ryuk | 13160edab74cc2dd34653920d4bf56e487fea2fd6adf8249e0be9215ced902b4

Target

13160edab74cc2dd34653920d4bf56e487fea2fd6adf8249e0be9215ced902b4.pdf
Size

2.6MB
MD5

7f6060451f81564336bd5d9e5c95797a
SHA1

70c756af084d013e703d5e1c0f561eea6cb2f781
SHA256

13160edab74cc2dd34653920d4bf56e487fea2fd6adf8249e0be9215ced902b4
SHA512

c5263836ef7264e48e4166042827340244fe430b490ad41acde7fef378757731e7d3fecfe05c5d75695d32dcba7a13db86bea36366c5f4fb1e0ea3e321032abf

Score

10^/10

ryuk evasion persistence ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\sample.txt

Family

ryuk

Ransom Note

%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to interact with the remote access Trojan installed on the victim but instead uses malicious PDF documents which are transmitted via email. The threat actors have used the backdoor since at least 2013 to stay under the radar in an attempt to steal sensitive information. The attacks are able to go unnoticed by interacting with Microsoft Outlook using the Messaging Application Programming Interface (MAPI).","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":3629}},"updated_on":"2021-05-07T09:35:07.000Z","external_analysis":{"links":["https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"]},"is_coat":1,"created_on":"2020-06-14T13:56:31.000Z"}]},{"id":"553f5c1e-a363-4b45-8eac-425444a78b00","type":"vulnerability","category":"External analysis","value":"CVE-2019-1003029","comment":"A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier","description":"","mitre_techniques":[],"campaigns":[{"id":"6f03a212-a5c5-4146-ac93-b57af6ebcf57","name":"Multiple Vulnerabilities And Tactics Used To Spread Capoae Malware","description":"The Capoae malicious software exploited multiple vulnerabilities and used weak credentials to attack Oracle WebLogic, ThinkPHP, WordPress, and Jenkins servers. Web shells, port scanners, and XMRig mining software were dropped onto the infected systems to mine for digital currency and find additional devices to infect. The malware maintained persistence by adding an entry to crontab and adding a public key into the SSH authorized_keys file. \r\n\r\nMcAfee’s ATR Team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by Akamai Technologies and shared publicly https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread","threat_level_id":3,"kb_article_link":null,"coverage":null,"updated_on":"2021-09-22T21:08:45.000Z","external_analysis":{"links":["https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread"]},"is_coat":0,"created_on":"2021-09-22T21:08:45.000Z"}]},{"id":"55424f67-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts dropped","value":"rule turla_outlook_gen { \n meta: \n author = \"ESET Research\" \n date = \"22-08-2018\" \n description = \"Turla Outlook malware\" \n reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" \n source = \"https://github.com/eset/malware-ioc/\" \n contact = \"[email protected]\" \n license = \"BSD 2-Clause\" \n strings: \n $s1 = \"Outlook\" ascii wide \n $s2 = \"Outlook Express\" ascii wide \n $s3 = \"Outlook watchdog\" ascii wide \n $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide \n $s5 = \"Mail Event Window\" ascii wide \n $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide \n $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to interact with the remote access Trojan installed on the victim but instead uses malicious PDF documents which are transmitted via email. The threat actors have used the backdoor since at least 2013 to stay under the radar in an attempt to steal sensitive information. The attacks are able to go unnoticed by interacting with Microsoft Outlook using the Messaging Application Programming Interface (MAPI).","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":3629}},"updated_on":"2021-05-07T09:35:07.000Z","external_analysis":{"links":["https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"]},"is_coat":1,"created_on":"2020-06-14T13:56:31.000Z"}]},{"id":"55459d45-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts dropped","value":"rule turla_outlook_gen { \n meta: \n author = \"ESET Research\" \n date = \"22-08-2018\" \n description = \"Turla Outlook malware\" \n reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" \n source = \"https://github.com/eset/malware-ioc/\" \n contact = \"[email protected]\" \n license = \"BSD 2-Clause\" \n strings: \n $s1 = \"Outlook\" ascii wide \n $s2 = \"Outlook Express\" ascii wide \n $s3 = \"Outlook watchdog\" ascii wide \n $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide \n $s5 = \"Mail Event Window\" ascii wide \n $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide \n $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to interact with the remote access Trojan installed on the victim but instead uses malicious PDF documents which are transmitted via email. The threat actors have used the backdoor since at least 2013 to stay under the radar in an attempt to steal sensitive information. The attacks are able to go unnoticed by interacting with Microsoft Outlook using the Messaging Application Programming Interface (MAPI).","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":3629}},"updated_on":"2021-05-07T09:35:07.000Z","external_analysis":{"links":["https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"]},"is_coat":1,"created_on":"2020-06-14T13:56:31.000Z"}]},{"id":"5548bf24-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts dropped","value":"rule turla_outlook_gen { \n meta: \n author = \"ESET Research\" \n date = \"22-08-2018\" \n description = \"Turla Outlook malware\" \n reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" \n source = \"https://github.com/eset/malware-ioc/\" \n contact = \"[email protected]\" \n license = \"BSD 2-Clause\" \n strings: \n $s1 = \"Outlook\" ascii wide \n $s2 = \"Outlook Express\" ascii wide \n $s3 = \"Outlook watchdog\" ascii wide \n $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide \n $s5 = \"Mail Event Window\" ascii wide \n $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide \n $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to interact with the remote access Trojan installed on the victim but instead uses malicious PDF documents which are transmitted via email. The threat actors have used the backdoor since at least 2013 to stay under the radar in an attempt to steal sensitive information. The attacks are able to go unnoticed by interacting with Microsoft Outlook using the Messaging Application Programming Interface (MAPI).","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":3629}},"updated_on":"2021-05-07T09:35:07.000Z","external_analysis":{"links":["https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"]},"is_coat":1,"created_on":"2020-06-14T13:56:31.000Z"}]},{"id":"554c1128-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts dropped","value":"rule turla_outlook_gen { \n meta: \n author = \"ESET Research\" \n date = \"22-08-2018\" \n description = \"Turla Outlook malware\" \n reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" \n source = \"https://github.com/eset/malware-ioc/\" \n contact = \"[email protected]\" \n license = \"BSD 2-Clause\" \n strings: \n $s1 = \"Outlook\" ascii wide \n $s2 = \"Outlook Express\" ascii wide \n $s3 = \"Outlook watchdog\" ascii wide \n $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide \n $s5 = \"Mail Event Window\" ascii wide \n $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide \n $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to interact with the remote access Trojan installed on the victim but instead uses malicious PDF documents which are transmitted via email. The threat actors have used the backdoor since at least 2013 to stay under the radar in an attempt to steal sensitive information. The attacks are able to go unnoticed by interacting with Microsoft Outlook using the Messaging Application Programming Interface (MAPI).","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":3629}},"updated_on":"2021-05-07T09:35:07.000Z","external_analysis":{"links":["https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"]},"is_coat":1,"created_on":"2020-06-14T13:56:31.000Z"}]},{"id":"554f1351-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts dropped","value":"rule turla_outlook_gen { \n meta: \n author = \"ESET Research\" \n date = \"22-08-2018\" \n description = \"Turla Outlook malware\" \n reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" \n source = \"https://github.com/eset/malware-ioc/\" \n contact = \"[email protected]\" \n license = \"BSD 2-Clause\" \n strings: \n $s1 = \"Outlook\" ascii wide \n $s2 = \"Outlook Express\" ascii wide \n $s3 = \"Outlook watchdog\" ascii wide \n $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide \n $s5 = \"Mail Event Window\" ascii wide \n $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide \n $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to

