cobaltstrike | hxxps://google[.]com

Analysis

max time kernel
275s
max time network
613s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://google.com

Score

10^/10

cobaltstrike backdoor discovery trojan

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs
Detects the reflective loader used by Cobalt Strike.

Processes:

resource yara_rule

C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp cobalt_reflective_dll
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Downloads MZ/PE file

resource	yara_rule
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp	cobalt_reflective_dll

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

frostwire-6.13.2.windows.tmpprod0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	frostwire-6.13.2.windows.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	prod0.exe

Executes dropped EXE 10 IoCs

Processes:

frostwire-6.13.2.windows.exefrostwire-6.13.2.windows.tmpfrostwire-6.13.2.windows.exeprod0.exesaBSI.exeFrostWire.exe2ulhs4fw.exeUnifiedStub-installer.exeinstaller.exeinstaller.exe

pid	process
3952	frostwire-6.13.2.windows.exe
1028	frostwire-6.13.2.windows.tmp
984	frostwire-6.13.2.windows.exe
4516	prod0.exe
468	saBSI.exe
848	FrostWire.exe
1632	2ulhs4fw.exe
3852	UnifiedStub-installer.exe
2616	installer.exe
3612	installer.exe

Loads dropped DLL 30 IoCs

Processes:

frostwire-6.13.2.windows.tmpfrostwire-6.13.2.windows.exeFrostWire.exeinstaller.exe

pid	process
1028	frostwire-6.13.2.windows.tmp
984	frostwire-6.13.2.windows.exe
984	frostwire-6.13.2.windows.exe
984	frostwire-6.13.2.windows.exe
984	frostwire-6.13.2.windows.exe
984	frostwire-6.13.2.windows.exe
984	frostwire-6.13.2.windows.exe
984	frostwire-6.13.2.windows.exe
984	frostwire-6.13.2.windows.exe
984	frostwire-6.13.2.windows.exe
984	frostwire-6.13.2.windows.exe
984	frostwire-6.13.2.windows.exe
984	frostwire-6.13.2.windows.exe
984	frostwire-6.13.2.windows.exe
848	FrostWire.exe
848	FrostWire.exe
848	FrostWire.exe
848	FrostWire.exe
848	FrostWire.exe
848	FrostWire.exe
848	FrostWire.exe
848	FrostWire.exe
848	FrostWire.exe
848	FrostWire.exe
848	FrostWire.exe
848	FrostWire.exe
848	FrostWire.exe
848	FrostWire.exe
3612	installer.exe
848	FrostWire.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.

Processes:

resource yara_rule

C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp autoit_exe

resource	yara_rule
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp	autoit_exe

Drops file in Program Files directory 64 IoCs

Processes:

