gcleaner | c9f2d7bd6e4329ff0d275ea8234d836751acf875884477aab125f4abe2919e93

Analysis

max time kernel
295s
max time network
308s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2023 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows_Wick.Editor.Setup.1.19.0.exe
Size

130.6MB
MD5

4811057a1f20136f7b0ee241d468e4d5
SHA1

1c14c03c35fefb21388bb36dd63d17c9f0f1bee9
SHA256

c9f2d7bd6e4329ff0d275ea8234d836751acf875884477aab125f4abe2919e93
SHA512

d737c1abee30c1c2ba1c0e97427a803a2a10e051d86603df171b12517e6bb8f51c18a73589c81b24c35adc3cdff2fb1080d28fc4f50066c3a60254e44a087654
SSDEEP

3145728:1GJIRaKRRb5GWRZhXflHEZKwYIuz2GU9Ki/99W:Qqf3Gc9vwYIhN9W

Score

10^/10

gcleaner discovery loader persistence upx

Malware Config

Extracted

Family

gcleaner

85.31.45.39

85.31.45.250

85.31.45.251

85.31.45.88

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nspAFA.tmp\GetVersion.dll	acprotect

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

fghfbgHKaDOcVHRM.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion fghfbgHKaDOcVHRM.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fghfbgHKaDOcVHRM.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fghfbgHKaDOcVHRM.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	fghfbgHKaDOcVHRM.exe

Executes dropped EXE 15 IoCs

Processes:

is-DTKNA.tmpgLiteSort39.exegLiteSort39.exeT1LJ6q1.exeis-OHK1G.tmpcdc.execdc.exeUBVGvqfqFnEzYF.exeis-QD3R5.tmpSyncBackupShell.exec7a998HEYC0M0BZ09r.exeis-HJQN5.tmpBZggedFrog39.exefghfbgHKaDOcVHRM.exeqy0lE582Z5S8akO5SA.exe

pid	process
1684	is-DTKNA.tmp
4156	gLiteSort39.exe
3204	gLiteSort39.exe
1544	T1LJ6q1.exe
4052	is-OHK1G.tmp
4860	cdc.exe
672	cdc.exe
3892	UBVGvqfqFnEzYF.exe
1564	is-QD3R5.tmp
1448	SyncBackupShell.exe
1600	c7a998HEYC0M0BZ09r.exe
3340	is-HJQN5.tmp
3024	BZggedFrog39.exe
4732	fghfbgHKaDOcVHRM.exe
4460	qy0lE582Z5S8akO5SA.exe

Loads dropped DLL 64 IoCs

Processes:

Windows_Wick.Editor.Setup.1.19.0.exeis-DTKNA.tmpis-OHK1G.tmpis-QD3R5.tmpis-HJQN5.tmpregsvr32.exeregsvr32.exeqy0lE582Z5S8akO5SA.exe

pid	process
3088	Windows_Wick.Editor.Setup.1.19.0.exe
3088	Windows_Wick.Editor.Setup.1.19.0.exe
3088	Windows_Wick.Editor.Setup.1.19.0.exe
1684	is-DTKNA.tmp
1684	is-DTKNA.tmp
1684	is-DTKNA.tmp
4052	is-OHK1G.tmp
1564	is-QD3R5.tmp
3340	is-HJQN5.tmp
3340	is-HJQN5.tmp
3340	is-HJQN5.tmp
4972	regsvr32.exe
4888	regsvr32.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nspAFA.tmp\GetVersion.dll	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1063

Processes:

gLiteSort39.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	gLiteSort39.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	gLiteSort39.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop\Build	gLiteSort39.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop\Build	gLiteSort39.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

441 api.ipify.org
442 api.ipify.org

flow	ioc
441	api.ipify.org
442	api.ipify.org

Drops file in Program Files directory 64 IoCs

Processes:

is-HJQN5.tmpis-DTKNA.tmpis-OHK1G.tmpis-QD3R5.tmpSyncBackupShell.exe

description	ioc	process
File created	C:\Program Files (x86)\BZggedFrog\extensions\Meta\translation\is-HI5TK.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\gLiteSort\is-STPN8.tmp	is-DTKNA.tmp
File created	C:\Program Files (x86)\CD Collection\is-PFJ7I.tmp	is-OHK1G.tmp
File opened for modification	C:\Program Files (x86)\SyncBackup\unins000.dat	is-QD3R5.tmp
File created	C:\Program Files (x86)\SyncBackup\is-8922F.tmp	is-QD3R5.tmp
File created	C:\Program Files (x86)\BZggedFrog\is-EGAQR.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\BZggedFrog\translation\is-NHTF6.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\BZggedFrog\translation\is-DP9A1.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\gLiteSort\is-VHAUO.tmp	is-DTKNA.tmp
File created	C:\Program Files (x86)\CD Collection\is-FCT4V.tmp	is-OHK1G.tmp
File opened for modification	C:\Program Files (x86)\CD Collection\unins000.dat	is-OHK1G.tmp
File created	C:\Program Files (x86)\SyncBackup\Help\images\is-SGF75.tmp	is-QD3R5.tmp
File created	C:\Program Files (x86)\BZggedFrog\is-I4F50.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\BZggedFrog\translation\is-64APP.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\gLiteSort\unins000.dat	is-DTKNA.tmp
File created	C:\Program Files (x86)\CD Collection\is-R03NO.tmp	is-OHK1G.tmp
File opened for modification	C:\Program Files (x86)\CD Collection\cdc.url	is-OHK1G.tmp
File created	C:\Program Files (x86)\clFlow	SyncBackupShell.exe
File created	C:\Program Files (x86)\BZggedFrog\is-5O20R.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\BZggedFrog\extensions\Meta\translation\is-FU4C9.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\BZggedFrog\extensions\Meta\translation\is-FISH2.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\SyncBackup\Help\images\is-EDAPH.tmp	is-QD3R5.tmp
File opened for modification	C:\Program Files (x86)\SyncBackup\SyncBackupShell.exe	is-QD3R5.tmp
File created	C:\Program Files (x86)\BZggedFrog\unins000.dat	is-HJQN5.tmp
File opened for modification	C:\Program Files (x86)\gLiteSort\gLiteSort39.exe	is-DTKNA.tmp
File created	C:\Program Files (x86)\BZggedFrog\extensions\Meta\is-R7LE5.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\gLiteSort\is-3SBNN.tmp	is-DTKNA.tmp
File created	C:\Program Files (x86)\SyncBackup\is-C7ERG.tmp	is-QD3R5.tmp
File created	C:\Program Files (x86)\SyncBackup\Help\images\is-AHAO9.tmp	is-QD3R5.tmp
File created	C:\Program Files (x86)\BZggedFrog\translation\is-J1O3B.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\BZggedFrog\translation\is-BG3QC.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\BZggedFrog\extensions\Meta\is-7IRA6.tmp	is-HJQN5.tmp
File opened for modification	C:\Program Files (x86)\BZggedFrog\BZggedFrog39.exe	is-HJQN5.tmp
File created	C:\Program Files (x86)\gLiteSort\is-C5LRK.tmp	is-DTKNA.tmp
File opened for modification	C:\Program Files (x86)\gLiteSort\unins000.dat	is-DTKNA.tmp
File opened for modification	C:\Program Files (x86)\CD Collection\cdc.exe	is-OHK1G.tmp
File created	C:\Program Files (x86)\BZggedFrog\extensions\Meta\translation\is-8O7MC.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\BZggedFrog\extensions\Meta\translation\is-CKGC2.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\BZggedFrog\is-8L09F.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\BZggedFrog\is-E507O.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\BZggedFrog\translation\is-EJSNK.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\SyncBackup\Help\is-VVKHH.tmp	is-QD3R5.tmp
File created	C:\Program Files (x86)\BZggedFrog\translation\is-E5E4N.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\BZggedFrog\translation\is-BLPRT.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\BZggedFrog\is-M136F.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\BZggedFrog\extensions\Meta\translation\is-CRPJN.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\SyncBackup\is-CA14N.tmp	is-QD3R5.tmp
File created	C:\Program Files (x86)\SyncBackup\is-GD47V.tmp	is-QD3R5.tmp
File created	C:\Program Files (x86)\SyncBackup\Help\is-D56Q9.tmp	is-QD3R5.tmp
File created	C:\Program Files (x86)\SyncBackup\unins000.dat	is-QD3R5.tmp
File created	C:\Program Files (x86)\BZggedFrog\is-7TVBV.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\BZggedFrog\is-LDF9D.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\BZggedFrog\extensions\Meta\translation\is-C9058.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\gLiteSort\is-01KI0.tmp	is-DTKNA.tmp
File created	C:\Program Files (x86)\SyncBackup\is-GCF0T.tmp	is-QD3R5.tmp
File created	C:\Program Files (x86)\SyncBackup\Help\images\is-ONBKK.tmp	is-QD3R5.tmp
File created	C:\Program Files (x86)\BZggedFrog\translation\is-9V2GP.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\BZggedFrog\translation\is-0ERCI.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\BZggedFrog\translation\is-8DTPQ.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\BZggedFrog\translation\is-PKHFP.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\BZggedFrog\extensions\Meta\translation\is-4Q3L4.tmp	is-HJQN5.tmp
File created	C:\Program Files (x86)\gLiteSort\is-DMSBO.tmp	is-DTKNA.tmp
File created	C:\Program Files (x86)\CD Collection\is-4C6GC.tmp	is-OHK1G.tmp
File created	C:\Program Files (x86)\BZggedFrog\translation\is-6P4EB.tmp	is-HJQN5.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 56 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3592	4156	WerFault.exe	gLiteSort39.exe
4036	4156	WerFault.exe	gLiteSort39.exe
4748	4156	WerFault.exe	gLiteSort39.exe
3184	3204	WerFault.exe	gLiteSort39.exe
1780	3204	WerFault.exe	gLiteSort39.exe
3688	3204	WerFault.exe	gLiteSort39.exe
1064	3204	WerFault.exe	gLiteSort39.exe
2688	3204	WerFault.exe	gLiteSort39.exe
436	3204	WerFault.exe	gLiteSort39.exe
812	3204	WerFault.exe	gLiteSort39.exe
1092	3204	WerFault.exe	gLiteSort39.exe
4788	3204	WerFault.exe	gLiteSort39.exe
3080	3204	WerFault.exe	gLiteSort39.exe
2176	3204	WerFault.exe	gLiteSort39.exe
3592	3204	WerFault.exe	gLiteSort39.exe
2344	3204	WerFault.exe	gLiteSort39.exe
628	3204	WerFault.exe	gLiteSort39.exe
3480	3204	WerFault.exe	gLiteSort39.exe
2252	3204	WerFault.exe	gLiteSort39.exe
1080	3204	WerFault.exe	gLiteSort39.exe
4772	3204	WerFault.exe	gLiteSort39.exe
3688	3204	WerFault.exe	gLiteSort39.exe
616	3204	WerFault.exe	gLiteSort39.exe
1304	3204	WerFault.exe	gLiteSort39.exe
5016	3204	WerFault.exe	gLiteSort39.exe
1452	3204	WerFault.exe	gLiteSort39.exe
1836	3204	WerFault.exe	gLiteSort39.exe
1584	3204	WerFault.exe	gLiteSort39.exe
3976	3204	WerFault.exe	gLiteSort39.exe
2676	3204	WerFault.exe	gLiteSort39.exe
4364	3204	WerFault.exe	gLiteSort39.exe
3056	3204	WerFault.exe	gLiteSort39.exe
1612	3204	WerFault.exe	gLiteSort39.exe
4696	3204	WerFault.exe	gLiteSort39.exe
4392	3204	WerFault.exe	gLiteSort39.exe
3668	3204	WerFault.exe	gLiteSort39.exe
2480	3204	WerFault.exe	gLiteSort39.exe
3908	3204	WerFault.exe	gLiteSort39.exe
2860	3204	WerFault.exe	gLiteSort39.exe
1440	3204	WerFault.exe	gLiteSort39.exe
1836	3204	WerFault.exe	gLiteSort39.exe
3992	3204	WerFault.exe	gLiteSort39.exe
2160	3204	WerFault.exe	gLiteSort39.exe
4148	3204	WerFault.exe	gLiteSort39.exe
4344	3204	WerFault.exe	gLiteSort39.exe
4304	3204	WerFault.exe	gLiteSort39.exe
4372	3204	WerFault.exe	gLiteSort39.exe
1376	3204	WerFault.exe	gLiteSort39.exe
3760	3204	WerFault.exe	gLiteSort39.exe
4176	3204	WerFault.exe	gLiteSort39.exe
3956	3204	WerFault.exe	gLiteSort39.exe
3000	3204	WerFault.exe	gLiteSort39.exe
3812	3204	WerFault.exe	gLiteSort39.exe
4508	3204	WerFault.exe	gLiteSort39.exe
2772	3204	WerFault.exe	gLiteSort39.exe
1584	3204	WerFault.exe	gLiteSort39.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2812 schtasks.exe