Emails

\"[email protected]\"

\"[email protected]\"\r\n

URLs

https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread","threat_level_id":3,"kb_article_link":null,"coverage":null,"updated_on":"2021-09-22T21:08:45.000Z","external_analysis":{"links":["https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread"]},"is_coat":0,"created_on":"2021-09-22T21:08:45.000Z"}]},{"id":"55424f67-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts

https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/","threat_level_id":2,"kb_article_link":null,"coverage":null,"updated_on":"2021-07-16T21:00:52.000Z","external_analysis":{"links":["https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/","https://www.cadosecurity.com/post/triage-analysis-of-serv-u-ftp-user-backdoor-deployed-by-cve-2021-35211","https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211"]},"is_coat":0,"created_on":"2021-07-16T21:00:52.000Z"}]},{"id":"55521ab5-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts

https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html","threat_level_id":1,"kb_article_link":null,"coverage":{"dat_version":{"min":4695}},"updated_on":"2022-03-10T22:12:48.000Z","external_analysis":{"links":["https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html","https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/looking-over-the-nation-state-actors-shoulders.html"]},"is_coat":1,"created_on":"2022-01-25T16:59:37.000Z"}]},{"id":"55587287-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts

https://unit42.paloaltonetworks.com/bazarloader-malware/.","threat_level_id":2,"kb_article_link":"https://kc.mcafee.com/corporate/index?page=content&id=KB95149","coverage":{"dat_version":{"min":4458}},"updated_on":"2022-02-21T18:23:50.000Z","external_analysis":{"links":["https://unit42.paloaltonetworks.com/bazarloader-malware/"]},"is_coat":1,"created_on":"2021-05-21T19:46:56.000Z"}]},{"id":"555b74bd-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts

https://unit42.paloaltonetworks.com/bazarloader-malware/.","threat_level_id":2,"kb_article_link":"https://kc.mcafee.com/corporate/index?page=content&id=KB95149","coverage":{"dat_version":{"min":4458}},"updated_on":"2022-02-21T18:23:50.000Z","external_analysis":{"links":["https://unit42.paloaltonetworks.com/bazarloader-malware/"]},"is_coat":1,"created_on":"2021-05-21T19:46:56.000Z"}]},{"id":"556b77d0-82d6-48e3-bc24-e19274b7298a","type":"yara","category":"Payload

https://github.com/Neo23x0/signature-base/blob/master/LICENSE\"\r\n\t\tauthor

https://www.trendmicro.com/en_us/research/21/i/cryptominer-z0miner-uses-newly-discovered-vulnerability-cve-2021.html","threat_level_id":3,"kb_article_link":null,"coverage":null,"updated_on":"2021-09-23T21:08:39.000Z","external_analysis":{"links":["https://www.trendmicro.com/en_us/research/21/i/cryptominer-z0miner-uses-newly-discovered-vulnerability-cve-2021.html"]},"is_coat":0,"created_on":"2021-09-23T05:08:48.000Z"}]},{"id":"5572c500-4fb6-4ecf-b438-558cefa2a0f1","type":"yara","category":"Payload

https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/","threat_level_id":2,"kb_article_link":null,"coverage":null,"updated_on":"2021-07-30T21:00:36.000Z","external_analysis":{"links":["https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/","https://github.com/craiu/iocs/blob/main/lemonduck/hashes.txt","https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/"]},"is_coat":0,"created_on":"2021-07-28T21:00:44.000Z"}]},{"id":"5600d974-8c73-4140-895d-664d35e4d812","type":"vulnerability","category":"External

https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html","threat_level_id":3,"kb_article_link":null,"coverage":null,"updated_on":"2021-10-20T21:08:42.000Z","external_analysis":{"links":["https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html#more"]},"is_coat":0,"created_on":"2021-10-20T21:08:42.000Z"}]},{"id":"5619e328-4e9c-4ed5-a95a-d627e0def0eb","type":"command-line","category":"Other","value":"\"CSIDL_SYSTEM\\wscript.exe\"

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine","threat_level_id":2,"kb_article_link":null,"coverage":null,"updated_on":"2022-03-10T20:06:17.000Z","external_analysis":{"links":["https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine"]},"is_coat":0,"created_on":"2022-02-01T06:14:49.000Z"}]},{"id":"56223e89-06ec-40a4-a152-24e10b3bbe8e","type":"command-line","category":"Other","value":"curl

http://45.9.148[.]182/bin/bot/chimera.cc

https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools","threat_level_id":3,"kb_article_link":null,"coverage":null,"updated_on":"2021-10-19T21:08:39.000Z","external_analysis":{"links":["https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools","https://securityaffairs.co/wordpress/123535/cyber-crime/teamtnt-docker-attack.html"]},"is_coat":0,"created_on":"2021-10-08T21:08:42.000Z"}]},{"id":"5625cca8-c8ea-4a20-8770-2cd1da012ec9","type":"yara","category":"Payload

https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html\nlogsource:\n

https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n

https://blog.talosintelligence.com/2017/05/wannacry.html\n

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\n

https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/\n

https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\n

https://github.com/Neo23x0/Raccine#the-process\n

https://github.com/Neo23x0/Raccine/blob/main/yara/gen_ransomware_command_lines.yar\ntags:\n

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 6 IoCs

Processes:

AdobeARMHelper.exearmsvc.exeAdobeARM.exeMSIA7CA.tmpRdrServicesUpdater.exearmsvc.exe

pid process

4784 AdobeARMHelper.exe
4344 armsvc.exe
1660 AdobeARM.exe
2288 MSIA7CA.tmp
1900 RdrServicesUpdater.exe
1436 armsvc.exe
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
4784	AdobeARMHelper.exe
4344	armsvc.exe
1660	AdobeARM.exe
2288	MSIA7CA.tmp
1900	RdrServicesUpdater.exe
1436	armsvc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AdobeARMHelper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	AdobeARMHelper.exe

Loads dropped DLL 48 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exe

pid	process
812	MsiExec.exe
4688	MsiExec.exe
4688	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

AdobeARMHelper.exeAdobeARM.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AdobeARMHelper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AdobeARM.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in System32 directory 1 IoCs

Processes:

MsiExec.exe

description ioc process

File created C:\Windows\SysWOW64\Elevation.tmp MsiExec.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Elevation.tmp	MsiExec.exe

Drops file in Program Files directory 64 IoCs

Processes:

RdrServicesUpdater.exemsiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\file_types\themes\dark\s_agreement_filetype.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\js\nls\uk-ua\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_fi_135x40.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\scan-2x.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\images\email\empty.png	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Updater.api	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_checkbox_partialselected-default_18.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\viewer\nls\en-gb\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\close_dark.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\js\nls\ko-kr\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\RHP_icons_2x.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\svgCheckboxSelected.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\pages-app\images\rhp_world_icon_2x.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\js\nls\pl-pl\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\home\css\main.css	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_nl_135x40.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\desktop-connector-files\js\selector.js	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_invite_18.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\editpdf.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\editpdf\js\nls\sl-si\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\img\themes\dark\core_icons.png	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\images\themes\dark\sfs_icons.png	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\file_types\acrobat_pdf.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\images\themes\dark\new_icons.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\ob-preview\js\nls\nl-nl\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\walk-through\js\nls\fr-fr\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\welcome-2x.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\ui-strings.js	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl64.dll	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\activity-badge\css\main-selector.css	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\digsig\js\nls\ja-jp\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\ob-preview\js\nls\sk-sk\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\search-summary\js\nls\fr-ma\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\home\js\nls\en-gb\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\home\js\nls\de-de\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\app\dev\nls\ko-kr\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\AddressBook2x.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_filter-dark-disabled_32.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\uss-search\js\nls\pl-pl\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\signatures\js\nls\eu-es\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\img\tools\@1x\[email protected]	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\app\dev\nls\tr-tr\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\css\main-high-contrast.css	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\js\nls\ja-jp\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\walk-through\js\nls\sv-se\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\activity-badge\js\nls\it-it\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\js\nls\fr-ma\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\add-account\js\nls\eu-es\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\Playstore\ru_get.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\Playstore\zh-tw_get.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\walk-through\js\nls\de-de\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\js\nls\zh-tw\ui-strings.js	RdrServicesUpdater.exe

Drops file in Windows directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\1d8ed93.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8eda8.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8edd4.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8ed92.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8edbf.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\XDPFile_8.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3246.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8edb0.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8ed85.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8ed95.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8edba.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8edc9.HDR	msiexec.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDXFile_8.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICD33.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI71A2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8eda1.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8edaf.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8edc0.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8edcb.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8ede1.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8ede3.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB0EB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEAC9.tmp	msiexec.exe
File created	C:\Windows\Installer\1d8edf7.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8ed9b.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8edd4.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8edd6.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8edf0.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8edf3.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7059.tmp	msiexec.exe
File created	C:\Windows\Installer\1d8ede5.HDR	msiexec.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDFFile_8.ico	msiexec.exe
File created	C:\Windows\Installer\1d8ed87.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8ed98.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8eda1.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8edc7.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8edd1.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8edd3.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8ede9.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8edf4.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8ed92.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8edff.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8edd7.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8edde.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8edbe.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8eda4.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8edb3.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8edbb.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8ede8.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8edef.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8ed9e.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8ed89.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8edad.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8edb1.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8edcf.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8edd1.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8edfd.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8ed75.msi	msiexec.exe
File created	C:\Windows\Installer\1d8ed90.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8edad.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8edd0.HDR	msiexec.exe
File created	C:\Windows\Installer\1d8eddd.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d8ed7c.msp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6FFA.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

860 2448 WerFault.exe chrome.exe

pid	pid_target	process	target process
860	2448	WerFault.exe	chrome.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

msiexec.exeMsiExec.exeAcroRd32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppPath = "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\Policy = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppName = "AdobeCollabSync.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\AppName = "AcroRd32.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\Policy = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppName = "AcroBroker.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\Policy = "3"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppName = "AdobeARM.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\AppName = "AcroRd32.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\AppName = "AcroRd32.exe"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\Policy = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\Compatibility Flags = "1024"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\AppName = "RdrCEF.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\	msiexec.exe

Modifies data under HKEY_USERS 48 IoCs

Processes:

compattelrunner.exemsiexec.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AsyncTextService_8wekyb3d8bbwe%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.creddialoghost_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.CallingShellApp_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppResolverUX_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	compattelrunner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.FileExplorer_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Search_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	compattelrunner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	compattelrunner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.BioEnrollment_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Win32WebViewHost_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.CloudExperienceHost_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.XGpuEjectDialog_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.LockApp_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CImmersiveControlPanel%5Cresources.pri	compattelrunner.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.FilePicker_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoftWindows.Client.CBS_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.PeopleExperienceHost_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CPrintDialog%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.windows.narratorquickstart_8wekyb3d8bbwe%5Cresources.pri	compattelrunner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AccountsControl_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.ECApp_8wekyb3d8bbwe%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.ContentDeliveryManager_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CWindows.CBSPreview_cw5n1h2txyewy%5Cresources.pri	compattelrunner.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exeMsiExec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3EA-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EB-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\6\ = "3, 1, 32, 1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C523F390-9C83-11D3-9094-00104BD0D535}\3.0\FLAGS\ = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{671B6145-4169-4ADD-9AF3-E6990EB2B325}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adobe.AcrobatSearch\CurVer\ = "Adobe.AcrobatSearch.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDE0D630-7801-47cd-984E-1F0AFBC5ACBF}\ProgID\ = "Adobe.Reader.HTMLPreview.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\launchreader	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.FDFDoc\shell\Read\command\command = 3300340054004c006000690060005a00350028004e0033003200260028006a0046007b0029002100520065006100640065007200500072006f006700720061006d00460069006c00650073003e006600570044004b003600510062006e006400390033002600280053005e0046004a006900340030002000220025003100220000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.FDFDoc\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C523F390-9C83-11D3-9094-00104BD0D535}\3.0\0\win32\ = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\plug_ins\\Accessibility.api"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74A13FDD-9BCF-4229-9CAB-0079A5E17A25}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.api\OpenWithProgids	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\66EDAE6A408000009195000000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Document.DC\Shellex\PropertySheetHandlers\InfoPage\ = "{F9DB5320-233E-11D1-9F84-707F02C10627}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroPDF.PDF.1\DocObject	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{81F9B44F-BA3A-4F5D-9B51-090C74A9B3A4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.acrobatsecuritysettings\ = "AcroExch.acrobatsecuritysettings"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.pdfxml.1\Insertable\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41738EEA-442F-477F-92CF-2889BD6CD7E7}\1.0\FLAGS\ = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\66EDAE6A408000009195000000000000\68AB67CA408033019195008142136144	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xfdf\Content Type = "application/vnd.adobe.xfdf"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.FDFDoc\ = "Adobe Acrobat Forms Document"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF9A1DA0-23C0-101B-B02E-FDFDFDFDFDFD}\AutoTreatAs\ = "{B801CA65-A1FC-11D0-85AD-444553540000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroExch.Document.DC\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroExch.acrobatsecuritysettings	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\AcroRD32.exe\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5007373A-20D7-458F-9FFB-ABC900E3A831}\TypeLib\ = "{C523F390-9C83-11D3-9094-00104BD0D535}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{673E8454-7646-11D1-B90B-00A0C9259304}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{5007373A-20D7-458F-9FFB-ABC900E3A831}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00FFD6C4-1A94-44BC-AD3E-8AC18552E3E6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EE5A151A-AD2A-4CEE-AD65-228B59F5B4AD}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PDXFileType\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EA23D88-569E-4EFD-9851-A1528A7745F9}\TypeLib\Version = "1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroExch.pdfxml.1\Insertable	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.fdf\OpenWithProgids\AcroExch.FDFDoc = "0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B813CE7-7C10-4F84-AD06-9DF76D97A9AA}\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A894040-247E-4AFF-BB08-3489E9905235}\ = "IPDDomNodeExt"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MIME\Database\Content Type\application/pdf	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\InprocServer32\ = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\plug_ins\\Accessibility.api"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroExch.pdfxml.1\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D38406DA-E8AA-484b-B80D-3D3DBDCC2FB2}\LocalServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroExch.XDPDoc\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EA-4981-101B-9CA8-9240CE2738AE}\TypeLib\ = "{E64169B3-3592-47D2-816E-602C5C13F328}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F1E6C7A4-6B15-4C06-B1EF-88A4F2A886CB}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{673E8454-7646-11D1-B90B-00A0C9259304}\ = "IField"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl64.dll, 102"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{81F9B44F-BA3A-4F5D-9B51-090C74A9B3A4}\ = "IAccID"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\ = "IPDFShellInfo"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Adobe.AcrobatSearch\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3F1-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A894040-247E-4AFF-BB08-3489E9905235}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\68AB67CA7DA700005205CA31A0E42800\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E790E1D1-9DE8-4853-8AC6-933D4FD9C927}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0F6D3808-7974-4B1A-94C2-3200767EACE8}\1.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\DocObject\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F6D3808-7974-4B1A-94C2-3200767EACE8}\1.0\FLAGS\ = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\TypeLib\ = "{05BFD3F1-6319-4F30-B752-C7A22889BCC4}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3E7-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\acrobat\shell\open\command	msiexec.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

2064 NOTEPAD.EXE
548 NOTEPAD.EXE

pid	process
2064	NOTEPAD.EXE
548	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AcroRd32.exeAdobeARM.exeAdobeARMHelper.exeMsiExec.exechrome.exe

pid	process
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
396	AdobeARM.exe
396	AdobeARM.exe
396	AdobeARM.exe
396	AdobeARM.exe
396	AdobeARM.exe
396	AdobeARM.exe
396	AdobeARM.exe
396	AdobeARM.exe
396	AdobeARM.exe
396	AdobeARM.exe
396	AdobeARM.exe
396	AdobeARM.exe
396	AdobeARM.exe
396	AdobeARM.exe
396	AdobeARM.exe
396	AdobeARM.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
396	AdobeARM.exe
396	AdobeARM.exe
4784	AdobeARMHelper.exe
4784	AdobeARMHelper.exe
4784	AdobeARMHelper.exe
4784	AdobeARMHelper.exe
4784	AdobeARMHelper.exe
4784	AdobeARMHelper.exe
4784	AdobeARMHelper.exe
4784	AdobeARMHelper.exe
4784	AdobeARMHelper.exe
4784	AdobeARMHelper.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1852	MsiExec.exe
1296	chrome.exe
1296	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

chrome.exe

pid	process
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AdobeARMHelper.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4784	AdobeARMHelper.exe
Token: SeIncreaseQuotaPrivilege	4784	AdobeARMHelper.exe
Token: SeSecurityPrivilege	1132	msiexec.exe
Token: SeCreateTokenPrivilege	4784	AdobeARMHelper.exe
Token: SeAssignPrimaryTokenPrivilege	4784	AdobeARMHelper.exe
Token: SeLockMemoryPrivilege	4784	AdobeARMHelper.exe
Token: SeIncreaseQuotaPrivilege	4784	AdobeARMHelper.exe
Token: SeMachineAccountPrivilege	4784	AdobeARMHelper.exe
Token: SeTcbPrivilege	4784	AdobeARMHelper.exe
Token: SeSecurityPrivilege	4784	AdobeARMHelper.exe
Token: SeTakeOwnershipPrivilege	4784	AdobeARMHelper.exe
Token: SeLoadDriverPrivilege	4784	AdobeARMHelper.exe
Token: SeSystemProfilePrivilege	4784	AdobeARMHelper.exe
Token: SeSystemtimePrivilege	4784	AdobeARMHelper.exe
Token: SeProfSingleProcessPrivilege	4784	AdobeARMHelper.exe
Token: SeIncBasePriorityPrivilege	4784	AdobeARMHelper.exe
Token: SeCreatePagefilePrivilege	4784	AdobeARMHelper.exe
Token: SeCreatePermanentPrivilege	4784	AdobeARMHelper.exe
Token: SeBackupPrivilege	4784	AdobeARMHelper.exe
Token: SeRestorePrivilege	4784	AdobeARMHelper.exe
Token: SeShutdownPrivilege	4784	AdobeARMHelper.exe
Token: SeDebugPrivilege	4784	AdobeARMHelper.exe
Token: SeAuditPrivilege	4784	AdobeARMHelper.exe
Token: SeSystemEnvironmentPrivilege	4784	AdobeARMHelper.exe
Token: SeChangeNotifyPrivilege	4784	AdobeARMHelper.exe
Token: SeRemoteShutdownPrivilege	4784	AdobeARMHelper.exe
Token: SeUndockPrivilege	4784	AdobeARMHelper.exe
Token: SeSyncAgentPrivilege	4784	AdobeARMHelper.exe
Token: SeEnableDelegationPrivilege	4784	AdobeARMHelper.exe
Token: SeManageVolumePrivilege	4784	AdobeARMHelper.exe
Token: SeImpersonatePrivilege	4784	AdobeARMHelper.exe
Token: SeCreateGlobalPrivilege	4784	AdobeARMHelper.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeSecurityPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

