redline | 4e5b72658b3ee150f255b726931d387e897d1e5db4f40fbd6a3181e1908671af

Resubmissions

22-09-2022 09:08

220922-k32v4sahh9 10

22-09-2022 09:02

220922-kzq97sefer 10

22-09-2022 08:41

220922-kly3wsagc3 10

Analysis

max time kernel
504s
max time network
514s
platform
windows10-2004_x64
resource
win10v2004-20220812-de
resource tags

arch:x64arch:x86image:win10v2004-20220812-delocale:de-deos:windows10-2004-x64systemwindows
submitted
22-09-2022 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Document.pdf.scr
Size

700.0MB
MD5

42a123d2a8c6b9bf813d4ba30c6f7339
SHA1

020db224e295b652601f34b1b5284f3ad6bdf22f
SHA256

4e5b72658b3ee150f255b726931d387e897d1e5db4f40fbd6a3181e1908671af
SHA512

aec4d9c6c9255ad4764a737bb38f68e525d95d38d634e286100c896683fa1bc5f3b62cdc829b6f990fb2570455a6f1c3a7c81e117499065520c24325700cccaf
SSDEEP

98304:Xm27HCFxPcIIqb9tIKdgEezl6nW1WIxV2UBPB3VsYT:XmHbPcIIqb9u15zl6nW1WA2rYT

Score

10^/10

redline web agilenet microsoft discovery infostealer persistence phishing

Malware Config

Extracted

Family

redline

Botnet

web

62.204.41.139:25190

Attributes

auth_value
2b0495835b75f494572b5792f0b7a9e1

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/636-148-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Executes dropped EXE 7 IoCs

Processes:

ChromeRecovery.exeVC_redist.x64.exeVC_redist.x64.exeVC_redist.x64.exeVC_redist.x86.exeVC_redist.x86.exeVC_redist.x86.exe

pid	process
4744	ChromeRecovery.exe
648	VC_redist.x64.exe
1944	VC_redist.x64.exe
3740	VC_redist.x64.exe
3360	VC_redist.x86.exe
3272	VC_redist.x86.exe
4596	VC_redist.x86.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Document.pdf.scrVC_redist.x64.exeDocument.pdf.scrVC_redist.x86.exeDocument.pdf.scr

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Document.pdf.scr
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	VC_redist.x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Document.pdf.scr
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	VC_redist.x86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Document.pdf.scr

Loads dropped DLL 4 IoCs

Processes:

VC_redist.x64.exeVC_redist.x64.exeVC_redist.x86.exeVC_redist.x86.exe

pid process

1944 VC_redist.x64.exe
628 VC_redist.x64.exe
3272 VC_redist.x86.exe
1336 VC_redist.x86.exe

pid	process
1944	VC_redist.x64.exe
628	VC_redist.x64.exe
3272	VC_redist.x86.exe
1336	VC_redist.x86.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/484-132-0x0000000000290000-0x00000000006DC000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

VC_redist.x64.exeVC_redist.x86.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{3746f21b-c990-4045-bb33-1cf98cff7a68} = "\"C:\\ProgramData\\Package Cache\\{3746f21b-c990-4045-bb33-1cf98cff7a68}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{a98dc6ff-d360-4878-9f0a-915eba86eaf3} = "\"C:\\ProgramData\\Package Cache\\{a98dc6ff-d360-4878-9f0a-915eba86eaf3}\\VC_redist.x86.exe\" /burn.runonce"	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	VC_redist.x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in System32 directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Document.pdf.scrDocument.pdf.scrDocument.pdf.scr

description	pid	process	target process
PID 484 set thread context of 636	484	Document.pdf.scr	InstallUtil.exe
PID 4984 set thread context of 1524	4984	Document.pdf.scr	InstallUtil.exe
PID 3380 set thread context of 4632	3380	Document.pdf.scr	InstallUtil.exe

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3016_1772422651\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3016_1772422651\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3016_1772422651\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3016_1772422651\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3016_1772422651\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3016_1772422651\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3016_1772422651\_metadata\verified_contents.json	elevation_service.exe

