9e68542a9eebdb982433cdca5e3bf79246d85c03e85ccb82ea2886290b493184

Analysis

max time kernel
10s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

app.exe
Size

139.6MB
MD5

d4d78a1172851c26a6132cf65de31ae0
SHA1

89bbbcae5e98307ae4e14ae510af4bd17da582c4
SHA256

b9b6921e279b16b9035cc7beffee32ffcc10a4a99bbe6102d122a8b6d07c904c
SHA512

7436b6fc36f7e92e37a2ff555c4685054729c5ccfbb2b75a57696a6aec98339c13cee7009ed9c86016158c5d702a20611f09a514556b3e9c11b941902f848566
SSDEEP

786432:ESfg0tbLs2cRE3FsdxwBFyAaZZiljQWohhjbj6S46P845IPD:ESj5szmFcxwBFyAaZ4jMhhXcyC

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4220	app.exe
1124	app.exe
884	app.exe

Loads dropped DLL 6 IoCs

pid	Process
4220	app.exe
884	app.exe
1124	app.exe
1124	app.exe
1124	app.exe
1124	app.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Detects videocard installed 1 TTPs 12 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4916	WMIC.exe
772	WMIC.exe
1516	WMIC.exe
3436	WMIC.exe
2704	WMIC.exe
6048	WMIC.exe
5368	WMIC.exe
1516	WMIC.exe
5544	WMIC.exe
1544	WMIC.exe
5304	WMIC.exe
1200	WMIC.exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