frostwire-6.13.2.windows.exeinstaller.exe

description	ioc	process
File created	C:\Program Files\FrostWire 6\jre\legal\jdk.unsupported\ASSEMBLY_EXCEPTION	frostwire-6.13.2.windows.exe
File created	C:\Program Files\McAfee\Temp4079216652\jslang\eula-pt-PT.txt	installer.exe
File created	C:\Program Files\McAfee\Temp4079216652\jslang\wa-res-install-sv-SE.js	installer.exe
File created	C:\Program Files\FrostWire 6\jre\bin\api-ms-win-crt-private-l1-1-0.dll	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\bin\jli.dll	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\legal\java.base\aes.md	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\legal\java.scripting\LICENSE	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\lib\fontconfig.bfc	frostwire-6.13.2.windows.exe
File created	C:\Program Files\McAfee\Temp4079216652\jslang\eula-el-GR.txt	installer.exe
File created	C:\Program Files\FrostWire 6\jre\bin\api-ms-win-core-datetime-l1-1-0.dll	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\legal\java.compiler\ASSEMBLY_EXCEPTION	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\legal\java.instrument\ADDITIONAL_LICENSE_INFO	frostwire-6.13.2.windows.exe
File created	C:\Program Files\McAfee\Temp4079216652\mcafee_pc_install_icon.png	installer.exe
File created	C:\Program Files\McAfee\Temp4079216652\jslang\eula-fr-FR.txt	installer.exe
File created	C:\Program Files\McAfee\Temp4079216652\jslang\wa-res-shared-nl-NL.js	installer.exe
File created	C:\Program Files\FrostWire 6\jre\lib\security\cacerts	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\bin\api-ms-win-core-debug-l1-1-0.dll	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\bin\api-ms-win-crt-heap-l1-1-0.dll	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\legal\java.datatransfer\ASSEMBLY_EXCEPTION	frostwire-6.13.2.windows.exe
File created	C:\Program Files\McAfee\Temp4079216652\wa-utils.js	installer.exe
File created	C:\Program Files\FrostWire 6\jre\bin\api-ms-win-core-interlocked-l1-1-0.dll	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\bin\api-ms-win-crt-stdio-l1-1-0.dll	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\legal\java.desktop\jpeg.md	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\frostwire.bat	frostwire-6.13.2.windows.exe
File created	C:\Program Files\McAfee\Temp4079216652\jslang\wa-res-shared-hu-HU.js	installer.exe
File created	C:\Program Files\FrostWire 6\jre\conf\security\policy\README.txt	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\legal\java.logging\ASSEMBLY_EXCEPTION	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\legal\jdk.net\LICENSE	frostwire-6.13.2.windows.exe
File created	C:\Program Files\McAfee\Temp4079216652\eventmanager.cab	installer.exe
File created	C:\Program Files\McAfee\Temp4079216652\resourcedll.cab	installer.exe
File created	C:\Program Files\McAfee\Temp4079216652\jslang\wa-res-install-el-GR.js	installer.exe
File created	C:\Program Files\FrostWire 6\jre\bin\management.dll	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\conf\security\policy\limited\default_local.policy	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\bin\api-ms-win-crt-filesystem-l1-1-0.dll	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\legal\java.prefs\LICENSE	frostwire-6.13.2.windows.exe
File created	C:\Program Files\McAfee\Temp4079216652\logicmodule.cab	installer.exe
File created	C:\Program Files\McAfee\Temp4079216652\jslang\wa-res-shared-ja-JP.js	installer.exe
File created	C:\Program Files\FrostWire 6\jre\bin\javaw.exe	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\conf\management\jmxremote.password.template	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\legal\java.base\icu.md	frostwire-6.13.2.windows.exe
File created	C:\Program Files\McAfee\Temp4079216652\jslang\wa-res-install-nl-NL.js	installer.exe
File created	C:\Program Files\FrostWire 6\jre\legal\java.management.rmi\LICENSE	frostwire-6.13.2.windows.exe
File created	C:\Program Files\McAfee\Temp4079216652\analyticsmanager.cab	installer.exe
File created	C:\Program Files\FrostWire 6\jre\bin\api-ms-win-core-rtlsupport-l1-1-0.dll	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\bin\api-ms-win-crt-runtime-l1-1-0.dll	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\bin\api-ms-win-crt-time-l1-1-0.dll	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\bin\dt_socket.dll	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\bin\jrunscript.exe	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\bin\ucrtbase.dll	frostwire-6.13.2.windows.exe
File created	C:\Program Files\McAfee\Temp4079216652\main_close_large.png	installer.exe
File created	C:\Program Files\McAfee\Temp4079216652\wa_logo.png	installer.exe
File created	C:\Program Files\FrostWire 6\fwplayer.exe	frostwire-6.13.2.windows.exe
File created	C:\Program Files\McAfee\Temp4079216652\icon_failed.png	installer.exe
File created	C:\Program Files\McAfee\Temp4079216652\wa_install_close2.png	installer.exe
File created	C:\Program Files\McAfee\Temp4079216652\jslang\wa-res-shared-es-ES.js	installer.exe
File created	C:\Program Files\FrostWire 6\jre\bin\jsound.dll	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\bin\server\jvm.dll	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\conf\security\java.security	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\legal\java.base\asm.md	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\legal\java.desktop\LICENSE	frostwire-6.13.2.windows.exe
File created	C:\Program Files\McAfee\Temp4079216652\downloadscan.cab	installer.exe
File created	C:\Program Files\FrostWire 6\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\legal\java.datatransfer\LICENSE	frostwire-6.13.2.windows.exe
File created	C:\Program Files\FrostWire 6\jre\legal\java.logging\ADDITIONAL_LICENSE_INFO	frostwire-6.13.2.windows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4132 1028 WerFault.exe frostwire-6.13.2.windows.tmp

pid	pid_target	process	target process
4132	1028	WerFault.exe	frostwire-6.13.2.windows.tmp

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

frostwire-6.13.2.windows.tmpFrostWire.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	frostwire-6.13.2.windows.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	frostwire-6.13.2.windows.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	FrostWire.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	FrostWire.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642710255388079"	chrome.exe