Drops file in Windows directory 27 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICAC0.tmp	msiexec.exe
File created	C:\Windows\Installer\e5bbeaa.msi	msiexec.exe
File created	C:\Windows\Installer\e5bbece.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5bbeaa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID735.tmp	msiexec.exe
File created	C:\Windows\Installer\e5bbe99.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{F4499EE3-A166-496C-81BB-51D1BCDC70A9}	msiexec.exe
File created	C:\Windows\Installer\e5bbebd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI73B3.tmp	msiexec.exe
File created	C:\Windows\Installer\e5bbea9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID214.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI645E.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{AEAA18F7-9C96-4A43-BC07-8B88A4913EEB}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC35C.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{3407B900-37F5-4CC2-B612-5CD5D580A163}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6886.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5bbe99.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5bbebe.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F7C.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8972AC25-452E-4FFE-945A-EB9E28C20322}	msiexec.exe
File created	C:\Windows\Installer\e5bbee1.msi	msiexec.exe
File created	C:\Windows\Installer\e5bbebe.msi	msiexec.exe
File created	C:\Windows\Installer\e5bbecd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5bbece.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000789d96067ff55f5b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000789d96060000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900789d9606000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\20	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\21	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\24	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23	msiexec.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exeVC_redist.x64.exeVC_redist.x86.exeVC_redist.x86.exeVC_redist.x64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3EE9944F661AC69418BB151DCBCD079A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EE9944F661AC69418BB151DCBCD079A\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EE9944F661AC69418BB151DCBCD079A\SourceList\PackageName = "vc_runtimeAdditional_x64.msi"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7F81AAEA69C934A4CB70B8884A19E3BE\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.32,bundle\Dependents	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EE9944F661AC69418BB151DCBCD079A	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EE9944F661AC69418BB151DCBCD079A\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7F81AAEA69C934A4CB70B8884A19E3BE\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\009B70435F732CC46B21C55D5D081A36\AdvertiseFlags = "388"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EE9944F661AC69418BB151DCBCD079A\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\52CA2798E254EFF449A5BEE9822C3022\SourceList\PackageName = "vc_runtimeAdditional_x86.msi"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\009B70435F732CC46B21C55D5D081A36\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.32.31332"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EE9944F661AC69418BB151DCBCD079A\Version = "237009508"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.32,bundle\Version = "14.32.31332.0"	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7F81AAEA69C934A4CB70B8884A19E3BE\InstanceType = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\009B70435F732CC46B21C55D5D081A36	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\009B70435F732CC46B21C55D5D081A36\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\52CA2798E254EFF449A5BEE9822C3022\ProductName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.32.31332"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\009B70435F732CC46B21C55D5D081A36\Assignment = "1"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\52CA2798E254EFF449A5BEE9822C3022\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\009B70435F732CC46B21C55D5D081A36\SourceList\PackageName = "vc_runtimeMinimum_x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3EE9944F661AC69418BB151DCBCD079A\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7F81AAEA69C934A4CB70B8884A19E3BE\ProductName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.32.31332"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7F81AAEA69C934A4CB70B8884A19E3BE\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Dependents\{a98dc6ff-d360-4878-9f0a-915eba86eaf3}	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\52CA2798E254EFF449A5BEE9822C3022\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\009B70435F732CC46B21C55D5D081A36\VC_Runtime_Minimum	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.32.31332"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle\Dependents	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.32,bundle\Version = "14.32.31332.0"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.32,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.32.31332"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\009B70435F732CC46B21C55D5D081A36\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.32.31332"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\009B70435F732CC46B21C55D5D081A36\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{3407B900-37F5-4CC2-B612-5CD5D580A163}v14.32.31332\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EE9944F661AC69418BB151DCBCD079A\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{F4499EE3-A166-496C-81BB-51D1BCDC70A9}v14.32.31332\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7F81AAEA69C934A4CB70B8884A19E3BE\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{AEAA18F7-9C96-4A43-BC07-8B88A4913EEB}v14.32.31332\\packages\\vcRuntimeMinimum_x86\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\52CA2798E254EFF449A5BEE9822C3022\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50\52CA2798E254EFF449A5BEE9822C3022	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7F81AAEA69C934A4CB70B8884A19E3BE\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{AEAA18F7-9C96-4A43-BC07-8B88A4913EEB}v14.32.31332\\packages\\vcRuntimeMinimum_x86\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7F81AAEA69C934A4CB70B8884A19E3BE\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.32,bundle\ = "{3746f21b-c990-4045-bb33-1cf98cff7a68}"	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{3746f21b-c990-4045-bb33-1cf98cff7a68}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.32,bundle\Dependents	VC_redist.x86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7F81AAEA69C934A4CB70B8884A19E3BE\Version = "237009508"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\52CA2798E254EFF449A5BEE9822C3022\Provider	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\52CA2798E254EFF449A5BEE9822C3022\Version = "237009508"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7F81AAEA69C934A4CB70B8884A19E3BE\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\009B70435F732CC46B21C55D5D081A36\Provider	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\009B70435F732CC46B21C55D5D081A36\AuthorizedLUAApp = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