Process Discovery

T1057

pid	Process
2912	tasklist.exe
4652	tasklist.exe
4284	tasklist.exe
5488	tasklist.exe
5732	tasklist.exe
5856	tasklist.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
5148	reg.exe
4316	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	app.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	app.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	app.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3564	app.exe
3564	app.exe
3564	app.exe
3564	app.exe
2224	app.exe
2224	app.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4220	app.exe
4220	app.exe
4220	app.exe
4220	app.exe
884	app.exe
884	app.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3564	app.exe
Token: SeCreatePagefilePrivilege	3564	app.exe
Token: SeShutdownPrivilege	3564	app.exe
Token: SeCreatePagefilePrivilege	3564	app.exe
Token: SeShutdownPrivilege	3564	app.exe
Token: SeCreatePagefilePrivilege	3564	app.exe
Token: SeShutdownPrivilege	3564	app.exe
Token: SeCreatePagefilePrivilege	3564	app.exe
Token: SeShutdownPrivilege	3564	app.exe
Token: SeCreatePagefilePrivilege	3564	app.exe
Token: SeShutdownPrivilege	3564	app.exe
Token: SeCreatePagefilePrivilege	3564	app.exe
Token: SeDebugPrivilege	2912	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4808	WMIC.exe
Token: SeSecurityPrivilege	4808	WMIC.exe
Token: SeTakeOwnershipPrivilege	4808	WMIC.exe
Token: SeLoadDriverPrivilege	4808	WMIC.exe
Token: SeSystemProfilePrivilege	4808	WMIC.exe
Token: SeSystemtimePrivilege	4808	WMIC.exe
Token: SeProfSingleProcessPrivilege	4808	WMIC.exe
Token: SeIncBasePriorityPrivilege	4808	WMIC.exe
Token: SeCreatePagefilePrivilege	4808	WMIC.exe
Token: SeBackupPrivilege	4808	WMIC.exe
Token: SeRestorePrivilege	4808	WMIC.exe
Token: SeShutdownPrivilege	4808	WMIC.exe
Token: SeDebugPrivilege	4808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4808	WMIC.exe
Token: SeRemoteShutdownPrivilege	4808	WMIC.exe
Token: SeUndockPrivilege	4808	WMIC.exe
Token: SeManageVolumePrivilege	4808	WMIC.exe
Token: 33	4808	WMIC.exe
Token: 34	4808	WMIC.exe
Token: 35	4808	WMIC.exe
Token: 36	4808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1200	WMIC.exe
Token: SeSecurityPrivilege	1200	WMIC.exe
Token: SeTakeOwnershipPrivilege	1200	WMIC.exe
Token: SeLoadDriverPrivilege	1200	WMIC.exe
Token: SeSystemProfilePrivilege	1200	WMIC.exe
Token: SeSystemtimePrivilege	1200	WMIC.exe
Token: SeProfSingleProcessPrivilege	1200	WMIC.exe
Token: SeIncBasePriorityPrivilege	1200	WMIC.exe
Token: SeCreatePagefilePrivilege	1200	WMIC.exe
Token: SeBackupPrivilege	1200	WMIC.exe
Token: SeRestorePrivilege	1200	WMIC.exe
Token: SeShutdownPrivilege	1200	WMIC.exe
Token: SeDebugPrivilege	1200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1200	WMIC.exe
Token: SeRemoteShutdownPrivilege	1200	WMIC.exe
Token: SeUndockPrivilege	1200	WMIC.exe
Token: SeManageVolumePrivilege	1200	WMIC.exe
Token: 33	1200	WMIC.exe
Token: 34	1200	WMIC.exe
Token: 35	1200	WMIC.exe
Token: 36	1200	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4808	WMIC.exe
Token: SeSecurityPrivilege	4808	WMIC.exe
Token: SeTakeOwnershipPrivilege	4808	WMIC.exe
Token: SeLoadDriverPrivilege	4808	WMIC.exe
Token: SeSystemProfilePrivilege	4808	WMIC.exe
Token: SeSystemtimePrivilege	4808	WMIC.exe
Token: SeProfSingleProcessPrivilege	4808	WMIC.exe
Token: SeIncBasePriorityPrivilege	4808	WMIC.exe
Token: SeCreatePagefilePrivilege	4808	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 3028	3564	app.exe	89
PID 3564 wrote to memory of 2224	3564	app.exe	90
PID 3564 wrote to memory of 2224	3564	app.exe	90
PID 3564 wrote to memory of 672	3564	app.exe	99
PID 3564 wrote to memory of 672	3564	app.exe	99
PID 3564 wrote to memory of 1748	3564	app.exe	132
PID 3564 wrote to memory of 1748	3564	app.exe	132
PID 3564 wrote to memory of 1092	3564	app.exe	122
PID 3564 wrote to memory of 1092	3564	app.exe	122
PID 3564 wrote to memory of 3160	3564	app.exe	103
PID 3564 wrote to memory of 3160	3564	app.exe	103
PID 3564 wrote to memory of 1108	3564	app.exe	105
PID 3564 wrote to memory of 1108	3564	app.exe	105
PID 672 wrote to memory of 4472	672	cmd.exe	109
PID 672 wrote to memory of 4472	672	cmd.exe	109
PID 1748 wrote to memory of 2912	1748	cmd.exe	110
PID 1748 wrote to memory of 2912	1748	cmd.exe	110
PID 1092 wrote to memory of 4808	1092	cmd.exe	111
PID 1092 wrote to memory of 4808	1092	cmd.exe	111
PID 3160 wrote to memory of 1200	3160	cmd.exe	112
PID 3160 wrote to memory of 1200	3160	cmd.exe	112
PID 1108 wrote to memory of 4900	1108	cmd.exe	113
PID 1108 wrote to memory of 4900	1108	cmd.exe	113
PID 3564 wrote to memory of 4092	3564	app.exe	114
PID 3564 wrote to memory of 4092	3564	app.exe	114

C:\Users\Admin\AppData\Local\Temp\app.exe
"C:\Users\Admin\AppData\Local\Temp\app.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Users\Admin\AppData\Local\Temp\app.exe
  "C:\Users\Admin\AppData\Local\Temp\app.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\app" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1828,7075238841416372570,12136618062121348297,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:3028
- C:\Users\Admin\AppData\Local\Temp\app.exe
  "C:\Users\Admin\AppData\Local\Temp\app.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\app" --mojo-platform-channel-handle=2044 --field-trial-handle=1828,7075238841416372570,12136618062121348297,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "xcopy "C:\Users\Admin\AppData\Local\Temp\" "C:\Users\Admin/AppData/Local/Microsoft/svchostservice" /S /Y"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Windows\system32\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\" "C:\Users\Admin/AppData/Local/Microsoft/svchostservice" /S /Y
    3⤵
    PID:4472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd.exe /c "C:\Users\Admin/AppData/Local/Microsoft/svchostservice/app.exe""
  2⤵
  PID:4092
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\Users\Admin/AppData/Local/Microsoft/svchostservice/app.exe"
    3⤵
    PID:532
  - - C:\Users\Admin\AppData\Local\Microsoft\svchostservice\app.exe
      C:\Users\Admin/AppData/Local/Microsoft/svchostservice/app.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:4220
    - - C:\Users\Admin\AppData\Local\Microsoft\svchostservice\app.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\svchostservice\app.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\app" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1860,4332500483444101246,896878226181028596,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1124
    - - C:\Users\Admin\AppData\Local\Microsoft\svchostservice\app.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\svchostservice\app.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\app" --mojo-platform-channel-handle=2064 --field-trial-handle=1860,4332500483444101246,896878226181028596,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:884
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v app
        5⤵
        Modifies registry key
        
