amadey | hxxps://pivigames[.]blog/planet-coaster/

Analysis

max time kernel
344s
max time network
347s
platform
windows10-2004_x64
resource
win10v2004-20240508-es
resource tags

arch:x64arch:x86image:win10v2004-20240508-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
02-07-2024 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pivigames.blog/planet-coaster/

Score

10^/10

amadey lumma privateloader redline risepro stealc 4dd39d jony logsdiller cloud (tg: @logsdillabot)discovery evasion execution infostealer loader persistence spyware stealer themida trojan

Malware Config

Extracted

Family

risepro

191.101.209.39

77.105.133.27

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

77.105.135.107:3445

Extracted

Family

stealc

Botnet

jony

http://85.28.47.4

Attributes

url_path
/920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Extracted

Family

lumma

https://potterryisiw.shop/api

https://foodypannyjsud.shop/api

https://contintnetksows.shop/api

https://reinforcedirectorywd.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Modifies firewall policy service 3 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

setup.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" setup.exe
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/6396-1681-0x0000000000400000-0x0000000000450000-memory.dmp family_redline
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Spec.pif

description pid process target process

PID 1232 created 3556 1232 Spec.pif Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe

resource	yara_rule
behavioral1/memory/6396-1681-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

description	pid	process	target process
PID 1232 created 3556	1232	Spec.pif	Explorer.EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

p3O2Df3zWTe31idjQX_xscMp.exeAKJDGDGDHD.exeexplorti.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	p3O2Df3zWTe31idjQX_xscMp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AKJDGDGDHD.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2888 powershell.exe
6580 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
2888	powershell.exe
6580	powershell.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

p3O2Df3zWTe31idjQX_xscMp.exeInstall.exeInstall.exeAKJDGDGDHD.exeexplorti.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	p3O2Df3zWTe31idjQX_xscMp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	p3O2Df3zWTe31idjQX_xscMp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AKJDGDGDHD.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AKJDGDGDHD.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Yrz61nKeeAUUZyy8b4EWt94x.exeInstall.exeInstall.exei7Vqp4soBu3fWb8jSUp7ykDM.execmd.exeAKJDGDGDHD.exeexplorti.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Yrz61nKeeAUUZyy8b4EWt94x.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	i7Vqp4soBu3fWb8jSUp7ykDM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	AKJDGDGDHD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	explorti.exe

Drops startup file 3 IoCs

Processes:

cmd.exep3O2Df3zWTe31idjQX_xscMp.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaLink.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaLink.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk	p3O2Df3zWTe31idjQX_xscMp.exe

Executes dropped EXE 24 IoCs

Processes:

RRiYB1trEnpXiYB26Ja7xI4J.exeavd4cwXGy8O5T5HaXlTOL3E1.exeYrz61nKeeAUUZyy8b4EWt94x.exeqc2LAigckqaLJJMGj9K2YVRH.exeyr1HEmNUsYMoqUos8HhVZrSA.exe9Rx1iFAabRHGhnmgHK7smGji.exetEITrdPxPAqamdFh9mTXsHhT.exesNaOJTD9uQICQF77rAfYP_e1.exep3O2Df3zWTe31idjQX_xscMp.exei7Vqp4soBu3fWb8jSUp7ykDM.exe9Rx1iFAabRHGhnmgHK7smGji.tmpInstall.exeInstall.exeInstall.exeudadvdfreeripper32.exeInstall.exeudadvdfreeripper32.exew9Bd8GUQVMRZzO1YvEvAY745.exeSpec.pifAKJDGDGDHD.exeexplorti.exeeqtpkqwqodik.exe3be7bb6c2c.exeBKFIJJEGHD.exe

pid	process
5880	RRiYB1trEnpXiYB26Ja7xI4J.exe
5928	avd4cwXGy8O5T5HaXlTOL3E1.exe
6340	Yrz61nKeeAUUZyy8b4EWt94x.exe
7368	qc2LAigckqaLJJMGj9K2YVRH.exe
5968	yr1HEmNUsYMoqUos8HhVZrSA.exe
8124	9Rx1iFAabRHGhnmgHK7smGji.exe
5688	tEITrdPxPAqamdFh9mTXsHhT.exe
5964	sNaOJTD9uQICQF77rAfYP_e1.exe
6016	p3O2Df3zWTe31idjQX_xscMp.exe
5936	i7Vqp4soBu3fWb8jSUp7ykDM.exe
5556	9Rx1iFAabRHGhnmgHK7smGji.tmp
3800	Install.exe
7148	Install.exe
7908	Install.exe
3456	udadvdfreeripper32.exe
4932	Install.exe
5896	udadvdfreeripper32.exe
4744	w9Bd8GUQVMRZzO1YvEvAY745.exe
1232	Spec.pif
7344	AKJDGDGDHD.exe
7536	explorti.exe
6804	eqtpkqwqodik.exe
4848	3be7bb6c2c.exe
1404	BKFIJJEGHD.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

AKJDGDGDHD.exeexplorti.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	AKJDGDGDHD.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explorti.exe

Loads dropped DLL 3 IoCs

Processes:

9Rx1iFAabRHGhnmgHK7smGji.tmpi7Vqp4soBu3fWb8jSUp7ykDM.exe

pid process

5556 9Rx1iFAabRHGhnmgHK7smGji.tmp
5936 i7Vqp4soBu3fWb8jSUp7ykDM.exe
5936 i7Vqp4soBu3fWb8jSUp7ykDM.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5556	9Rx1iFAabRHGhnmgHK7smGji.tmp
5936	i7Vqp4soBu3fWb8jSUp7ykDM.exe
5936	i7Vqp4soBu3fWb8jSUp7ykDM.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\SimpleAdobe\p3O2Df3zWTe31idjQX_xscMp.exe	themida
behavioral1/memory/6016-1640-0x0000000000430000-0x0000000000DBF000-memory.dmp	themida
behavioral1/memory/6016-1683-0x0000000000430000-0x0000000000DBF000-memory.dmp	themida
behavioral1/memory/6016-1684-0x0000000000430000-0x0000000000DBF000-memory.dmp	themida
behavioral1/memory/6016-1685-0x0000000000430000-0x0000000000DBF000-memory.dmp	themida
behavioral1/memory/6016-1680-0x0000000000430000-0x0000000000DBF000-memory.dmp	themida
behavioral1/memory/6016-1682-0x0000000000430000-0x0000000000DBF000-memory.dmp	themida
behavioral1/memory/6016-2618-0x0000000000430000-0x0000000000DBF000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

p3O2Df3zWTe31idjQX_xscMp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe"	p3O2Df3zWTe31idjQX_xscMp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

p3O2Df3zWTe31idjQX_xscMp.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA p3O2Df3zWTe31idjQX_xscMp.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

1019 bitbucket.org
1094 iplogger.org
1095 iplogger.org
992 bitbucket.org
998 bitbucket.org
1008 bitbucket.org
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

979 api.myip.com
980 api.myip.com
981 ipinfo.io
982 ipinfo.io
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

6912 powercfg.exe
8172 powercfg.exe
7696 powercfg.exe
7736 powercfg.exe
7724 powercfg.exe
7112 powercfg.exe
7348 powercfg.exe
7076 powercfg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	p3O2Df3zWTe31idjQX_xscMp.exe

flow	ioc
1019	bitbucket.org
1094	iplogger.org
1095	iplogger.org
992	bitbucket.org
998	bitbucket.org
1008	bitbucket.org

flow	ioc
979	api.myip.com
980	api.myip.com
981	ipinfo.io
982	ipinfo.io

pid	process
6912	powercfg.exe
8172	powercfg.exe
7696	powercfg.exe
7736	powercfg.exe
7724	powercfg.exe
7112	powercfg.exe
7348	powercfg.exe
7076	powercfg.exe

Drops file in System32 directory 4 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

p3O2Df3zWTe31idjQX_xscMp.exei7Vqp4soBu3fWb8jSUp7ykDM.exeAKJDGDGDHD.exeexplorti.exe3be7bb6c2c.exe

pid process

6016 p3O2Df3zWTe31idjQX_xscMp.exe
5936 i7Vqp4soBu3fWb8jSUp7ykDM.exe
5936 i7Vqp4soBu3fWb8jSUp7ykDM.exe
7344 AKJDGDGDHD.exe
7536 explorti.exe
4848 3be7bb6c2c.exe

pid	process
6016	p3O2Df3zWTe31idjQX_xscMp.exe
5936	i7Vqp4soBu3fWb8jSUp7ykDM.exe
5936	i7Vqp4soBu3fWb8jSUp7ykDM.exe
7344	AKJDGDGDHD.exe
7536	explorti.exe
4848	3be7bb6c2c.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

RRiYB1trEnpXiYB26Ja7xI4J.exesNaOJTD9uQICQF77rAfYP_e1.exew9Bd8GUQVMRZzO1YvEvAY745.exetEITrdPxPAqamdFh9mTXsHhT.exeeqtpkqwqodik.exeBKFIJJEGHD.exe

description	pid	process	target process
PID 5880 set thread context of 6396	5880	RRiYB1trEnpXiYB26Ja7xI4J.exe	RegAsm.exe
PID 5964 set thread context of 7460	5964	sNaOJTD9uQICQF77rAfYP_e1.exe	MSBuild.exe
PID 4744 set thread context of 1276	4744	w9Bd8GUQVMRZzO1YvEvAY745.exe	MSBuild.exe
PID 5688 set thread context of 6544	5688	tEITrdPxPAqamdFh9mTXsHhT.exe	BitLockerToGo.exe
PID 6804 set thread context of 6104	6804	eqtpkqwqodik.exe	conhost.exe
PID 6804 set thread context of 2584	6804	eqtpkqwqodik.exe	svchost.exe
PID 1404 set thread context of 1396	1404	BKFIJJEGHD.exe	RegAsm.exe

