redline | 64f622a1f573000d62900a8b048d8971a9b9c8b750aa077973d9e5deb0b50d7c

Resubmissions

Analysis

max time kernel
104s
max time network
130s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
04-06-2024 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AppFile_v4/setup.exe
Size

797.0MB
MD5

62e9d7714c85c824642d896247187aa5
SHA1

1dc0cc3541a93049c13effb36d9fbe27444a5c48
SHA256

604201c7cc370c0975b74c769f900a00267c048f7f3e0ece835f75b93e1ab839
SHA512

1c8057dde21fb7e2879bad756b8f3622085b02e206018e3bed91d63e05c028a8d984a6e8fcef543ba6a7c7584788d98811ca21aaf7602c12d2924a96a0a4f920
SSDEEP

98304:fWAHmwZ7DfvzXXxAam+/toU1LYnnzbHpZQBTZV:fRH3Znv7hAnuYPJZQ

Score

10^/10

redline stealc tofsee vidar logsdiller cloud (tg: @logsdillabot)discovery evasion execution infostealer persistence spyware stealer themida trojan

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

https://t.me/r8z0l

https://steamcommunity.com/profiles/76561199698764354

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.63:14707

Signatures

Detect Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2380-258-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/2380-256-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/2380-254-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

setup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/784-530-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

setup.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ setup.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1096 powershell.exe
4596 powershell.exe
3500 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1936 netsh.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe

pid	process
1096	powershell.exe
4596	powershell.exe
3500	powershell.exe

pid	process
1936	netsh.exe

.NET Reactor proctector 4 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Users\Admin\Documents\SimpleAdobe\nDHOkxn_Q_4s_uoQQzMi7q08.exe	net_reactor
C:\Users\Admin\Documents\SimpleAdobe\tdz7rpRLgZe97VqjapgvaF2f.exe	net_reactor
behavioral2/memory/1368-265-0x0000000000A20000-0x0000000000F34000-memory.dmp	net_reactor
behavioral2/memory/3892-262-0x0000000000850000-0x0000000000D60000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe

Executes dropped EXE 21 IoCs

Processes:

OB9g8dozFl4vNqWH0wDlg8sh.exenDHOkxn_Q_4s_uoQQzMi7q08.exeSzMVpgE9GLtDrGCGQ31BaeJs.exeyL1UNOUTMDjvCx35jFWOjQSc.exeotSPsZuLzBbNxlThxouFkPp8.exeCsrxAkIJclEcWNVSNV79d2nN.exeGZvUEO2Y2Cn4K92Xoursk_FI.exeocoMfpMPfq0rrpZIBdDnZ5yF.exeHOVROxJUnmb7Ja4NOZDpiiAW.exe65kdh3onnHVm4UWXi1uTuxJj.exejspei3ulgA6k0uQ1E0ZakzN3.exeikaWYbVYa1EkbqTXgpQ6ZOYX.exeIOgqbtZKF3H5oKWgxrgIXRBz.exeVJnGeEIrhSAiwsbCBr1_MsmS.exetdz7rpRLgZe97VqjapgvaF2f.exeikaWYbVYa1EkbqTXgpQ6ZOYX.exeVJnGeEIrhSAiwsbCBr1_MsmS.tmpInstall.exeaudioamplifier.exeaudioamplifier.exeInstall.exe

pid	process
1652	OB9g8dozFl4vNqWH0wDlg8sh.exe
1368	nDHOkxn_Q_4s_uoQQzMi7q08.exe
1488	SzMVpgE9GLtDrGCGQ31BaeJs.exe
1448	yL1UNOUTMDjvCx35jFWOjQSc.exe
1016	otSPsZuLzBbNxlThxouFkPp8.exe
4760	CsrxAkIJclEcWNVSNV79d2nN.exe
1608	GZvUEO2Y2Cn4K92Xoursk_FI.exe
4864	ocoMfpMPfq0rrpZIBdDnZ5yF.exe
3284	HOVROxJUnmb7Ja4NOZDpiiAW.exe
424	65kdh3onnHVm4UWXi1uTuxJj.exe
2084	jspei3ulgA6k0uQ1E0ZakzN3.exe
3632	ikaWYbVYa1EkbqTXgpQ6ZOYX.exe
3776	IOgqbtZKF3H5oKWgxrgIXRBz.exe
576	VJnGeEIrhSAiwsbCBr1_MsmS.exe
3892	tdz7rpRLgZe97VqjapgvaF2f.exe
1888	ikaWYbVYa1EkbqTXgpQ6ZOYX.exe
888	VJnGeEIrhSAiwsbCBr1_MsmS.tmp
2092	Install.exe
2148	audioamplifier.exe
4564	audioamplifier.exe
3148	Install.exe

Loads dropped DLL 3 IoCs

Processes:

VJnGeEIrhSAiwsbCBr1_MsmS.tmpyL1UNOUTMDjvCx35jFWOjQSc.exe

pid process

888 VJnGeEIrhSAiwsbCBr1_MsmS.tmp
1448 yL1UNOUTMDjvCx35jFWOjQSc.exe
1448 yL1UNOUTMDjvCx35jFWOjQSc.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
888	VJnGeEIrhSAiwsbCBr1_MsmS.tmp
1448	yL1UNOUTMDjvCx35jFWOjQSc.exe
1448	yL1UNOUTMDjvCx35jFWOjQSc.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3580-0-0x0000000140000000-0x0000000140D0E000-memory.dmp	themida
behavioral2/memory/3580-10-0x0000000140000000-0x0000000140D0E000-memory.dmp	themida
behavioral2/memory/3580-9-0x0000000140000000-0x0000000140D0E000-memory.dmp	themida
behavioral2/memory/3580-8-0x0000000140000000-0x0000000140D0E000-memory.dmp	themida
behavioral2/memory/3580-11-0x0000000140000000-0x0000000140D0E000-memory.dmp	themida
behavioral2/memory/3580-19-0x0000000140000000-0x0000000140D0E000-memory.dmp	themida
behavioral2/memory/3580-128-0x0000000140000000-0x0000000140D0E000-memory.dmp	themida
behavioral2/memory/3580-176-0x0000000140000000-0x0000000140D0E000-memory.dmp	themida
behavioral2/memory/3580-679-0x0000000140000000-0x0000000140D0E000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

setup.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA setup.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

34 iplogger.org
70 iplogger.org
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 api.myip.com
2 ipinfo.io
5 api.myip.com
6 ipinfo.io
98 ipinfo.io
103 ipinfo.io

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe

flow	ioc
34	iplogger.org
70	iplogger.org

flow	ioc
2	api.myip.com
2	ipinfo.io
5	api.myip.com
6	ipinfo.io
98	ipinfo.io
103	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

setup.exeCsrxAkIJclEcWNVSNV79d2nN.exe

pid process

3580 setup.exe
3580 setup.exe
4760 CsrxAkIJclEcWNVSNV79d2nN.exe

pid	process
3580	setup.exe
3580	setup.exe
4760	CsrxAkIJclEcWNVSNV79d2nN.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

HOVROxJUnmb7Ja4NOZDpiiAW.exeocoMfpMPfq0rrpZIBdDnZ5yF.exeSzMVpgE9GLtDrGCGQ31BaeJs.exe65kdh3onnHVm4UWXi1uTuxJj.exenDHOkxn_Q_4s_uoQQzMi7q08.exetdz7rpRLgZe97VqjapgvaF2f.exe

description	pid	process	target process
PID 3284 set thread context of 2380	3284	HOVROxJUnmb7Ja4NOZDpiiAW.exe	RegAsm.exe
PID 4864 set thread context of 4748	4864	ocoMfpMPfq0rrpZIBdDnZ5yF.exe	RegAsm.exe
PID 1488 set thread context of 784	1488	SzMVpgE9GLtDrGCGQ31BaeJs.exe	MSBuild.exe
PID 424 set thread context of 3216	424	65kdh3onnHVm4UWXi1uTuxJj.exe	RegAsm.exe
PID 1368 set thread context of 4532	1368	nDHOkxn_Q_4s_uoQQzMi7q08.exe	RegAsm.exe
PID 3892 set thread context of 4352	3892	tdz7rpRLgZe97VqjapgvaF2f.exe	RegAsm.exe

Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

572 sc.exe
3132 sc.exe
948 sc.exe
2544 sc.exe
1520 sc.exe
3392 sc.exe
392 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
572	sc.exe
3132	sc.exe
948	sc.exe
2544	sc.exe
1520	sc.exe
3392	sc.exe
392	sc.exe