powershell.exeDocument.pdf.scrchrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exemsiexec.exepowershell.exeDocument.pdf.scrchrome.exepowershell.exeDocument.pdf.scr

pid	process
1944	powershell.exe
1944	powershell.exe
484	Document.pdf.scr
484	Document.pdf.scr
484	Document.pdf.scr
484	Document.pdf.scr
484	Document.pdf.scr
484	Document.pdf.scr
3968	chrome.exe
3968	chrome.exe
4860	chrome.exe
4860	chrome.exe
5016	chrome.exe
5016	chrome.exe
4292	chrome.exe
4292	chrome.exe
4040	chrome.exe
4040	chrome.exe
876	chrome.exe
876	chrome.exe
3544	chrome.exe
3544	chrome.exe
4200	chrome.exe
4200	chrome.exe
3828	chrome.exe
3828	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3372	chrome.exe
3372	chrome.exe
4948	chrome.exe
4948	chrome.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3420	powershell.exe
3420	powershell.exe
4984	Document.pdf.scr
4984	Document.pdf.scr
3736	chrome.exe
3736	chrome.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
1620	powershell.exe
1620	powershell.exe
3380	Document.pdf.scr
3380	Document.pdf.scr
3380	Document.pdf.scr
3380	Document.pdf.scr

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exe

pid process

4860 chrome.exe
4860 chrome.exe
4860 chrome.exe
4860 chrome.exe
4860 chrome.exe
4860 chrome.exe
4860 chrome.exe
4860 chrome.exe
4860 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeDocument.pdf.scrvssvc.exeVC_redist.x64.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	484	Document.pdf.scr
Token: SeBackupPrivilege	2808	vssvc.exe
Token: SeRestorePrivilege	2808	vssvc.exe
Token: SeAuditPrivilege	2808	vssvc.exe
Token: SeShutdownPrivilege	3740	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	3740	VC_redist.x64.exe
Token: SeSecurityPrivilege	3208	msiexec.exe
Token: SeCreateTokenPrivilege	3740	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	3740	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	3740	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	3740	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	3740	VC_redist.x64.exe
Token: SeTcbPrivilege	3740	VC_redist.x64.exe
Token: SeSecurityPrivilege	3740	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	3740	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	3740	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	3740	VC_redist.x64.exe
Token: SeSystemtimePrivilege	3740	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	3740	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	3740	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	3740	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	3740	VC_redist.x64.exe
Token: SeBackupPrivilege	3740	VC_redist.x64.exe
Token: SeRestorePrivilege	3740	VC_redist.x64.exe
Token: SeShutdownPrivilege	3740	VC_redist.x64.exe
Token: SeDebugPrivilege	3740	VC_redist.x64.exe
Token: SeAuditPrivilege	3740	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	3740	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	3740	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	3740	VC_redist.x64.exe
Token: SeUndockPrivilege	3740	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	3740	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	3740	VC_redist.x64.exe
Token: SeManageVolumePrivilege	3740	VC_redist.x64.exe
Token: SeImpersonatePrivilege	3740	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	3740	VC_redist.x64.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exeVC_redist.x64.exe

pid	process
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
1944	VC_redist.x64.exe
1944	VC_redist.x64.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Document.pdf.scrchrome.exe