pid	process
2812	schtasks.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exefghfbgHKaDOcVHRM.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	fghfbgHKaDOcVHRM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	fghfbgHKaDOcVHRM.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1980 taskkill.exe

pid	process
1980	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133228797734679360"	chrome.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exechrome.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TaggedFrogExt\ = "{71068371-CDC2-4FA2-B0AE-66673A56D5CB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3955D421-C8F3-11d2-B7C8-A22B3D95F811}\ = "OLE File Property Reader Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93769744-DE48-11D2-B7C8-A62255602516}\TypeLib\Version = "1.4"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93769741-DE48-11D2-B7C8-A62255602516}\TypeLib\Version = "1.4"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93769741-DE48-11D2-B7C8-A62255602516}\TypeLib\Version = "1.4"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93769743-DE48-11D2-B7C8-A62255602516}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71068371-CDC2-4FA2-B0AE-66673A56D5CB}\ = "TaggedFrogShellMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71068371-CDC2-4FA2-B0AE-66673A56D5CB}\InprocServer32\ = "C:\\Program Files (x86)\\BZggedFrog\\TFShellMenu.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TaggedFrogExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3955D421-C8F3-11d2-B7C8-A22B3D95F811}\InprocServer32\ = "C:\\Program Files (x86)\\BZggedFrog\\extensions\\Meta\\dsofile.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DSOleFile.PropertyReader\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93769744-DE48-11D2-B7C8-A62255602516}\TypeLib\ = "{93769740-DE48-11D2-B7C8-A62255602516}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93769741-DE48-11D2-B7C8-A62255602516}\ = "_PropertyReader"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93769741-DE48-11D2-B7C8-A62255602516}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{93769740-DE48-11D2-B7C8-A62255602516}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93769744-DE48-11D2-B7C8-A62255602516}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93769744-DE48-11D2-B7C8-A62255602516}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93769743-DE48-11D2-B7C8-A62255602516}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93769741-DE48-11D2-B7C8-A62255602516}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93769742-DE48-11D2-B7C8-A62255602516}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93769741-DE48-11D2-B7C8-A62255602516}\ = "_PropertyReader"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{72E8D54B-C929-4DD8-8723-3006F89F7D58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{72E8D54B-C929-4DD8-8723-3006F89F7D58}\ = "TFShellMenu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\TaggedFrogExt\ = "{71068371-CDC2-4FA2-B0AE-66673A56D5CB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{93769740-DE48-11D2-B7C8-A62255602516}\1.4\HELPDIR\ = "C:\\Program Files (x86)\\BZggedFrog\\extensions\\Meta"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93769744-DE48-11D2-B7C8-A62255602516}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93769742-DE48-11D2-B7C8-A62255602516}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71068371-CDC2-4FA2-B0AE-66673A56D5CB}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3955D421-C8F3-11d2-B7C8-A22B3D95F811}\ProgID\ = "DSOleFile.PropertyReader.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93769744-DE48-11D2-B7C8-A62255602516}\TypeLib\ = "{93769740-DE48-11D2-B7C8-A62255602516}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93769742-DE48-11D2-B7C8-A62255602516}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1529757233-3489015626-3409890339-1000\{AD0962FB-B0B4-410E-AB5B-5C3E7B74476B}	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3955D421-C8F3-11d2-B7C8-A22B3D95F811}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{93769740-DE48-11D2-B7C8-A62255602516}\1.4\ = "DS: OLE Document Properties 1.4 Object Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93769742-DE48-11D2-B7C8-A62255602516}\TypeLib\Version = "1.4"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TFShellMenu.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93769744-DE48-11D2-B7C8-A62255602516}\TypeLib\Version = "1.4"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93769743-DE48-11D2-B7C8-A62255602516}\TypeLib\Version = "1.4"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93769743-DE48-11D2-B7C8-A62255602516}\ = "CustomProperties"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DSOleFile.PropertyReader	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93769744-DE48-11D2-B7C8-A62255602516}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93769743-DE48-11D2-B7C8-A62255602516}\TypeLib\ = "{93769740-DE48-11D2-B7C8-A62255602516}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93769742-DE48-11D2-B7C8-A62255602516}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\TaggedFrogExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{93769740-DE48-11D2-B7C8-A62255602516}\1.4\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93769744-DE48-11D2-B7C8-A62255602516}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93769744-DE48-11D2-B7C8-A62255602516}\ = "CustomProperty"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93769744-DE48-11D2-B7C8-A62255602516}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93769741-DE48-11D2-B7C8-A62255602516}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{93769740-DE48-11D2-B7C8-A62255602516}\1.4\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93769744-DE48-11D2-B7C8-A62255602516}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93769743-DE48-11D2-B7C8-A62255602516}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93769743-DE48-11D2-B7C8-A62255602516}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93769742-DE48-11D2-B7C8-A62255602516}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93769741-DE48-11D2-B7C8-A62255602516}\TypeLib\ = "{93769740-DE48-11D2-B7C8-A62255602516}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3955D421-C8F3-11d2-B7C8-A22B3D95F811}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DSOleFile.PropertyReader.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{93769740-DE48-11D2-B7C8-A62255602516}\1.4\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93769744-DE48-11D2-B7C8-A62255602516}\ = "CustomProperty"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93769742-DE48-11D2-B7C8-A62255602516}\ = "DocumentProperties"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93769741-DE48-11D2-B7C8-A62255602516}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93769742-DE48-11D2-B7C8-A62255602516}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93769742-DE48-11D2-B7C8-A62255602516}\TypeLib	regsvr32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

chrome.exechrome.exegLiteSort39.exeqy0lE582Z5S8akO5SA.exe

pid	process
1788	chrome.exe
1788	chrome.exe
3000	chrome.exe
3000	chrome.exe
3204	gLiteSort39.exe
3204	gLiteSort39.exe
3204	gLiteSort39.exe
3204	gLiteSort39.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe
4460	qy0lE582Z5S8akO5SA.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

Processes:

chrome.exe

pid	process
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exechrome.exe

description	pid	process
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe

Suspicious use of FindShellTrayWindow 61 IoCs

Processes:

chrome.exe

pid	process
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exe

pid	process
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

Bandicam_OM6TfLCC.exeis-DTKNA.tmpgLiteSort39.exegLiteSort39.exeT1LJ6q1.exeis-OHK1G.tmpcdc.execdc.exeUBVGvqfqFnEzYF.exeis-QD3R5.tmpSyncBackupShell.exec7a998HEYC0M0BZ09r.exeis-HJQN5.tmpBZggedFrog39.exefghfbgHKaDOcVHRM.exeqy0lE582Z5S8akO5SA.exe

pid	process
1444	Bandicam_OM6TfLCC.exe
1684	is-DTKNA.tmp
4156	gLiteSort39.exe
3204	gLiteSort39.exe
1544	T1LJ6q1.exe
4052	is-OHK1G.tmp
4860	cdc.exe
672	cdc.exe
3892	UBVGvqfqFnEzYF.exe
1564	is-QD3R5.tmp
1448	SyncBackupShell.exe
1600	c7a998HEYC0M0BZ09r.exe
3340	is-HJQN5.tmp
3024	BZggedFrog39.exe
4732	fghfbgHKaDOcVHRM.exe
4460	qy0lE582Z5S8akO5SA.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exechrome.exe

description	pid	process	target process
PID 5032 wrote to memory of 2396	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 2396	5032	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2212	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2212	1788	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3484	5032	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 2484	1788	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Windows_Wick.Editor.Setup.1.19.0.exe
"C:\Users\Admin\AppData\Local\Temp\Windows_Wick.Editor.Setup.1.19.0.exe"
1⤵
- Loads dropped DLL
PID:3088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffadd689758,0x7ffadd689768,0x7ffadd689778
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1420 --field-trial-handle=1812,i,8507562109256381497,3524594591285480176,131072 /prefetch:2
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1812,i,8507562109256381497,3524594591285480176,131072 /prefetch:8
  2⤵
  PID:3220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffadd689758,0x7ffadd689768,0x7ffadd689778
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:2
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1400 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:8
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3140 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3188 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4544 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4552 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:8
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4716 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:8
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4980 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:8
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:8
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4720 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:8
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:8
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4672 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1752 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5608 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5648 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5744 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=1744 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=1656 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5856 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=4844 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5572 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5892 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6204 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:8
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=956 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=6256 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=6232 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5324 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=6456 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=5668 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4380 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=5332 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=1616 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=5472 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=6400 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=5484 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=5276 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=6148 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=6348 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=6264 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=5056 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=5632 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3204 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:8
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6620 --field-trial-handle=1836,i,8800545682431280818,11119270721657035647,131072 /prefetch:8
  2⤵
  PID:1336