Drops file in Windows directory 3 IoCs

Processes:

schtasks.exeschtasks.exeAKJDGDGDHD.exe

description	ioc	process
File created	C:\Windows\Tasks\bsqNJSiTyoMLfdbIdy.job	schtasks.exe
File created	C:\Windows\Tasks\bmQWCxleEgxbTUrSZz.job	schtasks.exe
File created	C:\Windows\Tasks\explorti.job	AKJDGDGDHD.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2300 sc.exe
2952 sc.exe
7088 sc.exe
7332 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

6620 5880 WerFault.exe RRiYB1trEnpXiYB26Ja7xI4J.exe
3524 1404 WerFault.exe BKFIJJEGHD.exe

pid	process
2300	sc.exe
2952	sc.exe
7088	sc.exe
7332	sc.exe

pid	pid_target	process	target process
6620	5880	WerFault.exe	RRiYB1trEnpXiYB26Ja7xI4J.exe
3524	1404	WerFault.exe	BKFIJJEGHD.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

i7Vqp4soBu3fWb8jSUp7ykDM.exeMSBuild.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	i7Vqp4soBu3fWb8jSUp7ykDM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	i7Vqp4soBu3fWb8jSUp7ykDM.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

7408 timeout.exe
5828 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

7080 tasklist.exe
3316 tasklist.exe

pid	process
7408	timeout.exe
5828	timeout.exe

pid	process
7080	tasklist.exe
3316	tasklist.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeInstall.exeInstall.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133644011972303945"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{A54F2212-EBCF-466A-9734-60E9ED306090}	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

6768 schtasks.exe
7164 schtasks.exe
6152 schtasks.exe
5236 schtasks.exe

pid	process
6768	schtasks.exe
7164	schtasks.exe
6152	schtasks.exe
5236	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exesetup.exesetup.exesetup.exep3O2Df3zWTe31idjQX_xscMp.exesNaOJTD9uQICQF77rAfYP_e1.exei7Vqp4soBu3fWb8jSUp7ykDM.exeyr1HEmNUsYMoqUos8HhVZrSA.exepowershell.exepowershell.exeMSBuild.exeRegAsm.exe

pid	process
904	chrome.exe
904	chrome.exe
7396	chrome.exe
7396	chrome.exe
3540	setup.exe
3540	setup.exe
6192	setup.exe
6192	setup.exe
5560	setup.exe
5560	setup.exe
6016	p3O2Df3zWTe31idjQX_xscMp.exe
6016	p3O2Df3zWTe31idjQX_xscMp.exe
5964	sNaOJTD9uQICQF77rAfYP_e1.exe
5964	sNaOJTD9uQICQF77rAfYP_e1.exe
5936	i7Vqp4soBu3fWb8jSUp7ykDM.exe
5936	i7Vqp4soBu3fWb8jSUp7ykDM.exe
5968	yr1HEmNUsYMoqUos8HhVZrSA.exe
5968	yr1HEmNUsYMoqUos8HhVZrSA.exe
2888	powershell.exe
2888	powershell.exe
2888	powershell.exe
6580	powershell.exe
6580	powershell.exe
6580	powershell.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
7460	MSBuild.exe
6396	RegAsm.exe
6396	RegAsm.exe
5936	i7Vqp4soBu3fWb8jSUp7ykDM.exe
5936	i7Vqp4soBu3fWb8jSUp7ykDM.exe
6396	RegAsm.exe
6396	RegAsm.exe
6396	RegAsm.exe
6396	RegAsm.exe
6396	RegAsm.exe
6396	RegAsm.exe
6396	RegAsm.exe
6396	RegAsm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

chrome.exe

pid	process
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeCreatePagefilePrivilege	904	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

Processes:

chrome.exe9Rx1iFAabRHGhnmgHK7smGji.tmpSpec.pif

pid	process
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
5556	9Rx1iFAabRHGhnmgHK7smGji.tmp
1232	Spec.pif
1232	Spec.pif
1232	Spec.pif

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exeSpec.pif

pid	process
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
1232	Spec.pif
1232	Spec.pif
1232	Spec.pif

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

i7Vqp4soBu3fWb8jSUp7ykDM.execmd.exe3be7bb6c2c.exe

pid process

5936 i7Vqp4soBu3fWb8jSUp7ykDM.exe
7060 cmd.exe
4848 3be7bb6c2c.exe

pid	process
5936	i7Vqp4soBu3fWb8jSUp7ykDM.exe
7060	cmd.exe
4848	3be7bb6c2c.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 904 wrote to memory of 4716	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4716	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4972	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4172	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 4172	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe
PID 904 wrote to memory of 2984	904	chrome.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://pivigames.blog/planet-coaster/
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e099ab58,0x7ff9e099ab68,0x7ff9e099ab78
3⤵
PID:4716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:2
3⤵
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:8
3⤵
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:8
3⤵
PID:2984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:3608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4236 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:8
3⤵
PID:2788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4416 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:8
3⤵
PID:1412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4584 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:3136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5056 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1240 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:1828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4908 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4480 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:8
3⤵
PID:1840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1904 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:8
3⤵
- Modifies registry class
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4216 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5132 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:4552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5316 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5612 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:1876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5696 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:8
3⤵
PID:4136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5508 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5132 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5736 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:1708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6116 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:5036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4412 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:4156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6036 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:1700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5832 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:3792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5620 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5328 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=6488 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:4244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=6496 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:1416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=6784 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=6980 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:3168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=7136 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:3396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=7264 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:2300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=7272 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:4068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=7592 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:5240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=7308 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:5316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=7564 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:5324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=7612 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:5428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=7860 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:5504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=8112 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:5568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=8468 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:5672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=8476 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:5688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=8464 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:5828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=8772 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:5836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=8924 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:6020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=9064 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:6108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=9180 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:6116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=9312 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:6124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=9468 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:6132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=9432 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:2020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=9732 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=9992 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:1720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=10144 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:3800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=10188 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=10444 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:6340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --mojo-platform-channel-handle=10496 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:6348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=10992 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:6764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=11172 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:6956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --mojo-platform-channel-handle=11408 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:7096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=11540 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:7108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=11560 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:7116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --mojo-platform-channel-handle=11700 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:7132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --mojo-platform-channel-handle=11936 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:7140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --mojo-platform-channel-handle=10448 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:7480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --mojo-platform-channel-handle=12080 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:7512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7708 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:8
3⤵
PID:7692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --mojo-platform-channel-handle=9376 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:7752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --mojo-platform-channel-handle=12268 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:7828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --mojo-platform-channel-handle=9340 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:7904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --mojo-platform-channel-handle=12592 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:7912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --mojo-platform-channel-handle=8356 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:5184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=12476 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:7396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --mojo-platform-channel-handle=12764 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:5980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --mojo-platform-channel-handle=5892 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:7288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --mojo-platform-channel-handle=6072 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:6332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --mojo-platform-channel-handle=9036 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:7648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --mojo-platform-channel-handle=4784 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:6216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --mojo-platform-channel-handle=4612 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:4268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --mojo-platform-channel-handle=5964 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:7400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --mojo-platform-channel-handle=5516 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:5540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --mojo-platform-channel-handle=9016 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:2880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --mojo-platform-channel-handle=5080 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:1
3⤵
PID:5464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:8
3⤵
PID:6292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 --field-trial-handle=1912,i,14221492141826334470,5521650217902608771,131072 /prefetch:8
3⤵
PID:3660

C:\Users\Admin\Downloads\Planet_Coaster_Thrillseeker_Edition_PC_Full_Español\safe-archive\setup.exe
"C:\Users\Admin\Downloads\Planet_Coaster_Thrillseeker_Edition_PC_Full_Español\safe-archive\setup.exe"
2⤵
- Modifies firewall policy service
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3540

C:\Users\Admin\Documents\SimpleAdobe\RRiYB1trEnpXiYB26Ja7xI4J.exe
C:\Users\Admin\Documents\SimpleAdobe\RRiYB1trEnpXiYB26Ja7xI4J.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:6732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:7120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:6396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5880 -s 264
4⤵
- Program crash
PID:6620

C:\Users\Admin\Documents\SimpleAdobe\avd4cwXGy8O5T5HaXlTOL3E1.exe
C:\Users\Admin\Documents\SimpleAdobe\avd4cwXGy8O5T5HaXlTOL3E1.exe
3⤵
- Executes dropped EXE
PID:5928

C:\Users\Admin\AppData\Local\Temp\7zS2E6.tmp\Install.exe
.\Install.exe
4⤵
- Executes dropped EXE
PID:7148

C:\Users\Admin\AppData\Local\Temp\7zSBCF.tmp\Install.exe
.\Install.exe /XRbQMdidgK "385137" /S
5⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
PID:4932

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m ping.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
6⤵
PID:5560

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
PID:1020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:6580

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
9⤵
PID:7144

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bsqNJSiTyoMLfdbIdy" /SC once /ST 13:46:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSBCF.tmp\Install.exe\" 2Z /xUedidaoE 385137 /S" /V1 /F
6⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:6152

C:\Users\Admin\Documents\SimpleAdobe\Yrz61nKeeAUUZyy8b4EWt94x.exe
C:\Users\Admin\Documents\SimpleAdobe\Yrz61nKeeAUUZyy8b4EWt94x.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:6340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Urban Urban.cmd & Urban.cmd & exit
4⤵
PID:3148

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:7080

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
5⤵
PID:7324

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:3316

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
5⤵
PID:5356

C:\Windows\SysWOW64\cmd.exe
cmd /c md 780229
5⤵
PID:4624

C:\Windows\SysWOW64\findstr.exe
findstr /V "STEADYSIMSCOLLABORATIVEHUMANITIES" Stylus
5⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Conservative + Transmission + Employee + Conservation + Coastal + Atlanta 780229\p
5⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\780229\Spec.pif
780229\Spec.pif 780229\p
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1232