AdobeARM.exechrome.exe

pid	process
1660	AdobeARM.exe
1660	AdobeARM.exe
1660	AdobeARM.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

AdobeARM.exechrome.exe

pid	process
1660	AdobeARM.exe
1660	AdobeARM.exe
1660	AdobeARM.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe

Suspicious use of SetWindowsHookEx 23 IoCs

Processes:

AcroRd32.exeAdobeARM.exeAdobeARM.exeOpenWith.exe

pid	process
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
4544	AcroRd32.exe
396	AdobeARM.exe
4544	AcroRd32.exe
1660	AdobeARM.exe
1660	AdobeARM.exe
1660	AdobeARM.exe
4976	OpenWith.exe
4976	OpenWith.exe
4976	OpenWith.exe
4976	OpenWith.exe
4976	OpenWith.exe
4976	OpenWith.exe
4976	OpenWith.exe
4976	OpenWith.exe
4976	OpenWith.exe
4976	OpenWith.exe
4976	OpenWith.exe
4976	OpenWith.exe
4976	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4544 wrote to memory of 3192	4544	AcroRd32.exe	RdrCEF.exe
PID 4544 wrote to memory of 3192	4544	AcroRd32.exe	RdrCEF.exe
PID 4544 wrote to memory of 3192	4544	AcroRd32.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 2000	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 4952	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 4952	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 4952	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 4952	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 4952	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 4952	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 4952	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 4952	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 4952	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 4952	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 4952	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 4952	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 4952	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 4952	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 4952	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 4952	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 4952	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 4952	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 4952	3192	RdrCEF.exe	RdrCEF.exe
PID 3192 wrote to memory of 4952	3192	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\13160edab74cc2dd34653920d4bf56e487fea2fd6adf8249e0be9215ced902b4.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=25261554BA6875CEC2F05930A1988DB5 --mojo-platform-channel-handle=1712 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2000
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5B449177FEA78C565D3D21CC195B455D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5B449177FEA78C565D3D21CC195B455D --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4952
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=602C54D72C54B70B06EB21265AA3D9E5 --mojo-platform-channel-handle=2260 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4004
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0F002292CAC95A092DCAF5A9E3D8E1C4 --mojo-platform-channel-handle=1884 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3652
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=66C6A26FD3CBA4D7C6BC635E624EC2A2 --mojo-platform-channel-handle=1712 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2544
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  PID:2960
- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
  "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:396
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
    3⤵
    PID:3420
- - C:\ProgramData\Adobe\ARM\S\30839\AdobeARMHelper.exe
    "C:\ProgramData\Adobe\ARM\S\30839\AdobeARMHelper.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\30839" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4784
  - - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
      "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\30839" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:2500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:4252

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1132
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0FDCED77DCC4D2E6CECBD714E2A0D9E1
  2⤵
  - Loads dropped DLL
  PID:812
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CDDC96E8DBCA4B9FB719C7527B62291B E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:4688
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E56B4C8007BAAE3D8CD2FDECB55C8B0E
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2240
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D663CE915EA1CB6A3CF99D3735B30667 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1852
- C:\Windows\Installer\MSIA7CA.tmp
  "C:\Windows\Installer\MSIA7CA.tmp" /b 2 120 0
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe" 19.010.20098 19.010.20069.0
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1900

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
1⤵
- Executes dropped EXE
PID:4344

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1088

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4976
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\13160edab74cc2dd34653920d4bf56e487fea2fd6adf8249e0be9215ced902b4.pdf
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2064

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\sample.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:548

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
1⤵
- Executes dropped EXE
PID:1436

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
- Modifies data under HKEY_USERS
PID:372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8962a4f50,0x7ff8962a4f60,0x7ff8962a4f70
  2⤵
  PID:2448
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2448 -s 1048
    3⤵
    - Program crash
    PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1648 /prefetch:2
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2932 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2940 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4400 /prefetch:8
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4484 /prefetch:8
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  PID:180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4628 /prefetch:8
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1856 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1852 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=244 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2320 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 /prefetch:8
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2348 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2212 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7908 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7712 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8036 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7672 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8396 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8632 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8600 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7528 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7500 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9192 /prefetch:8
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7944 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9156 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7556 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8872 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8960 /prefetch:1
  2⤵
  PID:5240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9540 /prefetch:1
  2⤵
  PID:5264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9564 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9092 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9716 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9776 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9916 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10060 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9952 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9344 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10412 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9452 /prefetch:1
  2⤵
  PID:5852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7264 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9464 /prefetch:1
  2⤵
  PID:5860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8624 /prefetch:1
  2⤵
  PID:5968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
  2⤵
  PID:6080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7752 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7724 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7772 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8916 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9828 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2608 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8264 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8968 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
  2⤵
  PID:984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8616 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9976 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9944 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5508 /prefetch:2
  2⤵
  PID:5548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:5488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10248 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9420 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10900 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2044 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8436 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10580 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9892 /prefetch:1
  2⤵
  PID:336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7780 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1580 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=108 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9688 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=110 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=111 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=112 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10612 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=113 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,4552959404320090500,10763480477842569859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10664 /prefetch:8
  2⤵
  PID:4920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:4208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

MD5
50b17d217f07d5968b34f42311638f74

SHA1
de0c092e9e157288c661f3471301fc5ee1bddbb5

SHA256
9ad7c8083743312c9742f5844f6eff38d9273c3e363ed872ec3640303764e74c

SHA512
5dddf066ebaecdffda6a023704f86b53849d8ba2806b196a71eadb6e250fc77681cab009c1feec691d27aaf0049d0358ac38d17ffe4d73d7a8af5952c5a2c6fb

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

MD5
50b17d217f07d5968b34f42311638f74

SHA1
de0c092e9e157288c661f3471301fc5ee1bddbb5

SHA256
9ad7c8083743312c9742f5844f6eff38d9273c3e363ed872ec3640303764e74c

SHA512
5dddf066ebaecdffda6a023704f86b53849d8ba2806b196a71eadb6e250fc77681cab009c1feec691d27aaf0049d0358ac38d17ffe4d73d7a8af5952c5a2c6fb