        PID:4316
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:1716
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1748
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4284
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
        5⤵
        
        PID:2640
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:5224
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:4636
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:2704
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
        5⤵
        
        PID:1948
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
        6⤵
        
        PID:5124
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v app /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Microsoft\svchostservice\app.exe\" --hidden" /f
        5⤵
        Modifies registry key
        
        PID:5148
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:5684
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:5732
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:5808
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:5856
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
        5⤵
        
        PID:5940
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:6040
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:5948
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:6048
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
        5⤵
        
        PID:5964
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
        6⤵
        
        PID:6088
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
        5⤵
        
        PID:2640
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:4852
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:5388
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:5368
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
        5⤵
        
        PID:5384
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
        6⤵
        
        PID:5432
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
        5⤵
        
        PID:3400
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:4956
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:5548
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:1516
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
        5⤵
        
        PID:5556
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
        6⤵
        
        PID:4984
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
        5⤵
        
        PID:5612
      - C:\Users\Admin\kxhves.exe
        
        C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
        6⤵
        
        PID:5676
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
        5⤵
        
        PID:5204
      - C:\Users\Admin\kxhves.exe
        
        C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
        6⤵
        
        PID:6000
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
        5⤵
        
        PID:2348
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:5376
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:3508
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:4916
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
        5⤵
        
        PID:4156
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
        6⤵
        
        PID:4908
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
        5⤵
        
        PID:3396
      - C:\Users\Admin\kxhves.exe
        
        C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
        6⤵
        
        PID:5492
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
        5⤵
        
        PID:5516
      - C:\Users\Admin\kxhves.exe
        
        C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
        6⤵
        
        PID:5164
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
        5⤵
        
        PID:888
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:2012
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:5532
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:5544
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
        5⤵
        
        PID:1688
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
        6⤵
        
        PID:4940
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
        5⤵
        
        PID:2464
      - C:\Users\Admin\kxhves.exe
        
        C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
        6⤵
        
        PID:4828
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
        5⤵
        
        PID:5628
      - C:\Users\Admin\kxhves.exe
        
        C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
        6⤵
        
        PID:2620
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
        5⤵
        
        PID:5692
      - C:\Users\Admin\kxhves.exe
        
        C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
        6⤵
        
        PID:5884
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
        5⤵
        
        PID:5160
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:5276
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:5300
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:772
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
        5⤵
        
        PID:4320
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
        6⤵
        
        PID:5208
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
        5⤵
        
        PID:2536
      - C:\Users\Admin\kxhves.exe
        
        C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
        6⤵
        
        PID:3980
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
        5⤵
        
        PID:5164
      - C:\Users\Admin\kxhves.exe
        
        C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
        6⤵
        
        PID:5500
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
        5⤵
        
        PID:2904
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:436
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:4968
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:1516
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
        5⤵
        
        PID:1552
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
        6⤵
        
        PID:5572
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
        5⤵
        
        PID:5580
      - C:\Users\Admin\kxhves.exe
        
        C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
        6⤵
        
        PID:4820
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
        5⤵
        
        PID:3208
      - C:\Users\Admin\kxhves.exe
        
        C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
        6⤵
        
        PID:2200
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
        5⤵
        
        PID:2768
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:1548
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:2224
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:1544
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
        5⤵
        
