge.exechrome.exemsedge.exechrome.exechrome.exechrome.exedcpfromhorizon.exe

pid	process
3460	chrome.exe
3460	chrome.exe
1272	chrome.exe
1272	chrome.exe
4112	chrome.exe
4112	chrome.exe
4564	chrome.exe
4564	chrome.exe
5028	chrome.exe
5028	chrome.exe
5096	chrome.exe
5096	chrome.exe
224	chrome.exe
224	chrome.exe
2144	chrome.exe
2144	chrome.exe
5596	msedge.exe
5596	msedge.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
6096	chrome.exe
5580	msedge.exe
5580	msedge.exe
4312	chrome.exe
4312	chrome.exe
5844	chrome.exe
5844	chrome.exe
1348	chrome.exe
1348	chrome.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

7zFM.exedcpfromhorizon.exedcpfromhorizon.exedcpfromhorizon.exe

pid process

5776 7zFM.exe
4848 dcpfromhorizon.exe
5348 dcpfromhorizon.exe
3464 dcpfromhorizon.exe

pid	process
5776	7zFM.exe
4848	dcpfromhorizon.exe
5348	dcpfromhorizon.exe
3464	dcpfromhorizon.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

Processes:

chrome.exe

pid	process
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

7zFM.exedcpfromhorizon.exedcpfromhorizon.exedcpfromhorizon.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

description	pid	process
Token: SeRestorePrivilege	5776	7zFM.exe
Token: 35	5776	7zFM.exe
Token: SeSecurityPrivilege	5776	7zFM.exe
Token: SeDebugPrivilege	4848	dcpfromhorizon.exe
Token: SeDebugPrivilege	5348	dcpfromhorizon.exe
Token: SeDebugPrivilege	3464	dcpfromhorizon.exe
Token: SeDebugPrivilege	3464	dcpfromhorizon.exe
Token: 33	1608	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1608	software_reporter_tool.exe
Token: 33	6120	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	6120	software_reporter_tool.exe
Token: 33	5104	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	5104	software_reporter_tool.exe
Token: 33	5200	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	5200	software_reporter_tool.exe
Token: SeDebugPrivilege	3464	dcpfromhorizon.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

iexplore.exechrome.exemsedge.exe

pid	process
3580	iexplore.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
5268	msedge.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

iexplore.exeIEXPLORE.EXEdcpfromhorizon.exelolicor.exeUAeRpBLhRgpi.exedcpfromhorizon.exedcpfromhorizon.exe

pid	process
3580	iexplore.exe
3580	iexplore.exe
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
4848	dcpfromhorizon.exe
4848	dcpfromhorizon.exe
5648	lolicor.exe
1796	UAeRpBLhRgpi.exe
5348	dcpfromhorizon.exe
5348	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe
3464	dcpfromhorizon.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exechrome.exe

description	pid	process	target process
PID 3580 wrote to memory of 3464	3580	iexplore.exe	IEXPLORE.EXE
PID 3580 wrote to memory of 3464	3580	iexplore.exe	IEXPLORE.EXE
PID 3580 wrote to memory of 3464	3580	iexplore.exe	IEXPLORE.EXE
PID 1272 wrote to memory of 3712	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 3712	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 2648	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 3460	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 3460	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 1484	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 1484	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 1484	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 1484	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 1484	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 1484	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 1484	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 1484	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 1484	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 1484	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 1484	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 1484	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 1484	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 1484	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 1484	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 1484	1272	chrome.exe	chrome.exe
PID 1272 wrote to memory of 1484	1272	chrome.exe	chrome.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3580

