redline | hxxps://joanlainez[.]com/wp-content/server4/v4_file_x86_64[.]rar

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://joanlainez.com/wp-content/server4/v4_file_x86_64.rar

Score

10^/10

redline risepro vidar zgrat logsdiller cloud (tg: @logsdillabot)evasion infostealer rat spyware stealer themida trojan

Malware Config

Extracted

Family

vidar

https://steamcommunity.com/profiles/76561199677575543

https://t.me/snsb82

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.96:28380

Signatures

Detect Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/5348-351-0x0000000000400000-0x000000000064A000-memory.dmp	family_vidar_v7

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Documents\SimpleAdobe\isRGNmoWWcpTu9y2aQTUlGel.exe	family_zgrat_v1
C:\Users\Admin\Documents\SimpleAdobe\isRGNmoWWcpTu9y2aQTUlGel.exe	family_zgrat_v1
behavioral1/memory/3912-315-0x0000000000790000-0x0000000000B4A000-memory.dmp	family_zgrat_v1

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

setup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5420-360-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

setup.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ setup.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

setup.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation setup.exe
Executes dropped EXE 1 IoCs

Processes:

setup.exe

pid process

3580 setup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	setup.exe

pid	process
3580	setup.exe

Themida packer 15 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zOCED98188\setup.exe	themida
C:\Users\Admin\AppData\Local\Temp\7zOCED98188\setup.exe	themida
C:\Users\Admin\AppData\Local\Temp\7zOCED98188\setup.exe	themida
behavioral1/memory/3580-75-0x0000000140000000-0x0000000140739000-memory.dmp	themida
behavioral1/memory/3580-73-0x0000000140000000-0x0000000140739000-memory.dmp	themida
behavioral1/memory/3580-97-0x0000000140000000-0x0000000140739000-memory.dmp	themida
C:\Users\Admin\Documents\SimpleAdobe\yPoh5FfeO9AUMm7Frs8J1IF6.exe	themida
behavioral1/memory/3580-278-0x0000000140000000-0x0000000140739000-memory.dmp	themida
behavioral1/memory/2468-296-0x0000000000070000-0x0000000000706000-memory.dmp	themida
behavioral1/memory/3580-302-0x0000000140000000-0x0000000140739000-memory.dmp	themida
behavioral1/memory/2468-307-0x0000000000070000-0x0000000000706000-memory.dmp	themida
behavioral1/memory/2468-306-0x0000000000070000-0x0000000000706000-memory.dmp	themida
behavioral1/memory/2468-305-0x0000000000070000-0x0000000000706000-memory.dmp	themida
behavioral1/memory/3580-316-0x0000000140000000-0x0000000140739000-memory.dmp	themida
behavioral1/memory/2468-314-0x0000000000070000-0x0000000000706000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

setup.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA setup.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

204 iplogger.org
206 iplogger.org
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

62 api.myip.com
65 ipinfo.io
67 ipinfo.io
61 api.myip.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe

flow	ioc
204	iplogger.org
206	iplogger.org

flow	ioc
62	api.myip.com
65	ipinfo.io
67	ipinfo.io
61	api.myip.com

Drops file in System32 directory 4 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

setup.exe

pid process

3580 setup.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5664 schtasks.exe

pid	process
3580	setup.exe

pid	process
5664	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587624391270509"	chrome.exe

Modifies registry class 3 IoCs

Processes:

OpenWith.exechrome.exe7zFM.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2088 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1448 chrome.exe
1448 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exeOpenWith.exe

pid process

3564 7zFM.exe
4536 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1448 chrome.exe
1448 chrome.exe

pid	process
2088	NOTEPAD.EXE

pid	process
3564	7zFM.exe
4536	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zFM.exe

description	pid	process
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeRestorePrivilege	3564	7zFM.exe
Token: 35	3564	7zFM.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeSecurityPrivilege	3564	7zFM.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

Processes:

chrome.exe7zFM.exe

pid	process
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
3564	7zFM.exe
3564	7zFM.exe
3564	7zFM.exe
3564	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