C:\Windows\SysWOW64\timeout.exe
timeout 5
5⤵
- Delays execution with timeout.exe
PID:7408

C:\Users\Admin\Documents\SimpleAdobe\yr1HEmNUsYMoqUos8HhVZrSA.exe
C:\Users\Admin\Documents\SimpleAdobe\yr1HEmNUsYMoqUos8HhVZrSA.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5968

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
- Power Settings
PID:8172

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
- Power Settings
PID:7696

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
- Power Settings
PID:7736

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
- Power Settings
PID:7724

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "CIFUBVHI"
4⤵
- Launches sc.exe
PID:2300

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "CIFUBVHI" binpath= "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe" start= "auto"
4⤵
- Launches sc.exe
PID:2952

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:7332

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "CIFUBVHI"
4⤵
- Launches sc.exe
PID:7088

C:\Users\Admin\Documents\SimpleAdobe\sNaOJTD9uQICQF77rAfYP_e1.exe
C:\Users\Admin\Documents\SimpleAdobe\sNaOJTD9uQICQF77rAfYP_e1.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:5672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:7460

C:\Users\Admin\Documents\SimpleAdobe\qc2LAigckqaLJJMGj9K2YVRH.exe
C:\Users\Admin\Documents\SimpleAdobe\qc2LAigckqaLJJMGj9K2YVRH.exe
3⤵
- Executes dropped EXE
PID:7368

C:\Users\Admin\AppData\Local\Temp\7zS363.tmp\Install.exe
.\Install.exe
4⤵
- Executes dropped EXE
PID:3800

C:\Users\Admin\AppData\Local\Temp\7zSB13.tmp\Install.exe
.\Install.exe /mdidmNmv "525403" /S
5⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
PID:7908

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
6⤵
PID:7336

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
PID:2248

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2888

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
9⤵
PID:7032

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bmQWCxleEgxbTUrSZz" /SC once /ST 13:46:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSB13.tmp\Install.exe\" xv /EyZdidr 525403 /S" /V1 /F
6⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:5236

C:\Users\Admin\Documents\SimpleAdobe\9Rx1iFAabRHGhnmgHK7smGji.exe
C:\Users\Admin\Documents\SimpleAdobe\9Rx1iFAabRHGhnmgHK7smGji.exe
3⤵
- Executes dropped EXE
PID:8124

C:\Users\Admin\AppData\Local\Temp\is-SFF80.tmp\9Rx1iFAabRHGhnmgHK7smGji.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SFF80.tmp\9Rx1iFAabRHGhnmgHK7smGji.tmp" /SL5="$403F6,5296842,54272,C:\Users\Admin\Documents\SimpleAdobe\9Rx1iFAabRHGhnmgHK7smGji.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5556

C:\Users\Admin\AppData\Local\UDA DVD Free Ripper\udadvdfreeripper32.exe
"C:\Users\Admin\AppData\Local\UDA DVD Free Ripper\udadvdfreeripper32.exe" -i
5⤵
- Executes dropped EXE
PID:3456

C:\Users\Admin\AppData\Local\UDA DVD Free Ripper\udadvdfreeripper32.exe
"C:\Users\Admin\AppData\Local\UDA DVD Free Ripper\udadvdfreeripper32.exe" -s
5⤵
- Executes dropped EXE
PID:5896

C:\Users\Admin\Documents\SimpleAdobe\p3O2Df3zWTe31idjQX_xscMp.exe
C:\Users\Admin\Documents\SimpleAdobe\p3O2Df3zWTe31idjQX_xscMp.exe
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6016

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
4⤵
- Scheduled Task/Job: Scheduled Task
PID:6768

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
4⤵
- Scheduled Task/Job: Scheduled Task
PID:7164

C:\Users\Admin\Documents\SimpleAdobe\i7Vqp4soBu3fWb8jSUp7ykDM.exe
C:\Users\Admin\Documents\SimpleAdobe\i7Vqp4soBu3fWb8jSUp7ykDM.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AKJDGDGDHD.exe"
4⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\AKJDGDGDHD.exe
"C:\Users\Admin\AppData\Local\Temp\AKJDGDGDHD.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
PID:7344

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7536

C:\Users\Admin\AppData\Local\Temp\1000006001\3be7bb6c2c.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\3be7bb6c2c.exe"
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe"
4⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:7060

C:\Users\Admin\Documents\SimpleAdobe\tEITrdPxPAqamdFh9mTXsHhT.exe
C:\Users\Admin\Documents\SimpleAdobe\tEITrdPxPAqamdFh9mTXsHhT.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5688

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:6544

C:\Users\Admin\Documents\SimpleAdobe\w9Bd8GUQVMRZzO1YvEvAY745.exe
C:\Users\Admin\Documents\SimpleAdobe\w9Bd8GUQVMRZzO1YvEvAY745.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
- Checks processor information in registry
PID:1276

C:\ProgramData\BKFIJJEGHD.exe
"C:\ProgramData\BKFIJJEGHD.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:5872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 300
6⤵
- Program crash
PID:3524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DHJEBGIEBFIJ" & exit
5⤵
PID:6024

C:\Windows\SysWOW64\timeout.exe
timeout /t 10
6⤵
- Delays execution with timeout.exe
PID:5828

C:\Users\Admin\Downloads\Planet_Coaster_Thrillseeker_Edition_PC_Full_Español\safe-archive\setup.exe
"C:\Users\Admin\Downloads\Planet_Coaster_Thrillseeker_Edition_PC_Full_Español\safe-archive\setup.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6192

C:\Users\Admin\Downloads\Planet_Coaster_Thrillseeker_Edition_PC_Full_Español\safe-archive\setup.exe
"C:\Users\Admin\Downloads\Planet_Coaster_Thrillseeker_Edition_PC_Full_Español\safe-archive\setup.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5560

C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaLink.url" & echo URL="C:\Users\Admin\AppData\Local\VitaConnect Innovations\VitaLink.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaLink.url" & exit
2⤵
- Drops startup file
PID:4964

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:7816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5880 -ip 5880
1⤵
PID:1444

C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6804

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
PID:6912

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
PID:7076

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
PID:7348

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
PID:7112

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:6104

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1404 -ip 1404
1⤵
PID:6524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BKFIJJEGHD.exe
Filesize
516KB

MD5
0309dd0131150796ea99b30a62194fae

SHA1
2df6e334708eae810a74b844fd57e18e9fdc34cd

SHA256
07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35

SHA512
3d4e5a0718d04fee92d8040880b631107d1e23a6b3bce430d58769179af999c28b99e50c5cd45f283339f7bbb24ffacbf601a5447edb12e28da4517fbfa282e8

Download Submit
C:\ProgramData\DHJEBGIEBFIJ\BGIIDA
Filesize
6KB

MD5
9423f4a9b4c8cdf1b750404895a913ec

SHA1
4ecbb0b1f040d253f864b7ad9e44bd4171e4762c

SHA256
5f3b004d90c3f9817c8d75089a507e2df64aac3c7a3a7ec92777401d05d63dd2

SHA512
2ac84bb10d2f063c78657e1e2a609bd71f9dd5ebd78cacf012be9246565f5c738ecd114d8a32219f476b32fbea62876fb4a6326004c17aa5824bb13cc5c09507

Download Submit
C:\ProgramData\DHJEBGIEBFIJ\FBFHJJ
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\DHJEBGIEBFIJ\GCGHJE
Filesize
116KB

MD5
d222ad5b2a45f369838452b022f390ec

SHA1
58041a077d83f67322449e96bde92e92cc97dd9c

SHA256
1c703a39a65b4cf94300be761b87d4083bbcad7bf4c2b02d05cff5239c566227

SHA512
da0c5f18af70c26b302a1431965cac026c2a1785c79963510b7079efe1e25d86a2c9443a0ca407693e0122d7f9128c18227367c80deec3cf111816f6d8a9dfe2

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000038
Filesize
30KB

MD5
9d10357bdfcc925a6549f18ef191107c

SHA1
395610d7611293a4cfd690b1f4ac70220c22e3f5

SHA256
7482abd00de5bd827fa020573bd137b1c6bbb748c38ef8e440b86610e2755f68

SHA512
050fdc60d780d03949f7c4b86f08ebb4ec8e9cac3607ec6aa3bf8c36863f13bffa2a6a30b2c44c7dde593e7b8eea7be0689403e9af89266281191c00ad6e59e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003a
Filesize
21KB

MD5
af77c4e52ddd4e50b8ef1cba91a4a1a3

SHA1
a4963afa285e369a181258faa9d35314e9b7d437

SHA256
753c379055078574a07e0c259de0d71d3eee0e12663d7c62b9a4e4b13774c0c7

SHA512
c00614105688b1a36c85cafeb3f2c728482caa1cf86e916d2ae0b59e8f4f4ecfdca5e0ad6b527d661ab95984eec90791629aa8089262a9942bc0bc543fe36286

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003b
Filesize
42KB

MD5
0c74385e7737386aa46ae9cf3aa09966

SHA1
a5703db8b6ad7256d932cd528a55e9c3d23cc85d

SHA256
7dc1e70e67a65dc2032e0fdf7ef3edb35c5cb1efee4ef548501ea9fd953601c9

SHA512
3f7f85d4b52a285b85928683e3c36ffcc75e6c0ee6d7801f7afb2069eae6ea555378fbfa43e09bb46a192ca6a8d40d06389a453e94de2da7a290885065182caf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003c
Filesize
133KB

MD5
8c8ca3a7249de8c0b8e011cebeb44efd

SHA1
b4ad275f7bc805b9e5fd607bda1643db367a7bdb

SHA256
dc2908d7ec5d91da2e5a7ba2cd7f32774b406e1835ae751db8d3193cca549f76

SHA512
9e0359c549711d3e0d3f3c4d0077daab21cc9b73e932ef578f706e8f1c6a1d2b460fefd25736c3d0322bcc5e41512c611090a87d95022f4d42fe9c0e93528652