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3580 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7fff746d4f50,0x7fff746d4f60,0x7fff746d4f70
2⤵
PID:3712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1648 /prefetch:2
2⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2284 /prefetch:8
2⤵
PID:1484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3000 /prefetch:1
2⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
2⤵
PID:4176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
2⤵
PID:4320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4588 /prefetch:8
2⤵
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4704 /prefetch:8
2⤵
PID:4556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4848 /prefetch:8
2⤵
PID:4612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5320 /prefetch:8
2⤵
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5164 /prefetch:8
2⤵
PID:4568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4688 /prefetch:8
2⤵
PID:4784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5184 /prefetch:8
2⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5236 /prefetch:8
2⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
2⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1596 /prefetch:1
2⤵
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
2⤵
PID:4764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3280 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3988 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
2⤵
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
2⤵
PID:4864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
2⤵
PID:1204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6268 /prefetch:8
2⤵
PID:5036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6220 /prefetch:8
2⤵
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6496 /prefetch:8
2⤵
PID:1200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6604 /prefetch:8
2⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6308 /prefetch:8
2⤵
PID:2004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
2⤵
PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2524 /prefetch:1
2⤵
PID:4000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6520 /prefetch:8
2⤵
PID:3472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6576 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
2⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
2⤵
PID:1844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3100 /prefetch:8
2⤵
PID:4128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5968 /prefetch:8
2⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5972 /prefetch:8
2⤵
PID:6056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4048 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5416 /prefetch:8
2⤵
PID:5928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6312 /prefetch:8
2⤵
PID:5424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1
2⤵
PID:5840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
2⤵
PID:5624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5940 /prefetch:8
2⤵
PID:6040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6696 /prefetch:8
2⤵
PID:5584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2884 /prefetch:1
2⤵
PID:6008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
2⤵
PID:5960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
2⤵
PID:5880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:1
2⤵
PID:5480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
2⤵
PID:5700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5464 /prefetch:8
2⤵
PID:4112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4580 /prefetch:8
2⤵
PID:5368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6872 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5464 /prefetch:8
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4860 /prefetch:8
2⤵
PID:2460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=916 /prefetch:8
2⤵
PID:1820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=908 /prefetch:8
2⤵
PID:5708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4588 /prefetch:8
2⤵
PID:2916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6300 /prefetch:8
2⤵
PID:1196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7052 /prefetch:8
2⤵
PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5388 /prefetch:8
2⤵
PID:6096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1144 /prefetch:8
2⤵
PID:4396

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\102.286.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\102.286.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=/ZVHPGtdRkZabaCdmF/jz8TIuU7TJCROauTLlUrP --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6120

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=102.286.200 --initial-client-data=0x284,0x288,0x28c,0x268,0x290,0x7ff79f41ecc8,0x7ff79f41ecd8,0x7ff79f41ece8
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1608

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_6120_FNQWBPNOBSJCLGFO" --sandboxed-process-id=2 --init-done-notifier=784 --sandbox-mojo-pipe-token=17451644760525738504 --mojo-platform-channel-handle=756 --engine=2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5104

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_6120_FNQWBPNOBSJCLGFO" --sandboxed-process-id=3 --init-done-notifier=996 --sandbox-mojo-pipe-token=4656706384181392041 --mojo-platform-channel-handle=992
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,2695628795957621979,10644632433539977001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2476 /prefetch:8
2⤵
PID:5184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:688

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:1212

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1212_259461077\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1212_259461077\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={ef73c8ba-d33b-4029-a49b-3efbbc4edc8a} --system
2⤵
- Executes dropped EXE
PID:1948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault3ce8e99ch39ach451ch8d19hebf13da1e0b0
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff70de46f8,0x7fff70de4708,0x7fff70de4718
2⤵
PID:5352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1384,7215333712965758042,5864987509363857779,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
2⤵
PID:5580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1384,7215333712965758042,5864987509363857779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1384,7215333712965758042,5864987509363857779,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
2⤵
PID:5772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:5908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault28c55ed8hacc6h437ch8016h4e2e157acf82
1⤵
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff70de46f8,0x7fff70de4708,0x7fff70de4718
2⤵
PID:5876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,6812630102198291291,14103571168014888013,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
2⤵
PID:5528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,6812630102198291291,14103571168014888013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,6812630102198291291,14103571168014888013,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
2⤵
PID:5772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3960

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3536

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\hdf.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5776

C:\Users\Admin\Desktop\release\x64\dcpfromhorizon.exe
"C:\Users\Admin\Desktop\release\x64\dcpfromhorizon.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4848

C:\Users\Admin\Desktop\lolicor.exe
"C:\Users\Admin\Desktop\lolicor.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5648

C:\Users\Admin\Desktop\UAeRpBLhRgpi.exe
UAeRpBLhRgpi.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1796

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\Desktop\lolicor.exe >> NUL
2⤵
PID:4932

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\commithash.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1348

C:\Users\Admin\Desktop\release\x64\dcpfromhorizon.exe
"C:\Users\Admin\Desktop\release\x64\dcpfromhorizon.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5348

C:\Users\Admin\Desktop\release\x64\dcpfromhorizon.exe
"C:\Users\Admin\Desktop\release\x64\dcpfromhorizon.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3464