Modifies registry class 23 IoCs

Processes:

frostwire-6.13.2.windows.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell\ = "open"	frostwire-6.13.2.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell\open\command	frostwire-6.13.2.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell	frostwire-6.13.2.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\open\command	frostwire-6.13.2.windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\open\command\ = "\"C:\\Program Files\\FrostWire 6\\FrostWire.exe\" \"%1\""	frostwire-6.13.2.windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\ = "Torrent File"	frostwire-6.13.2.windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\DefaultIcon\ = "C:\\Program Files\\FrostWire 6\\FrostWire.exe,0"	frostwire-6.13.2.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell\edit\command	frostwire-6.13.2.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet	frostwire-6.13.2.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent	frostwire-6.13.2.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File	frostwire-6.13.2.windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\ = "Torrent File"	frostwire-6.13.2.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell	frostwire-6.13.2.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\DefaultIcon	frostwire-6.13.2.windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell\open\command\ = "\"C:\\Program Files\\FrostWire 6\\FrostWire.exe\" \"%1\""	frostwire-6.13.2.windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell\edit\ = "Edit Torrent File"	frostwire-6.13.2.windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\DefaultIcon\ = "\"C:\\Program Files\\FrostWire 6\\FrostWire.exe\",0"	frostwire-6.13.2.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\DefaultIcon	frostwire-6.13.2.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\open	frostwire-6.13.2.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell\open	frostwire-6.13.2.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell\edit	frostwire-6.13.2.windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell\edit\command\ = "\"C:\\Program Files\\FrostWire 6\\FrostWire.exe\" \"%1\""	frostwire-6.13.2.windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\ = "URL:Magnet Protocol"	frostwire-6.13.2.windows.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

saBSI.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe

Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 259 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header 247 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	259	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	247	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

chrome.exechrome.exesaBSI.exeUnifiedStub-installer.exe

pid	process
4444	chrome.exe
4444	chrome.exe
2324	chrome.exe
2324	chrome.exe
468	saBSI.exe
468	saBSI.exe
468	saBSI.exe
468	saBSI.exe
468	saBSI.exe
468	saBSI.exe
468	saBSI.exe
468	saBSI.exe
3852	UnifiedStub-installer.exe
3852	UnifiedStub-installer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

chrome.exe

pid	process
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exe

pid	process
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

frostwire-6.13.2.windows.tmpFrostWire.exe

pid process

1028 frostwire-6.13.2.windows.tmp
848 FrostWire.exe
848 FrostWire.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4444 wrote to memory of 3784	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3784	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 3988	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 4832	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 4832	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe
PID 4444 wrote to memory of 708	4444	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://google.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa5d29758,0x7fffa5d29768,0x7fffa5d29778
2⤵
PID:3784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:2
2⤵
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:8
2⤵
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:8
2⤵
PID:708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:1
2⤵
PID:1740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:1
2⤵
PID:1656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4316 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:1
2⤵
PID:3396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3140 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:1
2⤵
PID:4612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4828 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:1
2⤵
PID:2164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4740 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:8
2⤵
PID:5044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4692 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:8
2⤵
PID:3180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:8
2⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:8
2⤵
PID:3856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5084 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:1
2⤵
PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4544 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:1
2⤵
PID:3944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6012 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:1
2⤵
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5956 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:8
2⤵
PID:392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5320 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:8
2⤵
PID:1100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5844 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:1
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4752 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:1
2⤵
PID:668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:8
2⤵
PID:1544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=1136 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:1
2⤵
PID:3320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4332 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:8
2⤵
PID:1288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=3164 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:1
2⤵
PID:3420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4384 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=3688 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:1
2⤵
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=4700 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:1
2⤵
PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=924 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:1
2⤵
PID:3432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:8
2⤵
PID:2644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4716 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:8
2⤵
PID:768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5492 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:8
2⤵
PID:4260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6152 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:8
2⤵
PID:1824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4776 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:8
2⤵
PID:4196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6220 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:8
2⤵
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6376 --field-trial-handle=1856,i,10281593975772553318,2943397188000543976,131072 /prefetch:8
2⤵
PID:4256

C:\Users\Admin\Downloads\frostwire-6.13.2.windows.exe
"C:\Users\Admin\Downloads\frostwire-6.13.2.windows.exe"
2⤵
- Executes dropped EXE
PID:3952

C:\Users\Admin\AppData\Local\Temp\is-MMMI4.tmp\frostwire-6.13.2.windows.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MMMI4.tmp\frostwire-6.13.2.windows.tmp" /SL5="$B0044,1684545,925696,C:\Users\Admin\Downloads\frostwire-6.13.2.windows.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:1028