description	pid	process	target process
PID 484 wrote to memory of 1944	484	Document.pdf.scr	powershell.exe
PID 484 wrote to memory of 1944	484	Document.pdf.scr	powershell.exe
PID 484 wrote to memory of 1944	484	Document.pdf.scr	powershell.exe
PID 484 wrote to memory of 4116	484	Document.pdf.scr	InstallUtil.exe
PID 484 wrote to memory of 4116	484	Document.pdf.scr	InstallUtil.exe
PID 484 wrote to memory of 4116	484	Document.pdf.scr	InstallUtil.exe
PID 484 wrote to memory of 1136	484	Document.pdf.scr	InstallUtil.exe
PID 484 wrote to memory of 1136	484	Document.pdf.scr	InstallUtil.exe
PID 484 wrote to memory of 1136	484	Document.pdf.scr	InstallUtil.exe
PID 484 wrote to memory of 636	484	Document.pdf.scr	InstallUtil.exe
PID 484 wrote to memory of 636	484	Document.pdf.scr	InstallUtil.exe
PID 484 wrote to memory of 636	484	Document.pdf.scr	InstallUtil.exe
PID 484 wrote to memory of 636	484	Document.pdf.scr	InstallUtil.exe
PID 484 wrote to memory of 636	484	Document.pdf.scr	InstallUtil.exe
PID 484 wrote to memory of 636	484	Document.pdf.scr	InstallUtil.exe
PID 484 wrote to memory of 636	484	Document.pdf.scr	InstallUtil.exe
PID 484 wrote to memory of 636	484	Document.pdf.scr	InstallUtil.exe
PID 4860 wrote to memory of 2272	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 2272	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 4144	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 3968	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 3968	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 1592	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 1592	4860	chrome.exe	chrome.exe
PID 4860 wrote to memory of 1592	4860	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Document.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Document.pdf.scr" /S
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
PID:4116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
PID:1136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
PID:636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb3cb94f50,0x7ffb3cb94f60,0x7ffb3cb94f70
2⤵
PID:2272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1668 /prefetch:2
2⤵
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2024 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 /prefetch:8
2⤵
PID:1592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
2⤵
PID:2524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1
2⤵
PID:3540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
2⤵
PID:3108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4484 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4980 /prefetch:8
2⤵
PID:4988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5116 /prefetch:8
2⤵
PID:3596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5248 /prefetch:8
2⤵
PID:4024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5248 /prefetch:8
2⤵
PID:1676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5224 /prefetch:8
2⤵
PID:1372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5156 /prefetch:8
2⤵
PID:2948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5212 /prefetch:8
2⤵
PID:3492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
2⤵
PID:1344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5096 /prefetch:8
2⤵
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5516 /prefetch:8
2⤵
PID:1736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5300 /prefetch:8
2⤵
PID:1564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5000 /prefetch:8
2⤵
PID:628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5192 /prefetch:8
2⤵
PID:2512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2780 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2628 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1548 /prefetch:8
2⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2636 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
2⤵
PID:4116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2696 /prefetch:1
2⤵
PID:1792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
2⤵
PID:2948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3368 /prefetch:8
2⤵
PID:1684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2588 /prefetch:1
2⤵
PID:3936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
2⤵
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3796 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3368 /prefetch:8
2⤵
PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5800 /prefetch:8
2⤵
PID:316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5604 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3808 /prefetch:8
2⤵
PID:2836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3952 /prefetch:8
2⤵
PID:3916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4948

C:\Users\Admin\Downloads\VC_redist.x64.exe
"C:\Users\Admin\Downloads\VC_redist.x64.exe"
2⤵
- Executes dropped EXE
PID:648

C:\Windows\Temp\{22461030-5776-4904-93DB-89A32697A622}\.cr\VC_redist.x64.exe
"C:\Windows\Temp\{22461030-5776-4904-93DB-89A32697A622}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\VC_redist.x64.exe" -burn.filehandle.attached=716 -burn.filehandle.self=720
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:1944

C:\Windows\Temp\{5F149C9B-308B-4F07-8DFB-D05DD25777CD}\.be\VC_redist.x64.exe
"C:\Windows\Temp\{5F149C9B-308B-4F07-8DFB-D05DD25777CD}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{7BA12BCE-377C-4C21-B4CE-E8CC6FC6FE0B} {E6501797-C21A-4C97-965E-10113F79809C} 1944
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={3746f21b-c990-4045-bb33-1cf98cff7a68} -burn.filehandle.self=1064 -burn.embedded BurnPipe.{9F7866A9-25B3-4546-9761-B17E635A15AF} {2ED83A28-7586-41A8-A8A2-29E3E6E102E3} 3740
5⤵
PID:316