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003d
Filesize
21KB

MD5
0f179accbc31f6544ba4cf6f40dc87ac

SHA1
409a6d8763f775e981c89db5c77d0782f8b9b903

SHA256
265e15c678955739a266554750553c1895114ceba4ed8920153424ba0bd54fa3

SHA512
1848b3a74794fc9b78d3ec761533c1e379435d140a0a4df6d0a5188d623cbbf7163838d251663dd33df67995c7812c9f5762bcd3a938b663ab9da8b1e6670839

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000041
Filesize
103KB

MD5
906386e6baca6e86574b987a960d19a7

SHA1
98e9904c43f4909f2a223494c97cb195de27023b

SHA256
d74a1a9fa690badf176cd3a26d26245262f23f43556f622042169669e9946ca1

SHA512
8f10daf11d9e8e5779294b290c5ff3bb3533e5670c532482af9f0835d5e6347abc5b527cfd159966c7d7b6d6cc0b6e51963f4d0e4fe11ae2175d9cf557bb1cc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000042
Filesize
1.1MB

MD5
87fc4337196f05f2a6fa9134a710b25f

SHA1
43d024f6d62d74135e359b968150e81de870e5ca

SHA256
686007a127e06071c65ceee45b67cd260dfec09ad3b7067a4260ff97d5614ed4

SHA512
6d6201cc4f869f422ae8ca6d6c956b63e1cdb731fae1c78cb98be24e17831209e28c683e5fb3447c43755d5706c521f314900af1dfbc2a4d3ffb6bcdc40095a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000043
Filesize
39KB

MD5
806cf4bb9d95a71f5e00db1d58f25ac9

SHA1
5b54f62adaec06a7616425c08f496244bdee80b8

SHA256
cf836123a97a53ea8cf65c2d429d5cf8bcebd25707e93d30681fcb6b776e4d62

SHA512
7eb2a6b069bcf5ff2678550fc2255d50e43431bcdc9ccce2c047914d5e8a7886cc5f39fdbe9a590561054726df41ae052d95928ec826f457d7a9963de8efb724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000045
Filesize
21KB

MD5
c99a6d99b8fe6b4737b211b497848564

SHA1
fd44f4edada95fc7136904147e23ea9fd2f63f74

SHA256
9d142e74424c3c33d63812acd9e20a6c8be5bb0a7302af20141f4951c92cac6e

SHA512
811f5d9008aea96d6634477d93d736cab1f093b4f56789cd12bf6bb8a7f2e6b14ba11b8ac73ab7f85907382df0fe14a639a68f026f7602059d2e5a5514b92de8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000049
Filesize
24KB

MD5
b2cb20a43656b74a93a20bf2911a367c

SHA1
ae8f8cac204f047be86d1860c7b0a71fdaa554ce

SHA256
dd56d16453c60a7717d22af1f609772160d09897a7b88cdfd7d6e92a7344e1f4

SHA512
7f63c99049cf950e7ed3dae05ae7ae9edbe28c6bc8d4e648ed7e1062b1f3aad512c27e5c08f396663cbbbcad8924a7f06177508d1095009421748c0a353d6739

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00004a
Filesize
112KB

MD5
ff367528c894eec97c5b41eea845cd75

SHA1
6f7e3671b27792d8d141aebcde8b48bf679d2f31

SHA256
aa099e5a834ef87ec7fa265b67a8fb6cd4799215e330c8b478c1108653a51d21

SHA512
293ba3f60425eef80de94f786de506b3d5a34830a068a43262661ff44c9896e178c6989991983f40d802746f0139d48f0cd141f16ac1617a81d38c700d57bb9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000050
Filesize
19KB

MD5
bb30ea3b46964f49ba85f475efd1fb6f

SHA1
1bb4aae7781af8b933e1dd4dee56879a3ef92d38

SHA256
7a5bfdc2463dfde6b169ca4555ce9f5a0fb21c15c3ac807967590df27dd800e6

SHA512
bc52e8de4712d416aebf1d403d6ee8dcb6386a93dfc6727613af487f73de69db90913a9e9781660d8dec121d720ceec9c84b260c76f0f6f565ae80967eee7474

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000069
Filesize
62KB

MD5
1721006aa7e52dafddd68998f1ca9ac0

SHA1
884e3081a1227cd1ed4ec63fb0a98bec572165ba

SHA256
c16e012546b3d1ef206a1ecbbb7bf8b5dfd0c13cfeb3bdc8af8c11eaa9da8b84

SHA512
ff7bfd489dc8c5001eea8f823e5ec7abf134e8ad52ee9544a8f4c20800cb67a724ec157ca8f4c434a94262a8e07c3452b6ad994510b2b9118c78e2f53d75a493

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
1335d2b29d6afb7e818a85718c909588

SHA1
da2d25036da8df5bd25b38af409e53eb92089ffb

SHA256
05c1c915ae3d9fb61248ed91817d65494bbe3c7626d13df3753c2793d93349e5

SHA512
f6e58dbcd4a742f5e514601e28e20846f561a0c0c463f0a9a5927d73894c37245dbb464bec08ac84f8524a709712c43d5780ee5e290753dc9fa2e364b4ced620

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
7664f0b6b9ddb1255ce3ebbf241b128a

SHA1
5e53e8162204cb7f30dc2af4b2e8e37dfe3a588e

SHA256
6850b2dda6cef4318cf37b998f73295e154c755bf54a4d3d242f3144627a0fa7

SHA512
dacadcf1ee45abbee541fc3d5f8869bcdb8bdb718e551bde258d426c9295d6d98a455552c5aead4a7bf6338f385fc4d9c491d2679a7c7255625a09d08071e403

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\8ddc6db8-3d6b-47e2-a9e0-5b1a791add03.tmp
Filesize
1KB

MD5
9479192afa59a7a23813f93af792c112

SHA1
6de382f45238696c9f23da2193e9baf2464caf4e

SHA256
fe3472bcf1bdb7dae5cfe2c4aa44321cc369bdb291b1a598068def65afcbadca

SHA512
40c56486c78ae43c1f1cdc56764a6437273197022382c0dc3d78e7da8749f2cbb0213291768aed9df1d18fd08067cb917d0ed0dc7057ef5c8524523c54912d4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
25KB

MD5
13f41cc0d603086720a1c169e3dbed92

SHA1
b7a91f75a916eb81de1299d985f247a0292f9928

SHA256
65773c5d893d1d0257e2830faa1bcf697eca4d566618e55d84680fb9ba1034c0

SHA512
ae153136dfb3543334eed53280ba1635de1989dae3af6444ce64fb394a9591e3ffa80b843252ba406c5ce5cae9fbcf7fb319bcc211cce54eb072ada8f44cd82f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
5KB

MD5
24bbf8c068fd6d4ec46b0d247199a4b0

SHA1
9031135abdb304d0dc3a6c55b97f0bfd3e518160

SHA256
fc5a7ac168edbbcaaac2f8c76c3ef14274305b7b1ca0923e3318de1ea5860742

SHA512
4f9ae8764a1e856bf1f3edba017d4037fa58f357587272a75d56c3b8b666046c9bfb214224df8294f483a5581e317718f02a50350669d9f29e8a96761ffa0eff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
21KB

MD5
4c90e90cd70478f36f562b15cfd51bc5

SHA1
4f9fc372f68cf5dae31215586f6310e5535a35c2

SHA256
d08a9bfdf423ea792d1ffc0f779c55a167ce89316639a68935650a5c1978a72a

SHA512
2214cc1175b9c14bb43a786dfc4bd17e33e53af6a5c55f2234ca2666174eb9ddd71e2ecb92b4db91b9436e4b4f35da501b9c33da8a0b6ff45ee9e9947bda96e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
5KB

MD5
e6f1d5d0ff3978348f139b00ea12cc32

SHA1
f183e8a2ca21f23ab830a54cc8a8437ac87e0970

SHA256
f1f8bf01ec9e4656f598292659305b88651fb54dd744863e6c06e49e41fbed8b

SHA512
ac5fa658013be0090971c617ccbfb75b7aebac098403b7beb9181f15b6b689aa5965c151219651d985c2b55e46f6f6980850f31a748ad7c19f218805da683432

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
6KB

MD5
45b3166167f61405dab1e4b39786d8cb

SHA1
90d0cd9e2bf9e4f4e7385ede52beec0abd9a0e61

SHA256
6bd55a47efabc6d6270e8eec8be232622989de0ed5af99ada54ab48b0ef41d7d

SHA512
0218a414d5337c3ec66bd7f2f2102eb6ce5f8c64b976101b08263beded847a5fa00797d884777ba85dc98e9d97f1ac7b361a50788a5ab757c80296d33253d26b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
7KB

MD5
a73a03615fc1e92166841ba4c3d02e54

SHA1
6dde6bad8c886dc2f3769e7949a4a63e82d93c81

SHA256
6fa038cee0bd2161c4af3ec9eadfe5d6f422185976c5270cfaf2ebec2393743a

SHA512
b57563e104477a72ff264384dbe2eb9a2b23855eda6085cfe2454515838d3eee4fc4b0a68c747c72e771362213caf24e741a24c7dd9797a90073d1186b7987db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
524B

MD5
f67f0f16d0dbd41dee5c8ef0fe964239

SHA1
7f6571841a80f374e5e06a5c27cca5d2c715925b

SHA256
19450ab0fdc6a5abe1ac75ec328053b79f56581c6e06d720092fddfb9ce44273

SHA512
cc3a03cf2e596af71ba7aa7ac39cfce646c5e67094ce51fe7984853c82c693818c6244e5eb33a70c61011d7972465fbe56401ca0b707045215516a607f7ca3ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
2c322feb42eb61060894c3355c24c8b3