C:\Users\Admin\AppData\Local\Temp\is-BO642.tmp\frostwire-6.13.2.windows.exe
"C:\Users\Admin\AppData\Local\Temp\is-BO642.tmp\frostwire-6.13.2.windows.exe" /S
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
PID:984

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic process where name='fwplayer.exe' delete
5⤵
PID:1556

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic process where name='telluride.exe' delete
5⤵
PID:772

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic process where name='FrostWire.exe' delete
5⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\is-BO642.tmp\prod0.exe
"C:\Users\Admin\AppData\Local\Temp\is-BO642.tmp\prod0.exe" -ip:"dui=2397ee06-28fe-4eaa-8777-f7014368c353&dit=20240701013305&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=89fe&a=100&b=&se=true" -vp:"dui=2397ee06-28fe-4eaa-8777-f7014368c353&dit=20240701013305&oc=ZB_RAV_Cross_Tri_NCB&p=89fe&a=100&oip=26&ptl=7&dta=true" -dp:"dui=2397ee06-28fe-4eaa-8777-f7014368c353&dit=20240701013305&oc=ZB_RAV_Cross_Tri_NCB&p=89fe&a=100" -i -v -d -se=true
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:4516

C:\Users\Admin\AppData\Local\Temp\2ulhs4fw.exe
"C:\Users\Admin\AppData\Local\Temp\2ulhs4fw.exe" /silent
5⤵
- Executes dropped EXE
PID:1632

C:\Users\Admin\AppData\Local\Temp\7zS066484BB\UnifiedStub-installer.exe
.\UnifiedStub-installer.exe /silent
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3852

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
7⤵
PID:4700

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
7⤵
PID:4764

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
8⤵
PID:4756

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
9⤵
PID:5956

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
7⤵
PID:5232

C:\Windows\SYSTEM32\fltmc.exe
"fltmc.exe" load rsKernelEngine
7⤵
PID:6064

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
7⤵
PID:4568

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i
7⤵
PID:5976

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i -i
7⤵
PID:6196

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i -i
7⤵
PID:6920

C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe" -i -i
7⤵
PID:4588

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe" -i -i
7⤵
PID:7064

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe" -i -i
7⤵
PID:5984

C:\Users\Admin\AppData\Local\Temp\is-BO642.tmp\prod1_extract\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\is-BO642.tmp\prod1_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:468

C:\Users\Admin\AppData\Local\Temp\is-BO642.tmp\prod1_extract\installer.exe
"C:\Users\Admin\AppData\Local\Temp\is-BO642.tmp\prod1_extract\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2616

C:\Program Files\McAfee\Temp4079216652\installer.exe
"C:\Program Files\McAfee\Temp4079216652\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3612

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
7⤵
PID:4464

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
8⤵
PID:1796

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
7⤵
PID:3140

C:\Program Files\FrostWire 6\FrostWire.exe
"C:\Program Files\FrostWire 6\FrostWire.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:848

C:\Windows\SYSTEM32\cmd.exe
cmd /C tskill fwplayer
5⤵
PID:5528

C:\Windows\system32\tskill.exe
tskill fwplayer
6⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1012
4⤵
- Program crash
PID:4132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7fffa5d29758,0x7fffa5d29768,0x7fffa5d29778
2⤵
PID:3196

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1028 -ip 1028
1⤵
PID:3860

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
PID:3600

C:\Program Files\McAfee\WebAdvisor\UIHost.exe
"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
2⤵
PID:5168

C:\Program Files\McAfee\WebAdvisor\updater.exe
"C:\Program Files\McAfee\WebAdvisor\updater.exe"
2⤵
PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
2⤵
PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
2⤵
PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
2⤵
PID:5920

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
PID:768

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
PID:6512

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
1⤵
PID:6820

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
PID:6940

\??\c:\program files\reasonlabs\epp\rsHelper.exe
"c:\program files\reasonlabs\epp\rsHelper.exe"
2⤵
PID:6992

C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe"
1⤵
PID:6220

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe"
1⤵
PID:6864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:6172

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe"
1⤵
PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\FrostWire 6\FrostWire.exe
Filesize
527KB

MD5
3548534fe1326cc27f9481195ee43056

SHA1
7ab036e17c59e7513894dc49288f7bbb55a85bb7

SHA256
28124e3395fa42f326fe5b3f59e1f50568adb729ea1c7c211c07e0b52441c9b8

SHA512
e58cb434f410f40d98f94ce3dc196452b6e7d4d68d5057990b7ee3b37a80992c32b417b402e35ed88228d0626538777ab7cfa0a22581fbb951a353b14f3ff6f2