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

MD5
fd59fc6011af0e430fdc63aa15b6de75

SHA1
376a72f8ca10471b391d082e09d357a8a067e432

SHA256
28bafddf4f7f85cca3551a3920012e59a6fc4f9334ba80b9f755b43e605f9899

SHA512
11df7b783292f0d08df57eac67d25e1a2dac77010c2f3794dfc6895b532787a2cd2d57b7f72be04354db12a4082ed6760e322de766d6191c7b77c5e0f739c0b4

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Cache\Arm_001824311644_3216470296253461728914826581029245617.msi

MD5
daef9610629678de57c4567339f6e52c

SHA1
3c2f60cce0d017c9f93fe0d09c80a7ca0dc63d0f

SHA256
9aebffc9bb8192c5ba7e51bf7b47246d53837fab2b435d71ccaeaee1cd74c701

SHA512
9a550ec8cb373b6ab488750aa9c679e419b8dfeddf3ccb02593c044553b5bb447516ceebc18e73db2b8c848b79f124ed6764484795b8f4a6d58d954b77f0b4a5

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

MD5
10a58da77ae2073d1baf4f13630ea516

SHA1
aed9c3190f2a2508a150b2f03568f9aa0b4f00c0

SHA256
cb914e1a70aa98cbaae25192df867d73605aa9ae5db4ef77c274c266c2d0b2d8

SHA512
a83454e609d88111463e620f0ea2f2e066ec87136716ccc5146fab432a5fba8778335d9597cbf7bdf475207962194e0f6cf9c97ad8830c4694a23f5aa0a7766d

Download Submit
C:\ProgramData\Adobe\ARM\ArmReport.ini

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Adobe\ARM\ArmReport.ini

MD5
3126111af03149e47eb4c44bef028b7c

SHA1
7a88b1631aa01a2e665ebc1809cda57234aa7846

SHA256
3635638cf5a04fd246d63e6788dbd899ab83aa54f4ad71ff1e0c2564cdb1d8a9

SHA512
3f03f2146491542f1286abe81db863948ae4e4144d2dbaf983a6e05ade84bf39168b67dbfad2f6c9a0f9e01e9ab8af6a917f2fecec0f7a10f461c59cc7f71413

Download Submit
C:\ProgramData\Adobe\ARM\Reader_19.010.20069\AcroRdrDCUpd1901020098.msp

MD5
3404522672187ad49ad74aec689075c0

SHA1
af6b91326f443b04088cd3718b93334a7247ce1a

SHA256
0ef813051b890501283103fb2999aaa01438227b681dcf711d09c10c5846d72d

SHA512
35d47d228977ae3e77b1510e67fc082da37a39f346a23d4d5f65d91ac46ae51581ccb3c507efe6b33a8ac26af11e58ee2128f98a16ba4b1f2bf9b14e70389f18

Download Submit
C:\ProgramData\Adobe\ARM\Reader_19.010.20069\ReaderDCManifest2.msi

MD5
6f014505b038aa70695dc6557662df8b

SHA1
25607777270af2b0a38da97d8d98ab9bc7926980

SHA256
52040d7492e91856c658e4779bdc2de38a81f47e5136d9a772f4559178fbe7fc

SHA512
25c53e4b7c273b3699be727e5a6688dbfad7b6633d78d29e753bc3446b8e2b5e8c752a8842870264fe10a2b3a0246c335bea7457daa289faec67f7ca7c2aaac0

Download Submit
C:\ProgramData\Adobe\ARM\S\30839\AdobeARM.msi

MD5
daef9610629678de57c4567339f6e52c

SHA1
3c2f60cce0d017c9f93fe0d09c80a7ca0dc63d0f

SHA256
9aebffc9bb8192c5ba7e51bf7b47246d53837fab2b435d71ccaeaee1cd74c701

SHA512
9a550ec8cb373b6ab488750aa9c679e419b8dfeddf3ccb02593c044553b5bb447516ceebc18e73db2b8c848b79f124ed6764484795b8f4a6d58d954b77f0b4a5

Download Submit
C:\ProgramData\Adobe\ARM\S\30839\AdobeARMHelper.exe

MD5
522026a14d6bc781d2a15c665e454310

SHA1
9451a39108326ba578793b1feb62f23a02bce916

SHA256
fd115ae8ebd2f37cf1ef72f75242206cf1331c7cb258305011302e981137ee5e

SHA512
4e4eb2f582c8590899a0ada6133b705d13775f60818f1ff4f9bb35e40e09d6570af4f7ac4c80b525b445a03702ca0f3a9867a93080f90697d8be668e2abe2fe7

Download Submit
C:\ProgramData\Adobe\ARM\S\30839\AdobeARMHelper.exe

MD5
522026a14d6bc781d2a15c665e454310

SHA1
9451a39108326ba578793b1feb62f23a02bce916

SHA256
fd115ae8ebd2f37cf1ef72f75242206cf1331c7cb258305011302e981137ee5e

SHA512
4e4eb2f582c8590899a0ada6133b705d13775f60818f1ff4f9bb35e40e09d6570af4f7ac4c80b525b445a03702ca0f3a9867a93080f90697d8be668e2abe2fe7

Download Submit
C:\ProgramData\Adobe\ARM\S\ARM.msi

MD5
daef9610629678de57c4567339f6e52c

SHA1
3c2f60cce0d017c9f93fe0d09c80a7ca0dc63d0f

SHA256
9aebffc9bb8192c5ba7e51bf7b47246d53837fab2b435d71ccaeaee1cd74c701

SHA512
9a550ec8cb373b6ab488750aa9c679e419b8dfeddf3ccb02593c044553b5bb447516ceebc18e73db2b8c848b79f124ed6764484795b8f4a6d58d954b77f0b4a5

Download Submit
C:\ProgramData\Adobe\ARM\S\ArmManifest2.msi

MD5
9143aa55d6501307e953cb70ef371d95

SHA1
caf0709471745e9fe777e72f14b76dec9323feb7

SHA256
7b28c43870421a07e46dbcc29b6f5d3fa4d0656328c318eeabd3780464502827

SHA512
1edd5df07c7894fed273d959ac62f64a9c82135d6ab5a151d5fccf72cec0b3e282a1ee4e5baa4037925ab30451b700c565777da2cf3d29dfa5d7ea8c2a3ac9df

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edb.chk

MD5
12e2c40794242f6be8edf3d657b369f4

SHA1
cff5024b69c0f99610b5ff175880103c4edcba6e

SHA256
11526e419f69b59919799cb04ac5fb71c7bf6f231ccb417729911d3e7d7f9f6a

SHA512
aa3362127079db5b4befacba0bc91241f426ee173183772b7b9320b76035aaec0db0833b07fb394be872ce7fc1168e0a891dfc65d5966dd6d74cf57f34a406e5