        PID:2312
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
        6⤵
        
        PID:2924
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
        5⤵
        
        PID:3764
      - C:\Users\Admin\kxhves.exe
        
        C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
        6⤵
        
        PID:5884
    - - C:\Users\Admin\AppData\Local\Microsoft\svchostservice\app.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\svchostservice\app.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\app" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3480 --field-trial-handle=1860,4332500483444101246,896878226181028596,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        5⤵
        
        PID:6108
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
        5⤵
        
        PID:5336
      - C:\Users\Admin\kxhves.exe
        
        C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
        6⤵
        
        PID:4500
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
        5⤵
        
        PID:5508
      - C:\Users\Admin\kxhves.exe
        
        C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
        6⤵
        
        PID:3224
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
        5⤵
        
        PID:1644
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:5072
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:4852
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:5304
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
        5⤵
        
        PID:4088
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
        6⤵
        
        PID:2600
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
        5⤵
        
        PID:5432
      - C:\Users\Admin\kxhves.exe
        
        C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
        6⤵
        
        PID:984
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "cd C:\Users\Admin && C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0""
        5⤵
        
        PID:2904
      - C:\Users\Admin\kxhves.exe
        
        C:\Users\Admin\kxhves.exe "483e0474-e52b-4152-9985-c03bcbd3e9b0"
        6⤵
        
        PID:5556
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
        5⤵
        
        PID:2212
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:2204
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:1592
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:3436
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName""
        5⤵
        
        PID:3356
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
        6⤵
        
        PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4460
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5440
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3604

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\svchostservice\35a755fa-4afe-4937-b335-4fb7b16ec8cd.tmp.ico

Filesize
51KB

MD5
a86565d75056c72776915eb0ae7ce715

SHA1
41bbf8e5f5f78e415db22bec532b946196893d61

SHA256
8d9ea3b6dee47c19084f49a00691584a4f84a4f1c509c300d54f23215557c860

SHA512
96cf117d04062c2d3bb4f0144fbfeffe047c56e68da187790fb19ec2bc2b92210bcbfefaf4ce4b3782678372751e66e7baf8a6702072ce693638d8b75cfedeab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\svchostservice\app.exe

Filesize
139.6MB

MD5
d4d78a1172851c26a6132cf65de31ae0

SHA1
89bbbcae5e98307ae4e14ae510af4bd17da582c4

SHA256
b9b6921e279b16b9035cc7beffee32ffcc10a4a99bbe6102d122a8b6d07c904c

SHA512
7436b6fc36f7e92e37a2ff555c4685054729c5ccfbb2b75a57696a6aec98339c13cee7009ed9c86016158c5d702a20611f09a514556b3e9c11b941902f848566

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\svchostservice\chrome_100_percent.pak

Filesize
138KB

MD5
9c1b859b611600201ccf898f1eff2476

SHA1
87d5d9a5fcc2496b48bb084fdf04331823dd1699

SHA256
53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b

SHA512
1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\svchostservice\chrome_200_percent.pak

Filesize
202KB

MD5
b51a78961b1dbb156343e6e024093d41

SHA1
51298bfe945a9645311169fc5bb64a2a1f20bc38

SHA256
4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9

SHA512
23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\svchostservice\d3dcompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\svchostservice\ffmpeg.dll

Filesize
2.6MB

MD5
12cb29b61007fd6cd166882635241038

SHA1
31bacefd2d7238fb5ac77f728bb39a27b400dbb0

SHA256
2e60bc5a05d3e98d12d2bd577d63b6dc77bd1b3734633259fcaf50fa3688ca9c

SHA512
cbfab7708a01fe47904facfdf9604025d6f1c680e40ada0b4c1b1ef35a4eab7de5de96c22d0491c6d202175d2c66693216efab6cfab73e316d466811d834b126

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\svchostservice\icudtl.dat

Filesize
9.8MB

MD5
599c39d9adb88686c4585b15fb745c0e

SHA1
2215eb6299aa18e87db21f686b08695a5199f4e2

SHA256
c5f82843420fa9d144e006b48d59ba7ef95f7e6cb1ea95b27fcdd2c97f850859

SHA512
16194186a8407b29f799d4b02f5674e4fbd5d91163fad9f8dce6ceedd865b754a681aa960d0f3f1b62cb21d5443879f1b8e9b691c19c5802d5bdfe4ed645b8bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\svchostservice\libEGL.dll