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={3746f21b-c990-4045-bb33-1cf98cff7a68} -burn.filehandle.self=1064 -burn.embedded BurnPipe.{9F7866A9-25B3-4546-9761-B17E635A15AF} {2ED83A28-7586-41A8-A8A2-29E3E6E102E3} 3740
6⤵
- Loads dropped DLL
PID:628

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{5CD1A6AD-64C1-448F-9883-2338AAD70BA6} {D67E981C-37BA-4A32-971D-BFA3A6DDB8C7} 628
7⤵
- Modifies registry class
PID:3272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3400 /prefetch:8
2⤵
PID:888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3552 /prefetch:8
2⤵
PID:4100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
2⤵
PID:4192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5948 /prefetch:8
2⤵
PID:1788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5988 /prefetch:8
2⤵
PID:484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5864 /prefetch:8
2⤵
PID:4132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6000 /prefetch:8
2⤵
PID:1652

C:\Users\Admin\Downloads\VC_redist.x86.exe
"C:\Users\Admin\Downloads\VC_redist.x86.exe"
2⤵
- Executes dropped EXE
PID:3360

C:\Windows\Temp\{CABD647A-41A9-4B72-B0E1-5A3EA9EB6406}\.cr\VC_redist.x86.exe
"C:\Windows\Temp\{CABD647A-41A9-4B72-B0E1-5A3EA9EB6406}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\Downloads\VC_redist.x86.exe" -burn.filehandle.attached=568 -burn.filehandle.self=676
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:3272

C:\Windows\Temp\{CE2BC954-B4D7-4133-85D7-5B34D1F7FFF9}\.be\VC_redist.x86.exe
"C:\Windows\Temp\{CE2BC954-B4D7-4133-85D7-5B34D1F7FFF9}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{1C6BC4F8-81DE-45F1-9CDE-61BF40BC1583} {810C2E58-3E12-4067-8E23-FBCBDDE77741} 3272
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:4596

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={a98dc6ff-d360-4878-9f0a-915eba86eaf3} -burn.filehandle.self=1080 -burn.embedded BurnPipe.{B2684204-0BA2-44B0-85F5-F2268C0BAE64} {2DCADB67-A952-41D3-B390-6A18CC330E89} 4596
5⤵
PID:2640

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=544 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={a98dc6ff-d360-4878-9f0a-915eba86eaf3} -burn.filehandle.self=1080 -burn.embedded BurnPipe.{B2684204-0BA2-44B0-85F5-F2268C0BAE64} {2DCADB67-A952-41D3-B390-6A18CC330E89} 4596
6⤵
- Loads dropped DLL
PID:1336

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{66B6A886-51CB-46AA-8204-BB9968A21D12} {370F0C5C-B878-47C8-9C4D-CB7AA7913D9F} 1336
7⤵
- Modifies registry class
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,4786651375740266680,2730636670786496040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4028 /prefetch:8
2⤵
PID:1064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:312

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:3016

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3016_1772422651\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3016_1772422651\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={24568c58-64ff-4e10-beea-aaa46d40ef33} --system
2⤵
- Executes dropped EXE
PID:4744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:5020

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3372

C:\Users\Admin\AppData\Local\Temp\Document.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Document.pdf.scr" /S
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\Document.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Document.pdf.scr" /S
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3380

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
PID:1224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
PID:4632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3016_1772422651\ChromeRecovery.exe
Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\ProgramData\Package Cache\{3746f21b-c990-4045-bb33-1cf98cff7a68}\VC_redist.x64.exe
Filesize
635KB

MD5
d940ea062ed6e99f6d873c2f5f09d1c9

SHA1
6abec3341d3bca045542c7b812947b55ddaf6b64

SHA256
a0fce2b6c865ae4f00145c9b366c39484daf3160b526c77005e59f6f65adb202

SHA512
e4069e41311e8bd4599de0a1bdf0ee0b76316359a0c83ac663c23da8833e5dc0effa260fe8d0e47f4befa94c87fc7bf93bce2b79792abe8befc59acf5401cfe1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Document.pdf.scr.log
Filesize
1KB