SHA1
b02cff1ba1ce68f78f2c4ff4e8173bebe39e4a82

SHA256
2d0f06231ca837443ef2e00f8ed26ae4d71829d095d7dd41ae04656166d85475

SHA512
8ef5dae0aedbfd0cafeab3833df1293dfd35a3dc3ef6f4257815cc587fb8a1535884103747a09fff71b7cd11e5e2bbaa0d6aeb8e4a1301107453cc90c4d386d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
5KB

MD5
5ba149aa8df6afed387fd315f1f3c201

SHA1
676ef1af646bdccf232af6f9e9ff0efb9da11b38

SHA256
0b9b64b56ee7b50a5a291102b93ae46da41cc6042f5952ea25fde644f115362e

SHA512
b44b4b1bdc8facb24deb05ed67bfced4168f2ef9e2a14b12407460961a5214325ed2bfa11bc2f49b5c487d3f292ac764987b1b996bc4951ecdd51d1e3744bbd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
7KB

MD5
f39391863015c0c5939aa72a9acc5730

SHA1
cc38d0c082e404013b32513d6c3e46253f80e391

SHA256
57aa7c3c3d2dde11a6ce75d9a44bbb54a527ac70dab8b77ee432ab4e87257019

SHA512
b586cb9c46825ed2295617df046ebc0c73725b53384b405e83b1e7b05862f061483e2e07bcf0194711d2c826a9e2f0cd9ff62a892651f19574ff4e797d944985

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
692B

MD5
86eca9f75d73f742b747e4adbd4e8690

SHA1
d83ee84acc42c6e215324a0ee596d5b451ca5d43

SHA256
4da30025ae11420a9ada2b6cf85b29c275b65d1d11ffb460c6ce57d921d09937

SHA512
a8d6b5c8744a08f0c4fe1eda4b95347cdd49b902455ffaa832cd80f95fcd6cf9f5d944cb3e09168f81c2a2b4d018d936b8c59ba32821c8de7d893623f2e5d7ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
859B

MD5
6006d19751042984afadbb4d1769cf21

SHA1
e259b097d7b97a13465cb40d9f683bd8a67ca9a4

SHA256
a0458c21eed1bf58df98718a2e89de309bed9e04b5b53bf6edbfa0d5b48f760d

SHA512
ed2f5ccdc0f78bc883c1a43bc54e3c7f5befef6a2771fb0cbb58c846f577b38c40787e2f0638cbcae4fd78cd4f698b23caf37836c27f61b0d79560ad7e65e661

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
859B

MD5
e9e9cf1990cbb53e8aa3d3134b27bda1

SHA1
04d5dfdf4663a83b1f7fb8b4d90d45f1b3cf192d

SHA256
0e7cd572c98e5a2147a8c5c2a2916e698b4d26066046c4cb58535b1d79530d5a

SHA512
c1d50eaf1d3e9b7eee2418c0175b6eece3a5646e67c24024bbb54eaff9532e68a806d2c578324dfb8dde9ead98be3a99b352ecfcfae13708060f6e108e40626d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
8701af0e7549629e5f593a0dcc213772

SHA1
8e7355b8e608af6022531a09f5ac920f48306e49

SHA256
30d89151221bfa6eded76f35a9eec36331d7f3270ce57dc4bed8357aaac236c9

SHA512
34ff1b803d3380ce74b032a2f7ff1de9113e3efab997257de31431847a46474765e58902e6c801b6bbfde78e56b9a9696155a59f7977052a60373e3ee1567310

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
910528dab34430d037f2c5182d27e5c8

SHA1
9914fd0a0ec55b0d63d302328f8467f94f708254

SHA256
a1e12ffd4ea28e1b1184bf76e473ce0a737e1d5d8924d4166ca1d09c7520af12

SHA512
cf79fac6d089418cf9576fdaf21c042caa181174ede6ea67dff63bcb39fba563fe3e608d56d0e8399f21bac511853e4fa6dd747e58d3632566109b41a7186fef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
2ec96dc19471ed717ff07521e46252a6

SHA1
0ff774cfa3c7e9620a84b6c0ff30e73cd2745392

SHA256
1a7ebdda4600e644f49e93a2ab1e0aa19cff91e9d551ea07505f03ef7822ae4c

SHA512
e1a33ac90362786f67a05ae45ef3165e2d9abbd9eb1b81de38e46bfca3183a040433e73bd577aa2e84667a7af571e887986936adfe77d891bf9d1e366c312ced

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
2bce8070c34bed3c1cd966f97005ef39

SHA1
0fec08fea0e3aa1ee686f261562d9467679b9bdf

SHA256
6002fba9413b3f52c67bbfbd51d07534ab99ff26d914528d18ae5095c80bda40

SHA512
c006097813eee21f66c6eba4fa3218cbccae21c5dc7a334038197ffbbd4a899fc2908d430e65cadac55781907baaeb56a17c58d1e0bf20ce8310fce232736415

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
874b2e10e924bf7501bf63a1e7d41ec0

SHA1
16aee0b0bc18a2ec4ec5bd4bd7622fdc0f1edc3f

SHA256
e38b57573104f06d91db121e72197ed2c794be63ad972e3e376102d6bdf3b3d5

SHA512
f91027e050c3f2e7663cca3ebea8d297937cd17acca057f65a1334ed3be412043432926ad78b3f817bb24569ffbbe6cf82fe35341021f085087373bb05be99ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
14b62ae827e9f6994979056ce51ab557

SHA1
4ca58688f10bc87f046508ea6571a6395ed13fd6

SHA256
58ebd4dd1e98e41db32e5946155c333132a87eadeb937794703567f1f7d930c6

SHA512
29ba520be969ee94ab9b429a6bcc13a4c708d84000ca6e4b89b45840250f26a4ba2c3e09dd58d5e7378e3ec267a1e70f091a59b85f4928e3b8fc156c04e4993e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
c7baacbad8304f4031a94adeb042d8be

SHA1
fb0d5ec7defaaeca442e00b8946e3c82ace87319

SHA256
ef348113b3937f99a8b6e8dc40ed0921bfe94256c530e0c7cb89cb1f400d7d12

SHA512
6c284d963b4ce150258fe1ef3e3c320fee65197392aeeb17feb0d620a511b30cfd9564ac76b852119fa52787c7541f1f2702db0cd831698b0990dbcd855c599d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
814fc7ccb6a8ed73d97c54efd77f45d1

SHA1
8dc6da389f8239ac9d947dec599824614b9cfa8f

SHA256
6c18355d33be1aa915ef18913f8a702db1e2cba4c03153ef3f163e935f0feee4

SHA512
f392c410cdff310a8884180cfd2fa8888bcc1381f4fd47d3fe3bfda1ad5866741d4916c030ecd86c4c1ffb3e467c5fdae14e8242ffed43c3927a3aad1e7051c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
21644ca2091eb0d2978f47c6a0a106a1

SHA1
91245f5d0639f2808f77d5985a63514d29c310d7

SHA256
58f010dc9148f22c34587859c8f8eb4ebc4b6fd9954e0ea8b5c1bf41389933ba

SHA512
1c85bf8a14b620e69d9957ec43c71505d94aa00cc0e5b3e98b7bdc9079c3bbdb6cadb1656ce8b5da0f828f691d7290fd40c3f4d120741a0afa31f379800feced

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
120B

MD5
1b2531baa4213f0870be30646db96587

SHA1
aa8bcb0e8e0495dff970e1282c8ccf56a21f5742

SHA256
fe13d9c0938dbfd963e67bdb4306ac377918a30d57ef42ab4afa57560489e567

SHA512
84cabcd95f920fe1ce3b008dc8753630c9fa155df91a7379eabe591f3e8d152637cc2e86a3a9bf8e199015b007f8aec3e482e3bd5419b1b62903e12d3ba24e0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57c498.TMP
Filesize
120B

MD5
2f1fb7a6c94efe7be26846ee10c881c5

SHA1
ec8d7e11576caa689de7bfff3f2d664e152debca

SHA256
c684729cf5fadaf234f7c2891ba105d87d7a1545dadc78ae32eb8701cc7d160d

SHA512
28fd0990aaaa1533e4a19098fd56e8c2087a0f84c39eb6152b061bc771d542fe613cc77c8c9861ed21058ae211370619135490364417bf3eb62b11a5ed1f5a8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
142de223563b2dc570237add5517e391

SHA1
9a2d3a57c68807733ecc7989c739985b813991bc

SHA256
9dc720dcf1be13bd5c98b144cb745910640095a9f78e6a05e3457196a68f4027

SHA512
c08a132e359fe6d6be524de049fc27d3ddbe37fb9050c6a9bc96c75fae414e181e2583016f5262ff22f2703b706f8ae91cae931e6377baf6c0c519291ad3a7f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
5857648d84f451271109ff34b9469bb7

SHA1
02b17d6880c1c08f9ec60a75cc1a58a27a135e54

SHA256
cc3dae0266ab48b04d686097cafedb99c1c2465f1a5293c2734b3698a434ced9

SHA512
9c2c893cf22dda2f9aa533ddcc22e197972f4796f5ba9dfc423276b81b795d0b6cd9634b461e7910ff69546065346fa850433717b139123e152b47ef816d7804

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
218eef567e473e7d8b90c87ebfeb1205

SHA1
0b011ae92ccb6ca1633401789fa33a6f1df2da49

SHA256
fa2a6cd941b633b116e9cbbdc01294953ba7d7f5cb2951415e32040e0e16673e

SHA512
f2dad59dfaae4738f5447861e4a0d7195d7b6c2e3dbfec569c5252c87f80b90ecbcf4a775f782f967f0eadd48fc3d1aed8f745da5c028986936104aef5b00a58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
29d5ec920e222ad70fd7d0fa90dbb183