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3716	1608	WerFault.exe	GZvUEO2Y2Cn4K92Xoursk_FI.exe
2352	1608	WerFault.exe	GZvUEO2Y2Cn4K92Xoursk_FI.exe
4828	1608	WerFault.exe	GZvUEO2Y2Cn4K92Xoursk_FI.exe
4824	1608	WerFault.exe	GZvUEO2Y2Cn4K92Xoursk_FI.exe
3596	1608	WerFault.exe	GZvUEO2Y2Cn4K92Xoursk_FI.exe
2992	1608	WerFault.exe	GZvUEO2Y2Cn4K92Xoursk_FI.exe
4984	1608	WerFault.exe	GZvUEO2Y2Cn4K92Xoursk_FI.exe
3472	1888	WerFault.exe	ikaWYbVYa1EkbqTXgpQ6ZOYX.exe
4472	2084	WerFault.exe	jspei3ulgA6k0uQ1E0ZakzN3.exe
1388	1448	WerFault.exe	yL1UNOUTMDjvCx35jFWOjQSc.exe
1244	1488	WerFault.exe	amurxkqo.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

yL1UNOUTMDjvCx35jFWOjQSc.exeRegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yL1UNOUTMDjvCx35jFWOjQSc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	yL1UNOUTMDjvCx35jFWOjQSc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3100 schtasks.exe
2696 schtasks.exe
1884 schtasks.exe
2236 schtasks.exe
3372 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1912 timeout.exe

pid	process
3100	schtasks.exe
2696	schtasks.exe
1884	schtasks.exe
2236	schtasks.exe
3372	schtasks.exe

pid	process
1912	timeout.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

yL1UNOUTMDjvCx35jFWOjQSc.exeIOgqbtZKF3H5oKWgxrgIXRBz.exeRegAsm.exeRegAsm.exe

pid	process
1448	yL1UNOUTMDjvCx35jFWOjQSc.exe
1448	yL1UNOUTMDjvCx35jFWOjQSc.exe
3776	IOgqbtZKF3H5oKWgxrgIXRBz.exe
3776	IOgqbtZKF3H5oKWgxrgIXRBz.exe
2380	RegAsm.exe
2380	RegAsm.exe
3216	RegAsm.exe
3216	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

ocoMfpMPfq0rrpZIBdDnZ5yF.exeSzMVpgE9GLtDrGCGQ31BaeJs.exe65kdh3onnHVm4UWXi1uTuxJj.exenDHOkxn_Q_4s_uoQQzMi7q08.exetdz7rpRLgZe97VqjapgvaF2f.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4864	ocoMfpMPfq0rrpZIBdDnZ5yF.exe
Token: SeDebugPrivilege	1488	SzMVpgE9GLtDrGCGQ31BaeJs.exe
Token: SeDebugPrivilege	424	65kdh3onnHVm4UWXi1uTuxJj.exe
Token: SeDebugPrivilege	1368	nDHOkxn_Q_4s_uoQQzMi7q08.exe
Token: SeDebugPrivilege	3892	tdz7rpRLgZe97VqjapgvaF2f.exe
Token: SeDebugPrivilege	3216	RegAsm.exe
Token: SeBackupPrivilege	3216	RegAsm.exe
Token: SeSecurityPrivilege	3216	RegAsm.exe
Token: SeSecurityPrivilege	3216	RegAsm.exe
Token: SeSecurityPrivilege	3216	RegAsm.exe
Token: SeSecurityPrivilege	3216	RegAsm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

VJnGeEIrhSAiwsbCBr1_MsmS.tmp

pid process

888 VJnGeEIrhSAiwsbCBr1_MsmS.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

CsrxAkIJclEcWNVSNV79d2nN.exe

pid process

4760 CsrxAkIJclEcWNVSNV79d2nN.exe

pid	process
888	VJnGeEIrhSAiwsbCBr1_MsmS.tmp

pid	process
4760	CsrxAkIJclEcWNVSNV79d2nN.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup.exeHOVROxJUnmb7Ja4NOZDpiiAW.exeikaWYbVYa1EkbqTXgpQ6ZOYX.exeVJnGeEIrhSAiwsbCBr1_MsmS.exeOB9g8dozFl4vNqWH0wDlg8sh.exe