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1496

C:\Users\Admin\Downloads\Bandicam_OM6TfLCC\Bandicam_OM6TfLCC.exe
"C:\Users\Admin\Downloads\Bandicam_OM6TfLCC\Bandicam_OM6TfLCC.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1444
- C:\Users\Admin\AppData\Local\Temp\is-KGEC2.tmp\is-DTKNA.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KGEC2.tmp\is-DTKNA.tmp" /SL4 $20364 "C:\Users\Admin\Downloads\Bandicam_OM6TfLCC\Bandicam_OM6TfLCC.exe" 3748907 52736
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:1684
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 6
    3⤵
    PID:2112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 6
      4⤵
      PID:4864
- - C:\Program Files (x86)\gLiteSort\gLiteSort39.exe
    "C:\Program Files (x86)\gLiteSort\gLiteSort39.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4156
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 896
      4⤵
      Program crash
      PID:3592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 936
      4⤵
      Program crash
      PID:4036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 140
      4⤵
      Program crash
      PID:4748
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" pause glitesort39
    3⤵
    PID:2216
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 pause glitesort39
      4⤵
      PID:544
- - C:\Program Files (x86)\gLiteSort\gLiteSort39.exe
    "C:\Program Files (x86)\gLiteSort\gLiteSort39.exe" 37020a89dab6447be7bd999f329c1b4e
    3⤵
    - Executes dropped EXE
    - Checks for any installed AV software in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 880
      4⤵
      Program crash
      PID:3184
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 888
      4⤵
      Program crash
      PID:1780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 876
      4⤵
      Program crash
      PID:3688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1076
      4⤵
      Program crash
      PID:1064
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1096
      4⤵
      Program crash
      PID:2688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1112
      4⤵
      Program crash
      PID:436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1100
      4⤵
      Program crash
      PID:812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1124
      4⤵
      Program crash
      PID:1092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1236
      4⤵
      Program crash
      PID:4788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1076
      4⤵
      Program crash
      PID:3080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 980
      4⤵
      Program crash
      PID:2176
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1392
      4⤵
      Program crash
      PID:3592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 972
      4⤵
      Program crash
      PID:2344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1412
      4⤵
      Program crash
      PID:628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1120
      4⤵
      Program crash
      PID:3480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1476
      4⤵
      Program crash
      PID:2252
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1544
      4⤵
      Program crash
      PID:1080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1596
      4⤵
      Program crash
      PID:4772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1580
      4⤵
      Program crash
      PID:3688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1704
      4⤵
      Program crash
      PID:616
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1712
      4⤵
      Program crash
      PID:1304
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1600
      4⤵
      Program crash
      PID:5016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1592
      4⤵
      Program crash
      PID:1452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1724
      4⤵
      Program crash
      PID:1836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1736
      4⤵
      Program crash
      PID:1584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1780
      4⤵
      Program crash
      PID:3976
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1744
      4⤵
      Program crash
      PID:2676
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1760
      4⤵
      Program crash
      PID:4364
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1832
      4⤵
      Program crash
      PID:3056
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1896
      4⤵
      Program crash
      PID:1612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1744
      4⤵
      Program crash
      PID:4696
  - - C:\Users\Admin\AppData\Local\Temp\mGV6Tl70\T1LJ6q1.exe
      C:\Users\Admin\AppData\Local\Temp\mGV6Tl70\T1LJ6q1.exe /VERYSILENT
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1544
    - - C:\Users\Admin\AppData\Local\Temp\is-8NP64.tmp\is-OHK1G.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8NP64.tmp\is-OHK1G.tmp" /SL4 $10024E "C:\Users\Admin\AppData\Local\Temp\mGV6Tl70\T1LJ6q1.exe" 1187158 52736 /VERYSILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1888
      4⤵
      Program crash
      PID:4392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1900
      4⤵
      Program crash
      PID:3668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1920
      4⤵
      Program crash
      PID:2480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1932
      4⤵
      Program crash
      PID:3908
  - - C:\Users\Admin\AppData\Local\Temp\y5jxibmb\UBVGvqfqFnEzYF.exe
      C:\Users\Admin\AppData\Local\Temp\y5jxibmb\UBVGvqfqFnEzYF.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3892
    - - C:\Users\Admin\AppData\Local\Temp\is-CG0GD.tmp\is-QD3R5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-CG0GD.tmp\is-QD3R5.tmp" /SL4 $7027A "C:\Users\Admin\AppData\Local\Temp\y5jxibmb\UBVGvqfqFnEzYF.exe" 1172296 52736
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1564
      - C:\Program Files (x86)\SyncBackup\SyncBackupShell.exe
        
        "C:\Program Files (x86)\SyncBackup\SyncBackupShell.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1856
      4⤵
      Program crash
      PID:2860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1588
      4⤵
      Program crash
      PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\2qWqGox4\c7a998HEYC0M0BZ09r.exe
      C:\Users\Admin\AppData\Local\Temp\2qWqGox4\c7a998HEYC0M0BZ09r.exe /m SUB=37020a89dab6447be7bd999f329c1b4e
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1600
    - - C:\Users\Admin\AppData\Local\Temp\is-G3A1R.tmp\is-HJQN5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-G3A1R.tmp\is-HJQN5.tmp" /SL4 $6021E "C:\Users\Admin\AppData\Local\Temp\2qWqGox4\c7a998HEYC0M0BZ09r.exe" 2635646 52736 /m SUB=37020a89dab6447be7bd999f329c1b4e
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3340
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\BZggedFrog\TFShellMenu.dll"
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:4972
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\BZggedFrog\extensions\Meta\dsofile.dll"
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:4888
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Delete /F /TN "BZggedFrog39"
        6⤵
        
        PID:1472
      - C:\Program Files (x86)\BZggedFrog\BZggedFrog39.exe
        
        "C:\Program Files (x86)\BZggedFrog\BZggedFrog39.exe" /m SUB=37020a89dab6447be7bd999f329c1b4e
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "BZggedFrog39.exe" /f & erase "C:\Program Files (x86)\BZggedFrog\BZggedFrog39.exe" & exit
        7⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "BZggedFrog39.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:1980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1792
      4⤵
      Program crash
      PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\ZH8xtvo4\fghfbgHKaDOcVHRM.exe
      C:\Users\Admin\AppData\Local\Temp\ZH8xtvo4\fghfbgHKaDOcVHRM.exe /S /site_id=690689
      4⤵
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Enumerates system info in registry
      Suspicious use of SetWindowsHookEx
      PID:4732
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        5⤵
        
        PID:3444
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        6⤵
        
        PID:4360
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        7⤵
        
        PID:4256
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        7⤵
        
        PID:4584
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        5⤵
        
        PID:3540
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        6⤵
        
        PID:4524
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        7⤵
        
        PID:816
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        7⤵
        
        PID:2044
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gtXFgGMTC" /SC once /ST 00:00:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        5⤵
        Creates scheduled task(s)
        
        PID:2812
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gtXFgGMTC"
        5⤵
        
        PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\6N4e2ZUU\qy0lE582Z5S8akO5SA.exe
      C:\Users\Admin\AppData\Local\Temp\6N4e2ZUU\qy0lE582Z5S8akO5SA.exe /sid=9 /pid=102284 /lid=37020a89dab6447be7bd999f329c1b4e
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4460
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1736
      4⤵
      Program crash
      PID:3992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1400
      4⤵
      Program crash
      PID:2160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1736
      4⤵
      Program crash
      PID:4148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1908
      4⤵
      Program crash
      PID:4344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1716
      4⤵
      Program crash
      PID:4304
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1740
      4⤵
      Program crash
      PID:4372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1976
      4⤵
      Program crash
      PID:1376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1984
      4⤵
      Program crash
      PID:3760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1704
      4⤵
      Program crash
      PID:4176
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1992
      4⤵
      Program crash
      PID:3956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1996
      4⤵
      Program crash
      PID:3000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 2020
      4⤵
      Program crash
      PID:3812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1760
      4⤵
      Program crash
      PID:4508
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1272
      4⤵
      Program crash
      PID:2772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1592
      4⤵
      Program crash
      PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4156 -ip 4156
1⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4156 -ip 4156
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4156 -ip 4156
1⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3204 -ip 3204
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3204 -ip 3204
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3204 -ip 3204
1⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3204 -ip 3204
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3204 -ip 3204
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3204 -ip 3204
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3204 -ip 3204
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3204 -ip 3204
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3204 -ip 3204
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3204 -ip 3204
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3204 -ip 3204
1⤵
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3204 -ip 3204
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3204 -ip 3204
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3204 -ip 3204
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3204 -ip 3204
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3204 -ip 3204
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3204 -ip 3204
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3204 -ip 3204
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3204 -ip 3204
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3204 -ip 3204
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3204 -ip 3204
1⤵
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3204 -ip 3204
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3204 -ip 3204
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3204 -ip 3204
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3204 -ip 3204
1⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3204 -ip 3204
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3204 -ip 3204
1⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3204 -ip 3204
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3204 -ip 3204
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3204 -ip 3204
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3204 -ip 3204
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3204 -ip 3204
1⤵
PID:4656

C:\Program Files (x86)\CD Collection\cdc.exe
"C:\Program Files (x86)\CD Collection\cdc.exe" install
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4860

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 2
1⤵
PID:4048
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 helpmsg 2
  2⤵
  PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3204 -ip 3204
1⤵
PID:4996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 pause CDCollection0218
1⤵
PID:4712

C:\Program Files (x86)\CD Collection\cdc.exe
"C:\Program Files (x86)\CD Collection\cdc.exe" start
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:672