SHA1
97cd95ade55431744c6dd8f72982579a5066be99

SHA256
82021d97b57b3559e3b37c915f93f005bf13ab8e620275e7e5e86f46c721fee6

SHA512
0170e2bbf14b0a37f3a855af1887a56ceef6bbd6d74d6ac7221fde40246568489290d9209111b8661e47ce0c81395395912e067be6798ca0e54264eaf69dd3f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
0c246c2457c6fff02908c1f47226164f

SHA1
fecbccd2f045d562ae262925ad13ecf13dbfe2c3

SHA256
8539acbb4b3e35f9889e1e6b89a3bb8f01ba1ea14a2c5f790e282e02454a4e28

SHA512
f5e2b3eeabf3eaa3ab806af1ea2e5f0638a80f685ab09c57eea28dc2dd7420275428131cc8f81e93feb293c119db918f8e4384d103994ee1abb2fa978744f8ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
b886e1dafd488523b52df76f3ba89664

SHA1
3f0ba9d2c3f55e577764803ae18db4ee5c771b99

SHA256
1f98bab979948d38fcf45c9fbed182b6641ca77e9f4df95a7266a3eab705c00f

SHA512
25d60db6c4a707b64f3541dbf8521248693af8152d042cf8f560f07203d10dcd2a561c380d82ebbef2aee0b1cd0044ce8ddbfa886f858621d6fafa90b8070a50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
0ff524d76741f22b77fb31662ef9ecf6

SHA1
93ee625bcddda3d41f2871f922a011e10a7e32fc

SHA256
15720b6489e29f92599cfa5db8f83fe02ac7491011e0f69102bd03184a9603f4

SHA512
c9a860e0a0067a8dd7f47005f224be741bfb3e106aa6149dedfd106b8b5da4e9d9c6b1f0a1ba33aa8a4093c6dbd49223761fa7b781f95f8f63a0d568defd6046

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
0c26fa33db3941262724fe6c80bb837b

SHA1
66207f1501846c60ef04a3b8dad378f4bdb0e73e

SHA256
6206ebfe156096d15746928af374edeed299d14cb5996790e8923013ac5a386e

SHA512
f9d1df22038fac7ba50561f2086f02148b97b18048896b5730d0abb1343d2f5c7e2f8b24304f612f09261e90fa591ae69db079cbc6b4bb68bb8aabf3ff8cca44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
12ebf62738be4ca11a1fffcb2ab2fbd0

SHA1
a1194e5b4101a4054a9dda134b130576f1406bd9

SHA256
8804ac4e7f8af054651b6ab1a617ad29abd51a03a9383114ad394abb7a37e07f

SHA512
b83a20b46af47594c2751e21b5e71f9663e408a4a781e1e5b2b2834f79d4176114429afc4975fe46ae8d464ee9335b00c7fd7aeede44d1e87f85cbb09f73ef29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
8718dc8ef500193be7f9d22c967b8680

SHA1
8dda016a75e3037314bbfa46845704102ab5c8d3

SHA256
86bb57dadf97a1d250868a83631fed44d8349542e486a1361bd5e4931ba9947b

SHA512
c1a673191b83836b4a24a1b8cd44026ca91b86bcc2369ac65c00b91709652ede20ebed21108a95050e9abbbe110a4bf49d51f59a3387911ea6c521021dea7d17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
96KB

MD5
fead7747f96d7bd0fc187e26ba46fa13

SHA1
37f97f7bc1e643aa1b915d2928c332ac968ec8c9

SHA256
d48faf38c47bd55e3dc82bad0e73e36bef2af90742a636389823a6a186556082

SHA512
598e5667b1818d76ed30d50d98501651ea350bcc78c906942b0044f9ef860eb34e31041596f2133166bf80f9731ec886ee24d399e72d24e715e69503057a5153

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
106KB

MD5
31a5df21a37a40c3b7b8132bd7d12158

SHA1
47480b6035b7c3cf6ceafc419423f1b4f4ea1c91

SHA256
8d66366be6348e853883110271c6db0fc176d85e428f7b552007c0d59f809991

SHA512
af1e23943741f25cf58c95b2e23f33239e4892edffb6d27331f45a81e28c811521c9254ada547382bf7ad835bfa0feb4fbbd07f0453f16ba27cc5884ea8a0260

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
98KB

MD5
d94e9bd729c62a06364b223356413c8f

SHA1
001a7fc89aad48c1a431abbfa1799d44cce693cb

SHA256
b459af880ceee3c0b48518252caf20d290b1c3fed31c0b800fd7aa7cbee2d20c

SHA512
c3d7d87a556c4b1cd16c8c7d01bce5443d56ebadc43370c9fa86906303e61c6c4e9fbc66bc6a4128a987dc7188aa3dda7b5a0a229d79a416858810e76255224f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58c975.TMP
Filesize
89KB

MD5
1404ecce4632b904571980556aece882

SHA1
867c40b89ade7d5f05d3c458b9cdaf50dacafc50

SHA256
f354405c1a465c78de70f74e458c4f2f0e4fcec8ea5baba1e0aa88ee0a3aa156

SHA512
3d9371b43b40bdf17df5f3d77642c9db5d89eb0b51be9d87ad6b1f66a5411bfc05a80287ccd73df7a89c64f67a9b4a9f2e59900e494bb098bc7d7472ec15a8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Urban.cmd
Filesize
19KB

MD5
0acf541cbe9a635dab7b5bcf6f2bb645

SHA1
765e9babeddb81d9c0b88282e6b8a9ada0445de4

SHA256
873200c6afe55ab1b0c4bdea11370b84bca64d0bf7a5d2976416c43cda53bdfd

SHA512
71d1c51aa76b0e3adac409bc8124b57c529e12918b58dc42e4ffea603771377d654c88f7733ca04dd2b7daab45bd4b4a00aa5ca68604151c6077b6c803e3fe21

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0oakk0my.nwr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Filesize
1.9MB

MD5
6736102416370f08e14b120d5410fa2c

SHA1
c24afec979ab51111f7e5320229ea75e8b67ed35

SHA256
ff3384b68d9bfa3fbf73e71dbd2536cf03d6d9b05e843028eab0824a7eee8c88

SHA512
afd754deeb9513b3c7c356b9c891c43e4b5db1b214b222a5037219c831dfa34f8676aeb977e0a254e87627a4fd2ecc3ce701a540b6d635fdd90c164507041b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp34F4.tmp
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3544.tmp
Filesize
100KB

MD5
d4b753fe98966917d325dd364677dcc8

SHA1
669c92717ee7a8d097a8f5a8cbae124a10ec7948

SHA256
04919a66d79ccad94b32757662035c7629387308217a08e1f672ac08fe3ec9a9

SHA512
fe7a41ceaf39fc5b22f1341b8f048fcdbe1f331973f357a59c2fd5f7607dd09da0434936ce6f1d9fdd7e5fa283165a23d1f3ba1ec985831e2aa3b31840495c9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize
10KB

MD5
81b256d38ff2338f8c60bb21e2c7fd4c

SHA1
6d3dae8d7a0e89bde0e227a725dc4e3316ed5269

SHA256
e127e12611e68ba65a6b78055f469feda96a7ec3552df2078e0ebf7b7b01c4e9

SHA512
28cc55243428caee6ad8874fad94ac4c6e2a2d54ceeb1c6bd99243bf1d742e82a8d3fb5a2037110369f9d7d41c1134aa73b5e5054bb3079724d795c1a6e2626d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize
9KB

MD5
aecd7147ba5d24be1551c4b6ecb11415

SHA1
5319360f76ea1de1a87b3d50f3dafda8d1f24689

SHA256
3c64daf6f107b98d42977edcd2d58d5e71984dc8df7390b3d66dff5412f69a94

SHA512
ade6d18304049bccf6be6cead9d44c7740c9bfedbe557bef93b6e57f2d14507838f7ea57effd3eb1ec819e0de8e1986476d52eed678003f8d68e29fa83add932

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize
9KB

MD5
c04f5cb5fac9fc576296b8b1574c7408

SHA1
a37f85f88d9984107e00abdc648316207d69c5f4

SHA256
78e0ac2803bb7235705df3c767e8c9416d8c544e93f88e39e92d51b02a0b4248

SHA512
3d8a398d5e96443840948b465b9e5524738ecbc3fc985095c3f6540db79043d7fd3ad0ebb38945fcb92dec4d59011df4ccbdb5a23c1416ed7c57925d717bdc0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize
7KB

MD5
c9b6b0dade4ae84ee64b3f72b13519a5

SHA1
98fc52f959de74489918c8efdcb9dcb8d5b7933f

SHA256
6a067f9d434f2271b7e7ad6878308c40dc31ddf5f1daf83d7a04f054e9c65269

SHA512
15bedfcd92318f1f1c99cf65d5887359a98d2a284be929a3098015f7b1d7d9014b143ed6d3edbeb1fd9e7e37b1521e44d2917970b0edbc1d7d63bafa44902b2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize
10KB

MD5
7df0878f164fd7d333cc6555834cf5b3

SHA1
6a0df3e3a59c30c2a691e1215b5b2dc26bf442e6

SHA256
92c8650f287c19141ec26d94e2bebd9e6f9e934e4703b66c9e8cc9c6f002aac5

SHA512
5257f56a9117450510570bea3b6e579fb88ee26793c69d61a88d34e0a095290056484c09dadc7e16b1c8a0cbb23a2b8bbe89cf85e12761a753f8f64952d57815

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize
9KB

MD5
f7b5e9eee48841aac1c2fda2e9517fe1

SHA1
3b73faca48d67ecd2e3221b83fda2f436142535a

SHA256
5bfb0f80c6861e072d18743e171ac24aae27ae40a3cbca413fba7244f9b284ee

SHA512
4d4e44fe2e81e6bff860c22dfa391bcc7079dad376bc6376e7ac7722b06ac0fc4bb73196c1c92991bfd89685e469846595f452e315a178003ec25fb3b750f0f2