OpenWith.exe

pid	process
4536	OpenWith.exe
4536	OpenWith.exe
4536	OpenWith.exe
4536	OpenWith.exe
4536	OpenWith.exe
4536	OpenWith.exe
4536	OpenWith.exe
4536	OpenWith.exe
4536	OpenWith.exe
4536	OpenWith.exe
4536	OpenWith.exe
4536	OpenWith.exe
4536	OpenWith.exe
4536	OpenWith.exe
4536	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1448 wrote to memory of 2388	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 2388	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 416	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 2260	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 2260	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe
PID 1448 wrote to memory of 1568	1448	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://joanlainez.com/wp-content/server4/v4_file_x86_64.rar
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa5d29758,0x7fffa5d29768,0x7fffa5d29778
2⤵
PID:2388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1768,i,8230095906835073120,2798718822538591372,131072 /prefetch:2
2⤵
PID:416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1768,i,8230095906835073120,2798718822538591372,131072 /prefetch:8
2⤵
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1768,i,8230095906835073120,2798718822538591372,131072 /prefetch:8
2⤵
PID:1568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1712 --field-trial-handle=1768,i,8230095906835073120,2798718822538591372,131072 /prefetch:1
2⤵
PID:2084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2956 --field-trial-handle=1768,i,8230095906835073120,2798718822538591372,131072 /prefetch:1
2⤵
PID:3456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1768,i,8230095906835073120,2798718822538591372,131072 /prefetch:8
2⤵
PID:3076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4324 --field-trial-handle=1768,i,8230095906835073120,2798718822538591372,131072 /prefetch:8
2⤵
PID:848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1768,i,8230095906835073120,2798718822538591372,131072 /prefetch:8
2⤵
PID:2468

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\v4_file_x86_64.rar"
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3564

C:\Users\Admin\AppData\Local\Temp\7zOCED98188\setup.exe
"C:\Users\Admin\AppData\Local\Temp\7zOCED98188\setup.exe"
3⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3580

C:\Users\Admin\Documents\SimpleAdobe\yZ1fgGZjAoOJPLB0Z_vN6mcb.exe
C:\Users\Admin\Documents\SimpleAdobe\yZ1fgGZjAoOJPLB0Z_vN6mcb.exe
4⤵
PID:3548

C:\Users\Admin\Documents\SimpleAdobe\IVCSZdc8i18h520PEJRtBuY7.exe
C:\Users\Admin\Documents\SimpleAdobe\IVCSZdc8i18h520PEJRtBuY7.exe
4⤵
PID:2264

C:\Users\Admin\Documents\SimpleAdobe\T7PSkrg3JUXbT0jBQOHYWjES.exe
C:\Users\Admin\Documents\SimpleAdobe\T7PSkrg3JUXbT0jBQOHYWjES.exe
4⤵
PID:2988

C:\Users\Admin\Documents\SimpleAdobe\fwfPW0Qa0G8CBZEIgsK83Lic.exe
C:\Users\Admin\Documents\SimpleAdobe\fwfPW0Qa0G8CBZEIgsK83Lic.exe
4⤵
PID:3184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:5348

C:\Users\Admin\Documents\SimpleAdobe\KSCLKMVXs3Y5wQM9eNFJamVd.exe
C:\Users\Admin\Documents\SimpleAdobe\KSCLKMVXs3Y5wQM9eNFJamVd.exe
4⤵
PID:4104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:5420

C:\Users\Admin\Documents\SimpleAdobe\9QcvYutOIRSn7FwU0JFsa6Lr.exe
C:\Users\Admin\Documents\SimpleAdobe\9QcvYutOIRSn7FwU0JFsa6Lr.exe
4⤵
PID:752

C:\Users\Admin\Documents\SimpleAdobe\yPoh5FfeO9AUMm7Frs8J1IF6.exe
C:\Users\Admin\Documents\SimpleAdobe\yPoh5FfeO9AUMm7Frs8J1IF6.exe
4⤵
PID:2468