description	pid	process	target process
PID 3580 wrote to memory of 1652	3580	setup.exe	OB9g8dozFl4vNqWH0wDlg8sh.exe
PID 3580 wrote to memory of 1652	3580	setup.exe	OB9g8dozFl4vNqWH0wDlg8sh.exe
PID 3580 wrote to memory of 1652	3580	setup.exe	OB9g8dozFl4vNqWH0wDlg8sh.exe
PID 3580 wrote to memory of 1368	3580	setup.exe	nDHOkxn_Q_4s_uoQQzMi7q08.exe
PID 3580 wrote to memory of 1368	3580	setup.exe	nDHOkxn_Q_4s_uoQQzMi7q08.exe
PID 3580 wrote to memory of 1368	3580	setup.exe	nDHOkxn_Q_4s_uoQQzMi7q08.exe
PID 3580 wrote to memory of 1488	3580	setup.exe	SzMVpgE9GLtDrGCGQ31BaeJs.exe
PID 3580 wrote to memory of 1488	3580	setup.exe	SzMVpgE9GLtDrGCGQ31BaeJs.exe
PID 3580 wrote to memory of 1488	3580	setup.exe	SzMVpgE9GLtDrGCGQ31BaeJs.exe
PID 3580 wrote to memory of 1448	3580	setup.exe	yL1UNOUTMDjvCx35jFWOjQSc.exe
PID 3580 wrote to memory of 1448	3580	setup.exe	yL1UNOUTMDjvCx35jFWOjQSc.exe
PID 3580 wrote to memory of 1448	3580	setup.exe	yL1UNOUTMDjvCx35jFWOjQSc.exe
PID 3580 wrote to memory of 1016	3580	setup.exe	otSPsZuLzBbNxlThxouFkPp8.exe
PID 3580 wrote to memory of 1016	3580	setup.exe	otSPsZuLzBbNxlThxouFkPp8.exe
PID 3580 wrote to memory of 1016	3580	setup.exe	otSPsZuLzBbNxlThxouFkPp8.exe
PID 3580 wrote to memory of 4864	3580	setup.exe	ocoMfpMPfq0rrpZIBdDnZ5yF.exe
PID 3580 wrote to memory of 4864	3580	setup.exe	ocoMfpMPfq0rrpZIBdDnZ5yF.exe
PID 3580 wrote to memory of 4864	3580	setup.exe	ocoMfpMPfq0rrpZIBdDnZ5yF.exe
PID 3580 wrote to memory of 4760	3580	setup.exe	CsrxAkIJclEcWNVSNV79d2nN.exe
PID 3580 wrote to memory of 4760	3580	setup.exe	CsrxAkIJclEcWNVSNV79d2nN.exe
PID 3580 wrote to memory of 4760	3580	setup.exe	CsrxAkIJclEcWNVSNV79d2nN.exe
PID 3580 wrote to memory of 1608	3580	setup.exe	GZvUEO2Y2Cn4K92Xoursk_FI.exe
PID 3580 wrote to memory of 1608	3580	setup.exe	GZvUEO2Y2Cn4K92Xoursk_FI.exe
PID 3580 wrote to memory of 1608	3580	setup.exe	GZvUEO2Y2Cn4K92Xoursk_FI.exe
PID 3580 wrote to memory of 3284	3580	setup.exe	HOVROxJUnmb7Ja4NOZDpiiAW.exe
PID 3580 wrote to memory of 3284	3580	setup.exe	HOVROxJUnmb7Ja4NOZDpiiAW.exe
PID 3580 wrote to memory of 3284	3580	setup.exe	HOVROxJUnmb7Ja4NOZDpiiAW.exe
PID 3580 wrote to memory of 424	3580	setup.exe	65kdh3onnHVm4UWXi1uTuxJj.exe
PID 3580 wrote to memory of 424	3580	setup.exe	65kdh3onnHVm4UWXi1uTuxJj.exe
PID 3580 wrote to memory of 424	3580	setup.exe	65kdh3onnHVm4UWXi1uTuxJj.exe
PID 3580 wrote to memory of 2084	3580	setup.exe	jspei3ulgA6k0uQ1E0ZakzN3.exe
PID 3580 wrote to memory of 2084	3580	setup.exe	jspei3ulgA6k0uQ1E0ZakzN3.exe
PID 3580 wrote to memory of 2084	3580	setup.exe	jspei3ulgA6k0uQ1E0ZakzN3.exe
PID 3580 wrote to memory of 3632	3580	setup.exe	ikaWYbVYa1EkbqTXgpQ6ZOYX.exe
PID 3580 wrote to memory of 3632	3580	setup.exe	ikaWYbVYa1EkbqTXgpQ6ZOYX.exe
PID 3580 wrote to memory of 3632	3580	setup.exe	ikaWYbVYa1EkbqTXgpQ6ZOYX.exe
PID 3580 wrote to memory of 3776	3580	setup.exe	IOgqbtZKF3H5oKWgxrgIXRBz.exe
PID 3580 wrote to memory of 3776	3580	setup.exe	IOgqbtZKF3H5oKWgxrgIXRBz.exe
PID 3580 wrote to memory of 576	3580	setup.exe	VJnGeEIrhSAiwsbCBr1_MsmS.exe
PID 3580 wrote to memory of 576	3580	setup.exe	VJnGeEIrhSAiwsbCBr1_MsmS.exe
PID 3580 wrote to memory of 576	3580	setup.exe	VJnGeEIrhSAiwsbCBr1_MsmS.exe
PID 3580 wrote to memory of 3892	3580	setup.exe	tdz7rpRLgZe97VqjapgvaF2f.exe
PID 3580 wrote to memory of 3892	3580	setup.exe	tdz7rpRLgZe97VqjapgvaF2f.exe
PID 3580 wrote to memory of 3892	3580	setup.exe	tdz7rpRLgZe97VqjapgvaF2f.exe
PID 3284 wrote to memory of 3108	3284	HOVROxJUnmb7Ja4NOZDpiiAW.exe	RegAsm.exe
PID 3284 wrote to memory of 3108	3284	HOVROxJUnmb7Ja4NOZDpiiAW.exe	RegAsm.exe
PID 3284 wrote to memory of 3108	3284	HOVROxJUnmb7Ja4NOZDpiiAW.exe	RegAsm.exe
PID 3284 wrote to memory of 2380	3284	HOVROxJUnmb7Ja4NOZDpiiAW.exe	RegAsm.exe
PID 3284 wrote to memory of 2380	3284	HOVROxJUnmb7Ja4NOZDpiiAW.exe	RegAsm.exe
PID 3284 wrote to memory of 2380	3284	HOVROxJUnmb7Ja4NOZDpiiAW.exe	RegAsm.exe
PID 3632 wrote to memory of 1888	3632	ikaWYbVYa1EkbqTXgpQ6ZOYX.exe	ikaWYbVYa1EkbqTXgpQ6ZOYX.exe
PID 3632 wrote to memory of 1888	3632	ikaWYbVYa1EkbqTXgpQ6ZOYX.exe	ikaWYbVYa1EkbqTXgpQ6ZOYX.exe
PID 3632 wrote to memory of 1888	3632	ikaWYbVYa1EkbqTXgpQ6ZOYX.exe	ikaWYbVYa1EkbqTXgpQ6ZOYX.exe
PID 576 wrote to memory of 888	576	VJnGeEIrhSAiwsbCBr1_MsmS.exe	VJnGeEIrhSAiwsbCBr1_MsmS.tmp
PID 576 wrote to memory of 888	576	VJnGeEIrhSAiwsbCBr1_MsmS.exe	VJnGeEIrhSAiwsbCBr1_MsmS.tmp
PID 576 wrote to memory of 888	576	VJnGeEIrhSAiwsbCBr1_MsmS.exe	VJnGeEIrhSAiwsbCBr1_MsmS.tmp
PID 3284 wrote to memory of 2380	3284	HOVROxJUnmb7Ja4NOZDpiiAW.exe	RegAsm.exe
PID 3284 wrote to memory of 2380	3284	HOVROxJUnmb7Ja4NOZDpiiAW.exe	RegAsm.exe
PID 3284 wrote to memory of 2380	3284	HOVROxJUnmb7Ja4NOZDpiiAW.exe	RegAsm.exe
PID 3284 wrote to memory of 2380	3284	HOVROxJUnmb7Ja4NOZDpiiAW.exe	RegAsm.exe
PID 3284 wrote to memory of 2380	3284	HOVROxJUnmb7Ja4NOZDpiiAW.exe	RegAsm.exe
PID 3284 wrote to memory of 2380	3284	HOVROxJUnmb7Ja4NOZDpiiAW.exe	RegAsm.exe
PID 1652 wrote to memory of 2092	1652	OB9g8dozFl4vNqWH0wDlg8sh.exe	Install.exe
PID 1652 wrote to memory of 2092	1652	OB9g8dozFl4vNqWH0wDlg8sh.exe	Install.exe

C:\Users\Admin\AppData\Local\Temp\AppFile_v4\setup.exe
"C:\Users\Admin\AppData\Local\Temp\AppFile_v4\setup.exe"
1⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3580

C:\Users\Admin\Documents\SimpleAdobe\OB9g8dozFl4vNqWH0wDlg8sh.exe
C:\Users\Admin\Documents\SimpleAdobe\OB9g8dozFl4vNqWH0wDlg8sh.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\7zSACF4.tmp\Install.exe
.\Install.exe
3⤵
- Executes dropped EXE
PID:2092

C:\Users\Admin\AppData\Local\Temp\7zSBE0B.tmp\Install.exe
.\Install.exe /FLMvodidQIjM "525403" /S
4⤵
- Executes dropped EXE
PID:3148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
5⤵
PID:3960

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
6⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
7⤵
PID:3120

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
8⤵
PID:3260

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
6⤵
PID:3272

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
7⤵
PID:1488

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
8⤵
PID:3440

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
6⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
7⤵
PID:2000

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
8⤵
PID:4928

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
6⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
7⤵
PID:2948

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
8⤵
PID:4636

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
6⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
7⤵
PID:1188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
8⤵
- Command and Scripting Interpreter: PowerShell
PID:4596

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
9⤵
PID:736

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
5⤵
PID:4516

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
PID:4584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
- Command and Scripting Interpreter: PowerShell
PID:1096

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
PID:3268

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bOyQhMdEabcKHnOHLp" /SC once /ST 13:16:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSBE0B.tmp\Install.exe\" 8e /uzAdidZUby 525403 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:1884

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bOyQhMdEabcKHnOHLp"
5⤵
PID:4136

C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn bOyQhMdEabcKHnOHLp
6⤵
PID:1032

\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn bOyQhMdEabcKHnOHLp
7⤵
PID:648

C:\Users\Admin\Documents\SimpleAdobe\IOgqbtZKF3H5oKWgxrgIXRBz.exe
C:\Users\Admin\Documents\SimpleAdobe\IOgqbtZKF3H5oKWgxrgIXRBz.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3776

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
PID:3108

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
PID:3576

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
PID:2084

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
PID:1540

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "RULTVSKP"
3⤵
- Launches sc.exe
PID:2544

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "RULTVSKP" binpath= "C:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exe" start= "auto"
3⤵
- Launches sc.exe
PID:1520

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:3392

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "RULTVSKP"
3⤵
- Launches sc.exe
PID:392

C:\Users\Admin\Documents\SimpleAdobe\nDHOkxn_Q_4s_uoQQzMi7q08.exe
C:\Users\Admin\Documents\SimpleAdobe\nDHOkxn_Q_4s_uoQQzMi7q08.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4532

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2236

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:3372

C:\Users\Admin\AppData\Local\Temp\spanMJ3Yd7Y4wsaY\eY0xuslQCgmcqalT7fcU.exe
"C:\Users\Admin\AppData\Local\Temp\spanMJ3Yd7Y4wsaY\eY0xuslQCgmcqalT7fcU.exe"
4⤵
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:3760

C:\Users\Admin\Documents\SimpleAdobe\SzMVpgE9GLtDrGCGQ31BaeJs.exe
C:\Users\Admin\Documents\SimpleAdobe\SzMVpgE9GLtDrGCGQ31BaeJs.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:784