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" pause CDCollection0218
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3204 -ip 3204
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3204 -ip 3204
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3204 -ip 3204
1⤵
PID:508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3204 -ip 3204
1⤵
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3204 -ip 3204
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3204 -ip 3204
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3204 -ip 3204
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3204 -ip 3204
1⤵
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3204 -ip 3204
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3204 -ip 3204
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3204 -ip 3204
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3204 -ip 3204
1⤵
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3204 -ip 3204
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3204 -ip 3204
1⤵
PID:4312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:460
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3204 -ip 3204
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3204 -ip 3204
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3204 -ip 3204
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3204 -ip 3204
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3204 -ip 3204
1⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3204 -ip 3204
1⤵
PID:2724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\gLiteSort\gLiteSort39.exe

Filesize
4.8MB

MD5
b6c1c417e8af7db66eef4e2b18fdea6e

SHA1
ed1b3c9d172e58b0b1bc04973cc55bb6b11eff05

SHA256
7729c7eeb686699ee2df62691ccb1924a3813792a6db85d423e365dab1522a78

SHA512
5c682f60af55fe87dcb5969c1553ca865291f39164998a8a293100a506290a264cdc67bba44e980afbf57a8fa6c44d4c4f56b161384b984f1230d2ac7e0e88a7

Download Submit
C:\Program Files (x86)\gLiteSort\gLiteSort39.exe

Filesize
4.8MB

MD5
b6c1c417e8af7db66eef4e2b18fdea6e

SHA1
ed1b3c9d172e58b0b1bc04973cc55bb6b11eff05

SHA256
7729c7eeb686699ee2df62691ccb1924a3813792a6db85d423e365dab1522a78

SHA512
5c682f60af55fe87dcb5969c1553ca865291f39164998a8a293100a506290a264cdc67bba44e980afbf57a8fa6c44d4c4f56b161384b984f1230d2ac7e0e88a7

Download Submit
C:\Program Files (x86)\gLiteSort\gLiteSort39.exe

Filesize
4.8MB

MD5
b6c1c417e8af7db66eef4e2b18fdea6e

SHA1
ed1b3c9d172e58b0b1bc04973cc55bb6b11eff05

SHA256
7729c7eeb686699ee2df62691ccb1924a3813792a6db85d423e365dab1522a78

SHA512
5c682f60af55fe87dcb5969c1553ca865291f39164998a8a293100a506290a264cdc67bba44e980afbf57a8fa6c44d4c4f56b161384b984f1230d2ac7e0e88a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
8da121b8326f1eef18a97eb59d0ad5e2

SHA1
408632f615ea5ee863c7562105d8536ff7de062d

SHA256
06f284e3c5df4fedd4267c7e8929660fa14aef7400b5f4000109979df29769fc

SHA512
72a08f838371f1ee26357b5104e7f45b4aa0c954554c6e8e877d492c848d82b5f2bf061b4c9d43af1476619ffb911ce19b99f29d0e41be05f3e143df6e2aa1a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
8da121b8326f1eef18a97eb59d0ad5e2

SHA1
408632f615ea5ee863c7562105d8536ff7de062d

SHA256
06f284e3c5df4fedd4267c7e8929660fa14aef7400b5f4000109979df29769fc

SHA512
72a08f838371f1ee26357b5104e7f45b4aa0c954554c6e8e877d492c848d82b5f2bf061b4c9d43af1476619ffb911ce19b99f29d0e41be05f3e143df6e2aa1a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
8da121b8326f1eef18a97eb59d0ad5e2

SHA1
408632f615ea5ee863c7562105d8536ff7de062d

SHA256
06f284e3c5df4fedd4267c7e8929660fa14aef7400b5f4000109979df29769fc

SHA512
72a08f838371f1ee26357b5104e7f45b4aa0c954554c6e8e877d492c848d82b5f2bf061b4c9d43af1476619ffb911ce19b99f29d0e41be05f3e143df6e2aa1a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
8da121b8326f1eef18a97eb59d0ad5e2

SHA1
408632f615ea5ee863c7562105d8536ff7de062d

SHA256
06f284e3c5df4fedd4267c7e8929660fa14aef7400b5f4000109979df29769fc

SHA512
72a08f838371f1ee26357b5104e7f45b4aa0c954554c6e8e877d492c848d82b5f2bf061b4c9d43af1476619ffb911ce19b99f29d0e41be05f3e143df6e2aa1a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
31KB

MD5
1ba7b6efffeec06920e0e7f023fca66c

SHA1
0074a46721b6e44628ce987df87f80198ef2dd7c

SHA256
c2e3b747e6b77d512da86258b176385df9327570e6c9a7b7d1a2a98bce9cc7ef

SHA512
440dec4063e9a6fbe8f5e22fc857f98b07577bc600d2b0343fce6dd417374be592f2699fd7531e5b904b2a36c1fecbe531e4cf223a2131e6742c06fd5b94d793

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
64KB

MD5
797eb25f42a10ba24ac7c66f236ccf1f

SHA1
c0f82cca4ed826633c1b062fccd247dee8172de7

SHA256
b77fbc2b0a7902a4de275889bf3efc9d28df62d513ea5ef54f0e95c68b30a7f3

SHA512
56658a4ba58e3968dff4fade385b3ed62bcbc6a73f16c3370654352d5367a2b6b636d326f388f6234dba4d4b2c7dd2416d6dba06e67b39fa0fd8d8022d909c92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

Filesize
66KB

MD5
e9a89bb6019b603ecc8c700f45811b87

SHA1
e61894bb044a0f57fd512963cc0674e098072391

SHA256
cc413f2e154258adb7de001550919d895d8f9d2cd2915cce7055d71289425b37

SHA512
e279a2cbc9339716d9c96881ec73454034b82a657db483b071245a2fe2b4b295974fd8cd2a69225f6f0634f322aa2a00642a002e0ee909a979fb894e7db4e264

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028

Filesize
26KB

MD5
7f8aa1f2bc14e58093cbed973afa8141

SHA1
88c27b380b4c903e6115b8625991a011182baa13

SHA256
e36f1580b12ec6922cff8b0e0fe1d4f4105b42a30d20c0888f50cf195d74f6e3

SHA512
77f282bf043af92e204b454a6f93fe0983e08a1e424695e1f5e1baf31999957e310efbbafbdab1b2c1de6eef5f7c4ca48ffb49e8a9254311c61b941429063928

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000045

Filesize
32KB

MD5
5e7840a1349a63f0c7e3e60f8a3a9d73

SHA1
9e2bc5c15257f8c696e7d273f0b11455f3d7596b

SHA256
6cc8c42918adc7ad4cf922e25f0a3e2892c38df0a4949cdecc580472370f24b3

SHA512
de24a6bb21666f1a4577803fce9a0720938634beffdebad063dfe2716aecbcabe100e3d8c5697ef58314409ae458c98965ba3b8952add781d52c99806a133dc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000046

Filesize
42KB

MD5
c804c805a78a6848d8fc4367b1127339

SHA1
37331930c588977807532bd134bd37833d35c20e

SHA256
0ff1f7989de6cc45ff093ee0b06a6ea7adcc15e031884141d867bbcef10cd942

SHA512
eb03ccff2e1c61a9917b58e146504f69b02abcb8eb4f54aad160f67ad4254b17489cdead79f7f6dd9d2f9b407e870f11a85a22d89540791e7a4b69ec1094af89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000047

Filesize
106KB

MD5
0047652e7c285aa8c64713a525385a1a

SHA1
6014ac5cc569865aaa03d95cd0b3ada8c9a55caf

SHA256
4181f9c59a401a653c6268c5e686d9af204e7e66abab050abc07aafe368d9718

SHA512
17d57350d6608f560154ccc4ad3982a413d35c472f24cadb973f947fe5a92b6987578b39363f2cddf84304313ce695def1965bf0a883fe64fd57c7c50c84f7e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000048

Filesize
17KB

MD5
8258a961d3c61d24d9f1ef13f33302c3

SHA1
993d6a23d466da8b577f51fc085e2476d484ca6b

SHA256
93a1dbc0dcf31abf107c630ecf7564612a8370f98f239f7fefef7bb19c67f27f

SHA512
a94df162bd0116e9d2885f1b8b4cdc2d9a2f4a1c54f236c4db6f275a7ea6c89c7c8e55eb1b9caa0eb197d4218614de2d9a2fe269f55d3f71526c304a15de3429

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000049

Filesize
19KB

MD5
ca7fbbfd120e3e329633044190bbf134

SHA1
d17f81e03dd827554ddd207ea081fb46b3415445

SHA256
847004cefb32f85a9cc16b0b1eb77529ff5753680c145bfcb23f651d214737db

SHA512
ab85f774403008f9f493e5988a66c4f325cbcfcb9205cc3ca23b87d8a99c0e68b9aaa1bf7625b4f191dd557b78ef26bb51fe1c75e95debf236f39d9ed1b4a59f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00004a

Filesize
286KB

MD5
e44be8e70a2e1142a6e7ea538f311c8a

SHA1
49d65a493aa7b68a1af7a9c559e0a950b28680e5

SHA256
420e01f21d366a0e0671cf925d6a75f6d992f1529849ecbe10d89c2d76f97cc8

SHA512
d13ceed60f29ce4616a0ae0d802ebfaba90aaa8b7decad2f7a5b7f9cdea2fe974a05e1d03fc2f3ef6eec42cd3b2debdf0eae6bc7fa5660d72fe1a95189ee5c75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00004b

Filesize
1.0MB

MD5
acfd151b95d639addfff4941f1ebc344

SHA1
de66e54f237d97efa396d516da50f5f7aafb7a31

SHA256
f505f1190175c47ac031b4d856bc55f127e8f849712123693990a49cb4789e6d

SHA512
36d91449279226990a8d22e7896298a6cfa4621e7e53c2b5fc87afd1c62dfab3821d4d68eca4a0b947ad2c457a3d349cd1d182b845b212490b3c86a9ac5d6936

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00004c

Filesize
47KB

MD5
03f4ced9c2cde446e32782a268f9b070

SHA1
05330b724824d1ee1f29ad7f937b45d77d5cdf8e

SHA256
3080e4c84625cc63b186c993e2793fd9258422ae89070e4777c751df485c0e12

SHA512
e5ce14ec49e31dd2e7b2958a5e08fe8a9531fba857d374afcf3d024c24ace8ed5bb7cf740bd8eeab0049c133e92ecde49785815cdd654775c67555a7a1b5f049