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:5664

C:\Users\Admin\Documents\SimpleAdobe\baTjUOlmShi5lCyj3UOOL8u8.exe
C:\Users\Admin\Documents\SimpleAdobe\baTjUOlmShi5lCyj3UOOL8u8.exe
4⤵
PID:872

C:\Users\Admin\Documents\SimpleAdobe\z3prmGctJTE9SReotlTJRJpM.exe
C:\Users\Admin\Documents\SimpleAdobe\z3prmGctJTE9SReotlTJRJpM.exe
4⤵
PID:4504

C:\Users\Admin\Documents\SimpleAdobe\isRGNmoWWcpTu9y2aQTUlGel.exe
C:\Users\Admin\Documents\SimpleAdobe\isRGNmoWWcpTu9y2aQTUlGel.exe
4⤵
PID:3912

C:\Users\Admin\Documents\SimpleAdobe\t3pyy4zaEevTeOm21kKwXB5p.exe
C:\Users\Admin\Documents\SimpleAdobe\t3pyy4zaEevTeOm21kKwXB5p.exe
4⤵
PID:468

C:\Users\Admin\AppData\Local\Temp\is-L0RKM.tmp\t3pyy4zaEevTeOm21kKwXB5p.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L0RKM.tmp\t3pyy4zaEevTeOm21kKwXB5p.tmp" /SL5="$80268,4593287,54272,C:\Users\Admin\Documents\SimpleAdobe\t3pyy4zaEevTeOm21kKwXB5p.exe"
5⤵
PID:4236

C:\Users\Admin\Documents\SimpleAdobe\MJAUKkCno9bPNdE_JSVYK_gR.exe
C:\Users\Admin\Documents\SimpleAdobe\MJAUKkCno9bPNdE_JSVYK_gR.exe
4⤵
PID:928

C:\Users\Admin\Documents\SimpleAdobe\GKOqCeV3IZMXDmDV7aL5NcUz.exe
C:\Users\Admin\Documents\SimpleAdobe\GKOqCeV3IZMXDmDV7aL5NcUz.exe
4⤵
PID:2212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=920 --field-trial-handle=1768,i,8230095906835073120,2798718822538591372,131072 /prefetch:2
2⤵
PID:1996

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4284

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4536

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOCEDEAB48\bentonite.cfg
2⤵
- Opens file in notepad (likely ransom note)
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3792 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2952

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
673B

MD5
54b168e78de5fabeb73aaa974ab01c09

SHA1
07446e912d6d8f1b2a6cfd00c2d9cf20c27009e2

SHA256
583746f73a95162a271f23245012711e4ff10d4ea43a36437e7a924048bc0b29

SHA512
68bebee35bd962e2720c1782fcbc3297eb10d868ca5bdfded3a9d32325e0717987fb7bb51d2a3f17202d770fee6a4fedfd461d308c591afcae6532f5ed4e80b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
c4413d07b03fdd3796507aab84609328

SHA1
7eec71857b623d9a56cabda32b5ddca87a4f5a4a

SHA256
4da74761b100c89cf4b3ea8d410773f84f7a40a8c473b15ab52676884065a89f

SHA512
42260f80d7c5919c8bb2b49b816663cf27999276c7ba82c97f354441cf4f06705f642bf0d39ed8f318ddbe5653e7bc3e924556b4a716aaa36f02a65514d0d7c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
742f890528226efd68ef6fa7471a5fec

SHA1
23aaa68b279192535a58615cc5f499f67daf66d9

SHA256
3a4e6763589537b7198128893ba7017f7db09dd926ec848407bdd07b8f527308

SHA512
a5ce943f0d87a13e0bd88cc02fa5743271b45ac81f87f0f677da2a0a9c2488e7961efbb1d47a32de3b8a91c19bfb75173c20bbae199d4862998671c5732cdfac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
85cd9c5116ba560bc4f4e59fa816f720