Filesize
437KB

MD5
979b72ca6e98fc7fdcfcc50d77906fb5

SHA1
dc4b874f495ed73c90b39feb566a48a081371c4b

SHA256
73d1f5880980a2ccb8e5a15e285a4a11fccd80754829e85aa9a3b8ffecf39dd9

SHA512
bd4d25a591d1c52d9a4a850a5bccbbf5ec8d174f5f093c0fd611a18af8d337b918464220a4f9591d03582aadf1c9cb392596a5449fb7d0a928889b0f65f8c619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\svchostservice\libGLESv2.dll

Filesize
6.7MB

MD5
5300049a47fd88310ef94f9e37eeb247

SHA1
89672d16382a75781eeca002c850c17cfc46e851

SHA256
33863ea4047e4eaae8f24bfa3491bb809d4c3d44489ae2bbe5e3af9e5cc1fe50

SHA512
b38ef83cb40923654ae1efcdb8af63e1fb47f640a0cbeac350b97f24da1365da23d757cacef1f9e994ace0b076b4bc1408644347aec3c94995bb27d184a93c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\svchostservice\locales\en-US.pak

Filesize
103KB

MD5
b58cb46758c6bc8fe4385ec2ce4e50b7

SHA1
34026e96e02220cea46a31c2319f695ca2e0a914

SHA256
e34c459684971971765943e8b5b2d1751b329a9502f0fd6649679823f725b8c3

SHA512
702384f9d6d77da08fc8c49a5f65957c56e363e1ad37f9d0611092d248db1f79636a6cf336e55669e002194f589f584b5663b4d77e54fa95e18f84eb4864d7f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\svchostservice\resources.pak

Filesize
4.8MB

MD5
2db0729cb0a452b13400e0ad97a46a8e

SHA1
2aaaa7e0e932e7b46958214cce81d60099cfc2a0

SHA256
af41c2d4484ee3b86b63bde75f150bf67f78a6257d91b397b6b15d47b041e177

SHA512
967bcac22315ecbe76c5a1cec4439523a92710791ea6112aedeb2d294419714e7aab5526f868898c6c2cb83886dc98c694dddd314766c2ae373f55f3529a65fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\svchostservice\resources\app.asar

Filesize
30.5MB

MD5
ad5c760ffb7ed9a9a1f4e35b00544e4f

SHA1
b6a6b1514814082e181e1e2bc645f0ede6556842

SHA256
7a7062ff6969599dafed74baf71c88f6c07643c49c2670b728a38c8377e50087

SHA512
f907f2521be6a422c311758673295aed0b3713f83abf6f7d36f478f003a1d6d7a4bdabdca17be3d000e757135589d1b75d22c68e530c3a1d1ba2982ff3c98a9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\svchostservice\v8_context_snapshot.bin

Filesize
656KB

MD5
c384ae622a7a6c7ec328678af12922c2

SHA1
25165dcaf78d3d29a16e4f979370e0b009ede240

SHA256
977a027c50bd79e93ec015fbebaccfaaa8885b88c76f7e5a2c33337d6d5173c3

SHA512
d0571f5e18dcf14a591a76243d52094bb843b0779630f31cbb66fd738c1c35d10bb7ef751eb01a953305ee19f2777f4d3ca6f9b132199b2af357c0b03185d9a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\svchostservice\wct5795.tmp

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x3khojuf.gzw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\app\4a22bbee-6dc6-4384-9563-fbc70f7cded3.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\app\Cache\Cache_Data\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\app\Cache\Cache_Data\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Roaming\app\Cache\Cache_Data\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\app\Cache\Cache_Data\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\app\Cache\Cache_Data\index

Filesize
256KB

MD5
701151478d48b3194e5554df15a4455c

SHA1
067b1be46476be14cd30ada0eaaf23bd36b65031

SHA256
f9ce9dbd0cfb1acc5f6496b170ba556869a952f5971ac06a7faab1f3125ab019

SHA512
31e9b8846905e1361f5c18e73d9aa075398a8d99f2c5fd8b12eaa09a4163414719f6291b1b029e2766a1364997a6819ad74475af558c2b8999453171994007a9