C:\Users\Admin\Documents\SimpleAdobe\yL1UNOUTMDjvCx35jFWOjQSc.exe
C:\Users\Admin\Documents\SimpleAdobe\yL1UNOUTMDjvCx35jFWOjQSc.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CBKFBAECBA.exe"
3⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\CBKFBAECBA.exe
"C:\Users\Admin\AppData\Local\Temp\CBKFBAECBA.exe"
4⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 2540
3⤵
- Program crash
PID:1388

C:\Users\Admin\Documents\SimpleAdobe\otSPsZuLzBbNxlThxouFkPp8.exe
C:\Users\Admin\Documents\SimpleAdobe\otSPsZuLzBbNxlThxouFkPp8.exe
2⤵
- Executes dropped EXE
PID:1016

C:\Users\Admin\AppData\Local\Temp\katFCBA.tmp
C:\Users\Admin\AppData\Local\Temp\katFCBA.tmp
3⤵
PID:5108

C:\Users\Admin\Documents\SimpleAdobe\VJnGeEIrhSAiwsbCBr1_MsmS.exe
C:\Users\Admin\Documents\SimpleAdobe\VJnGeEIrhSAiwsbCBr1_MsmS.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:576

C:\Users\Admin\AppData\Local\Temp\is-LTF3M.tmp\VJnGeEIrhSAiwsbCBr1_MsmS.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LTF3M.tmp\VJnGeEIrhSAiwsbCBr1_MsmS.tmp" /SL5="$50212,6131445,54272,C:\Users\Admin\Documents\SimpleAdobe\VJnGeEIrhSAiwsbCBr1_MsmS.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:888

C:\Users\Admin\AppData\Local\Free Audio Amplifier\audioamplifier.exe
"C:\Users\Admin\AppData\Local\Free Audio Amplifier\audioamplifier.exe" -i
4⤵
- Executes dropped EXE
PID:2148

C:\Users\Admin\AppData\Local\Free Audio Amplifier\audioamplifier.exe
"C:\Users\Admin\AppData\Local\Free Audio Amplifier\audioamplifier.exe" -s
4⤵
- Executes dropped EXE
PID:4564

C:\Users\Admin\Documents\SimpleAdobe\ocoMfpMPfq0rrpZIBdDnZ5yF.exe
C:\Users\Admin\Documents\SimpleAdobe\ocoMfpMPfq0rrpZIBdDnZ5yF.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4748

C:\Users\Admin\Documents\SimpleAdobe\CsrxAkIJclEcWNVSNV79d2nN.exe
C:\Users\Admin\Documents\SimpleAdobe\CsrxAkIJclEcWNVSNV79d2nN.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4760

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:3100

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2696

C:\Users\Admin\Documents\SimpleAdobe\GZvUEO2Y2Cn4K92Xoursk_FI.exe
C:\Users\Admin\Documents\SimpleAdobe\GZvUEO2Y2Cn4K92Xoursk_FI.exe
2⤵
- Executes dropped EXE
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 772
3⤵
- Program crash
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 772
3⤵
- Program crash
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 804
3⤵
- Program crash
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 812
3⤵
- Program crash
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 1040
3⤵
- Program crash
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 1052
3⤵
- Program crash
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 1256
3⤵
- Program crash
PID:4984

C:\Users\Admin\Documents\SimpleAdobe\tdz7rpRLgZe97VqjapgvaF2f.exe
C:\Users\Admin\Documents\SimpleAdobe\tdz7rpRLgZe97VqjapgvaF2f.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4352

C:\Users\Admin\Documents\SimpleAdobe\65kdh3onnHVm4UWXi1uTuxJj.exe
C:\Users\Admin\Documents\SimpleAdobe\65kdh3onnHVm4UWXi1uTuxJj.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Users\Admin\Documents\SimpleAdobe\HOVROxJUnmb7Ja4NOZDpiiAW.exe
C:\Users\Admin\Documents\SimpleAdobe\HOVROxJUnmb7Ja4NOZDpiiAW.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GDHCGDGIEBKJ" & exit
4⤵
PID:1552

C:\Windows\SysWOW64\timeout.exe
timeout /t 10
5⤵
- Delays execution with timeout.exe
PID:1912

C:\Users\Admin\Documents\SimpleAdobe\ikaWYbVYa1EkbqTXgpQ6ZOYX.exe
C:\Users\Admin\Documents\SimpleAdobe\ikaWYbVYa1EkbqTXgpQ6ZOYX.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632

C:\Users\Admin\AppData\Local\Temp\e58b39b\ikaWYbVYa1EkbqTXgpQ6ZOYX.exe
C:\Users\Admin\Documents\SimpleAdobe\ikaWYbVYa1EkbqTXgpQ6ZOYX.exe run=1 shortcut="C:\Users\Admin\Documents\SimpleAdobe\ikaWYbVYa1EkbqTXgpQ6ZOYX.exe"
3⤵
- Executes dropped EXE
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 2088
4⤵
- Program crash
PID:3472

C:\Users\Admin\Documents\SimpleAdobe\jspei3ulgA6k0uQ1E0ZakzN3.exe
C:\Users\Admin\Documents\SimpleAdobe\jspei3ulgA6k0uQ1E0ZakzN3.exe
2⤵
- Executes dropped EXE
PID:2084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kkqjaduf\
3⤵
PID:3416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\amurxkqo.exe" C:\Windows\SysWOW64\kkqjaduf\
3⤵
PID:3976

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create kkqjaduf binPath= "C:\Windows\SysWOW64\kkqjaduf\amurxkqo.exe /d\"C:\Users\Admin\Documents\SimpleAdobe\jspei3ulgA6k0uQ1E0ZakzN3.exe\"" type= own start= auto DisplayName= "wifi support"
3⤵
- Launches sc.exe
PID:572

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description kkqjaduf "wifi internet conection"
3⤵
- Launches sc.exe
PID:3132

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start kkqjaduf
3⤵
- Launches sc.exe
PID:948

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
3⤵
- Modifies Windows Firewall
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 948
3⤵
- Program crash
PID:4472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1608 -ip 1608
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1608 -ip 1608
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1608 -ip 1608
1⤵
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1608 -ip 1608
1⤵
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1608 -ip 1608
1⤵
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1608 -ip 1608
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1608 -ip 1608
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1888 -ip 1888
1⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2084 -ip 2084
1⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1448 -ip 1448
1⤵
PID:1028

C:\Windows\SysWOW64\kkqjaduf\amurxkqo.exe
C:\Windows\SysWOW64\kkqjaduf\amurxkqo.exe /d"C:\Users\Admin\Documents\SimpleAdobe\jspei3ulgA6k0uQ1E0ZakzN3.exe"
1⤵
PID:1488

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 548
2⤵
- Program crash
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1488 -ip 1488
1⤵
PID:488

C:\Users\Admin\AppData\Local\Temp\7zSBE0B.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSBE0B.tmp\Install.exe 8e /uzAdidZUby 525403 /S
1⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
PID:4708

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
PID:796

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:3048

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
PID:1376

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:4476

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
3⤵
PID:3412

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
4⤵
PID:1464

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:4976

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
4⤵
PID:2000

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:4136

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
4⤵
PID:4804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
- Command and Scripting Interpreter: PowerShell
PID:3500

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
6⤵
PID:2320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:1032

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:648

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2808

C:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exe
C:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exe
1⤵
PID:4664

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:440

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:3948

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:1368

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:4516

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:1932

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DBKKKEHDHCBF\AKJDAE
Filesize
6KB

MD5
c0419f6f75759e3dcaeaf8c31c7f6191

SHA1
18388554cf85412c8aa049ec41ee510e349a69ae

SHA256
a08ea5e05554d95ca3a9073ab0f6d5e1b05b670b29fec8054460c08650a843a6

SHA512
8d6fe54e97276636d54e2b1c0149fb92cf757ce4d86e046513b1daaf14ee64d6747801da57ef5bc527d07b96c05805449b55addc701c4c79760fae6e110f8cfb

Download Submit
C:\ProgramData\GDHCGDGIEBKJ\BAKFBK
Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\ProgramData\GDHCGDGIEBKJ\CAKKEG
Filesize
100KB

MD5
b5a2b7cd14930f21483dde89c8ab1c34

SHA1
85e7f62baa7218d9d86e83ca84f1f583354b7f6c

SHA256
e9da28248aba48d8819297a64e9913217778aca459a00eb829241601fa3111db

SHA512
86a5c97bdfc4301223a39595b87c9695a5229114e3c6c9115f5386380451a3908e358aa0a5ba55ad7b74d952e57a5debcea4b119a9decfe96636b1e27ec1d734