SHA1
34930995a4c7a0d9209863be41a1270890a06856

SHA256
ad3b65a69f665fa49bdf17fe4ccfe30bdcb1b99715c1da4de6866dfb4a08bf71

SHA512
e4aa5d31020c87c3cf0976372b33c68de4adc3440c1cfa3ca23ae67eba2318dfe0feb4781dd178db6d391b2e2fa153a8865751e959c4c3b7e792d8bf91b11af7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
c318fc17f4f6e7a2a6ac4e0a0301fd2a

SHA1
520483452be773150dba02a340bd13d6ea9a85e1

SHA256
2ff827532ebc5f8c1c3b3bc38bdb8d0eb10cddd802cd398aa8d8fbca0dd10e39

SHA512
f8109d82c9aba44ce5fb7ebb7c67b3da32f4f71fca527b2b99ed35d08e27d5f0846a9595e1bc109ca1f3ee2715bd63eda152e311fa507d967347566d5c5ad698

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCED98188\setup.exe
Filesize
474.8MB

MD5
4cf8a29b97c39537a4ade9d4db7d3696

SHA1
7c07a28533dfa038ea8081f5d7c6ef605759c1b9

SHA256
f53d810d70aaae13c433910e541405ebea4f7c8751f47fd4a309253bdb0e0dbc

SHA512
09ee0bca94a298d1c9310734c521ff54f717cee12144bbf961a4a187f1076f3b3a9bb869681e0b65e8c9f3df091b090010079661e5ebbe8e817425bb76f39c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCED98188\setup.exe
Filesize
279.6MB

MD5
4f8ceab2ef38cb3267773a705dcdf7b0

SHA1
c1a6aea677c2ba1e2a38301d159a98cbe45a3a9d

SHA256
e594a72a5b96563dec944bef6cea7470af8d1e8a42e16217b72480d2eca4cf0d

SHA512
2eac47ade9452b39f313191e1bdab10df8067d72f4754753e7fe05ca7cfb1255e31409807a54f19c34611f25ed1e1c2a51485e59e3d00157fbf546561e4b4a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCED98188\setup.exe
Filesize
314.9MB

MD5
0aca7f9fee29746c3fb9cca6f1d9e42f

SHA1
7fd0c34ab3fa22dd59ee2364eb922ccb53b2b9f5

SHA256
f8085a16daa6caf5b3e301755a9fb0dc582d4ec6d917c799a650a3ec04061541

SHA512
c3943ae2e769f866b34ff216fc1d8d1fce47949ea86781f184fb9d4af7d9082253840d06740ab9f69315ee6ec8f6e2164b122e44d0062e7d5cf7a0c5e4627850

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCEDEAB48\bentonite.cfg
Filesize
963KB

MD5
e7c43dc3ec4360374043b872f934ec9e

SHA1
6514933e53c6eb9594786a773f75595b0eafeaf7

SHA256
658ac17f4047ccc594edfd7c038701fe2c72ec2edf4aefe6f3c2dd28ab3dd471

SHA512
43b8cb4cacf8bc1e26f7c6af4e58d877287057975b3e28c52d4a3afa478b447a921fbde729ef24be9eb3858c00968455a6873a67e409a6a3fe6a35703470bd6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VIBO0.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaF35.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3h4.0.exe
Filesize
64KB

MD5
b6198b553988dfcddac1a05d4b01433d

SHA1
b15f9562f035aa49d8629472893e4b3ce81cb54e

SHA256
69aa7a09b6a04be53046c301216a885fb13a9bff4758e38158b7366079aae9db

SHA512
63973b8a13f5c6445c41cf1aa4a7ea59ba2179e585039410f5dba57aab23bb00fb4e8cbd87fbaa3c0a188382dea903d246dd11cf3c47a31159e1d3ac52e62ad5

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\9QcvYutOIRSn7FwU0JFsa6Lr.exe
Filesize
5.6MB

MD5
2019322ea56c5b80294770f6018bddc1

SHA1
19285ecd68a4d9b957f87502c555dad437cfeb8f

SHA256
0823c2f58d094e1c096ae9184acf0b930df6dff97d0cd77728dc3ff07f9c0096

SHA512
092b6a5e503da5057fb569ba439dff8dea9c79ce6a036f460543ebbc7eb5de9bc206f5283c26f9f38e4ed027fb9b99336c199c7446e9e1bb3b973e71e11683e0