Download Submit
C:\Users\Admin\AppData\Roaming\app\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\app\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
4d8e6283e422c7d061a11b71b7cb762a

SHA1
6d816c7ea14d1dc665cf2209761fb5a1580840c1

SHA256
6aca252a38e20e144ae741c8f18e7f9678ccbb7d25ce8fb753d4313d71384c16

SHA512
656e6d7e43c348c66e9d50bab251b3073d4a55cbe9ad9e592851b63d3a8af86bd4206137cb6b959e78baf910c30f59fafd87798cf8293b38695421ab23fdaad7

Download Submit
C:\Users\Admin\AppData\Roaming\app\Local State

Filesize
389B

MD5
1f2164464ce6954f35cab31eed57e263

SHA1
e109bb7a8172173aa27e81478c8040f627a4220d

SHA256
f7921409a171a04239750e968a77904e8570ab4ab798d9293ca11ab9f61e2f97

SHA512
b608127197d645ae33d7285ad4e204103fa58fb2d830637c8583c53f8b494c7de8f25a8762526116ccb5cccc580bf84ddbdd7a933b4ffe451ce69bda6093e1bf

Download Submit
C:\Users\Admin\AppData\Roaming\app\Local State

Filesize
389B

MD5
ff652521e628ab7b9118bf9ea559a19c

SHA1
4e43304cb9f56dc60ddb780f3e73659b246e3699

SHA256
39296d95b358d58b59ae7da9a204963dc263d49280075d883b08b90e70ce45c0

SHA512
1f467b0b1a56f80b6d5a49efb5ef1c676e9d2b546734047a5192a2a103681bc41f92fcf36d5462f7b49e76d05496f6b5b35bc08676508f303df9cbcaea78afba

Download Submit
C:\Users\Admin\AppData\Roaming\app\Network\Network Persistent State

Filesize
393B

MD5
fb3c7f163f85b05c653d8fa076c7eb05

SHA1
2301563e2fafc24be4058dd8f1d892ef9cce00b0

SHA256
30f4688adb2be45d51b5f0b6ed255f5d041dd2fc83bdce585cad7c1e18ba8b36

SHA512
ca414a5b67115ee7f703bf949179ea0d9cf14df908494f87e43d4c11150aca5c2ec08e1db309496330816b3d90f37ba4f2bed70d102b9777a330337dd6a22673

Download Submit
C:\Users\Admin\AppData\Roaming\app\Network\Network Persistent State

Filesize
59B

MD5
78bfcecb05ed1904edce3b60cb5c7e62

SHA1
bf77a7461de9d41d12aa88fba056ba758793d9ce

SHA256
c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

SHA512
2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Download Submit
C:\Users\Admin\AppData\Roaming\app\Network\Network Persistent State

Filesize
484B

MD5
eb5e0a23e9d5808a2f95910d7a7893f7

SHA1
79aa1be62619d18ed388fc095c6478c6b85a0cb2

SHA256
ef865e6d1e0e69d04e2c3abd921fac552ffac1b8d936d6011801cfb345956b65

SHA512
0cfb3f3645cee85de1123286b1785e2cfe8516c7ceb606cffa34c9aeb568b09f10d9ab90a4b3c2c4e37b6d1dfe82b32cb09053146aeaac626e1eae937baa5095

Download Submit
C:\Users\Admin\AppData\Roaming\app\Network\Network Persistent State~RFe5788f6.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\app\Network\TransportSecurity

Filesize
203B

MD5
338e77126eb44fcbd33f0248b97e5257

SHA1
c690930b6cffe210872ecaeaf747d47b6ddb6e81

SHA256
74aaac8523dea781ad1279b103a57413e3498318ff475b28da2c0f898126bea9

SHA512
bcf0a7cfcc3658848126142150c9436c7584ad474e6fe4bb79f945eed786824fd522a210e5b6d419eaffe9f730dbab95d62563a5c6aeddef0e6b1091ff8de379