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00004d

Filesize
24KB

MD5
a0760cb4038aee6a388c86ec02eb52d3

SHA1
22f7216201e664048c750bb8b251c3daf9fb5f78

SHA256
fa16dcfd52d8bbf72ddb368b3f5324badaec112c056d5d720b753258cb4e96fb

SHA512
75fc176aaa9eb657443524502ef30cc516ab582d18a0aec3ee3146f17f0c961e7247c55812058cd9c14f30e59b985a6102d830a9c8f0cf3d79ebd9191d22be75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00004f

Filesize
31KB

MD5
58a10cc9eab02e769b08194d211045d3

SHA1
fe5a542e6dbdda69b25532f8331020da47a79865

SHA256
ea97c7fd122445fee6b45ec1edf4ad1434b14192b0753bb175b31553e14743e0

SHA512
72e7ce80b6587c4682ad5713761a4859577f9732554765b5004cdba3b6dae60a54d13b841896d9bdb3ab496d529c92825b6838302655480f88c8ba60cdca81e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000050

Filesize
43KB

MD5
d41b99751f48c3797a5e7eea91a41124

SHA1
b0c73d252278f7fea271a8524320219ea41f71fa

SHA256
551ff1dbd0df95853706e675f7627394eb5613cc51f68683258567ecba12a996

SHA512
6362490a9e4ff4d5e65437cac52a900a93b119788b3274acd19c05861864cc2b8628448ef27de8a2fa4464c8bda1979ca6a3a9c6c07ff6a0383e9ff593f75a04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000051

Filesize
19KB

MD5
63e01e42a9fb484c35c305a7ba43be2f

SHA1
f1b6250365c8a70449cbf96fed84aa0f3dcf5a06

SHA256
db44bddbeac1a692ab23c2bd6119790c268d4f5e8121c0aab99b382a7aabbe7a

SHA512
9b30468c85d4d807d363aa49e9df1f9d51a2df6e0e59e38517190b51f08bbc3e38c9ee985c4051e62887fc43d8685fd43fac2d4208c8f1ced3fa9d17b2f29d35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000052

Filesize
64KB

MD5
9d2163709d145730199c6be7794d59a5

SHA1
15226ea87b133939afba7e99d77869668901231f

SHA256
9fe66c7ad268c407d0d6b7900a80b65860f9ebbd56ba0c10b75f1a68d072ab9e

SHA512
bd388b81d9bc28f8aee970227667f935c7ffa4036b371a0422b4bef13bb48e6812c200f098707686e4de19cd653801cc13ba59cd00156dd70d578dd1ce1cabb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000053

Filesize
16KB

MD5
d1e2e5f784ff10d3ca84077fb67f921d

SHA1
637e871007455a0af34129e9a12ea64479d697e4

SHA256
5ae855137e2620e8df8bcbb9550ea836fa17e37e5e800152cc922ae0d9b525a4

SHA512
ef675a387024ee4d0db5cca5857bcabe1f6333c7e93ee8f7e583d7dd31614a1a62dcc5189219f81e9725cddf9c20de03a5d720a72452037d77d3631cd18c01d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000055

Filesize
19KB

MD5
206797badb5499493fd5a823a3d35a1f

SHA1
05fc13b7a240f3ebf42a03e5989b34d3e74653ff

SHA256
812011a838addc0b7eddf803b668532845f0839ace73fc3649056fb19c8e41c0

SHA512
d15dbed91f52ccd17f1c20698c846af6c544a576d2790ab7adcc858f1ae26692576af742c96099bfd1d52af28c1f9b7fd938b90fa92f63ba28a8621719ec93c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000056

Filesize
46KB

MD5
6ddc73e86f2540adad7015b0049d3e8b

SHA1
e109fd980200be8d36033bedbbfe8beb84ffbd87

SHA256
5de13a8123aca52bbeee3a19ed0ba2b04c7ef1d19f6aa56171393d5d979aa2fd

SHA512
c48268fcaa16555b2f340ee5b2b6e96c49cab8e7c55234dea18f2e3a8dd3355f6c63ce55a838a0cae24765c5de1a627cfdb2ae8b8a13c79ffa7dc7ae3773b8d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000057

Filesize
26KB

MD5
48d399faaa696e710b9d841b934461e2

SHA1
8b867014ac0ae0a2b81a55f171deede8336a496f

SHA256
c905a4d23caf1f95d96c244084f15336fba5f65b74de870ec5c2be878410625d

SHA512
e5394eb68a809bfb251c26ee272f584bc786252667c4241f2f05e1f0f640cef65cd293f538d35d402633dd161bbbfa41898e6c4031848c9e68a03cfec36a5e70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000058

Filesize
28KB

MD5
92b24b0b2184a77a835645f806b3ec36

SHA1
dcb8bf9bb7ba97fb6f2855f217fc484633f5eedf

SHA256
1f6b0f475a97937295e51237f2605db56090910cb525ebb34544106292b382fe

SHA512
18810840ff090b6f7383c2d4e36782dabd2252f767d8ebee17581b3c84ae9f5da5e9ffbbb580411fc3888038d963e92ed802374223a805fd9a992ba9fae2e8f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000059

Filesize
46KB

MD5
f51db1556443e2658d66384deef8dccc

SHA1
5688baed81f3a42732833ee19e39e6b34bcea00a

SHA256
24ad70333bc39b3872b8b2144ffd929faac8bcb7591de661bb3af58ed2ad660b

SHA512
6ef88b55f1aefca912c536e771c155a48ac2f18ee48e3e55627753c91b684ed28cbedc77a0422839fcb14aa6a05928562e60abf962b22d716fa7f6d4decf2965

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005f

Filesize
76KB

MD5
3f68725ebcebec38f396409a6e50a099

SHA1
c4ba7cfcc18c6ac2587306e7aa5d391c14ec5b39

SHA256
4c5543799bf8985fb05db9cdfee4ad95cdbfaf6c94e4b8fee46b9449023ff1b4

SHA512
3e5974786e02b65ee7b40c82fcb2538ac1c0bc0167b52ccf8687835ddef9df2f74640445a7724fed4bdc51912632c1ab761a3d096ffbb2c5cfd6355f4a404ab3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000060

Filesize
78KB

MD5
66fd29b3da03b5226f213ad5fe916441

SHA1
a6f94d215b094528926d11f31eb524f10e870578

SHA256
09c46793a69a660cb75263205a56a067f3ef2370f199d5912e64aaa826adf712

SHA512
b38240e2f2b1d3dab33d8d0184276f3208782c4bff6669f72fc7e96d7503ef484604844bc996138637878eb937cff0a55efac343b556d5a49da6325b73113e28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000063

Filesize
34KB

MD5
80dd176c19c79dc817a00e6a0a52e458

SHA1
91ff651c3147c669586055563f4209ccda5ba2b4

SHA256
245201cc4d40686bb11165e627c97b08d039af4a6ed92ef042f972d767854ab6

SHA512
be7463cf1c7765393ac23259d9a43a32388a2b407a4eb48d6f7858c859c6d0d4de3c1fa73056eacd5cdde44320ab9a4b13a739334464a76d609cc9923a1711d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\2abf49efb655b2b0_0

Filesize
260B

MD5
f4d5ab69a79e863a5ffd210222398c44

SHA1
e3bcee19d12dc772731b931984fd1353546be56d

SHA256
f578085c548c0fca30b66f0a959a72a70a72632add35701db81444bc2d9ee2c2

SHA512
6c1e6fb597a50f02c7b35e43f23ac4a3ea19a36a9a4ac219d8270b1faef76e6c03585c4d07ca6f0c50287534da5716f043a0d539b10aacb36aac365d57ea36e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
936B

MD5
d499739a5179bf0ea78e49072d8b8b23

SHA1
c633bfe76ed2e9ab6dcf24368ee0627b0680e649

SHA256
c6fff1a131302290d06e5f4738d7a9dc2e22dbd90f8c33b135ea3bcb2b89833e

SHA512
48878294c6392f87aca2d0461f28f631c93e34f993197842b366093d095e069442ef062113ecf4fa9cdc3ad44e4259a40bb4c98e6df1fcbf658a3f4007a3ab9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
20e98b0bdeee0a1b75570159ddbf912d

SHA1
518bcf25a02d67e6ac283499b4f30978e7d65685

SHA256
6c959ad9625e75c42a1330c3777839f3974f9fbe7f4972db3877eab92fc4ddbf

SHA512
afcc6010df73f9d6d20b08da3d568b410401c264209c532351ceecc764d8777e6d945150d1a66eb29638b7d7c9368c521360846db884599bd0e83877a8ebf857

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
133a0d7d52b5a81ffd6c1a3059e12211

SHA1
0153fcd79c3b2b28822d4af8a990793b9dd233d1

SHA256
94315a6b21301375ac62755c554b3949e8b4f602f33139ccd051a4d631a12013

SHA512
a63ecf760aa1d03a25087dbd1cfa54825430fdd86e7155036286144651518d2dd0e8c7956661bd6f4373e807d3307d858a76b9948380db8760a18951d5c5df56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_accounts.binance.com_0.indexeddb.leveldb\000003.log

Filesize
108KB

MD5
cab9e058bdefd9c5d4e74dab92251e0a

SHA1
ac316397fed894d4e5fb85248b80eb494fcac6f5

SHA256
514988b2ca24f99088d1ae6e00eeeac2a6a27572a5a7a886ee9b348399ea98a7

SHA512
bdeab8c8f2777a00273ecf268498746ea92899eba216d299ef7e05cad83de814452d6de3c310d816e2c9e71194edec58c437df06567c957e5019a55219d9aa84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_accounts.binance.com_0.indexeddb.leveldb\LOG.old

Filesize
399B

MD5
19c7092ae45db838aacdb66ccd619951

SHA1
9d1965e0119d264060cde6708845fe31fd0ac2da

SHA256
196dcf64970a6f04cd7ef3404a2cf3c697532424f0873e77686cabea5aaab1e9

SHA512
82ca73e5fb6b865e19297ecf1e6a33d5b9451df04cdc2162b6b41efaa435846077d2daaee9ef733bb4815e34668b6166667f4475a0254541c5e856bfb8ec81a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_accounts.binance.com_0.indexeddb.leveldb\LOG.old