Download Submit
C:\ProgramData\OSI AppLevel 6.3.66\OSI AppLevel 6.3.66.exe
Filesize
4.5MB

MD5
a6b75163d30d398198622e2567c20924

SHA1
b4d94297c38f52ffb5fba6e46beb6c8e36e8d7b4

SHA256
00ab2965fcde2cde9bd2292a9bd399cc1d2c9eb0cf679caafdc5e464fa31a92f

SHA512
a7e55f55896ad3f9dfb6133f97aefea38d8fa1ed83e9d18cbf46d3713dc546f11881ec33276dfb39b60ed9894fb0da5a0e74a26b9fedbff533fcc9a826f14b6d

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
5b74da6778ccaa0e1ca4ae7484775943

SHA1
0a2f6f315a0ca1a0366b509aec7b13c606645654

SHA256
172282931d7eeb60228e6b9b4b913fd78c73f2a7855620f35fb24a5c847b6c78

SHA512
20b4cb7174f49b22426b249f1dfc8f6273f50d1502536e773f4dcd073bf027f2a554d2437c2dc628dbe021c5c3b968b2d89f810ff1bb19630c1560e7feee1a1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tdz7rpRLgZe97VqjapgvaF2f.exe.log
Filesize
522B

MD5
6658b021c1f7ac5e44634117ffe5bbeb

SHA1
23584308445dcbc6ccc2f8c94ca34018e752f312

SHA256
ab332f4f12e0cfa58daf8a27e801fcd5ed7f2781d7149a9be89e6ef40623d793

SHA512
ed8ba3c2c86a8a8c016c0f035ef79393c6d96531ff10bde005038897f5af48e4b37908d0c3b7394cf3b60e8c50ccde0f374a3f113493be1b772acc3e6b06311f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9K4J3G8B\advdlc[1].htm
Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C76012RU\sqls[1].dll
Filesize
2.3MB

MD5
90e744829865d57082a7f452edc90de5

SHA1
833b178775f39675fa4e55eab1032353514e1052

SHA256
036a57102385d7f0d7b2deacf932c1c372ae30d924365b7a88f8a26657dd7550

SHA512
0a2d112ff7cb806a74f5ec17fe097d28107bb497d6ed5ad28ea47e6795434ba903cdb49aaf97a9a99c08cd0411f1969cad93031246dc107c26606a898e570323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
d5494b3cf2891a5be2c80d9c5debe02e

SHA1
59eaf0f946947510d28b1837a4ac22932e13b5cb

SHA256
c74eaf0353f6505e10bf60b534241c3de197a7cd1ca6452e2e60beb46639ed66

SHA512
d097f7f122e57ab317fba1afb2c2eb40cc166b5dee9e03162d5b26353dd740fe02948afcdc765783834549af881c2d1fa8ea5debf0148cc0bffeb12196a66d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSACF4.tmp\Install.exe
Filesize
6.4MB

MD5
8fd0883921314ee6b49f4ebbae55c229

SHA1
e5dc628aa8aa43889bfb7fa8b24211fcdfd5bd88

SHA256
030c6bda48a82d52153646dcb185238fa669c10ffc1655c6465e3b79ad484605

SHA512
3df030f14fdd1afff6864e623be3b02eca8235cf206dabf8e62fc98883fc05386cb6744d740b51ffcd3e3a6430b6ad2c23aaa1a55e8760128554424deda5c559

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBE0B.tmp\Install.exe
Filesize
6.7MB

MD5
1dc997d901e42223b4b68e305691df3e

SHA1
54cc5a133d2bb5b91f65475e9756fabade31960d

SHA256
0ca5e6ef54af68c270036a4c103c31999cba5027ae152c78ee6ac1e4616f4033

SHA512
ecc76c27688a14a3af8275bf32b5e9ee72a0a84405eff398bda3f2e180a4a918595148e33ccb3df8f8dc95396eed3c71d1ef12a039b98f03b11ac28da55fe92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBKFBAECBA.exe
Filesize
533KB

MD5
6c93fc68e2f01c20fb81af24470b790c

SHA1
d5927b38a32e30afcf5a658612a8266476fc4ad8

SHA256
64a71b664d76641b35dac312161cb356b3b3b5f0b45c9d88c8afa547b4902580

SHA512
355e9677121ef17cf8c398f0c17399776d206c62014080a2c62682e1152ea0729dcc6e233358dcd6bae009b07e3db936d4b18eb37d6e7ebc2fe9cf8d827c4ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cmit5qve.2og.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\amurxkqo.exe
Filesize
11.3MB

MD5
03acaf3dd955e7832060809ec7b44f22

SHA1
c42241ebd0e281616ed42f0fb1c4f03201fed44c

SHA256
1e5004c966276e5e03da70f7ca1e0bd1174468ed8399ee2c20cae97bc2c623a0

SHA512
3dcfc80b699260d0713afef599f160bd5a44e5b2a54d3f764eca4cabbd0287b535fc4b535b7151b360f9f79b8d9c19cee706a63ceef4597b996116efeed10f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\e58d2eb\Load.html
Filesize
2KB

MD5
1757c2d0841f85052f85d8d3cd03a827

SHA1
801b085330505bad85e7a5af69e6d15d962a7c3a

SHA256
3cf5674efaaf74beccd16d1b9bcf3ffb35c174d6d93375bc532b46d9b4b4ed35

SHA512
4a12a55aac846f137c18849302e74d34df70ea5aaff78d57fce05b4776bedcde9e1b1032734e29650bcbac3e6932dfef75d97931443446a23e21cf5b3072dd9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e58d2eb\common\js\common.js
Filesize
45KB

MD5
87daf84c22986fa441a388490e2ed220

SHA1
4eede8fb28a52e124261d8f3b10e6a40e89e5543

SHA256
787f5c13eac01bd8bbce329cc32d2f03073512e606b158e3fff07de814ea7f23

SHA512
af72a1d3757bd7731fa7dc3f820c0619e42634169643d786da5cce0c9b0d4babd4f7f57b12371180204a42fec6140a2cff0c13b37d183c9d6bbaeb8f5ce25e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e58d2eb\common\js\external.js
Filesize
36B

MD5
140918feded87fe0a5563a4080071258

SHA1
9a45488c130eba3a9279393d27d4a81080d9b96a

SHA256
25df7ab9509d4e8760f1fdc99684e0e72aac6e885cbdd3396febc405ea77e7f6

SHA512
56f5771db6f0f750ae60a1bb04e187a75fbee1210e1381831dcc2d9d0d4669ef4e58858945c1d5935e1f2d2f2e02fe4d2f08dd2ab27a14be10280b2dd4d8a7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e58d2eb\common\js\jquery-1.11.2.min.js
Filesize
93KB

MD5
5790ead7ad3ba27397aedfa3d263b867

SHA1
8130544c215fe5d1ec081d83461bf4a711e74882

SHA256
2ecd295d295bec062cedebe177e54b9d6b19fc0a841dc5c178c654c9ccff09c0

SHA512
781acedc99de4ce8d53d9b43a158c645eab1b23dfdfd6b57b3c442b11acc4a344e0d5b0067d4b78bb173abbded75fb91c410f2b5a58f71d438aa6266d048d98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e58d2eb\config\config.js
Filesize
5KB

MD5
34f8eb4ea7d667d961dccfa7cfd8d194

SHA1
80ca002efed52a92daeed1477f40c437a6541a07

SHA256
30c3d0e8bb3620fe243a75a10f23d83436ff4b15acb65f4f016258314581b73d

SHA512
b773b49c0bbd904f9f87b0b488ed38c23fc64b0bdd51ab78375a444ea656d929b3976808e715a62962503b0d579d791f9a21c45a53038ed7ae8263bd63bc0d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\e58d2eb\config\installerlist.js
Filesize
2KB

MD5
f90f74ad5b513b0c863f2a5d1c381c0b

SHA1
7ef91f2c0a7383bd4e76fd38c8dd2467abb41db7

SHA256
df2f68a1db705dc49b25faf1c04d69e84e214142389898110f6abb821a980dcc

SHA512
4e95032c4d3dbd5c5531d96a0e4c4688c4205255566a775679c5187422762a17cbca3e4b0068918dbf5e9bf148fc8594f8b747930e0634d10cc710bea9e6ff5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e58d2eb\config\installparams.js
Filesize
534B