Download Submit
C:\Program Files\FrostWire 6\jre\bin\server\jvm.dll
Filesize
12.9MB

MD5
175d1cc5752734a851ca0946b60fe9b3

SHA1
11c5ae1603c395b2a45a1e50b1dc341c80838f16

SHA256
ba061a2a9ca1d0b43deba79f4f91997081e337b1f796c9e71a5960a7627f8432

SHA512
ed26647eda1b8bc572117d0b5ea995a1947396f94c33a0dadf4775eb1430674317cd2d7f13f12f8cbc5f630cc5811b2e7604eec916a01a084cf429facd5f57c3

Download Submit
C:\Program Files\FrostWire 6\jre\legal\java.logging\ADDITIONAL_LICENSE_INFO
Filesize
49B

MD5
19c9d1d2aad61ce9cb8fb7f20ef1ca98

SHA1
2db86ab706d9b73feeb51a904be03b63bee92baf

SHA256
ebf9777bd307ed789ceabf282a9aca168c391c7f48e15a60939352efb3ea33f9

SHA512
7ec63b59d8f87a42689f544c2e8e7700da5d8720b37b41216cbd1372c47b1bc3b892020f0dd3a44a05f2a7c07471ff484e4165427f1a9cad0d2393840cd94e5b

Download Submit
C:\Program Files\FrostWire 6\jre\legal\java.logging\ASSEMBLY_EXCEPTION
Filesize
44B

MD5
7caf4cdbb99569deb047c20f1aad47c4

SHA1
24e7497426d27fe3c17774242883ccbed8f54b4d

SHA256
b998cda101e5a1ebcfb5ff9cddd76ed43a2f2169676592d428b7c0d780665f2a

SHA512
a1435e6f1e4e9285476a0e7bc3b4f645bbafb01b41798a2450390e16b18b242531f346373e01d568f6cc052932a3256e491a65e8b94b118069853f2b0c8cd619

Download Submit
C:\Program Files\FrostWire 6\jre\legal\java.logging\LICENSE
Filesize
33B

MD5
16989bab922811e28b64ac30449a5d05

SHA1
51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

SHA256
86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

SHA512
86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab
Filesize
73KB

MD5
582cb55f1d5488c19de8a02e5c22e1b1

SHA1
107898c4b33c797fbdeaccf0d4c73c18e30fe81a

SHA256
7740054020dd617171342f29863839b1ab9e7666ea5e5467039f30306bd409b1

SHA512
ca3abfb0ba9b34bd006dc9576b1d56294ccf2b3086483277a15e6b96ed7ed206a858acfa618d6188f76214d86b2f2f40b43f2f10b3026dc3e5bcbe223186357c

Download Submit
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
Filesize
795KB

MD5
cc7167823d2d6d25e121fc437ae6a596

SHA1
559c334cd3986879947653b7b37e139e0c3c6262

SHA256
6138d9ea038014b293dac1c8fde8c0d051c0435c72cd6e7df08b2f095b27d916

SHA512
d4945c528e4687af03b40c27f29b3cbf1a8d1daf0ee7de10cd0cb19288b7bc47fae979e1462b3fa03692bf67da51ab6fa562eb0e30b73e55828f3735bbfffa48

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog
Filesize
248B

MD5
7c9b77fe49d24ef989c12e52bba2b7bc

SHA1
37b9ee5a72f1387776e3dc67c7c3ebeb2effac7a

SHA256
2dd1c9e0e4cd57cda19b20412556e7b6d536c1e82b7913976ad6e4774d52ca60

SHA512
9f52be631ca374c090639c4de41d6bd64805870d39545a40d7567a80e936c901a4123d9e42eb92f83e1504de6dabcadedf59363b8ccbb9ccc909794903fae529

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog
Filesize
633B

MD5
6895e7ce1a11e92604b53b2f6503564e

SHA1
6a69c00679d2afdaf56fe50d50d6036ccb1e570f

SHA256
3c609771f2c736a7ce540fec633886378426f30f0ef4b51c20b57d46e201f177

SHA512
314d74972ef00635edfc82406b4514d7806e26cec36da9b617036df0e0c2448a9250b0239af33129e11a9a49455aab00407619ba56ea808b4539549fd86715a2