Filesize
402B

MD5
31fa80a1e00e333376b441536643de8f

SHA1
2aa9d78937985df2cbc5d4baea5bc9c2ed55e2e4

SHA256
9b2fc79c50a776e65bf73e1507e03a58a77701c103ec3e612f74a52a88f68bd7

SHA512
b9c096a05c2d1f9044184803157cf7e05b097fdb36f798bb5c7b7b6bd6ad5c6594ab7139b358bacc6683601ef8ceb9cf3d2a09e1cfa6133cf471712b2c9f3cbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_accounts.binance.com_0.indexeddb.leveldb\LOG.old~RFe58cd6d.TMP

Filesize
359B

MD5
b576eca3ec7032a7cc2cbdbca7a53ec3

SHA1
44040332c07d6ca4c0dc28df4fac6c334b3a8c4e

SHA256
f0b52f4013f56f35af24fbe478279c27d49269ebb2a81d9a652283a170d67ce0

SHA512
153c3aabff6e56fe83956aecc79b9a7f7f5a06c78654fafc81455922c6a3c35e1d9486fd9efb3dbe766af1ec2f5e39cb02cf045b5c45749064da609fb192db79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_accounts.binance.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
baf9ead9165bce17ef918405495189da

SHA1
4afb6e121341e0db88cb9cb5b14752bd057e1776

SHA256
2f95ac202ff8fe2100d1f2e294ecdad4db25a55883da5f2ce6d5f1c6415d7e85

SHA512
302132a5c1cf71578be7225a6e611e6f9830105f14633791e81d2f93ca58a579d2aed77c4deded11e67e954e99c1fff4e532e3108c6bca2dfcd7e7617ff80f23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
cfddc15565829d04ea686deb73152cb7

SHA1
0f77b45669f0507fee3819abd5292f12dd4f1522

SHA256
205cf7fba936a70d07a1630abfe985926835f3060b56149ae2428451ec8ac134

SHA512
329ff77760272ee197ef4b2f3c99f80835b6a28e1bbf3435a5c9ef908ad087f777142d89d53fd53dfd5c136418942cd33653ffd054443bb6c04685c3a1e717d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
c2f6dfc881607ffa2e9611f3131d97ff

SHA1
dd5ad25087ba0357a304fdc8c5df9b8fcd31da57

SHA256
b5eeecfd5fb5c72070245d93c01ca55afcdbefff5e9dc2ce0d617bb3b176dd38

SHA512
ae1d4ccf93511c27033300c60f0416ec318ebae597ab6ea0a8ed8de6f8cd06e2e7671f39dd7aa9ed5dd02eca1706ea8af274aa9af99fc1f08d1e7b0a094c7d64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
04e7bb7d0df407d85b88ef3761f37fdc

SHA1
479d275495cf3b734bf6250e3de9e0585aef5c75

SHA256
61878ab8efc3b381fa5d705f76b83f322297cac94cb3c3e413f68f8c90ac9f0a

SHA512
5555d68fcaefddcc0fdbffebbb86dff0de575b2ffb63bba75d4c6206a680411cba9cbe027e2938c9de4511896c371199dbbf7526be7e15dcc7ab650fcfcb82e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
3a47dd420803463702b4b4a243467c38

SHA1
7d57640a705af3734ba5e680e34daa9a95a9d9c9

SHA256
720a1018e9fb0349d9d0cad1fc82227b0f37305cfb60bdd16a7bba0436b0fdbc

SHA512
8dcf9eceef53d84c60d7023b2c37d930b0986ea7211fecfd5376f8465cb81b2b32cb9f680964b704a2d2ef3c9dcf5c1d60f8dc4b9f1cca686fd9bcc75d747fc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
b4495d6b7c7b70d9b03c74ea0e1f5c2a

SHA1
9dfff0633f7bdb0576c911ebd4900ea868f9b9ae

SHA256
7ee68c92c5f34acdb8f2a0a86a1ceadd8f449ef39f5938e106de0e58c7b2ad09

SHA512
846ad1e018ac06cb70cae11bf3d23575baa5ca81b9b52063ce8110e97a7f4c15f27fac6a5b4ba576277da8b2f20cbed94bd7665784c86c410828a26fb34d85d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dc63871132bfec423be1360788d24ba3

SHA1
6c0e0069252e5283ee19f7f083e5886a73e44ef4

SHA256
1ce35dd4ad77e3eeb1af80e7c12613a4770e76fcd5d27296d2a4b5e843796be8

SHA512
0fd9fce0bce1bb8448c81381372df9ddccda9527fa295222dd7106a0904c970a6834179b479659f5de983e2f163a942153300be85062e9e6dbf661c722be1d1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fd86f6d857aaadf6a3c1ba0d049bf1b1

SHA1
739970512313b07e50d039e63bb770c4efaccf70

SHA256
060bf4103943f77b1e6b3137a247374c0bc2bb06426f3294449ba0c12df3c2c4

SHA512
4da15be862200b9ccd64d8737754edf4b4fbeac43cc110387b4fa5323681bdf2d1fa84a8eff1960f5a88165854afdbdda1e4e077f5f79f245b6ab1f74353cbc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
049baa2461f896ddb80f93cc3b417c7a

SHA1
1d841b3a46aa591fea4c996560121c5ef6ce551e

SHA256
5a75ad7027eacc65543727eea06165236d46822d9c44353cfdcae9b5db24adc8

SHA512
14dc7a8673bfb95c2b8ba6fa7e1dfee28fd881a2ade554407ad63ab1895342876eaf0471d93cf14aadfd921a2b8bb7bd5950bb301fe111d94c100a78205ace11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
eefee43494fee6f79f457b8ba11c07c5

SHA1
f4996ae0ef0d7cd07451224cffad663598a94ff7

SHA256
14020f5a2e6097f8f628de95e1cecd305bb74c4a64a7d8bc72cfc02339046cfb

SHA512
645fd37b783fe92f8e23ba96782b20f614744d8285f70d46bcaac8c9cdd787b942d816b88070136e1f0686f94e27c0c2f004377d390a74c1a9a1d50bb0f06bed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
090c8fd411b80c0bba252c95e76bc3f7

SHA1
6bf7da11503d325ea92cab9a90c8697ac6c5a5d5

SHA256
e68cef87bbbc75c225fddea127ff496ec320ffc014d48fca647f2dd8b32c7de4

SHA512
fb65db0208eb11ad5ef50713f45335e07f3fd0bc2f7c970d757ace77c85f173e6f0ec1facefdfe3dfcec7ca7c59372384f88f762b7484affb89639673e20c2bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
a4716d40cf277f731817b8de3e665eff

SHA1
891691f97595f4314f20307eda8654246a1ee43e

SHA256
6a1c14fe72cd4450ffbe39b2e5b7c2563505ffd0b4a7b8d8ae25552be8c9ec27

SHA512
29ce946a6a828b0c379e03b3be621d5ef20c6cb23a55ee479a5435d9df38a197f0311718db88175e41c186b4de1ab129af4bea4ad153397f6339bddbcde5a548

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a5c380eab989143a23ab95f1c457c198

SHA1
30c407d9d18775235713889080c5972052b7f93b

SHA256
2d15e38860f27b9d7fa78c63f1f44afe51f8d28980981cfb60f937076c44766c

SHA512
e054273f38315fcba69d54ce79cf182b5c486ea5e6d0e45ce0f83e6583efef104f971cee799c5dc1fcc62988c3d590879e7de1a7e9f6f7b46c8b0e48a03487b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0dd993fa87a2b04d3176ea7181c94856

SHA1
222d4f0beba21ab287866229214de79bf6f73db4

SHA256
c7bb9e5412c52fcf98c5db572b9ed93240ef1074817799502f7310f3a905f7ca

SHA512
0f581de74c6f18e4509e658e02348e796b65545b45563ab8ac788d3cd41b87ad2edef22110c8acb0abcb8c2d5e5fbfa0e8ee05d2470d31fc54819cc189f34a9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b9a180f0160c4f1c3cb4d5b524f8761f

SHA1
c24d325eaa83615269ff1ebde2c73b9e3738b7c1

SHA256
ccc74fa80b3b01b7344fce768d3740eb817ea911a340adebf3b0c05bcfefdf4f

SHA512
00e1ad976c95597f16fc3185472aa6c514f6d055de72a6391bdc2b4a4f42f74a76793dcb5859f6645cbb72f1bc6f7a6a46e766475c70a030bb235e6164d31c24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5876db85bdcf67aad9aadcbfca8a5368

SHA1
7881b1fd4bd886b786f705b9aa6fceeae3570247

SHA256
f51d13548dac8752fa39fdbc033bce3c216c6901c46d80387096aa6ce66505ba

SHA512
ebb22196224c26c0283ae925b71838530ad9b2d8c08833f96347fc7732f24df6e951d87e5589bdbeb4a289e185c9ac0f42c58ec41eed3b32ed18b6f86fa5dbdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
dafb1d999638ed45c353756a1752c173

SHA1
03012a88e533baf7dd833886791d9c921055988f

SHA256
a5c392b7571b0177a57f5fbd5ef5b63d66c5dcaf671843931acc485e08410cbb

SHA512
c2b05ed6fbf3683911daf55d3c9165f953b77b8a1232fba0e6d417dbceb56e5deff8a6ef6fb1e676be026e5715a4cf5879fe4887c40e0a831eac48691f4f2de3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
be8aa9e479cd301abbaa904d95618013

SHA1
b297794af4a7a874f3378efd08026e4e9d6ec03a

SHA256
55ef7cf8a77ef9210e5f8dfe90deec2cd23b5ac790c3ee7abfd1319bcadc58df

SHA512
2e9f999ff33d082a23a157c73cb6e2e115d07cc9393a53e903db0ac7248cd29757812da57d0a323c49820fcadaad4ba401d2dc18c3c42d098372bf81daf90308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4be07b7157f4c61aee2b14fec06b626a

SHA1
bc1cb05723e20a9ca20c4edc0c5a2fb280a2fa89

SHA256
28c6ec523fa8ad43c952f848ee1884d45d993a2022882aee4073aa841218846d

SHA512
a1756e91c04a032767e4194076a640a4b0968d8ae54711d44fcad1d88c5dbd4808ad35a462e711399e5bc59e26789e84616fe7721030f8cd5f9cfd40eb05f0fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
72c67f43055b051eba18cfa294f0ea61

SHA1
768a37247d22702835a5d3f85ff463236a12b86e

SHA256
6bc98f306ca1d52ddf04c828c224c302f4b4b3a9de7315080ca8e42f2eb689d0

SHA512
8ae0810457c61a4b75895e032b12d77546f43f85efe302b7a2de5dab0c14f278c6a51230228f795e9f92809028f830079bcd95431a654986cfba4b49b42304eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0d8b417f64b7cca52023e7f1e30b5a3b