MD5
5341de2e990c85795bcd6f09252f908b

SHA1
b88dd2301853dfcab8b54f45be648b17131e83c6

SHA256
8f93c4023af718e0f8e87d19a8b3e840a88dfb8e329fd8f5eaaa2a5b9bfa219e

SHA512
e0fb846c9bb836c4d3b5c444d9b45b2e489354d55688cb7da710c199a9f8f11491b74d1ff631c38eca633165923a3271c2136040b23a52a8dc6825fffada70ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\e58d2eb\config\stubparams.js
Filesize
37KB

MD5
91f6304d426d676ec9365c3e1ff249d5

SHA1
05a3456160862fbaf5b4a96aeb43c722e0a148da

SHA256
823f4f8dfe55d3ce894308122d6101fed1b8ef1eb8e93101945836655b2aed1b

SHA512
530f4fad6af5a0e600b037fcd094596652d2e3bf2f6d2ce465aae697ea90a361a0ffcc770c118102a0dd9bf12ab830ac6b459e57a268f435c88c049c127491f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\e58d2eb\pages\Initialization\features.js
Filesize
506B

MD5
7e20d80564b5d02568a8c9f00868b863

SHA1
15391f96e1b003f3c790a460965ebce9fce40b8a

SHA256
cba5152c525188a27394b48761362a9e119ef3d79761358a1e42c879c2fe08cc

SHA512
74d333f518cabb97a84aab98fbc72da9ce07dd74d8aab877e749815c17c1b836db63061b7ac5928dc0bb3ffd54f9a1d14b8be7ed3a1ba7b86ee1776f82ba78e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e58d2eb\pages\Initialization\page.html
Filesize
2KB

MD5
b23411777957312ec2a28cf8da6bcb4a

SHA1
6dd3bdf8be0abb5cb8bf63a35de95c8304f5e7c7

SHA256
4d0bdf44125e8be91eecaba44c9b965be9b0d2cb8897f3f35e94f2a74912f074

SHA512
e520b4096949a6d7648c197a57f8ce5462adb2cc260ccac712e5b939e7d259f1eee0dfc782959f3ea689befce99cddf38b56a2cc140566870b045114e9b240dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\e58d2eb\pages\Initialization\page.js
Filesize
2KB

MD5
50c3c85a9b0a5a57c534c48763f9d17e

SHA1
0455f60e056146082fd36d4aafe24fdbb61e2611

SHA256
0135163476d0eb025e0b26e9d6b673730b76b61d3fd7c8ffcd064fc2c0c0682a

SHA512
01fb800963516fd5b9f59a73e397f80daba1065c3d7186891523162b08559e93abf936f154fc84191bbadec0fa947d54b5b74c6981cebc987c8e90f83ddf22c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LTF3M.tmp\VJnGeEIrhSAiwsbCBr1_MsmS.tmp
Filesize
680KB

MD5
a7490f12cdec09b1dc7217fcdaa4043e

SHA1
f08d46215e8cf086e9081a462fd5cf0da75ff698

SHA256
86da6f4664c6b81959be90e74b773579d1cc6ded671149b73d74725a4ed8263b

SHA512
5e54e5d21721a1b8d5181ded4f3c34384b21adf8c5821b2ee4ce65ad75529d553aaf28496f96735cf6463b60e86560b48a3b6c7e08528906ded32892fc13cd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VOUEG.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\katFCBA.tmp
Filesize
861KB

MD5
66064dbdb70a5eb15ebf3bf65aba254b

SHA1
0284fd320f99f62aca800fb1251eff4c31ec4ed7

SHA256
6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795

SHA512
b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanMJ3Yd7Y4wsaY\3b6N2Xdh3CYwplaces.sqlite
Filesize
5.0MB

MD5
d1abbbe47d1bd4c7f08007120ee5ddb0

SHA1
dd1aff38bb84b2e04b90aa7bf8aa2bbeffcf25f3

SHA256
279d39356a89e85f7ebad9ef41444150c90e484d9e1edbb18647017cd80b9cba

SHA512
40b71999178d9d4363f2666e1febfa9c64d6b636c5eae1ac047fc3feb3e7677d2b3ed1794399701f752c573e4b83a5444c01ab3d600c2bc8c85450a8cbb1657d

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanMJ3Yd7Y4wsaY\EGv2F96_gAjMHistory
Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanMJ3Yd7Y4wsaY\WcdkjJTlmhmZCookies
Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanMJ3Yd7Y4wsaY\XzIPk64rBupuCookies
Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanMJ3Yd7Y4wsaY\eY0xuslQCgmcqalT7fcU.exe
Filesize
1.2MB

MD5
a09ef83719952de3da58e3af375af664

SHA1
8cb249125770b65dd0f8e4bc575a9ed9fd64e1dd

SHA256
97767dcc0522540da20c9f3e68de20f75779e326697e1c0e201be9ff57154484

SHA512
0de74d2b7dac3af23680d89da186f495f4eaa3722b7966132e5f2c9cbe7d0f0f80da1c90c0a695fe82c917ad7190fb3696d257d7d3841b4cd7276b2034594fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanMJ3Yd7Y4wsaY\h53mNNvRUbWzLogin Data
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanMJ3Yd7Y4wsaY\nYHTraWodnOqHistory
Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanMJ3Yd7Y4wsaY\xpoH9uuznR0ALogin Data
Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\65kdh3onnHVm4UWXi1uTuxJj.exe
Filesize
2.8MB

MD5
3d996391791111e82e3300e1baa6ddb7

SHA1
65136e285aad65e6cec95755714415aa5a1fdf4c

SHA256
1cf3753e2489cce7cfe5cb87dfd9825eab65104064f212245ce101728e205997

SHA512
1d8eeebba17a3eaa98c2ba78bf7cf2ac4fef80d8aeacbd1208211a23509aa54cbbeba80b41af6198a78ac2c1a57f9c85c5a123cd2fb01f4ded160b72482ed662

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\65kdh3onnHVm4UWXi1uTuxJj.exe
Filesize
2.8MB

MD5
64e769e16f853835dd768a9b65626407

SHA1
87c0e29f2335809e3e70aaee47187db3ee8ceece

SHA256
5ece0d233ac404577a0ae14c8195299d239e4bbf3cb004b56cdeddf77de94733

SHA512
f275730523bbf75d6f96bef1255be756fd84ae570d0d5aae7f29a513da15b2d7f9b1b057912accb15be5de27e80067b2e83a07b4e78968cb412c2f0ffdd35879

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\ASAFyR25fn5PE34ooCrITJ7I.exe
Filesize
458KB

MD5
b8a378d321313492eb5246b67dca2bc2

SHA1
8c6096a38cd2cf0e1d5bf830783117ee0c4bee45

SHA256
827ddd9655c746d379831f301758e598a3a4dc41a23bbfedb288c49365a31e2a

SHA512
9f6600d50331b0c13498edcb0b73d6e170f00383ed201dc78599bf24ff661bc9c7fc1f1e39762009a1d8360e4bcb357b892a019b6d8dcc4935e6a2eb72605639

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\CsrxAkIJclEcWNVSNV79d2nN.exe
Filesize
1.3MB

MD5
a97d24cc8f19c45ab500d935e1d911fc

SHA1
ee10e964b8e2fcf3aaadae427b11a2c920d2316a

SHA256
955fb1a3afb27a02086df849a0acfc5c0fe1070ec26bdebf6b90177aa32778b7

SHA512
2dcebd28dbd378c8b5a3b6874a9b6f210cf8c62a9e91510deacf0fa6d18f80ef4bda09a04fc601db37dfcf7c049aec5102a90a6a35e0a41e4868cc6573d63ad2

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\GZvUEO2Y2Cn4K92Xoursk_FI.exe
Filesize
340KB

MD5
c8cad70465e9fbdfd084dbacb2065f9e

SHA1
afcc9a9e680b9fbaba8ce01ed524c559cf970c53

SHA256
62f2b3fa98a0f9aa9b90b4174f9886faaa0c7b3fe8827dd24115faf26af15c93

SHA512
42c49e622acee89c44f72f0d732dc76619ece1d7ff67a87877859104b2632747e771d211c5a0265f91797eedb65347d5d7fd9cc0babac543e030aff64f19b86c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\HOVROxJUnmb7Ja4NOZDpiiAW.exe
Filesize
421KB