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edb.log

MD5
51dd3069180e0e3d24fcb334c252c824

SHA1
a25d085b93f023a7686a78c692e9852dfa286330

SHA256
3d2e4110e601bc63054fb1094b1bf737c012628a15c5afedbe691ce30a2d4007

SHA512
a83e05711280e05fbab92c05e9d2e4528a1e1ea235ea99a68c5d351c5f8b89050690556e8acd424a1e0a0c61d97519d67b44ad168f0039f1ce3af0191792d0c7

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

MD5
d43bf711f932a804e22b65234633886f

SHA1
f4d7f3ec61dcb69c33b4127ff101bc768bceae4a

SHA256
417bc343b618131868fca1f14bd2d6fb51b8282e1dfdd7e10f407ba2e886d1ee

SHA512
e5f3c32c393b5cb25ef0d9deb791e8a8cf7dcb9d1008802deab158329666efe7c37960826f1f1b7595a7403e06680aa3864fc4adaf62072254be88c4cade60d7

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

MD5
66eb69e503ef7d505d71e9ca416f2a71

SHA1
952a542d24d642e831faae95760a119409d9219b

SHA256
fedf0361177c06fcb64cc2f25667c804f1ff27fddad772b360ad9d85fd18de26

SHA512
7d4ede2296d73726e2d0d14b1dfc251737e7014a1e88aa1e8b594ae6486a26560a02e0560d3e3ee06b1c9ad3491b1e8b809c9f843a1e349a7a93316ee764dcfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

MD5
76b85117ac9ac54dd783415fd0adaee5

SHA1
7e8ea42833e0c6366f41d1b72488ce659472bdf4

SHA256
36a0000505b65db9810240c1fb9d3d30ef3e945cbfe532b2bfd8a0b5c323ad53

SHA512
40119f9e4d2021ad9bdd6563fc49fbd6501ba288fb56e78fcaac7c13d04e9ef68826ed46dbd341635d660ec2a2eeb19ed9951862f32dda6fc6589094299246e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC

MD5
45864b921432eaba312ab922c1053738

SHA1
0b0bdb0ac731b20b4479ccc4fc1857e508d902ce

SHA256
86b0deff34c9c87ffe0f02ae8585ed3c2dd72a41fe569d39532d1292af6bb50e

SHA512
20df99eb084fb250375fadd3f71de7ca674ad63c56ad499c5e6a2b262813c154788a52cf26b23fef251da61c0c56c58a1f67c1e270f4378ba4e0e0c3b089f499

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

MD5
db806a3084b03840bd5ab0246190b108

SHA1
eacbc79c1be42a3c9bb5885449306e8e0179d81c

SHA256
b1c368dc996c608ec87313298307b42c7abe9f8975b8bacee69df69afafa67f4

SHA512
ec96dbb656bc7299297ed73ea94a1a42e8d83c2db3744c2061ee01417f8c494a4460dfc60c687632604e05a8d6ad9fd327cba0e65f052d5157edb83de8e51c2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC

MD5
fb33d742177ace3ec9f51abc6ab6bd52

SHA1
162774c1e9edafcdd9083c78be8b90d33110a960

SHA256
5492ca99955c199eafbf338214a1b5220cc4ad77a19890badb55c2ee3b606a73

SHA512
f764b5cecf05acb20aeb0be800b0767ecb2b82e11017aaef461de96f6739649136b6af6f3e2e2b47fc2639a10a29eda0649ea1ad501da04e7500341e8b755c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeARM.log

MD5
f44b88414986cb3eff02f97570805b29

SHA1
db254350e662922c318f95cbfc17b0274d9e457c

SHA256
c84ba23fe69fd489110ad5a86b88187e6eacaa022b8b193b799c82660411b0fa

SHA512
7ed26429bbfa34b85f3dcef5eb760598c13a6d3a2e5cdfb8db860405ab7a79fa874d23da5cc03493dc7c1d9bbb894f2ddc3b962c01d6f3a445b7b688c663f7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeARM.log

MD5
01b5dba6afca6b01181b57b6f4637300

SHA1
499d48a27560a3af6253cce706d8e21b744a1ae8

SHA256
5def5de33cf6d0b35c7200107de1b78bffd9c2405ffa6595d6f973e03444beb2

SHA512
de8e65dee581961eac7d261d31b0481ebd6ad5a4b0f04051ae5539afc50711d993da8c880367189973c43466b3f2ae179dc47200a0ac418329ea52020af665d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArmUI.ini

MD5
864c22fb9a1c0670edf01c6ed3e4fbe4

SHA1
bf636f8baed998a1eb4531af9e833e6d3d8df129

SHA256
b4d4dcd9594d372d7c0c975d80ef5802c88502895ed4b8a26ca62e225f2f18b0

SHA512
ff23616ee67d51daa2640ae638f59a8d331930a29b98c2d1bd3b236d2f651f243f9bae38d58515714886cfbb13b9be721d490aad4f2d10cbba74d7701ab34e09

Download Submit
C:\Windows\Installer\MSI2250.tmp

MD5
fadffef98d0f28368b843c6e9afd9782

SHA1
578101fadf1034c4a928b978260b120b740cdfb9

SHA256
73f7e51214b775421f6679acabc51ac1d34b4271116f5f3dd3426df50d214886

SHA512
ba5ab56a7e5d2e54fc304d77c78a14b35b187fdd95a090d39193b3da6ab40ef1b38c3cd56b160edceded3d622c0b645376efaf3df8fc8c437f448f91587f3233

Download Submit
C:\Windows\Installer\MSI2250.tmp

MD5
fadffef98d0f28368b843c6e9afd9782

SHA1
578101fadf1034c4a928b978260b120b740cdfb9

SHA256
73f7e51214b775421f6679acabc51ac1d34b4271116f5f3dd3426df50d214886

SHA512
ba5ab56a7e5d2e54fc304d77c78a14b35b187fdd95a090d39193b3da6ab40ef1b38c3cd56b160edceded3d622c0b645376efaf3df8fc8c437f448f91587f3233