SHA1
9fbf4fa5a30033112b63a5ff46ec3e76f239d0b4

SHA256
337c20778ce4246908055ef7d1898499c8d0bd8705fabb743bc0e3cd554ceec9

SHA512
c81e165eebb5b05577c549ef2a6ad2f4e469fa6d2fb16e1fd865bcd8e9f7442360d7c065eb1072813f80f2bb07ef60fe025a483002836339a45cf2010cc43066

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5dc7197133c54f4d9f79a93d92021507

SHA1
80789e49048564b12c5cf69b31e61e8af03c9f07

SHA256
1dab9801571302cf337cfc366a856751ef242ba29d153f7875c067d45f9dd9dd

SHA512
52a629a2748d78ccb26d32d8c8bab14a3dfd0b4f6ee0658ad78ec7070a21b094725146e2cc36326c6ab3bdb2c42c4c49bf9e043133b8cde5ed668c4556e89d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a897dbd369cb8cf3f81a835baae39538

SHA1
a37ce2705868e4cbc4d418668ee6f2474c3e658f

SHA256
7b53c03a981185ea85f5737789ef22ae50a73365ae5b05715f287fbbf083e33c

SHA512
79547b01a9095f71cf3df8065cd4bd1f053473a510062148439dd11dfd7803c6e72ab642f389334da18099b0ecf2276a96e628211d9744d81224bcde534b8561

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a6acf062c8d41b05973742721a637843

SHA1
e5e6d423be45e86d1c3ee39544859d7713aa4c7c

SHA256
63f75ee31401d0c96cdc269b5f9034089728216fcd1736b527c8bd662e1e6fe8

SHA512
38fad0f097f3bb6eec55f9155bbbfe4438ad0114577ab2ab4d7e98d911ba032b9b8627c168ca6d39b3f4be8fd3895daada406435aa702e69415737afe966e8f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
71KB

MD5
2118c5935a47890e63273b6397472a36

SHA1
5eb8fb114bd0fdef3290579a7af82267a115feca

SHA256
565227a5d42cbb4305577709a921dfa316abaf7723e2b5bd396f36a1ce7e4f5f

SHA512
2621841988812df634c916019ab521c420c23352efda9fc32495577b82ddda00bf2b56fdbce205018b17c21e5381c2aa3f0abe0247efe07ef4c8545de27ea80c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
12a77cbdde547c10ba97de5f8562da23

SHA1
0cb3a82a237bcdf16203f93503a9ab5393a80349

SHA256
7b2c5fdf458f7495b5bff70c6ca60bfeafbf1c9aa8e094e1eacf81121f7f64f9

SHA512
3163fb5e4d0110ec6780e9590196c99ed54d6f850c597f6a25c906b0ba59fc9b75b900293d3c27ca280facabf8f83386871e6363bbb316a32c42ca9920b94598

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
71KB

MD5
2118c5935a47890e63273b6397472a36

SHA1
5eb8fb114bd0fdef3290579a7af82267a115feca

SHA256
565227a5d42cbb4305577709a921dfa316abaf7723e2b5bd396f36a1ce7e4f5f

SHA512
2621841988812df634c916019ab521c420c23352efda9fc32495577b82ddda00bf2b56fdbce205018b17c21e5381c2aa3f0abe0247efe07ef4c8545de27ea80c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
af8b1af8948f2f322cef55f568790d93

SHA1
6958ed88c020527e7fa587bc42eba31a14b7bef9

SHA256
961dbd5af50f356b256b7dddc80030cf7381a13513431e10055d742421c53459

SHA512
9fdc00a9648a256d645d6011c12bf07667af95a0621ad2c2e3c76f4c3cf295640ea34c040405d3299c7a761cc61dfb7f200673fdab1ade86fb65366198bfb6bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
6230fa05f6599f1d1aebbc01680d5c5b

SHA1
1af7cb23e6429f8be93265db0ce54b63b07088cc

SHA256
7bf345073391ed823eb51d47a56990caadb1d937642fa12052470ce96dcdcb4b

SHA512
16b9ff4b9479b3d32241eed9787d6f645378c28fc6228e4c04b75ae543117da04cce76cb96cc0a206ad5f78d2411fafec37aa2cef3bece33c0daa3340eee569c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
8cf2927de98f162e30f33d4f745a965f

SHA1
7d958634c8035adaf367cd134d1819fd1c66f154

SHA256
55517a600d02700c53e23e45c514dfbb9684a96525c64aaa847d715abbbbe7d9

SHA512
8427a94677b8c1f4e023ea0e5933686516953f499bfc0986395010f74a1e138bca43228d4330128521014a15471e7d22d8f619c389a45830ca688e42338a5c15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
104ff2101547e9190d80e00e76210b43

SHA1
dd8a6e79b484a8e2ea746b6c458ea0e93280c3ee

SHA256
19fba1e48e554ad2ca974e9525f48a3d26ec4fa7fc3f949144249c2ac1a1ddfd

SHA512
1dbb8ce00f1cf366d91287106a5c92a3d0236c8fc68bb16ec6dfe9fd431d32d0635dc190986ed7d72aa140d337c0f002858215bf312e9f30f8b41fb2d02b3ab3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
14fc67375ee9cabb778f37a59ac95329

SHA1
fce58d844e1eec3cc13b5f3afe3526c4c42108d6

SHA256
89abd7854c0c100246363c24b5475bebc8e01a8267b81e4f78cda00d518cd558

SHA512
b0c7bc757fb86c08efe742cfac480c49bd3bf529d0bd94240e5c4c833ce2796597dfb6cf1e3aabe4c13dd7798072085fea9dcf52c7c95462c7d47fc0782e72e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
1489167bc3fe478eae73f4501a2c7def

SHA1
acbc61f036abba16d49160979bedc8dc36b6100b

SHA256
d42756a3bab1d3fc24e2a56ff9dcf042998a2ee23db1cf700b4b21afbb35d43d

SHA512
4b3b862c09faeccebd11698fc4e8e714beef16bdbb5aab8c56a59cab5195bc01c94901ffab8335288397e0ac9f280edb19373310d68a9e3dd8e4e77c1c39c04f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
117KB

MD5
369e1bed05cdea0574bb774f1859895f

SHA1
f929cd8216e65368746a2863e0fab0feebf67963

SHA256
24f44d38379fef4728d366c70cf065882466836d3a17483aed3ddb577a272b16

SHA512
a987772818e2ccb2c32a840da8845116475c6075395f740240da3a2228d9056cfe045e9b85bd8a6e991a45e2849f33a28c868733191d95a3cc74b3e6499cd5cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
100KB

MD5
af0901ebf9fb320bbcda6ca3ed2be778

SHA1
5e8d8ff06696ad635b0a719ce315ed81a26c57b5

SHA256
2a7d33ff365098bcaa4bf281d02d0ded529fdf598fe1923f683517c8ed71b70a

SHA512
d6e2283efeed1501fd201b40ec42896af42f4c78f912204857d3d20495d0912b8e38aecdc6a2ff67207431a999938f40f9d0c46717dd8a7463fc26800c15adfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
d3c4203d0953397f37f309f74c72b095

SHA1
198916321838fb6286f4dc5a133dfdf916505bd4

SHA256
27e86a77768c72a5b203544c11d1059235822caac699ac595a673608dfbe6c56

SHA512
bd6c8f3f6415e77d9f48b6f5e6d93ba53b438e48d9e91414ce83f9ecf15e1ac2889775fa4da8cc101e9e7052fbd979dc6f18707b0488f7643705a743c61ec585

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
640ff28ecee5b3253938f2160cf3472a

SHA1
369969cf381c603a6760b8d20313af08d6c97f28

SHA256
ebf87ed1e442ada91c5b30b012dae745c81d5552fa8d7f4d60d4b5dd011eb06e

SHA512
f3bf492feb86c4d4f75586a860d2fe6a1ad718ffad78de6c1e2710eeea32cce8004ec28f6067dd5e4025231c3ac72340313ad9c956a2292328211d71a281d848

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe579c9e.TMP

Filesize
96KB

MD5
e69814c9966d90fc5f8436710a966221

SHA1
c48933061aad492d637d82d628a2aa201ae65770

SHA256
0913818202d44962fb173101a276899a22683379bf5f92971fe0d5fc456ad5f8

SHA512
54e740787628b1c0591652a6ae2bdce9e5cf24c2652f63d39622c806466e7292c6b5b3f6bff6551de7b037903f4d64298dcb07c290861b94ce85d072f04d7a3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
85B

MD5
bc6142469cd7dadf107be9ad87ea4753

SHA1
72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c

SHA256
b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557

SHA512
47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\a6fa96aa-03d3-4308-a351-b7962b64cd15.tmp

Filesize
143KB

MD5
c4db40196263621ce3ab5b343276bdab

SHA1
0dadab1f52cc53d789222a347d0be459828d21bc

SHA256
cd583a657e1581c2b7167b640b8fad5cbd4aa1bde85874aa86d2c7bd9d9572ac

SHA512
5f0eb063be4a6d31ae33e523cbdf537d414ce94deb9c0d7986b7a8f0e28d853a3647ab6d978a8a0c47c97d8b94598535e360c96f6f16d23a47b48a927b590a54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2qWqGox4\c7a998HEYC0M0BZ09r.exe

Filesize
2.7MB

MD5
66dc5909b9c40295b178ca64253790e8

SHA1
b73784e31c69882d8e23a915d69da9f4efab4385

SHA256
031ffbbd445d172fa63cffd3845a1fbce96d01b36c2faf3dec90c0bb68d52fd9

SHA512
007218ee143a6139e66fd1fc3214e1ab731b4821d40bd7270cd56076560b41aa5fb34d47e6113137b3bcb97b5fab9b1d11e1c31b32282a9e8a9d8a04d091d672

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tpaxfsp1.wrl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C0EGR.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EQ32N.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EQ32N.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EQ32N.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KGEC2.tmp\is-DTKNA.tmp

Filesize
659KB

MD5
63bdf487b26c0886dbced14bab4d4257

SHA1
e3621d870aa54d552861f1c71dea1fb36d71def6

SHA256
ca5e816fa95cbcd2a880f2c319d3ddf09686e96ee633af63a396969e5e62335a

SHA512
b433e540c9da175efdd09d44be39c563176046d89aa03edcc43e3582aa1f180e40e283503d152a46e07d4e77f8fa18b76118e425961b507ad5ca3864c39a7c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KGEC2.tmp\is-DTKNA.tmp