MD5
0af645b0d5ba2f665c227545523fb8f6

SHA1
6b59ed2186e1554bccba0e3c3b9f517cfdaefe0a

SHA256
220fe23a30228c363d816fb619345ab1ce40dd67541ec6b17083a45c67cc4a9b

SHA512
605fae3c8eb499b2d903e0c2c539de7ef2d645486f15229ba8cd9e4c84d7680e43a7ba9c4ed264cf96cd77948dba136e223c320de88ebdade39c8410b8a6aa14

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\IOgqbtZKF3H5oKWgxrgIXRBz.exe
Filesize
10.9MB

MD5
d43ac79abe604caffefe6313617079a3

SHA1
b3587d3fa524761b207f812e11dd807062892335

SHA256
8b750884259dd004300a84505be782d05fca2e487a66484765a4a1e357b7c399

SHA512
bb22c73ed01ff97b73feb68ae2611b70ef002d1829035f58a4ba84c5a217db368aae8bdc02cdec59c1121922a207c662aa5f0a93377537da42657dd787587082

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\OB9g8dozFl4vNqWH0wDlg8sh.exe
Filesize
7.3MB

MD5
23f5a800ff80df357974bbf2a872c6e9

SHA1
24d9e300bb466d5ce3f23cb7c072f01d97e3f7c4

SHA256
e4373a7ddfa4684b5c509cfc44f4bcf7a9c948c63c320d9d830555c5bc991e3b

SHA512
baaf594f590fe95ae306f4525dc3fdb2ce97225de8a6acbcbef3e3c37a4616be7bee22a37330ae96b5194f39a78dcb2796e36a33ec324f2d129d8737b67793b4

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\SzMVpgE9GLtDrGCGQ31BaeJs.exe
Filesize
1.1MB

MD5
0207de1c5255c7d8bd1f3eca8dc2a5e1

SHA1
9e990ce806e9ccf8ef175292c444bc284df493b4

SHA256
9f91480eba0dee5f059fa12eedf1527063b10c34dbc39a90721bf670d1a75f27

SHA512
673fca58b155e24dce85aa99d3e6e6a93e8dd9f51111371ff5b79bc7a0a0c35be9f2fb6f14bcf327cb019cee531cf9d41f55af92a58cd57dc57a33bb1fe13363

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\SzMVpgE9GLtDrGCGQ31BaeJs.exe
Filesize
3.6MB

MD5
261613f7d8c7122853609f94e92d9074

SHA1
463ee942186ffd501747e6b4961ebc4f34d9ee8a

SHA256
2a1c24a9ffbd4b15e8bdb6f46dae51dd4c346288e31d6c992619ac962198bb10

SHA512
09795574895eb7cd465ed1367000cc237f0727c8896f0f4d3b9f6de312ed0f0e96201251920765dd6f9de8ec123b95d7587e080d14422c36cecda37743ca9c9e

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\VJnGeEIrhSAiwsbCBr1_MsmS.exe
Filesize
6.1MB

MD5
4cc9eaca83cb8342f7baefcd5584e5a3

SHA1
fe669d4204fd2954301a9fca0e498d611a1e034b

SHA256
5092f2dea769bc6d2e39c41961a92307e527809d04c0e61435abc9ff687cb97c

SHA512
13332ba334e65a22c922a203244f137cf87eb152c6ae43fcbda2f511e88d5f10f18c95774ade40d8fbe8ccca03cb8e78bb97ff419cd5351e7b3ba9d7ddb32149

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\ikaWYbVYa1EkbqTXgpQ6ZOYX.exe
Filesize
2.8MB

MD5
17687f01ca5191c5e9dd733b30248ea2

SHA1
9b63db46a9d58b945dd9b850236ed8d4d7d3567a

SHA256
37b3035464123d188316fc8e7574f2e31768df08aca8e9dc2adceb41d34f2428

SHA512
d366482d520fb250de54441daa9744129e692c24faeec2e7dce071370cfeeb00b50ef10fe47a3d788d3c4a17719d6133420ab99c6384798ea2017dca6260eb3c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\jspei3ulgA6k0uQ1E0ZakzN3.exe
Filesize
310KB

MD5
ee84f59af8cb2ba82f1086a18c9b14bf

SHA1
72a4e51c7cdedb2dd402dd1da5624cce5463bad6

SHA256
f11cf678986fa5c45fd77952c802f46c802e4ef255d0cb1785336cccb9071c2e

SHA512
0578130df3d32df6a7e72b0acf5baa3b431b9ee10b1fa3671b031d15ca5f5d9b2f35d51ee6efacac9fd17a0ef78a05b41b8f315b8add0b81d0f080e6e846dbeb

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\nDHOkxn_Q_4s_uoQQzMi7q08.exe
Filesize
5.1MB

MD5
076096e098b228134894fe2460ad7f76

SHA1
384473a1c5ef0a883b409bd0f1ee306308f58bdb

SHA256
66fe515b72f67f47ec945b4428034dd9522e2d7dbb8a3ee3db391aeec3ca31d9

SHA512
1ae8dc1d3aaa7fd8c9df65689dc374b0f8b1aeb0b6c2db55ed36d40cd2753b871955c82918c88b5512047a4a70497a1922926e2e01c2437535cad5d8499172db

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\ocoMfpMPfq0rrpZIBdDnZ5yF.exe
Filesize
3.6MB

MD5
df279432bc4983ee79a6f00a35d10b69

SHA1
4a74e5c8888a9840cba2e0c1d685c7db44576a42

SHA256
47beeb5ed54a47028f7046f0c774316bf22c50ca68e89af15bd7fec5adf0ec38

SHA512
6b8bf7a548cfc497b52a51377299e1942e8ea1cf7450e0718c5fe1f7592674438931e68097f4014b2d61d644980ca3da75e1a735f2104b41eacbd6a52329dc94

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\ocoMfpMPfq0rrpZIBdDnZ5yF.exe
Filesize
3.6MB

MD5
131e367009cf014321e7a70e70c4067c

SHA1
4c02332af53519fdae235f804f5144ba9c7e725d

SHA256
c4c7045103f42bea7bc9afb11433e4f49d767be0d0b28b678a824e5627804b89

SHA512
3702fefbcf4eab279484359f61d997b7c32d9c77dd9e255a44e96de9373d18b68ff262037494203f181c359aca549020dcfea3db01d11f8f51e224261259f99e

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\otSPsZuLzBbNxlThxouFkPp8.exe
Filesize
1.8MB

MD5
147c6b51cb9b68f7a0a42a29c859164f

SHA1
3e708ef7e1d6655b27a7370cb7719a5ff2dbeacf

SHA256
fb85b81253e6dd25198bbabb4dffd3628e07a9b7f1543a5aae299a360eed43ec

SHA512
3ae6e4c5b2cf06961d3aad7dca6b4f1be71c8f487d38e49ae633f67e76ebc69041b604fed8d7df2f5dd8554370555470bf3f5d58cd9866e36769d12857c7fc4c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\tdz7rpRLgZe97VqjapgvaF2f.exe
Filesize
5.0MB

MD5
fb89f0ac0b34c519fed9aa4e2ad7cd3a

SHA1
9c26c8b4b6674abcdce46e8bf36a4b051338c052

SHA256
ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1

SHA512
3a46cc216145ae1a7d3c8d2d59d2b8e5c782e1a84dcc5cad85dbda302269ec7e32916e8dee1f596c8685136d255cdbc65a1828579e93afcb1c51b6922d310186

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\yL1UNOUTMDjvCx35jFWOjQSc.exe
Filesize
314KB

MD5
f090e9622ff313cab77d204330acb92f

SHA1
d7424e2a25d416985ec3bb7f8319d395814ccb66

SHA256
83d6c17e232f80d694ae45b4b3afb4e707ecc1530c62a82a2fc539db6f8b6cd0

SHA512
b129d3a7d97cd553ca37dcc1227c6e64ec9f3345bac2328ab97ae85ad9977f3fd07913688a24e84e0288d6986fd598d8b4f602911b92ca56677e67ec691fe859

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
df4f6ee2e0fe19dc3ec91d69909a0b26

SHA1
8ee7eb51bdd076abe1e3578c21f3ebedb04a03e9

SHA256
cca0009ab4792894877af814b8221c38bf39008e663121c0541f17b4c8b936a7

SHA512
1ada373a30ad175c415d29374a1383f3d1462452815eb4f2d582bac9a95b330415f50d5991c9c1b5ac42b8b0ee7d0e8700200c53fb8f7f95cdf89f9d5d328e78