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\GKOqCeV3IZMXDmDV7aL5NcUz.exe
Filesize
49KB

MD5
705685a8deace858e7fc849471c045f3

SHA1
10132365b465a6f231c8e292f462c2d005b4f9b0

SHA256
7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9

SHA512
b9dd7d5ca384ff4ad053d5f01d721f1180b1028e40c96cd94e04f2b2965e2f4be6cf4d2595f67c3e62039320b517e32200ffec165a9c544344d666732a57c56d

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\IVCSZdc8i18h520PEJRtBuY7.exe
Filesize
10.7MB

MD5
b091c4848287be6601d720997394d453

SHA1
9180e34175e1f4644d5fa63227d665b2be15c75b

SHA256
d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe

SHA512
a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\IVCSZdc8i18h520PEJRtBuY7.exe
Filesize
2.1MB

MD5
6d61be178c463370bd92f9405ae70eb7

SHA1
a6fdc445ba29c6341e983c0921f55f6ba1dad6e4

SHA256
62c700b37212390ef926cc9ff685a044045b92feebc205418b370bb82f388b44

SHA512
03d71607e615e2a988fdb173b3914fefbfc0652d076ae4b289a8bd9e9b286fefb3012cb8479da7bf266a2fe84b5c7c1d652cce17106d615da8860e234eff7197

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\KSCLKMVXs3Y5wQM9eNFJamVd.exe
Filesize
489KB

MD5
7b428390134b24bd185e6dadab294b1f

SHA1
9e59dbe76d50eb24d582cf82f2ff9bf21cbeab79

SHA256
b9485d6b8847b2dc4b3bc355ba24e0d359dd3ef60b95ca49165b24398dc56e07

SHA512
9ecb1b0e1f8b8b72db6038f1ac23632f8ef2b5833af1c07207157b16d09e2c366805eb345d4363a56248670aba1cebb6ac20e79ff0c266e31d35f193fb753eac

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\MJAUKkCno9bPNdE_JSVYK_gR.exe
Filesize
65KB

MD5
22e35bea6a2653c8393db13a83b0cf97

SHA1
31adf1873277d5c64f1533a257de3f4fd67d6ad8

SHA256
2e8af331adb9cd46185ae5f7982157267ef3c6e4ccdd943226ee5aec8455fae8

SHA512
666fd393f101f25855a63e75b023bff28c91bde2490c7bb83925049f6aa07519b2814659974dca642446afcfd80216dd36062dc270e2377989c56580e67680fb

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\T7PSkrg3JUXbT0jBQOHYWjES.exe
Filesize
5.2MB

MD5
a7995b98daf0e9d5cdab05f6b1a9ee31

SHA1
266d76d49c0710cb97abb768e1da3bf78714dc94

SHA256
9c51cf022c30a213be00dd998993863a258ab33dfa07c73aaacfe93efccd3dc0

SHA512
42a6cedc22a71a529136f6d8341b4f5c12ffd36b95d330009f552128ccda5ae3182a15d48b8b6602fbe1fbba8729e242ff474eefbcf8352b8bf13cd5eed048e8

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\UEpRkx3bFmxwVvXquSdHFCTf.exe
Filesize
4.2MB

MD5
e7a15d0fdc4c314a9c6d751c2ee40928

SHA1
bbee4504fe35daae70bb4527cbfd8977ee89b88d

SHA256
0b8dffdcf7901d8361b5a90715418508da5d769277cf1cac40431ba138bda758

SHA512
83c067e2a0e8d83b942cf2ebd1be962cbda8df9d0520b326e6c0476e2a76d7c4211c5eab6cd50b17dd34c2e907e98d7b132dc8b4d655a93e3c72e7aabdb5a283

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\fwfPW0Qa0G8CBZEIgsK83Lic.exe
Filesize
393KB