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallState
Filesize
7KB

MD5
362ce475f5d1e84641bad999c16727a0

SHA1
6b613c73acb58d259c6379bd820cca6f785cc812

SHA256
1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899

SHA512
7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll
Filesize
335KB

MD5
5e2b4c627d4afac7b138fb229f3ba8cf

SHA1
7b8b27bfcbc2603f7e10474d3895e6dc821992c0

SHA256
b3df61de305444755aa5c79b4a88f10d5474980db8da0d674856ba158eb1c3b6

SHA512
325d151197bce5ba7a9ba76cdaaf5f9f5a3fc546542e78dc2b3b35337654a65ee2d19d20112d82b496104f148acb6b25e8c3d27a567b5eb6f0b2aa38aa4093ed

Download Submit
C:\Program Files\ReasonLabs\EPP\Uninstall.exe
Filesize
324KB

MD5
8157d03d4cd74d7df9f49555a04f4272

SHA1
eae3dad1a3794c884fae0d92b101f55393153f4e

SHA256
cdf775b4d83864b071dbcfeed6d5da930a9f065919d195bb801b6ffaf9645b74

SHA512
64a764068810a49a8d3191bc534cd6d7031e636ae306d2204af478b35d102012d8c7e502ed31af88280689012dc8e6afd3f7b2a1fe1e25da6142388713b67fa7

Download Submit
C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys
Filesize
19KB

MD5
8129c96d6ebdaebbe771ee034555bf8f

SHA1
9b41fb541a273086d3eef0ba4149f88022efbaff

SHA256
8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51

SHA512
ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

Download Submit
C:\Program Files\ReasonLabs\EPP\mc.dll
Filesize
1.1MB

MD5
5761d96590d91fa336c068269a7dbd93

SHA1
5a1b0a8b4f255680a7549b2b27c28dd65a5a3e47

SHA256
7dc02294611987dcffef0d1ce99ff316926901fc872099cbea2fb76997e29f65

SHA512
f8f5743547c96aeb579b7786fc9af64102bef3cf46a6df270cccf5d51a48467d9547732ff49f8d5258e7f28a5bf2d234d3344c2862a5a67f5054de81ec6f4ea2

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll
Filesize
352KB

MD5
b3b1147d7bcff3698ed64b9ca31dd75d

SHA1
cfcfecdfef6103e606e6559920b0164e6ddec856

SHA256
1f260a7cf65d80332a58a16b713570054e83d2d842b17ca76262dedef69922f8

SHA512
8638c0c96ed95c6ce5b00444b7287b0017b2ad1c1aab874b9caa9210fcaf4f7e7a3aac6b261e6e2686b66bbb02d6a68827541bf7a78a922d057a0c0846884614

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.config
Filesize
5KB

MD5
3149ca79d09c362307bed37960f0fd04

SHA1
f5f43f511ef581dc7b88ed194bb8e86e42f45bd3

SHA256
5481ccc72cad44173cdfbf746a701bb79e2b75927ef71aee1226e07e1265d31b

SHA512
d7c519a58bdefd24bcc26ec681b27a72a0aabbf4135d8e47a493abe1e4affd7cb5740b132d445aa9ecf66247de7406d5974557ae671d5977e40d877167b94a70

Download Submit
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe
Filesize
2.2MB

MD5
09e2401f12f54289c04af17d90f0798f

SHA1
2f95c7a2684338f5fc66b0c20e148b2a9938b154

SHA256
3efd3ea030a60cf4c5e0c6b93fdd24f1743e56cecd3a30329375ff80ef47091d

SHA512
8337b3f7bb29f546eaefe9adb8b7674007176c0f6d429d9b51df7eacf41b09042359d028ded0c934f71ce11e308252b86846027e10e07529327a451cfe7c2206

Download Submit
C:\Program Files\ReasonLabs\VPN\InstallerLib.dll
Filesize
279KB

MD5
babb847fc7125748264243a0a5dd9158

SHA1
78430deab4dfd87b398d549baf8e94e8e0dd734e

SHA256
bd331dd781d8aed921b0be562ddec309400f0f4731d0fd0b0e8c33b0584650cd

SHA512
2a452da179298555c6f661cb0446a3ec2357a99281acae6f1dbe0cc883da0c2f4b1157affb31c12ec4f6f476075f3cac975ec6e3a29af46d2e9f4afbd09c8755

Download Submit
C:\Program Files\ReasonLabs\VPN\Uninstall.exe
Filesize
197KB

MD5
410d4e81be560d860339e12ac63acb68

SHA1
06a9f74874c76eba0110cdd720dd1e66aa9c271a

SHA256
e4a8d1e07f851be8070dd9b74255e9dd8b49262c338bfb6ef1537edd8f088498

SHA512
4bbffeef276ce9b8fdd6d767ba00066309eee0f65e49cea999d48d1e8688c73d7011ed1301a668c69814457caad3981167a1e3fe2021329dd8fc05659103fb3a