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\9Rx1iFAabRHGhnmgHK7smGji.exe
Filesize
5.3MB

MD5
be3eba3801eb2804cf73258e6d19cd47

SHA1
f822cec55c21da3c948dce6c8b279ed52f9a078f

SHA256
a22d69c1fab2e83dcd896b87c6d1e93d5a042edbb94f219d9da43afba5a1d535

SHA512
82172d11a7f0079431e69d08474660224f6249063b61acae11896db0111f45fa469ff45c59d019f7648b1db9e0e888e07593fdf5fbc30bad31dfbf7b0e5a25ec

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\RRiYB1trEnpXiYB26Ja7xI4J.exe
Filesize
935KB

MD5
d576876cad919a58b7ac939528454c45

SHA1
31f21c211549cc754dd5482286a9bc8dfa69f673

SHA256
a0a6894015fe3f93673567b6db97e7102fcb36168f1abe0d47b6a901725eb7df

SHA512
022cd2712ae2454fa686c9244825ab8d1ac90da89e1cbbf95271cdfb4f738d0582ed80969805847991dbf3c3976c1a4aeca667ed76b482628cc2a48516ca6b12

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\RRiYB1trEnpXiYB26Ja7xI4J.exe
Filesize
935KB

MD5
5d505724b7a084217d7db6b2710d8613

SHA1
f444284be57973aa0d2fa22cdea4e3a639bdb6c4

SHA256
c4024302b2f74461f6aecd5ca2f2889fa8ed48a420cb2176ae782368e2c5c6eb

SHA512
bcc79a8856aa5aee6349d602d75c2c1c615a12502d1256b044572b69bb3ac3bb9632a4b61956d41c7186a3d97dcf376968983bd16b417a8dcd89ecc4aeef42d0

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Yrz61nKeeAUUZyy8b4EWt94x.exe
Filesize
1.1MB

MD5
48102e563cc217fcf12d728d21937c4b

SHA1
903d74e06549a428f093690e42cf6367df0ef471

SHA256
ca493283882c5b200bfedf9eae4b16e4f992e3f44d180bd268bf8241b35f445c

SHA512
709cc57176d03628ece45262df4189573bc53eaa4acd4347a2b933aafbbc03f6bbff4979a17b0546401f4b5092b1ca5a0d8d4c7accf941203e36cf2ca379433c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Yrz61nKeeAUUZyy8b4EWt94x.exe
Filesize
1.1MB

MD5
470aed70b81cb24f9316bac75ce9c409

SHA1
6797699947374efbe4e4746f7500a1e2d92ce36a

SHA256
afbfed421c1da695c193849d153e11975eb3f2f6fa9d936bf987d4f046d86f7e

SHA512
b26ad5e4fac0bbca810554f0a5453bffa8ad4d654bd057fefc8e83e3dbfd42e1e63ddef308c445a783d8684038e9a2f1f546ff1a7948b93c63b886632e242cb6

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\_XC6ZFQjGSQNUqxKbkg9LkqK.exe
Filesize
492KB

MD5
b116a1ba048cc8bef3191da2d9982481

SHA1
28c71932a79fb89794ad02de4294839feb71531e

SHA256
bebd82db6f170ac03c173979eb9d77ea9c00f423f540eac574f3f0d93977a003

SHA512
8caeb9f108f532906558ca7c3d10799d1e4977dc4c96a7a21947a02608650eb5b39f2208e04438ae55d123559ad939d8b51db023a8ec8c7dee5d1828d03d79f7

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\i7Vqp4soBu3fWb8jSUp7ykDM.exe
Filesize
2.4MB

MD5
8369d155da8c3f7bcea8490d36f2f114

SHA1
3d7fc15294497e6af579bdf8343eae47a05ae2c2

SHA256
2ea252fc14bd9190e6a6d57b8f2ecb7870a4eecf01acfbba9d0f698838f03fe8

SHA512
81afcb035c63110ed2cc845ac77472a54ebb6ecc939d8dcadc9e0640bec1d9914775f16aa113a681d171c0f3ab3ad73bfb7f646796476233b3d7cc867d0aa47a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\p3O2Df3zWTe31idjQX_xscMp.exe
Filesize
3.7MB

MD5
15941771a756b2e6958b64a18eecae66

SHA1
0ff890cb70d49bc730b08b66e089f1a3c46957f0

SHA256
effcdea42cf5e4cd05c41d6d6ce489446a5fb9a6cc0bd75b4eb7571bcb67be14

SHA512
75896861facdf99f7ba71f0704535ddcd4490dd7c0a47913df44c714897695012f0ca95c3abcea0f89719173ec325d5dd4625f18532f8aa160ee34de554a14dd

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\p3O2Df3zWTe31idjQX_xscMp.exe
Filesize
3.7MB

MD5
2ab891d9c6b24c5462e32a0bab3d1fec

SHA1
4dbb387d2fce2b47ff3699468590466505ba7554

SHA256
6ffd157eb781504eadd72996c2cdbd4881034ffb7f7d2bc4b96d4daa61fb4d86

SHA512
0317a30e9e70d0ac8416f14a91119504fc40e9a72ee34d358741ebf820367abb3b18e2c64987f6d86d3c4a8952621aebeca83fa027d66edb456c749e56d42d89

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\qc2LAigckqaLJJMGj9K2YVRH.exe
Filesize
7.2MB

MD5
4ce34c3b3797abb8b8c1a22bffa0085a

SHA1
4d32086b67357fb52206089cc56d9a3c8b7259fa

SHA256
893399d2aae7ce18ac072624f98b0071f7498d038944d80719bd739521ab55cf

SHA512
8fa7608f533c230fd0668846ede325a546ef76e3990b2b4a545f961bdfbd301bb608ee00de260a10ca3f80f11054527f794641077ca8c26ba9db1536a87bd528

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\sNaOJTD9uQICQF77rAfYP_e1.exe
Filesize
2.6MB

MD5
7ecf48aaa1e1257b3d70412e139bc7f8

SHA1
2fdc2423017bd353a606a3cba87d735d23affa87

SHA256
ebe27c033786b4692736ad9f20af3867f6e656dd8360840572087de0c126e6e1

SHA512
20c7d74eadfaebffecc453fdc65b206210ed6d354f730ab50c75e554578ce8b681e13d2b091bdb4230fdcc8853362138e8baedd405d892c413901ff63e6643c8

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\sNaOJTD9uQICQF77rAfYP_e1.exe
Filesize
2.6MB

MD5
520f92170a2cf78ed3152f83973b9b66

SHA1
c6f979d3f405d1e9527566a9cc763dc2560ee39c

SHA256
63f33fc0da67b18a2a5d75d5509d7aee76f5b2bdc94ab5aead8ac09a91b0da01

SHA512
66d4c23cc9d276b947bce13c6089ca9676e30e1db07013b2144d2534728e8ace07ab3456cb66824416ba1f314f998be62a3479dda3143dd21d7778ce303846a7

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\tEITrdPxPAqamdFh9mTXsHhT.exe
Filesize
7.7MB

MD5
2bc0db539a8fab08bf4104eb7f2de7e7

SHA1
ff4a5defedb18c93ef815434b40e19b9452ca410

SHA256
ec84ec11567566db3ba9096df164f0b7a8217d50ffab16fa3642f8f12d759b04

SHA512
ffaeb6c876d2aeda75b6576d2b307964a7b5330a0ab73352a4c95ef18ac3b1b1bfff350805553833a754582ed54215337c376bce0abd44c117b5d8a0e1468d71

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\w9Bd8GUQVMRZzO1YvEvAY745.exe
Filesize
4.7MB

MD5
06333e350e25e29677256d9be86e4ee1

SHA1
088fa1f912473c3dfb5ab118b0bc39ec016cf15a

SHA256
137a7220fb3cbe605b6c74712ad96dcb1bdea1c489e9df159044500ccc23f3c8

SHA512
1475fd313ef0ca847eb7921b5bfb017f9b7f9274497df42fe3fa1477f40c6da8723ee0c46fa5c3fac6e9572c47712e1f4412c9460385c8f47117c82befdc329d

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\yr1HEmNUsYMoqUos8HhVZrSA.exe
Filesize
10.1MB

MD5
3b24971c5fef776db7df10a769f0857a

SHA1
ab314ddf208ef3e8d06f2f5e96f0f481075de0f4

SHA256
0d990bedac4696a67ad46dbc686750086f72f4795ed8a6121782ba3b0dc736b5

SHA512
f70dccd6fd95516eac21b0cc30c70fb5f17c3c8f1f3b28fe3bdaec6053c2de53daf68caf422dea8861e4ab84f3dd7be36965c6998c1380dbf2a05a2a74b36b28

Download Submit
C:\Users\Admin\Downloads\Planet_Coaster_Thrillseeker_Edition_PC_Full_Español.zip.crdownload
Filesize
4.1MB

MD5
75bb293f62498aabfcceee61664699b6

SHA1
46b380286fec3ea994a5d317724a0cda4b38c2e0

SHA256
b14b1e19f4cac359ed0e2de2a2730e7ec690c4ee189bc2295239166cdabaab4c

SHA512
0bd7b7cf1a53278595d0d2c03352870f52ab874d3fae9b9bb1917a2eaf5b9b375232e34ce8da83045369f9838b8711bef293a329f55fe1cfe82dec16df4e2b51

Download Submit
\??\pipe\crashpad_904_PQWMOUGNFDYQLLGZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2888-2260-0x0000000005FB0000-0x0000000006016000-memory.dmp