MD5
b96f9d010e1c6150e78bd217212f2854

SHA1
c43a35a08db7358281d25a2f0134d41eb37a3ae8

SHA256
e49fbe983f9657085fd6ed87ef01d3d80b8c89fc15e159e227e661c8a9f76704

SHA512
956b90536bb9fa138854a1e47313219b117485708a20e110946682eff972a8e0ee396041b13b1cc03f103989f3029cf59e55ea0b17940ffd8be50dd3f4f2252d

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\ikrqu2Iv8EQgGWFBc684gadq.exe
Filesize
449KB

MD5
9203dc4ef3987ea3477cd97190698449

SHA1
da71339a28dc2a437e9b813e7efaa708500f2c56

SHA256
f1dc3673538d69b36493148e4943e983e4a67c79477604cda8af937c0b7cdf46

SHA512
7ffc4a515367961759d228e274e8303c8666877a52b90b7da0b0994329902d2655f169ce06042d084c54234d4daf72e978c80be9ac9d954e9e8d9a08bab52075

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\isRGNmoWWcpTu9y2aQTUlGel.exe
Filesize
3.8MB

MD5
acfc823a15fbc0247f1974b9a7dc7cf8

SHA1
3289cb74a353915117e7b1649acbff7449068018

SHA256
2b8795c54cc826e2f7c62a5c15088a1d9aa9ff31373abf710caacf4d0a5f1b81

SHA512
1429b568485669dd1376cf2082efa4dff7ac2042fab6ddc31889cb92087dfd4609399395935e47910f4c982f85e1e5b3dc6061e97258c5078a8791aa2d5b3568

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\isRGNmoWWcpTu9y2aQTUlGel.exe
Filesize
3.0MB

MD5
9c48dd1ca221ad00b49bbae10a439456

SHA1
a3358b6fafbe4027e867f4d58ec386098a289beb

SHA256
ced541c8afa1514d261b4e3f8eed12060bfa46518c18b7cc1edbe37d69175024

SHA512
09aa05a0a0d10b5839d4295296cd81d402a7adb953f95b72f5784a747b88f72422acd4f9d0f6f9e0fb658bad7ee55056b8f9dc93f49aa9ee94882b6f3db482b4

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\t3pyy4zaEevTeOm21kKwXB5p.exe
Filesize
4.6MB

MD5
c9bc54d979bcd59bb9116e02969a8438

SHA1
7126a637299a38f75c641d1201127d91b6f66bb4

SHA256
0c264f43a4f99ca4c576cbce92c22715c0563a590631200fbd6cfb70b5046f7c

SHA512
b3906d400a21f241b4905ffe6d5503f6f5e5cd81d58700f79e53625c0ae92c04e4bfabd9a917f8292dee99f1d6037a823110f3efdd17786e4a3d764a3b27f273

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\yPoh5FfeO9AUMm7Frs8J1IF6.exe
Filesize
2.2MB

MD5
fd18b27222e4a9e3abea79212f6c2e92

SHA1
e4fb8166f119fa4aa545cafb9095510ae3d44e32

SHA256
ae0d929efc63331d85840148cde7ab09005a0487c231b24a9e7a480edd55820e

SHA512
90b647f7303c3618463153997baa35efe84570db9bc9be274e3c450208af8e600f3a907497a1ce6c6ae6d8c15f13daef7c47a7fffe97a402fcde7eb59907cf85

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\yZ1fgGZjAoOJPLB0Z_vN6mcb.exe
Filesize
5.3MB

MD5
698438cba179693c98e0bd1c19f5a5ed

SHA1
bbd44b4c22c36e182fb7e03b77c2b5d3bec995cc

SHA256
b3b751fc496eed398b80e7d10bee3064576729522e17d122baf787672ea7a8d0

SHA512
c0fa18faa23233bde63c5c69af73648d519d05f1d4e1aa58fe0f4884775c6149ebae48ffa64013773398adf259d03a294e58f70642c8786ae9eb568db274699b

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\z3prmGctJTE9SReotlTJRJpM.exe
Filesize
456KB