MD5
7e88081fcf716d85992bb3af3d9b6454

SHA1
2153780fbc71061b0102a7a7b665349e1013e250

SHA256
5ffb4a3ea94a6a53c4f88e2191c6fec5fd8a7336e367aa113fe8c12631e0c4d2

SHA512
ec606e14367ae221c04f213a61a6f797034495121198e4788e3afa4aa8db67bf59c5c5210a56afae5557158e8923b013b371b84c7d64303618c5b4c57a2224f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
6195a91754effb4df74dbc72cdf4f7a6

SHA1
aba262f5726c6d77659fe0d3195e36a85046b427

SHA256
3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

SHA512
ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
eb519f623bc04eda51d885a2074440cb

SHA1
375fd6f2bd8505d3ce8b4efb539cfa0767ef5e3d

SHA256
e17c9e1441e3f6fde15b2fa5de11cd4922980fc1e256792f4374d0b01cde59ee

SHA512
b528d3dd63d2297d0875d16b186e4b89209183972ec97703cec7e153d8b94c711c093ccc59b83296239c242bd62fe99fb36289488fd1869b02ec39642adc9003

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20220922111616_000_vcRuntimeMinimum_x64.log
Filesize
2KB

MD5
5b1f012a0e99b4f306493f3ec533ba57

SHA1
a98fe8267dd868c47c01bf61195825394bd74ec8

SHA256
1143629ddf0504b6c005174f9fc9700fc11928f8b850b83bbbf5a30df4a711f0

SHA512
a669b2d10d66745111cc67acee7cacc944e6883c9ecbd9f4d2aa27d61f6830e664830e573dd71139e676288b7d0c2f8e44a4ac45dc12e95251c7868c5013074f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20220922111616_001_vcRuntimeAdditional_x64.log
Filesize
2KB

MD5
f530b8860fb3c1ff0e8b285cfdd70965

SHA1
d7e73cf470409ab7b164febefc9ad9d1639311be

SHA256
5499b8310d27ae11b90b4f4b16db1ffefe3f537cca06130a82f2af75fa7db41d

SHA512
cc14cf52ae7a1cd2b78d8b9998ad99334b653fd0ab3e1fb4ad8ad9cea1a6b11c49b698c828eaa47d7870590b9b152c48165954e1df337cc34a0cb6f94c787a3d

Download Submit
C:\Users\Admin\Downloads\VC_redist.x64.exe
Filesize
24.1MB

MD5
cdce5d5ee259d8071fa82f522c5c7d6e

SHA1
d4f9181e70e3f1aa6c8edffcc15b3c3d4babe36b

SHA256
ce6593a1520591e7dea2b93fd03116e3fc3b3821a0525322b0a430faa6b3c0b4

SHA512
8f86693bf9fb4ee0ba021b826663028158d580a0424417a30d8f95ef8853fcd224b5a213beba5d99b48be0607a0a6870158bf1899fe1445da9ca19a208608527

Download Submit
C:\Users\Admin\Downloads\VC_redist.x64.exe
Filesize
24.1MB

MD5
cdce5d5ee259d8071fa82f522c5c7d6e

SHA1
d4f9181e70e3f1aa6c8edffcc15b3c3d4babe36b

SHA256
ce6593a1520591e7dea2b93fd03116e3fc3b3821a0525322b0a430faa6b3c0b4

SHA512
8f86693bf9fb4ee0ba021b826663028158d580a0424417a30d8f95ef8853fcd224b5a213beba5d99b48be0607a0a6870158bf1899fe1445da9ca19a208608527

Download Submit
C:\Windows\Temp\{22461030-5776-4904-93DB-89A32697A622}\.cr\VC_redist.x64.exe
Filesize
635KB

MD5
d940ea062ed6e99f6d873c2f5f09d1c9

SHA1
6abec3341d3bca045542c7b812947b55ddaf6b64

SHA256
a0fce2b6c865ae4f00145c9b366c39484daf3160b526c77005e59f6f65adb202

SHA512
e4069e41311e8bd4599de0a1bdf0ee0b76316359a0c83ac663c23da8833e5dc0effa260fe8d0e47f4befa94c87fc7bf93bce2b79792abe8befc59acf5401cfe1