Download Submit
C:\Users\Admin\AppData\Roaming\app\Network\TransportSecurity

Filesize
203B

MD5
fdf211bee27a634d231b20c3a722c153

SHA1
2afc0d4a504f41b3593538afeb56bdd89349ad75

SHA256
8614fdc2fc52e2d61eab6e9b61a739bc576e175d0fd3b592c67249c4998247d1

SHA512
d84d48e9946ad209c6ef3851012cb82b49c4df917c47f119e20faf97c5bf5f1e18283ebe673fbe3d76b0f027e06bbdd53e5f40009987a381d6a941f6744de507

Download Submit
C:\Users\Admin\kxhves.exe

Filesize
30.4MB

MD5
66c4256bfc23d0c5a67d26f03ed336b3

SHA1
160f44e0c6a101ac35da1efa3c818c33bfbb6bdb

SHA256
203a55f05216870706cf7b486428263d311c36db3811b8c6621687a93e40df46

SHA512
7a857c2933684e829ec2320be92f0a1a6e7ce3bdb14a62295d9636c44c0e74321114852c5f2cc0afaaa6989b27d19ced29ffe9b85fa6f6d156be5481fccc4866

Download Submit
C:\Users\Admin\version.txt

Filesize
36B

MD5
8c9b854d032c20b49e385c1062f00378

SHA1
b91e336fe270bb57e1fe1ddc04fbb0291afc555a

SHA256
1f22cc0b3d5e370ca8124f58817adfd855a81ea1c5319c6aaa135f52cc699647

SHA512
a7737d320bde9d289f9a61c9d953c2d5f5d6b306c31e5c3b22404a39448f5ffa2baa8edfaeeb65906c203dea2dafb215ac141413aad1ca551f048ddcc1091642

Download Submit
memory/1124-435-0x00007FFC96E90000-0x00007FFC96E91000-memory.dmp

Filesize
4KB

Download
memory/2420-809-0x00000271B8F00000-0x00000271B8F10000-memory.dmp

Filesize
64KB

Download
memory/2420-825-0x00007FFC76B90000-0x00007FFC77651000-memory.dmp

Filesize
10.8MB

Download
memory/2420-810-0x00000271B8F00000-0x00000271B8F10000-memory.dmp

Filesize
64KB

Download
memory/2420-808-0x00007FFC76B90000-0x00007FFC77651000-memory.dmp

Filesize
10.8MB

Download
memory/2600-800-0x00007FFC76B90000-0x00007FFC77651000-memory.dmp

Filesize
10.8MB

Download
memory/2600-794-0x00000281D4800000-0x00000281D4810000-memory.dmp

Filesize
64KB

Download
memory/2600-792-0x00007FFC76B90000-0x00007FFC77651000-memory.dmp

Filesize
10.8MB

Download
memory/2600-793-0x00000281D4800000-0x00000281D4810000-memory.dmp

Filesize
64KB

Download
memory/2924-750-0x00007FFC76B90000-0x00007FFC77651000-memory.dmp

Filesize
10.8MB

Download
memory/2924-757-0x00007FFC76B90000-0x00007FFC77651000-memory.dmp

Filesize
10.8MB

Download
memory/3028-17-0x00007FFC96E90000-0x00007FFC96E91000-memory.dmp

Filesize
4KB

Download
memory/4900-391-0x00007FFC75230000-0x00007FFC75CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4900-196-0x0000017A87F00000-0x0000017A87F10000-memory.dmp

Filesize
64KB

Download
memory/4900-212-0x0000017A89800000-0x0000017A89822000-memory.dmp

Filesize
136KB

Download
memory/4900-138-0x00007FFC75230000-0x00007FFC75CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4900-171-0x0000017A87F00000-0x0000017A87F10000-memory.dmp