MD5
9f10349504fae0960f2cf133ccf21252

SHA1
73a89cb697803cc046362bc68027e184e83b4e45

SHA256
850b16ddca4fb0ec70a60e534bc3c75aac0f0b6d2af52674d09ec7bd75dd6938

SHA512
aab1c7f04f58f06abe7a1a433d8f209871457b893f2f894532e4cf4c543faab53ce8a5f0918cafe1d8b9ea485c556a55c45805a88114cd031ee5e6d085745711

Download Submit
C:\Users\Admin\Downloads\v4_file_x86_64.rar.crdownload
Filesize
10.0MB

MD5
062667c22eed83d85925684327275064

SHA1
e9e17d0cbd9e968f2e3eb1aaab10728d590c9bd2

SHA256
29bf715c7c0aa2b6736d5ede93f922946c87d839bff580b8818b2c11f827de53

SHA512
3c5030494faf565902fd037e137448b5c6bea12461e24326cd64110b3988c63ca9aefe24e877a8a33158b72400191d198f5f5ea3bed2f371f1df36251a9f1d94

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
\??\pipe\crashpad_1448_LWOJNPVMPICXPVAE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/468-300-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/928-350-0x0000023F6EFE0000-0x0000023F6F056000-memory.dmp

Filesize
472KB

Download
memory/928-327-0x0000023F6E750000-0x0000023F6E762000-memory.dmp

Filesize
72KB

Download
memory/928-368-0x0000023F6EFA0000-0x0000023F6EFBE000-memory.dmp

Filesize
120KB

Download
memory/928-295-0x0000023F6C970000-0x0000023F6C984000-memory.dmp

Filesize
80KB

Download
memory/928-321-0x0000023F6E700000-0x0000023F6E70A000-memory.dmp

Filesize
40KB

Download
memory/928-340-0x0000023F6E730000-0x0000023F6E73A000-memory.dmp

Filesize
40KB

Download
memory/2468-296-0x0000000000070000-0x0000000000706000-memory.dmp

Filesize
6.6MB

Download
memory/2468-307-0x0000000000070000-0x0000000000706000-memory.dmp

Filesize
6.6MB

Download
memory/2468-306-0x0000000000070000-0x0000000000706000-memory.dmp

Filesize
6.6MB

Download
memory/2468-305-0x0000000000070000-0x0000000000706000-memory.dmp

Filesize
6.6MB

Download
memory/2468-314-0x0000000000070000-0x0000000000706000-memory.dmp

Filesize
6.6MB

Download
memory/2988-354-0x0000000000400000-0x000000000101C000-memory.dmp

Filesize
12.1MB

Download
memory/2988-320-0x0000000000400000-0x000000000101C000-memory.dmp

Filesize
12.1MB

Download
memory/3548-309-0x0000000000400000-0x000000000103C000-memory.dmp

Filesize
12.2MB

Download
memory/3580-278-0x0000000140000000-0x0000000140739000-memory.dmp

Filesize
7.2MB

Download
memory/3580-73-0x0000000140000000-0x0000000140739000-memory.dmp

Filesize
7.2MB

Download
memory/3580-75-0x0000000140000000-0x0000000140739000-memory.dmp

Filesize
7.2MB

Download
memory/3580-316-0x0000000140000000-0x0000000140739000-memory.dmp

Filesize
7.2MB

Download
memory/3580-302-0x0000000140000000-0x0000000140739000-memory.dmp

Filesize
7.2MB

Download
memory/3580-97-0x0000000140000000-0x0000000140739000-memory.dmp

Filesize
7.2MB

Download
memory/3912-329-0x0000000005450000-0x00000000054EC000-memory.dmp

Filesize
624KB

Download
memory/3912-315-0x0000000000790000-0x0000000000B4A000-memory.dmp

Filesize
3.7MB

Download
memory/4104-361-0x0000000000430000-0x00000000004AF000-memory.dmp

Filesize
508KB

Download
memory/5348-351-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/5420-360-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download