Filesize
408KB

Download
memory/2888-2254-0x0000000005EA0000-0x0000000005EC2000-memory.dmp

Filesize
136KB

Download
memory/2888-2281-0x0000000006480000-0x0000000006490000-memory.dmp

Filesize
64KB

Download
memory/2888-2255-0x0000000005F40000-0x0000000005FA6000-memory.dmp

Filesize
408KB

Download
memory/2888-2253-0x0000000005CA0000-0x0000000005D22000-memory.dmp

Filesize
520KB

Download
memory/2888-2249-0x0000000005670000-0x0000000005C98000-memory.dmp

Filesize
6.2MB

Download
memory/2888-2267-0x0000000006020000-0x0000000006374000-memory.dmp

Filesize
3.3MB

Download
memory/2888-2247-0x0000000005000000-0x0000000005036000-memory.dmp

Filesize
216KB

Download
memory/2888-2297-0x0000000006740000-0x000000000675E000-memory.dmp

Filesize
120KB

Download
memory/3456-1829-0x0000000000400000-0x000000000080B000-memory.dmp

Filesize
4.0MB

Download
memory/3540-1833-0x00007FF6EDFD0000-0x00007FF6EE73E000-memory.dmp

Filesize
7.4MB

Download
memory/3540-1429-0x00007FF9EE4A0000-0x00007FF9EE4A2000-memory.dmp

Filesize
8KB

Download
memory/3540-1426-0x00007FF9EEC70000-0x00007FF9EEC72000-memory.dmp

Filesize
8KB

Download
memory/3540-1428-0x00007FF9EE490000-0x00007FF9EE492000-memory.dmp

Filesize
8KB

Download
memory/3540-1425-0x00007FF6EE135000-0x00007FF6EE3D7000-memory.dmp

Filesize
2.6MB

Download
memory/3540-1431-0x00007FF9EC710000-0x00007FF9EC712000-memory.dmp

Filesize
8KB

Download
memory/3540-2285-0x00007FF6EE135000-0x00007FF6EE3D7000-memory.dmp

Filesize
2.6MB

Download
memory/3540-1430-0x00007FF6EDFD0000-0x00007FF6EE73E000-memory.dmp

Filesize
7.4MB

Download
memory/3540-1427-0x00007FF9EEC80000-0x00007FF9EEC82000-memory.dmp

Filesize
8KB

Download
memory/3540-2286-0x00007FF6EDFD0000-0x00007FF6EE73E000-memory.dmp

Filesize
7.4MB

Download
memory/3540-1432-0x00007FF9EC720000-0x00007FF9EC722000-memory.dmp

Filesize
8KB

Download
memory/3540-1831-0x00007FF6EE135000-0x00007FF6EE3D7000-memory.dmp

Filesize
2.6MB

Download
memory/3540-1566-0x000002685BAD0000-0x000002685BB30000-memory.dmp

Filesize
384KB

Download
memory/4744-2301-0x0000000005C90000-0x0000000005C9A000-memory.dmp

Filesize
40KB

Download
memory/4744-2302-0x0000000005EA0000-0x0000000005FAA000-memory.dmp

Filesize
1.0MB

Download
memory/4744-2287-0x0000000000F90000-0x000000000144E000-memory.dmp

Filesize
4.7MB

Download
memory/4848-2637-0x00000000002E0000-0x0000000000ED1000-memory.dmp

Filesize
11.9MB

Download
memory/4848-2635-0x00000000002E0000-0x0000000000ED1000-memory.dmp

Filesize
11.9MB

Download
memory/4932-1834-0x0000000000570000-0x0000000000C20000-memory.dmp

Filesize
6.7MB

Download
memory/4932-2669-0x0000000000570000-0x0000000000C20000-memory.dmp

Filesize
6.7MB

Download
memory/5560-1583-0x00007FF6EDFD0000-0x00007FF6EE73E000-memory.dmp

Filesize
7.4MB

Download
memory/5896-1835-0x0000000000400000-0x000000000080B000-memory.dmp

Filesize
4.0MB

Download
memory/5896-2672-0x0000000000400000-0x000000000080B000-memory.dmp

Filesize
4.0MB

Download
memory/5936-1675-0x0000000000AE0000-0x00000000016D1000-memory.dmp

Filesize
11.9MB

Download
memory/5936-2514-0x0000000000AE0000-0x00000000016D1000-memory.dmp

Filesize
11.9MB

Download
memory/5964-1705-0x0000000004F20000-0x0000000004F35000-memory.dmp

Filesize
84KB

Download
memory/5964-1696-0x0000000004F20000-0x0000000004F35000-memory.dmp

Filesize
84KB

Download
memory/5964-1687-0x0000000004F20000-0x0000000004F3C000-memory.dmp

Filesize
112KB

Download
memory/5964-1697-0x0000000004F20000-0x0000000004F35000-memory.dmp

Filesize
84KB

Download
memory/5964-1699-0x0000000004F20000-0x0000000004F35000-memory.dmp

Filesize
84KB

Download
memory/5964-1701-0x0000000004F20000-0x0000000004F35000-memory.dmp

Filesize
84KB

Download
memory/5964-1679-0x0000000005050000-0x00000000051CC000-memory.dmp

Filesize
1.5MB

Download
memory/5964-1703-0x0000000004F20000-0x0000000004F35000-memory.dmp

Filesize
84KB

Download
memory/5964-1707-0x0000000004F20000-0x0000000004F35000-memory.dmp

Filesize
84KB

Download
memory/5964-1709-0x0000000004F20000-0x0000000004F35000-memory.dmp

Filesize
84KB

Download
memory/5964-1711-0x0000000004F20000-0x0000000004F35000-memory.dmp

Filesize
84KB

Download
memory/5964-1677-0x0000000004F40000-0x0000000004FDC000-memory.dmp

Filesize
624KB

Download
memory/5964-1713-0x0000000004F20000-0x0000000004F35000-memory.dmp

Filesize
84KB

Download
memory/5964-1676-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/5964-1715-0x0000000004F20000-0x0000000004F35000-memory.dmp

Filesize
84KB

Download
memory/5964-1717-0x0000000004F20000-0x0000000004F35000-memory.dmp

Filesize
84KB

Download
memory/5964-1719-0x0000000004F20000-0x0000000004F35000-memory.dmp

Filesize
84KB

Download
memory/6016-1685-0x0000000000430000-0x0000000000DBF000-memory.dmp

Filesize
9.6MB

Download
memory/6016-1680-0x0000000000430000-0x0000000000DBF000-memory.dmp

Filesize
9.6MB

Download
memory/6016-1640-0x0000000000430000-0x0000000000DBF000-memory.dmp

Filesize
9.6MB

Download
memory/6016-1683-0x0000000000430000-0x0000000000DBF000-memory.dmp

Filesize
9.6MB

Download
memory/6016-1684-0x0000000000430000-0x0000000000DBF000-memory.dmp

Filesize
9.6MB

Download
memory/6016-2618-0x0000000000430000-0x0000000000DBF000-memory.dmp

Filesize
9.6MB

Download
memory/6016-1682-0x0000000000430000-0x0000000000DBF000-memory.dmp

Filesize
9.6MB

Download
memory/6192-1450-0x00007FF6EDFD0000-0x00007FF6EE73E000-memory.dmp

Filesize
7.4MB

Download
memory/6396-2457-0x00000000073F0000-0x0000000007430000-memory.dmp

Filesize
256KB

Download
memory/6396-1772-0x0000000005330000-0x000000000533A000-memory.dmp

Filesize
40KB

Download
memory/6396-2256-0x0000000006110000-0x0000000006130000-memory.dmp

Filesize
128KB

Download
memory/6396-1681-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/6396-1763-0x0000000005170000-0x0000000005202000-memory.dmp

Filesize
584KB

Download
memory/6396-1779-0x0000000006250000-0x0000000006868000-memory.dmp

Filesize
6.1MB

Download
memory/6396-2383-0x0000000006E30000-0x0000000006E80000-memory.dmp

Filesize
320KB

Download
memory/6396-1758-0x0000000005680000-0x0000000005C24000-memory.dmp

Filesize
5.6MB

Download
memory/6396-1780-0x00000000054D0000-0x00000000055DA000-memory.dmp

Filesize
1.0MB

Download
memory/6396-2261-0x0000000006980000-0x0000000006A82000-memory.dmp

Filesize
1.0MB

Download
memory/6396-1813-0x00000000055E0000-0x000000000562C000-memory.dmp

Filesize
304KB

Download
memory/6396-1781-0x0000000005400000-0x0000000005412000-memory.dmp

Filesize
72KB

Download
memory/6396-1794-0x0000000005460000-0x000000000549C000-memory.dmp

Filesize
240KB

Download
memory/7344-2542-0x00000000005B0000-0x0000000000A80000-memory.dmp

Filesize
4.8MB

Download
memory/7344-2519-0x00000000005B0000-0x0000000000A80000-memory.dmp

Filesize
4.8MB

Download
memory/7460-2243-0x0000000006A50000-0x0000000006A9A000-memory.dmp

Filesize
296KB

Download
memory/7460-2374-0x000000000A260000-0x000000000A422000-memory.dmp

Filesize
1.8MB

Download
memory/7460-2379-0x000000000A960000-0x000000000AE8C000-memory.dmp

Filesize
5.2MB

Download
memory/7460-1821-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/7460-2280-0x00000000098E0000-0x00000000098FE000-memory.dmp

Filesize
120KB

Download
memory/7460-2276-0x0000000009960000-0x00000000099D6000-memory.dmp

Filesize
472KB

Download
memory/7536-2543-0x0000000000100000-0x00000000005D0000-memory.dmp

Filesize
4.8MB

Download
memory/7908-1830-0x0000000000840000-0x0000000000EF4000-memory.dmp

Filesize
6.7MB

Download
memory/7908-2645-0x0000000000840000-0x0000000000EF4000-memory.dmp

Filesize
6.7MB

Download
memory/8124-1637-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download