Filesize
64KB

Download
memory/4908-630-0x00007FFC76B90000-0x00007FFC77651000-memory.dmp

Filesize
10.8MB

Download
memory/4908-639-0x00007FFC76B90000-0x00007FFC77651000-memory.dmp

Filesize
10.8MB

Download
memory/4908-632-0x0000020FE3430000-0x0000020FE3440000-memory.dmp

Filesize
64KB

Download
memory/4908-631-0x0000020FE3430000-0x0000020FE3440000-memory.dmp

Filesize
64KB

Download
memory/4940-660-0x00007FFC76B90000-0x00007FFC77651000-memory.dmp

Filesize
10.8MB

Download
memory/4940-661-0x00000138B0040000-0x00000138B0050000-memory.dmp

Filesize
64KB

Download
memory/4940-668-0x00007FFC76B90000-0x00007FFC77651000-memory.dmp

Filesize
10.8MB

Download
memory/4984-606-0x00007FFC76B90000-0x00007FFC77651000-memory.dmp

Filesize
10.8MB

Download
memory/4984-598-0x00007FFC76B90000-0x00007FFC77651000-memory.dmp

Filesize
10.8MB

Download
memory/4984-600-0x000001A259600000-0x000001A259610000-memory.dmp

Filesize
64KB

Download
memory/4984-599-0x000001A259600000-0x000001A259610000-memory.dmp

Filesize
64KB

Download
memory/5124-477-0x00000197185F0000-0x0000019718600000-memory.dmp

Filesize
64KB

Download
memory/5124-496-0x00007FFC74660000-0x00007FFC75121000-memory.dmp

Filesize
10.8MB

Download
memory/5124-476-0x00007FFC74660000-0x00007FFC75121000-memory.dmp

Filesize
10.8MB

Download
memory/5124-478-0x00000197185F0000-0x0000019718600000-memory.dmp

Filesize
64KB

Download
memory/5208-706-0x000001B91B510000-0x000001B91B520000-memory.dmp

Filesize
64KB

Download
memory/5208-705-0x000001B91B510000-0x000001B91B520000-memory.dmp

Filesize
64KB

Download
memory/5208-702-0x00007FFC76B90000-0x00007FFC77651000-memory.dmp

Filesize
10.8MB

Download
memory/5208-710-0x00007FFC76B90000-0x00007FFC77651000-memory.dmp

Filesize
10.8MB

Download
memory/5432-579-0x00000164D8D90000-0x00000164D8DA0000-memory.dmp

Filesize
64KB

Download
memory/5432-586-0x00007FFC76B90000-0x00007FFC77651000-memory.dmp

Filesize
10.8MB

Download
memory/5432-578-0x00007FFC76B90000-0x00007FFC77651000-memory.dmp

Filesize
10.8MB

Download
memory/5572-734-0x00007FFC76B90000-0x00007FFC77651000-memory.dmp

Filesize
10.8MB

Download
memory/5572-728-0x00000291958C0000-0x00000291958D0000-memory.dmp

Filesize
64KB

Download
memory/5572-727-0x00007FFC76B90000-0x00007FFC77651000-memory.dmp

Filesize
10.8MB

Download
memory/6088-550-0x00000251D05A0000-0x00000251D05B0000-memory.dmp

Filesize
64KB

Download
memory/6088-549-0x00007FFC76B90000-0x00007FFC77651000-memory.dmp

Filesize
10.8MB

Download
memory/6088-567-0x00007FFC76B90000-0x00007FFC77651000-memory.dmp

Filesize
10.8MB

Download
memory/6088-551-0x00000251D05A0000-0x00000251D05B0000-memory.dmp

Filesize
64KB

Download
memory/6108-768-0x0000022ED09E0000-0x0000022ED09E1000-memory.dmp

Filesize
4KB

Download
memory/6108-769-0x0000022ED09E0000-0x0000022ED09E1000-memory.dmp

Filesize
4KB

Download
memory/6108-774-0x0000022ED09E0000-0x0000022ED09E1000-memory.dmp

Filesize
4KB

Download
memory/6108-773-0x0000022ED09E0000-0x0000022ED09E1000-memory.dmp

Filesize
4KB

Download
memory/6108-762-0x0000022ED09E0000-0x0000022ED09E1000-memory.dmp

Filesize
4KB

Download
memory/6108-763-0x0000022ED09E0000-0x0000022ED09E1000-memory.dmp

Filesize
4KB

Download
memory/6108-764-0x0000022ED09E0000-0x0000022ED09E1000-memory.dmp

Filesize
4KB

Download
memory/6108-770-0x0000022ED09E0000-0x0000022ED09E1000-memory.dmp

Filesize
4KB

Download
memory/6108-771-0x0000022ED09E0000-0x0000022ED09E1000-memory.dmp

Filesize
4KB

Download
memory/6108-772-0x0000022ED09E0000-0x0000022ED09E1000-memory.dmp

Filesize
4KB

Download