C:\Users\Admin\Desktop\UAeRpBLhRgpi.exe
"C:\Users\Admin\Desktop\UAeRpBLhRgpi.exe"
2⤵
- Executes dropped EXE
PID:5484

C:\Users\Admin\Desktop\UAeRpBLhRgpi.exe
"C:\Users\Admin\Desktop\UAeRpBLhRgpi.exe"
2⤵
- Executes dropped EXE
PID:2608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1212_259461077\ChromeRecovery.exe

Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
1a48d311ea8e2297e65ac1b8dc5b39ed

SHA1
8335f95b49f5250d0514f0682be10a975ee359db

SHA256
5b50e78fb2b9b66f7af834a3f15d4bff9e477a820c6598aa4f9dbf6313ea51b0

SHA512
f7270813913f7af90f89451c8f868c9a8bb4e58f46ba08d378082976f4ed24cdc9c8b9b8eccbfa68ea294e73cd9bf897b53d1993edc44256dee1d3983381de6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
5a11c6099b9e5808dfb08c5c9570c92f

SHA1
e5dc219641146d1839557973f348037fa589fd18

SHA256
91291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172

SHA512
c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6C5C4E1A482F75D0EA0262D75C3C6DA4

Filesize
472B

MD5
6ed7108a5333627bdc92b1ef3eda946f

SHA1
b50c5d16748dfe96799d540aaf862d160f1eb8ba

SHA256
655a864ac58518cd5939e92fdbe88a16f5259f4d2f62a645993ef0d67245f8c4

SHA512
b64cc7a07b5a09dabc68b5588969fcef94c5e5f7446275d194a44e73a9b88eae1afe9306eaed72f7252ff90230a5b78e112bfc26fc590f4cf2e51c0d37647f8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
417b512682bc3db2e9c3f3d670b8d217

SHA1
7634bc09abd7e2cf6d81956f25cb0d834f4c477c

SHA256
d21b70b582972c92bcad504fa2421139f298bcb6aa7fd0fcbb1f8bfaa4dd476b

SHA512
9c1b5d7ad10a4dd5b1c6b0eec12bf4213881f66ff798aa9ba4f25c1782d6fb4ea6f540125c8e8ae16d0741ded1591033473c78a1d3b47f106fb2de80b25447f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
1f85c2b3695b8ec1a1e35359e79733f3

SHA1
4fb6bee6da691529f67f07a40a9588ef91be968a

SHA256
976debdb783ae518fafedea0466bf027c91d7b961f17ba1c784a37770e1638bc

SHA512
c7596b7201c661626d46e115cb2ae818766c339fffd6191e93681c8fe79f5510ff82d3a0066684580ede0315b7cd19d320b7ff03845ab9075d888d6cbb7d2e5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6C5C4E1A482F75D0EA0262D75C3C6DA4

Filesize
402B

MD5
3187179036dd097bd4d933c19a517ad3

SHA1
41d3d8f202ebc454b4897fcf27cbdd83c033a099

SHA256
10869f82b000abab9b3e1c68ca88fb18cc5a7f96d407ff8119314eff8f6f9743

SHA512
20a7d4405eb1c87d75f15c5f8dc9ef4a48c1d1696cc46bba136c94b66d6a7f92bbd3fbc8dd1447ecddfab0db5d92452978c61b514b0614ce9e504b4c02c91c06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
171KB

MD5
087e994ccfdd7d05eaa48355208fb1f8

SHA1
6eae906e692b1134a064450ced6cffea42db1487

SHA256
588c41a0c59db8409ac14196ecd90d64b228ffc38b5235ffc45fb0d9df499079

SHA512
425582114985bc79e66f062e9d2dd15d694637bc9c7cae700febdc5903798e4cfd60c870a91298f411fa474410a57fd1f70b2f5f1f1baf46adf0ab8c412d209b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3

Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
007709614bb3de70288cedc2bb85bc6e

SHA1
2b0049ace9237c72d5b068a07246870fbae9a41b

SHA256
2159616661c7e0266d814763042fc6a1eb9f9b32783474fefc2171f1140e7ab1

SHA512
cb523fa8dc7d42a942fcfdff8bcf97812f76de3451731c01b3fc435afe73e4f1ba9393d34a85984f0348d2aa39a4d1f5b194b71e323e934b2d3a16c60ed246a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
eb4c0283fab919ca2b6d9e304de5a483