Download Submit
C:\Windows\Temp\{22461030-5776-4904-93DB-89A32697A622}\.cr\VC_redist.x64.exe
Filesize
635KB

MD5
d940ea062ed6e99f6d873c2f5f09d1c9

SHA1
6abec3341d3bca045542c7b812947b55ddaf6b64

SHA256
a0fce2b6c865ae4f00145c9b366c39484daf3160b526c77005e59f6f65adb202

SHA512
e4069e41311e8bd4599de0a1bdf0ee0b76316359a0c83ac663c23da8833e5dc0effa260fe8d0e47f4befa94c87fc7bf93bce2b79792abe8befc59acf5401cfe1

Download Submit
C:\Windows\Temp\{5F149C9B-308B-4F07-8DFB-D05DD25777CD}\.ba\wixstdba.dll
Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{5F149C9B-308B-4F07-8DFB-D05DD25777CD}\.be\VC_redist.x64.exe
Filesize
635KB

MD5
d940ea062ed6e99f6d873c2f5f09d1c9

SHA1
6abec3341d3bca045542c7b812947b55ddaf6b64

SHA256
a0fce2b6c865ae4f00145c9b366c39484daf3160b526c77005e59f6f65adb202

SHA512
e4069e41311e8bd4599de0a1bdf0ee0b76316359a0c83ac663c23da8833e5dc0effa260fe8d0e47f4befa94c87fc7bf93bce2b79792abe8befc59acf5401cfe1

Download Submit
C:\Windows\Temp\{5F149C9B-308B-4F07-8DFB-D05DD25777CD}\.be\VC_redist.x64.exe
Filesize
635KB

MD5
d940ea062ed6e99f6d873c2f5f09d1c9

SHA1
6abec3341d3bca045542c7b812947b55ddaf6b64

SHA256
a0fce2b6c865ae4f00145c9b366c39484daf3160b526c77005e59f6f65adb202

SHA512
e4069e41311e8bd4599de0a1bdf0ee0b76316359a0c83ac663c23da8833e5dc0effa260fe8d0e47f4befa94c87fc7bf93bce2b79792abe8befc59acf5401cfe1

Download Submit
C:\Windows\Temp\{5F149C9B-308B-4F07-8DFB-D05DD25777CD}\cab2C04DDC374BD96EB5C8EB8208F2C7C92
Filesize
5.4MB

MD5
be501f118803c6b283e5743cb94d4f44

SHA1
a9530c227fb73f98d137e6c178f48c4fcb78a1da

SHA256
008ca0b47d627692050c2b7fd16bc670c2ea2a7541ed4cad9abd1675a481b6c5

SHA512
ddb3f7913f45e9d9c757cbc7b75b7a65c3eb9bf429c97ad73e9b321849427617ea4a1fdc15ca5166a5417345552046c6ba043a8d14ff4fc61d58a1f38f288356

Download Submit
C:\Windows\Temp\{5F149C9B-308B-4F07-8DFB-D05DD25777CD}\cab5046A8AB272BF37297BB7928664C9503
Filesize
883KB

MD5
c1f40b16e6dfd6c841c1f97524ac53f6

SHA1
7eaf1a916ac8498253a310ef30d6e2198f2c0555

SHA256
a05b0138d3c22af4593feb5b4a3a55f92e4d958246bc4a87754eee73e5e52600

SHA512
b5aba56c88d9375157954996cae73e1d55faaf956181a2ef8c1f62612da91356454ad367ae5a5eb370d5c96cc27bf2b7d359f874a191c8913cfc3723b166ee6e

Download Submit
C:\Windows\Temp\{5F149C9B-308B-4F07-8DFB-D05DD25777CD}\vcRuntimeAdditional_x64
Filesize
180KB

MD5
049e4621dbd5337ae926e067b6b442b5

SHA1
6dae8d1d8106021c21b47b06765849e93f8e3359

SHA256
f76e2807b845c49e15d8a41e3191716eac9931467bfdd8366b60900b1fef4235

SHA512
46788a3c050508ac0868d8fc312a62724ae44d9f04f456075413d5a364b7152faab1027659435e39163952bb216b629ae77ab2f6a6b4318e8a8bb33f7d6413d3