Download Submit
C:\Program Files\ReasonLabs\VPN\rsEngine.Core.dll
Filesize
325KB

MD5
96cbdd0c761ad32e9d5822743665fe27

SHA1
c0a914d4aa6729fb8206220f84695d2f8f3a82ce

SHA256
cc3f60b37fec578938ee12f11a6357c45e5a97bd3bccdeb8e5efb90b1649a50b

SHA512
4dde7e5fb64ee253e07a40aaf8cbc4ddaaeeeafc6aeb33e96bc76c8110f26e2c3809a47266cb7503cbc981c6cb895f3eaae8743d07d6434997684e8d6a3d8eb0

Download Submit
C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallLog
Filesize
248B

MD5
5f2d345efb0c3d39c0fde00cf8c78b55

SHA1
12acf8cc19178ce63ac8628d07c4ff4046b2264c

SHA256
bf5f767443e238cf7c314eae04b4466fb7e19601780791dd649b960765432e97

SHA512
d44b5f9859f4f34123f376254c7ad3ba8e0716973d340d0826520b6f5d391e0b4d2773cc165ef82c385c3922d8e56d2599a75e5dc2b92c10dad9d970dce2a18b

Download Submit
C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallLog
Filesize
633B

MD5
db3e60d6fe6416cd77607c8b156de86d

SHA1
47a2051fda09c6df7c393d1a13ee4804c7cf2477

SHA256
d6cafeaaf75a3d2742cd28f8fc7045f2a703823cdc7acb116fa6df68361efccd

SHA512
aec90d563d8f54ac1dbb9e629a63d65f9df91eadc741e78ba22591ca3f47b7a5ff5a105af584d3a644280ff95074a066781e6a86e3eb7b7507a5532801eb52ee

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
1KB

MD5
524dc81f34e8b715770300cb3e4040ab

SHA1
2b7e5679b78122f2c91059eefac6bfb79c96df54

SHA256
10b269076234d94dd6ac65f436dad336c4ddcbfbd29fbd5ca704c5030cf74d8f

SHA512
e7f117111d1474d1c1315b9cb8ae5139fa3dc47107b4e8211fc4d0f1c2149a9df3758678835c30f1f7253faddb09c5c26650e4e397fef6c6a56d7b1bf8c5ff08

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
b50fcb404ede74df11aec22e88204c72

SHA1
b702fd839eb0765e7115f7b1d24e0bee9f993ebd

SHA256
4c93e61671f16235edd43ba89cee2ed2fb2a42ab32f5b5b7ed1c867a3a57a048

SHA512
1d3b693f959ca6e648d2cb6469eed7ba13981c384c41a55496a3b0ca13b07ab45984d2158a5a6c348fdaabab17872cd9d3b9cd6dccd51d02635ca6b33be89e9c

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
7c97ec607efa4b365d91a33e0bf897fa

SHA1
0f112fb10700a299cbe830e5205860f4a065f849

SHA256
c69823e08c7cd9ddfdbc91624de34956759bcea85730455ec1367623853c158f

SHA512
a117cd19fdddce9d2b10faa7b01b4a4b0d3a83b1966181940f37fa80b5fd5dc48603ce5b3d0876bc36154d1df33937b0afe74d94a945328b53cd043e8d46a960

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
4KB

MD5
dd92a3f7f471dcecd09c36aff33b4ed9

SHA1
1d5d755d1deda910f7f9e934ea2663e410285edc

SHA256
023263cb467227bc8f63c8631744d31cb33a45bd04467947f48546f3f949579c

SHA512
1b8703aa9fa457b49cc2d901dd1b92ac1bac9085608a4accbc6f5467ad8b2dffcac42ccddeb94a38079cafa3d6d4df815214d7c438f29d49fc89aeb9080a8778

Download Submit
C:\ProgramData\McAfee\WebAdvisor\ServiceHost.exe\log_00200057003F001D0006.txt
Filesize
4KB

MD5
4eed87e200d13845102723f15b46babe

SHA1
5b2cec3d1d6a8af88719206cfaf486d50030f459

SHA256
b1185f71d3383295fb2dd2da0be09f9e8748f1f403203e146adb58f4f576b268

SHA512
f7e7774ac7fc4ac575f0787077ea5b06e443803f217d4fb20b447869595d4b4ac9640c2af813347eed7eb01b62b85e6065701b35961fa33c6b12cb847f639242

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
95c821c4bd15e6929fa424e2cc312f63