Filesize
659KB

MD5
63bdf487b26c0886dbced14bab4d4257

SHA1
e3621d870aa54d552861f1c71dea1fb36d71def6

SHA256
ca5e816fa95cbcd2a880f2c319d3ddf09686e96ee633af63a396969e5e62335a

SHA512
b433e540c9da175efdd09d44be39c563176046d89aa03edcc43e3582aa1f180e40e283503d152a46e07d4e77f8fa18b76118e425961b507ad5ca3864c39a7c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N259N.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N259N.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA4B2.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA4B2.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA4B2.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA4B2.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspAFA.tmp\GetVersion.dll

Filesize
6KB

MD5
dc9562578490df8bc464071f125bfc19

SHA1
56301a36ae4e3f92883f89f86b5d04da1e52770d

SHA256
0351fe33a6eb13417437c1baaee248442fb1ecc2c65940c9996bcda574677c3f

SHA512
9242f8e8ece707874ef61680cbfcba7fc810ec3a03d2cb2e803da59cc9c82badd71be0e76275574bc0c44cdfcef9b6db4e917ca8eb5391c5ae4b37e226b0c321

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspAFA.tmp\INetC.dll

Filesize
21KB

MD5
92ec4dd8c0ddd8c4305ae1684ab65fb0

SHA1
d850013d582a62e502942f0dd282cc0c29c4310e

SHA256
5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934

SHA512
581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspAFA.tmp\blowfish.dll

Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspAFA.tmp\nsProcess.dll

Filesize
4KB

MD5
faa7f034b38e729a983965c04cc70fc1

SHA1
df8bda55b498976ea47d25d8a77539b049dab55e

SHA256
579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf

SHA512
7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
14KB

MD5
0abf6dcb7b3ce9d02c0159445dc8cd5d

SHA1
229faaef2456a015e5f0da2ea0c8f7084300f77e

SHA256
8646824a31d0a14454fcb9c7b1720ec8c5de5ff0c88a5735f6f34f1e9d756b04

SHA512
7e06d57f2b2a0f328021822a5e6336b4954ef8a808f11cef90ef7804fadb7ccb315dcef782d0c25d7eff9fa37eaf217873a34518a75b96ffee91483e34a508b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
14KB

MD5
6a0319ba66a79497014e1889004d6afa

SHA1
54224d1e81cadb366fa5b9cba83839bc42283479

SHA256
0f61b8e7ca5a3f7d2583ba6f9c7111f06a1d1b589c4f888ab6e56b7ab00ce269

SHA512
9a1a208aec0c7f0cd8b17fa7b30fdc4bc3455ddb69aca0616fcc861e80ac1bd12bd335c3b8340b76d55c890b1c289b640a09e6a3ad30e5b8f3f42a2601235dd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
11KB

MD5
922b42157d31d37941729412ad0dd5bb

SHA1
5663aef9cb0b8b027b1d3b3966f088fa43fa371c

SHA256
9671d2aff666d15dc1ae38dfd5b84394b2f4aa0f38b36b2ea721881299ffbcc6

SHA512
a6b063c4d4a1dd74e1995e383272e67ef2421a2ccd6c60ff9a6d0cf800bdabf66729ba015dd20368d447328dfb07c7d32186a8a41f3b71ececce11db8ec06bf6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
14KB

MD5
053e2d0be4600cee39f454fe0d17c56d

SHA1
7b35c1def2e11dc8817fc148d05509c8078a4694

SHA256
24b6ba629fc9fed9fa8e4fa62892eb19edd3b1e201cb906376ec845f9ea3b5e3

SHA512
b9393e7d697b51afcbc1a078f1da10c8b19893cbf3bc5c2a7b086828a894b21f90b6ae94cbd7ca2df16e00318217f86c4ee4dfebaa8259e7292734801e980f74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
14KB

MD5
13af78573cdc59368d15f60f8b3be7ce

SHA1
6bc354c95770f917fd9bb27657572af5fa21c873

SHA256
a37cf48d6ff7814ff0fb29128155f5b1ba4a207d727c0982cada7fadb9d2242a

SHA512
1bc7209bd1601f022cb7c6ee9318d53a4b248ba5f4aa0cc505dc0730414e1ddb40283d61112c1d1c7b6dda166158dc04c3e8e174dbcf3c6aa2e832cc55b5d15e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
11KB

MD5
c1bac7b5ccd9958187895e18f0cc79b4

SHA1
bbbce7e9faf747411cf58bc7b52ec3936226a40a

SHA256
a3771b5aa1adc8ae9396916211590cf0c1127e39bf311752e31ae95ac6040b51

SHA512
4e73e34576a8742e168d8392a7405c9a4f97ae763766cad6cb28e5dfa403ef3f6fde2d5db257f54ef0c1708f69540a2db3a163cc71ff16064b5002282525f441

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
11KB

MD5
796284c26fa78df4c0919b2cbab2407e

SHA1
4d3823e311934247290d274f5c4e1f54cd70fb7b

SHA256
4224861d1da3db7afa954859875d7801fd2fdd33a56150de625194d1d468f5cc

SHA512
3da44ef4ed43342c7030e11d2b81a9dc3f0946c43b6d32bc5132b74540827aab38e6d22d37a81266c7f279f746ea7c95af78c4703eb73fac6225336abb8f3fa9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms~RFe5890b2.TMP

Filesize
9KB

MD5
217019b5cd17fe6a0cfb12827099d4af

SHA1
ba9afffe0add59ceba59498e129fad6cc607f258

SHA256
6c93410be9d72ef33906a2ce277fd4d7a6d3e25676fdda02654e3d2282831cf7

SHA512
8813ecb9f0d1d171fef1b711d6e5acee4e357efce33a4dc1df68ff221b5c2cafa878c561ce75d662cb251b0de7b56c9e2909b9f4dd3ffbbcfc661353434d6231

Download Submit
C:\Users\Admin\Downloads\Bandicam_OM6TfLCC.zip

Filesize
9.2MB

MD5
5873a584917a9d7f0ee93490684f37bc

SHA1
9c992b110cfd6e67d31295525a9a935539717e0c

SHA256
1b81a7b0179df2ecf2d1bcd360e11aae28e9b15b198cf98af7dfa538d9b122d8

SHA512
5f4dff91c9791c4097a0f048db6f8b41c67c7f4fe7fdc4aceefb769e2195a414cb574bd652acfe7b3c0423cd76ce9b9c51e3869bfb0a688a85341046b7567d78

Download Submit
\??\pipe\crashpad_1788_SADXRNKTSDYPBOIR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_5032_PEFADHIDHSGCAOJW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/460-2224-0x0000019656BB0000-0x0000019656BD2000-memory.dmp

Filesize
136KB

Download
memory/460-2226-0x000001966F330000-0x000001966F340000-memory.dmp

Filesize
64KB

Download
memory/460-2227-0x000001966F330000-0x000001966F340000-memory.dmp

Filesize
64KB

Download
memory/460-2228-0x000001966F330000-0x000001966F340000-memory.dmp

Filesize
64KB

Download
memory/672-1860-0x0000000000400000-0x000000000128C000-memory.dmp

Filesize
14.5MB

Download
memory/1296-212-0x00007FFAFBCF0000-0x00007FFAFBCF1000-memory.dmp

Filesize
4KB

Download
memory/1432-214-0x00007FFAFB750000-0x00007FFAFB751000-memory.dmp

Filesize
4KB

Download
memory/1444-1648-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1444-1601-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1448-1914-0x0000000000400000-0x00000000011BF000-memory.dmp

Filesize
13.7MB

Download
memory/1564-1912-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/1684-1639-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1684-1649-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2484-163-0x00007FFAFAF90000-0x00007FFAFAF91000-memory.dmp

Filesize
4KB

Download
memory/3000-1208-0x0000024CB78D0000-0x0000024CB78D1000-memory.dmp

Filesize
4KB

Download
memory/3000-1193-0x0000024CB78D0000-0x0000024CB78D1000-memory.dmp

Filesize
4KB

Download
memory/3000-1205-0x0000024CB78D0000-0x0000024CB78D1000-memory.dmp

Filesize
4KB

Download
memory/3000-1198-0x0000024CB78D0000-0x0000024CB78D1000-memory.dmp

Filesize
4KB

Download
memory/3000-1196-0x0000024CB78D0000-0x0000024CB78D1000-memory.dmp

Filesize
4KB

Download
memory/3000-1217-0x0000024CB78D0000-0x0000024CB78D1000-memory.dmp

Filesize
4KB

Download
memory/3000-1203-0x0000024CB78D0000-0x0000024CB78D1000-memory.dmp

Filesize
4KB

Download
memory/3000-1216-0x0000024CB78D0000-0x0000024CB78D1000-memory.dmp

Filesize
4KB

Download
memory/3000-1214-0x0000024CB78D0000-0x0000024CB78D1000-memory.dmp

Filesize
4KB

Download
memory/3000-1213-0x0000024CB78D0000-0x0000024CB78D1000-memory.dmp

Filesize
4KB

Download
memory/3024-2173-0x0000000000400000-0x0000000001537000-memory.dmp

Filesize
17.2MB

Download
memory/3024-2022-0x0000000000400000-0x0000000001537000-memory.dmp

Filesize
17.2MB

Download
memory/3204-1655-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/3204-1651-0x0000000000400000-0x00000000016CC000-memory.dmp

Filesize
18.8MB

Download
memory/3204-1647-0x0000000000400000-0x00000000016CC000-memory.dmp

Filesize
18.8MB

Download
memory/3204-1650-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/3204-1652-0x0000000000400000-0x00000000016CC000-memory.dmp

Filesize
18.8MB

Download
memory/3340-1938-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/4052-1858-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4156-1644-0x0000000000400000-0x00000000016CC000-memory.dmp

Filesize
18.8MB

Download
memory/4156-1642-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/4156-1640-0x0000000000400000-0x00000000016CC000-memory.dmp

Filesize
18.8MB

Download
memory/4156-1641-0x0000000000400000-0x00000000016CC000-memory.dmp

Filesize
18.8MB

Download
memory/4460-2155-0x0000000072080000-0x0000000072089000-memory.dmp

Filesize
36KB

Download
memory/4860-1857-0x0000000000400000-0x000000000128C000-memory.dmp

Filesize
14.5MB

Download