Download Submit
C:\Windows\Installer\MSI3B29.tmp

MD5
4184a5369d3bd6592b1db5cd2ac465ef

SHA1
be848190344933e38e0d40f0d56854594f113c42

SHA256
5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5

SHA512
49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

Download Submit
C:\Windows\Installer\MSI3B29.tmp

MD5
4184a5369d3bd6592b1db5cd2ac465ef

SHA1
be848190344933e38e0d40f0d56854594f113c42

SHA256
5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5

SHA512
49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

Download Submit
C:\Windows\Installer\MSI3DBB.tmp

MD5
4184a5369d3bd6592b1db5cd2ac465ef

SHA1
be848190344933e38e0d40f0d56854594f113c42

SHA256
5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5

SHA512
49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

Download Submit
C:\Windows\Installer\MSI3DBB.tmp

MD5
4184a5369d3bd6592b1db5cd2ac465ef

SHA1
be848190344933e38e0d40f0d56854594f113c42

SHA256
5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5

SHA512
49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

Download Submit
C:\Windows\Installer\MSI6FFA.tmp

MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSI6FFA.tmp

MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSI7059.tmp

MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\MSI7059.tmp

MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\MSI71A2.tmp

MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\MSI71A2.tmp

MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\MSI76.tmp

MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSI76.tmp

MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSI7627.tmp

MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSI7627.tmp

MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSI78E8.tmp

MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSI78E8.tmp

MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSI990B.tmp

MD5
c23d4d5a87e08f8a822ad5a8dbd69592

SHA1
317df555bc309dace46ae5c5589bec53ea8f137e

SHA256
6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27

SHA512
fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b

Download Submit
C:\Windows\Installer\MSI990B.tmp

MD5
c23d4d5a87e08f8a822ad5a8dbd69592

SHA1
317df555bc309dace46ae5c5589bec53ea8f137e

SHA256
6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27

SHA512
fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b

Download Submit
C:\Windows\Installer\MSIA2C5.tmp

MD5
f88c6a79abbb5680ae8628fbc7a6915c

SHA1
6e1eb7906cdae149c6472f394fa8fe8dc274a556

SHA256
5ded99991217600ebd0b48f21c4cd946f3c7858f07d712fcfb93f743faa635ed

SHA512
33e150822331356e1cdcbff824b897ca5bf2bed0345d2fa39cf9b1f36a77201167819761b1cc3b6cb02a87625e0b6b85a8505281ccc575ca6b73af68e1e90361

Download Submit
C:\Windows\Installer\MSIA2C5.tmp

MD5
f88c6a79abbb5680ae8628fbc7a6915c

SHA1
6e1eb7906cdae149c6472f394fa8fe8dc274a556

SHA256
5ded99991217600ebd0b48f21c4cd946f3c7858f07d712fcfb93f743faa635ed

SHA512
33e150822331356e1cdcbff824b897ca5bf2bed0345d2fa39cf9b1f36a77201167819761b1cc3b6cb02a87625e0b6b85a8505281ccc575ca6b73af68e1e90361

Download Submit
C:\Windows\Installer\MSIAFD0.tmp

MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIAFD0.tmp

MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIB07D.tmp

MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIB07D.tmp

MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIB0EB.tmp

MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\MSIB0EB.tmp

MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\MSIB205.tmp

MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIB205.tmp

MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIB283.tmp

MD5
0e91605ee2395145d077adb643609085

SHA1
303263aa6889013ce889bd4ea0324acdf35f29f2

SHA256
5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b

SHA512
3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

Download Submit
C:\Windows\Installer\MSIB283.tmp

MD5
0e91605ee2395145d077adb643609085

SHA1
303263aa6889013ce889bd4ea0324acdf35f29f2

SHA256
5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b

SHA512
3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

Download Submit
C:\Windows\Installer\MSICF08.tmp

MD5
0e91605ee2395145d077adb643609085

SHA1
303263aa6889013ce889bd4ea0324acdf35f29f2

SHA256
5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b

SHA512
3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

Download Submit
C:\Windows\Installer\MSICF08.tmp

MD5
0e91605ee2395145d077adb643609085

SHA1
303263aa6889013ce889bd4ea0324acdf35f29f2

SHA256
5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b

SHA512
3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

Download Submit
C:\Windows\Installer\MSIFFD9.tmp

MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIFFD9.tmp

MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
memory/2500-150-0x000001B125A50000-0x000001B125A51000-memory.dmp

Filesize
4KB

Download
memory/2500-149-0x000001B125A70000-0x000001B125A74000-memory.dmp

Filesize
16KB

Download
memory/2500-134-0x000001B122560000-0x000001B122570000-memory.dmp

Filesize
64KB

Download
memory/2500-135-0x000001B123120000-0x000001B123130000-memory.dmp

Filesize
64KB

Download
memory/2500-151-0x000001B125510000-0x000001B125514000-memory.dmp

Filesize
16KB

Download
memory/2500-152-0x000001B125500000-0x000001B125501000-memory.dmp

Filesize
4KB

Download
memory/2500-153-0x000001B125500000-0x000001B125504000-memory.dmp

Filesize
16KB

Download
memory/2500-154-0x000001B125400000-0x000001B125401000-memory.dmp

Filesize
4KB

Download
memory/2500-136-0x000001B1254E0000-0x000001B1254E4000-memory.dmp

Filesize
16KB

Download
memory/4208-227-0x000001CB59350000-0x000001CB59354000-memory.dmp

Filesize
16KB

Download
memory/4208-228-0x000001CB59690000-0x000001CB59694000-memory.dmp

Filesize
16KB

Download
memory/4208-233-0x000001CB59270000-0x000001CB59271000-memory.dmp

Filesize
4KB

Download
memory/4208-232-0x000001CB59370000-0x000001CB59374000-memory.dmp

Filesize
16KB

Download
memory/4208-231-0x000001CB59370000-0x000001CB59371000-memory.dmp

Filesize
4KB

Download
memory/4208-230-0x000001CB59380000-0x000001CB59384000-memory.dmp

Filesize
16KB

Download
memory/4208-229-0x000001CB59680000-0x000001CB59681000-memory.dmp

Filesize
4KB

Download
memory/4252-161-0x000001D431CA0000-0x000001D431CA4000-memory.dmp

Filesize
16KB

Download
memory/4252-171-0x000001D42F9C0000-0x000001D42F9C1000-memory.dmp

Filesize
4KB

Download
memory/4252-170-0x000001D431CC0000-0x000001D431CC4000-memory.dmp

Filesize
16KB

Download
memory/4252-169-0x000001D431CC0000-0x000001D431CC1000-memory.dmp

Filesize
4KB

Download
memory/4252-167-0x000001D432250000-0x000001D432251000-memory.dmp

Filesize
4KB

Download
memory/4252-166-0x000001D432260000-0x000001D432264000-memory.dmp

Filesize
16KB

Download
memory/4252-168-0x000001D431CD0000-0x000001D431CD4000-memory.dmp

Filesize
16KB

Download