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Filesize
1KB

MD5
cdfd60e717a44c2349b553e011958b85

SHA1
431136102a6fb52a00e416964d4c27089155f73b

SHA256
0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

SHA512
dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

Download Submit
memory/424-278-0x0000000004EA0000-0x000000000501A000-memory.dmp

Filesize
1.5MB

Download
memory/424-382-0x0000000005020000-0x0000000005180000-memory.dmp

Filesize
1.4MB

Download
memory/424-259-0x0000000000150000-0x0000000000416000-memory.dmp

Filesize
2.8MB

Download
memory/576-241-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/784-672-0x00000000055D0000-0x000000000560C000-memory.dmp

Filesize
240KB

Download
memory/784-531-0x0000000005830000-0x0000000005DD6000-memory.dmp

Filesize
5.6MB

Download
memory/784-533-0x0000000005300000-0x000000000530A000-memory.dmp

Filesize
40KB

Download
memory/784-667-0x0000000006400000-0x0000000006A18000-memory.dmp

Filesize
6.1MB

Download
memory/784-1007-0x00000000075A0000-0x00000000075F0000-memory.dmp

Filesize
320KB

Download
memory/784-671-0x0000000005570000-0x0000000005582000-memory.dmp

Filesize
72KB

Download
memory/784-669-0x0000000005650000-0x000000000575A000-memory.dmp

Filesize
1.0MB

Download
memory/784-530-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/784-532-0x0000000005320000-0x00000000053B2000-memory.dmp

Filesize
584KB

Download
memory/784-674-0x0000000005760000-0x00000000057AC000-memory.dmp

Filesize
304KB

Download
memory/1096-978-0x0000000005D50000-0x0000000005D6E000-memory.dmp

Filesize
120KB

Download
memory/1096-969-0x0000000005890000-0x0000000005BE7000-memory.dmp

Filesize
3.3MB

Download
memory/1096-955-0x0000000002840000-0x0000000002876000-memory.dmp

Filesize
216KB

Download
memory/1096-957-0x0000000005010000-0x000000000563A000-memory.dmp

Filesize
6.2MB

Download
memory/1096-960-0x00000000057B0000-0x0000000005816000-memory.dmp

Filesize
408KB

Download
memory/1096-959-0x0000000004FB0000-0x0000000004FD2000-memory.dmp

Filesize
136KB

Download
memory/1368-265-0x0000000000A20000-0x0000000000F34000-memory.dmp

Filesize
5.1MB

Download
memory/1368-391-0x0000000005B70000-0x0000000005DC0000-memory.dmp

Filesize
2.3MB

Download
memory/1368-526-0x0000000006EF0000-0x000000000711A000-memory.dmp

Filesize
2.2MB

Download
memory/1488-381-0x0000000005160000-0x0000000005242000-memory.dmp

Filesize
904KB

Download
memory/1488-252-0x00000000000F0000-0x0000000000486000-memory.dmp

Filesize
3.6MB

Download
memory/1488-276-0x0000000005050000-0x0000000005156000-memory.dmp

Filesize
1.0MB

Download
memory/1488-266-0x0000000004F00000-0x0000000004F9C000-memory.dmp

Filesize
624KB

Download
memory/2148-461-0x0000000000400000-0x000000000088A000-memory.dmp

Filesize
4.5MB

Download
memory/2380-256-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2380-254-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2380-258-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/3216-916-0x0000000009ED0000-0x000000000A3FC000-memory.dmp

Filesize
5.2MB

Download
memory/3216-915-0x00000000097D0000-0x0000000009992000-memory.dmp

Filesize
1.8MB

Download
memory/3216-898-0x00000000083A0000-0x00000000083BE000-memory.dmp

Filesize
120KB

Download
memory/3216-680-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3216-897-0x0000000008C60000-0x0000000008CD6000-memory.dmp

Filesize
472KB

Download
memory/3216-872-0x0000000008330000-0x0000000008396000-memory.dmp

Filesize
408KB

Download
memory/3284-255-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/3284-247-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/3500-1066-0x00000000047D0000-0x0000000004B27000-memory.dmp

Filesize
3.3MB

Download
memory/3500-1070-0x0000000004D70000-0x0000000004DBC000-memory.dmp

Filesize
304KB

Download
memory/3580-8-0x0000000140000000-0x0000000140D0E000-memory.dmp

Filesize
13.1MB

Download
memory/3580-4-0x00007FF929AD0000-0x00007FF929B8D000-memory.dmp

Filesize
756KB

Download
memory/3580-7-0x00007FF929AD0000-0x00007FF929B8D000-memory.dmp

Filesize
756KB

Download
memory/3580-10-0x0000000140000000-0x0000000140D0E000-memory.dmp

Filesize
13.1MB

Download
memory/3580-2-0x00007FF929AD0000-0x00007FF929B8D000-memory.dmp

Filesize
756KB

Download
memory/3580-9-0x0000000140000000-0x0000000140D0E000-memory.dmp

Filesize
13.1MB

Download
memory/3580-176-0x0000000140000000-0x0000000140D0E000-memory.dmp

Filesize
13.1MB

Download
memory/3580-0-0x0000000140000000-0x0000000140D0E000-memory.dmp

Filesize
13.1MB

Download
memory/3580-11-0x0000000140000000-0x0000000140D0E000-memory.dmp

Filesize
13.1MB

Download
memory/3580-19-0x0000000140000000-0x0000000140D0E000-memory.dmp

Filesize
13.1MB

Download
memory/3580-128-0x0000000140000000-0x0000000140D0E000-memory.dmp

Filesize
13.1MB

Download
memory/3580-1-0x00007FF929AEA000-0x00007FF929AEB000-memory.dmp

Filesize
4KB

Download
memory/3580-3-0x00007FF929AD0000-0x00007FF929B8D000-memory.dmp

Filesize
756KB

Download
memory/3580-6-0x00007FF929AD0000-0x00007FF929B8D000-memory.dmp

Filesize
756KB

Download
memory/3580-5-0x00007FF929AD0000-0x00007FF929B8D000-memory.dmp

Filesize
756KB

Download
memory/3580-21-0x00007FF929AEA000-0x00007FF929AEB000-memory.dmp

Filesize
4KB

Download
memory/3580-679-0x0000000140000000-0x0000000140D0E000-memory.dmp

Filesize
13.1MB

Download
memory/3580-678-0x00007FF929AD0000-0x00007FF929B8D000-memory.dmp

Filesize
756KB

Download
memory/3892-262-0x0000000000850000-0x0000000000D60000-memory.dmp

Filesize
5.1MB

Download
memory/3892-320-0x00000000058B0000-0x0000000005B00000-memory.dmp

Filesize
2.3MB

Download
memory/3892-464-0x0000000006C50000-0x0000000006E7A000-memory.dmp

Filesize
2.2MB

Download
memory/4564-656-0x0000000000400000-0x000000000088A000-memory.dmp

Filesize
4.5MB

Download
memory/4596-1016-0x0000000006140000-0x000000000615A000-memory.dmp

Filesize
104KB

Download
memory/4596-1017-0x0000000006190000-0x00000000061B2000-memory.dmp

Filesize
136KB

Download
memory/4596-1015-0x0000000006C00000-0x0000000006C96000-memory.dmp

Filesize
600KB

Download
memory/4760-244-0x0000000000FC0000-0x00000000014F2000-memory.dmp

Filesize
5.2MB

Download
memory/4864-358-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4864-321-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4864-338-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4864-334-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4864-340-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4864-332-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4864-342-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4864-330-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4864-328-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4864-326-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4864-324-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4864-322-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4864-289-0x0000000005710000-0x00000000057FE000-memory.dmp

Filesize
952KB

Download
memory/4864-336-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4864-319-0x0000000002EE0000-0x0000000002EFC000-memory.dmp

Filesize
112KB

Download
memory/4864-316-0x0000000005630000-0x00000000056FC000-memory.dmp

Filesize
816KB

Download
memory/4864-344-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4864-362-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4864-360-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4864-356-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4864-354-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4864-352-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4864-346-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4864-350-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4864-260-0x00000000007F0000-0x0000000000B86000-memory.dmp

Filesize
3.6MB

Download
memory/4864-348-0x0000000002EE0000-0x0000000002EF5000-memory.dmp

Filesize
84KB

Download
memory/4964-1086-0x00000000052D0000-0x000000000531C000-memory.dmp

Filesize
304KB

Download