SHA1
828eb9c49bc809b3f20210cecb4017114cce8b6d

SHA256
ad399cce9555fba85e0a0f47e47546690f59d76924b6281b79af11ae5da5e04a

SHA512
94105056e3d737999b32979fe9fa561786a702e9b6fcef92c29646ecc6d290330118b1f09b2ade0fad39a91d6d6360a20afb5985064cfe4ef2aaff03b8c521db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
0919773b437b5cb37abfb1f37121d3ab

SHA1
bb75c19154fd5beea0f541f3aa42949a14ea0695

SHA256
ad0bed1e20881a2fafdd27ee8e453f2835735fc4824baf8d0412bf4d33293d80

SHA512
42d53e135253dc809727067dc7e4c8f44b615d571eee4c4ec999b99a66cd682637521c0f563d8b45bade7802b900685f6089109547a24f0c2127e618db4cee13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
c4a7fee0d1ab66e81af8f120530e3dc1

SHA1
8447975ee0ebd42e1eb7142bc146ee04f933759d

SHA256
4081a828883c790d2a08955db1fe26a594c18350a1c7384ef1546fce484fe831

SHA512
77dbd38284524b23cbee2cd5cd27309750820fec0106956ae3a6385b2d505bf0468664d37e14840ad5ca8847f9fc9c278d71d0a9496c6315ffdb89c76cd8f70e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
b41f1061e86504aa3cafb732eb831efb

SHA1
2af0616952ec48963366711c523b409a0700e777

SHA256
48290da4ef954d2a88afdbcf4141fd6ab510f72541b8b2c7847e9b0a215ded2c

SHA512
3ff62cfa05ce7b229f03483092f8b7ef7da9441a2203f537c2d8c253c3a6a4167d14865a8128856bf3ba3e6ff2f21e3c521de143e5aa4914cd4699f0392be41d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
\??\pipe\LOCAL\crashpad_3352_RNNDKKKHLTJARWIZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_5268_GUHXHNVGVQSTJJZS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_1272_BZZYFDTZQMGHIZNN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1608-213-0x0000000000000000-mapping.dmp

Download
memory/1796-203-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1796-192-0x00007FF6488A0000-0x00007FF649558000-memory.dmp

Filesize
12.7MB

Download
memory/1796-179-0x0000000000000000-mapping.dmp

Download
memory/1796-204-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1796-205-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1796-201-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1796-182-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1796-183-0x00007FF6488A0000-0x00007FF649558000-memory.dmp

Filesize
12.7MB

Download
memory/1796-200-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1796-199-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1796-198-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1796-197-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1796-196-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1796-195-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1796-194-0x00007FF6488A0000-0x00007FF649558000-memory.dmp

Filesize
12.7MB

Download
memory/1796-193-0x00007FF6488A0000-0x00007FF649558000-memory.dmp

Filesize
12.7MB

Download
memory/1796-202-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1796-191-0x00007FF6488A0000-0x00007FF649558000-memory.dmp