Download Submit
C:\Windows\Temp\{5F149C9B-308B-4F07-8DFB-D05DD25777CD}\vcRuntimeMinimum_x64
Filesize
180KB

MD5
61f974cf8f47f9a47760c3fb21a2ce3f

SHA1
16ba7bd668619f8e284bd7cbce08fad3ce97fcb9

SHA256
78f2a39485d7b48733bc4767619baa34310cf8f9dedc120d054d0842eb4201ea

SHA512
152a520fb24857ab0a834f1c94e0f7a21c1b998c71861843e37d55a2364a6730fae2f3a02507941ff593a9c1c9f57018d9912bd0d80ab0b87d7b4158194b927c

Download Submit
C:\Windows\Temp\{74EBAA70-5AC8-428F-A419-46F9AAF7B29E}\.ba\wixstdba.dll
Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
\??\pipe\crashpad_4860_XWOCMIHCQDFQMDWU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/316-174-0x0000000000000000-mapping.dmp

Download
memory/484-133-0x0000000005640000-0x0000000005744000-memory.dmp

Filesize
1.0MB

Download
memory/484-134-0x0000000005600000-0x0000000005622000-memory.dmp

Filesize
136KB

Download
memory/484-132-0x0000000000290000-0x00000000006DC000-memory.dmp

Filesize
4.3MB

Download
memory/628-175-0x0000000000000000-mapping.dmp

Download
memory/636-147-0x0000000000000000-mapping.dmp

Download
memory/636-148-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/636-152-0x0000000007AF0000-0x0000000007B2C000-memory.dmp

Filesize
240KB

Download
memory/636-149-0x00000000061B0000-0x00000000067C8000-memory.dmp

Filesize
6.1MB

Download
memory/636-153-0x0000000008850000-0x00000000088E4000-memory.dmp

Filesize
592KB

Download
memory/636-151-0x0000000007A90000-0x0000000007AA2000-memory.dmp

Filesize
72KB

Download
memory/636-150-0x0000000007B80000-0x0000000007C8A000-memory.dmp

Filesize
1.0MB

Download
memory/648-158-0x0000000000000000-mapping.dmp

Download
memory/1136-146-0x0000000000000000-mapping.dmp

Download
memory/1224-192-0x0000000000000000-mapping.dmp

Download
memory/1336-189-0x0000000000000000-mapping.dmp

Download
memory/1524-183-0x0000000000000000-mapping.dmp

Download
memory/1620-191-0x0000000000000000-mapping.dmp

Download
memory/1944-161-0x0000000000000000-mapping.dmp

Download
memory/1944-138-0x00000000054A0000-0x0000000005526000-memory.dmp

Filesize
536KB

Download
memory/1944-137-0x00000000055B0000-0x0000000005BD8000-memory.dmp

Filesize
6.2MB

Download
memory/1944-141-0x0000000005E80000-0x0000000005E90000-memory.dmp

Filesize
64KB

Download
memory/1944-142-0x0000000006620000-0x000000000663E000-memory.dmp

Filesize
120KB

Download
memory/1944-140-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/1944-136-0x0000000002E60000-0x0000000002E96000-memory.dmp

Filesize
216KB

Download
memory/1944-139-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/1944-135-0x0000000000000000-mapping.dmp

Download
memory/1944-143-0x0000000007E80000-0x00000000084FA000-memory.dmp

Filesize
6.5MB

Download
memory/1944-144-0x0000000006B40000-0x0000000006B5A000-memory.dmp

Filesize
104KB

Download
memory/2640-188-0x0000000000000000-mapping.dmp

Download
memory/3272-186-0x0000000000000000-mapping.dmp

Download
memory/3272-178-0x0000000000000000-mapping.dmp

Download
memory/3360-185-0x0000000000000000-mapping.dmp

Download
memory/3420-180-0x0000000000000000-mapping.dmp

Download
memory/3740-165-0x0000000000000000-mapping.dmp

Download
memory/4116-145-0x0000000000000000-mapping.dmp

Download
memory/4224-190-0x0000000000000000-mapping.dmp

Download
memory/4596-187-0x0000000000000000-mapping.dmp

Download
memory/4632-193-0x0000000000000000-mapping.dmp

Download
memory/4744-156-0x0000000000000000-mapping.dmp

Download