Filesize
12.7MB

Download
memory/1796-189-0x00007FF6488A0000-0x00007FF649558000-memory.dmp

Filesize
12.7MB

Download
memory/1796-186-0x00007FF6488A0000-0x00007FF649558000-memory.dmp

Filesize
12.7MB

Download
memory/1948-138-0x0000000000000000-mapping.dmp

Download
memory/2608-239-0x0000000000000000-mapping.dmp

Download
memory/3464-211-0x00000171A1890000-0x00000171A18A0000-memory.dmp

Filesize
64KB

Download
memory/3464-209-0x000000005EB80000-0x000000005F0CA000-memory.dmp

Filesize
5.3MB

Download
memory/3464-208-0x00007FFF6FF90000-0x00007FFF704AC000-memory.dmp

Filesize
5.1MB

Download
memory/4848-164-0x000000005EB80000-0x000000005F0CA000-memory.dmp

Filesize
5.3MB

Download
memory/4848-165-0x00007FFF6F830000-0x00007FFF6FD4C000-memory.dmp

Filesize
5.1MB

Download
memory/4848-166-0x000000005EB80000-0x000000005F0CA000-memory.dmp

Filesize
5.3MB

Download
memory/4848-167-0x00007FFF6F830000-0x00007FFF6FD4C000-memory.dmp

Filesize
5.1MB

Download
memory/4932-188-0x0000000000000000-mapping.dmp

Download
memory/5104-231-0x0000022DED560000-0x0000022DED5A0000-memory.dmp

Filesize
256KB

Download
memory/5104-233-0x0000022DED5A0000-0x0000022DED5E0000-memory.dmp

Filesize
256KB

Download
memory/5104-232-0x0000022DED560000-0x0000022DED5A0000-memory.dmp

Filesize
256KB

Download
memory/5104-229-0x0000022DED560000-0x0000022DED5A0000-memory.dmp

Filesize
256KB

Download
memory/5104-228-0x0000022DED560000-0x0000022DED5A0000-memory.dmp

Filesize
256KB

Download
memory/5104-227-0x0000022DED560000-0x0000022DED5A0000-memory.dmp

Filesize
256KB

Download
memory/5104-226-0x0000022DED560000-0x0000022DED5A0000-memory.dmp

Filesize
256KB

Download
memory/5104-225-0x0000022DED560000-0x0000022DED5A0000-memory.dmp

Filesize
256KB

Download
memory/5104-224-0x0000022DED5A0000-0x0000022DED5E0000-memory.dmp

Filesize
256KB

Download
memory/5104-223-0x0000022DED560000-0x0000022DED5A0000-memory.dmp

Filesize
256KB

Download
memory/5104-222-0x0000022DED560000-0x0000022DED5A0000-memory.dmp

Filesize
256KB

Download
memory/5104-230-0x0000022DED560000-0x0000022DED5A0000-memory.dmp

Filesize
256KB

Download
memory/5104-235-0x0000022DED560000-0x0000022DED5A0000-memory.dmp

Filesize
256KB

Download
memory/5104-234-0x0000022DED560000-0x0000022DED5A0000-memory.dmp

Filesize
256KB

Download
memory/5104-236-0x0000022DED560000-0x0000022DED5A0000-memory.dmp

Filesize
256KB

Download
memory/5104-221-0x0000022DED560000-0x0000022DED5A0000-memory.dmp

Filesize
256KB

Download
memory/5104-220-0x0000022DED560000-0x0000022DED5A0000-memory.dmp

Filesize
256KB

Download
memory/5104-219-0x0000022DED560000-0x0000022DED5A0000-memory.dmp

Filesize
256KB

Download
memory/5104-218-0x0000022DED560000-0x0000022DED5A0000-memory.dmp

Filesize
256KB

Download
memory/5104-237-0x0000022DED560000-0x0000022DED5A0000-memory.dmp

Filesize
256KB

Download
memory/5104-215-0x0000000000000000-mapping.dmp

Download
memory/5200-217-0x0000000000000000-mapping.dmp

Download
memory/5348-206-0x00007FFF6F830000-0x00007FFF6FD4C000-memory.dmp

Filesize
5.1MB

Download
memory/5348-207-0x000000005EB80000-0x000000005F0CA000-memory.dmp

Filesize
5.3MB

Download
memory/5352-140-0x0000000000000000-mapping.dmp

Download
memory/5484-210-0x0000000000000000-mapping.dmp

Download
memory/5484-238-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5528-155-0x0000000000000000-mapping.dmp

Download
memory/5580-142-0x0000000000000000-mapping.dmp

Download
memory/5580-158-0x0000000000000000-mapping.dmp

Download
memory/5596-143-0x0000000000000000-mapping.dmp

Download
memory/5648-184-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5648-175-0x00007FF635FA0000-0x00007FF6394C9000-memory.dmp

Filesize
53.2MB

Download
memory/5648-178-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5648-168-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5648-169-0x00007FF635FA0000-0x00007FF6394C9000-memory.dmp

Filesize
53.2MB

Download
memory/5648-170-0x00007FF635FA0000-0x00007FF6394C9000-memory.dmp

Filesize
53.2MB

Download
memory/5648-171-0x00007FF635FA0000-0x00007FF6394C9000-memory.dmp

Filesize
53.2MB

Download
memory/5648-172-0x00007FF635FA0000-0x00007FF6394C9000-memory.dmp

Filesize
53.2MB

Download
memory/5648-173-0x00007FF635FA0000-0x00007FF6394C9000-memory.dmp

Filesize
53.2MB

Download
memory/5648-190-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5648-174-0x00007FF635FA0000-0x00007FF6394C9000-memory.dmp

Filesize
53.2MB

Download
memory/5648-180-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5648-187-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5648-181-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5648-185-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5648-176-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5648-177-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5772-146-0x0000000000000000-mapping.dmp

Download
memory/5772-161-0x0000000000000000-mapping.dmp

Download
memory/5876-148-0x0000000000000000-mapping.dmp

Download
memory/6120-212-0x0000000000000000-mapping.dmp

Download