SHA1
4961d74b9083f03d0c3dba6a58ab18e95c62ce3f

SHA256
541510a51558d776567b04d4f8cdc1f427ca1fa5e8e872093c20bdd31255b926

SHA512
699731a37cfb079354d31cddee714148bff85d214c04f772a69f292bea54b52b0cb0bcf8c5d63d18c705a22b3b7237da31803778eb144f213fd381dd4f3eea6a

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
368f42b47e2e2acb57f52758430c4013

SHA1
8ada0d88bed07599c1c9846614ff51efc320845b

SHA256
1207f8e2c65f2f8506ffcdc37df57204969b607e784d8bb6cbdfb13a08b79687

SHA512
852658614372ad11502b79c8fe30c3c9edb8e3e6d84270c35778432bed4d5dcccca73a256cd4a5ebd93208616aa0feb2d220be28e3ce837a895dece6f66d6c3b

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
Filesize
4KB

MD5
8a0a891df4af8834a401ac77a4da0984

SHA1
79b8748f93ad52e646ad488f2684a9635aadf02e

SHA256
1652b9563e7462ddd120bb02790646463a17967b3b81c881e2ddb4f57521ebe1

SHA512
ea94b92fc9b51b793d049a6e7ff7c52540c7ddf2bd15895e2091f8ade87979d075061830d48b4a0f227b4a3ec28c59f731ec49e628cb6caefc88c9f978e85f4c

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
27dca810e4791bb7bec960e9f4709018

SHA1
80ea9b8d8b8c7bda42ecf8719735dcee0c9dd914

SHA256
2105c3a76bdda0a2bbcb0c711e4ea3b203bbeba19ae8d3ee28c8fafe2bff8215

SHA512
6f5f86099719ac4966abae7e10c2e90bf46333a477a195c3aa2b5a7217889cd817b669675cfcab31fc85880f8e6214198bcdda9ea3402450fae037164df62c7a

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
4KB

MD5
e1667c3b5754a12861a15e2b89b646b9

SHA1
87815d96248845ee34c26a88915856a1f30d21c4

SHA256
1b31a6f97095a3301c2363b693a6a79aa922ba1e95e9b7b3ac6d0ca60c2a440a

SHA512
5f3f667f592038ee2d4f29de64477789274046c0e83e9c603b992293a65860a299341b2da00c0df2932c1e3f61c15eea8724446d9241949ed8783111a6bd5c68

Download Submit
C:\ProgramData\McAfee\WebAdvisor\WATaskManager.dll\log_00200057003F001D0006.txt
Filesize
1KB

MD5
d397e646c8ca8c9c4430e281d9da064a

SHA1
c73d0dd5004bb0262009d3eb426c7e0b0640d697

SHA256
9a11969b1c292f52d228241d3fa141794c537badc97db7b47897c4ffa2ae3af1

SHA512
fa4ab22387275f8276191002074c61010f192615de6922e554cfe130ad977b591454f76fcfbff7ff499725180dd74fbbbea227631f45ca59fcedce9e6a4efed1

Download Submit
C:\ProgramData\McAfee\WebAdvisor\WATaskManager.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
c7fecd81ba98aa4e48c12a2be178d1dc

SHA1
b6d1c4285bf7e88d19b970eb3fb01233ffda6ab6

SHA256
482140eb56e4aef3ee8c782a76a04671df05df074d19340f3d1d39e1b5eb4609

SHA512
846481b2befb5e8ca31b24373060939f33934f46ca9a5832fb356582b509d2ecc705d22f6a5d6e2d6ba9f8a216f8c1891ea886581794731f2fd385e44537de3a

Download Submit
C:\ProgramData\McAfee\WebAdvisor\WATaskManager.dll\log_00200057003F001D0006.txt
Filesize
4KB

MD5
d7a799dfe97319ca9fdf4a84ad54bdd4

SHA1
fb52bfb30aba1b16e852daab5cf57b870915e20f

SHA256
35da500f5bb08537230990e4cde1deea8cd865a05eb2e74f19e459175bc72c1c

SHA512
876df70a4022fc5b4dd273a42a443c4b50f6ddbdd86dc3a2d7fcde8a6f566598fc63db56d6772da9945165c6316ebe236c4b3bb46b555b036a751a2273a3acac

Download Submit
C:\ProgramData\McAfee\WebAdvisor\updater.exe\log_00200057003F001D0006.txt
Filesize
1KB

MD5
54de4eefe3be5a644aafae82bb3d6705

SHA1
ec7dc7f128cdd4763ccc535dfca4ccc7eefa8fc9

SHA256
4f5d0b66fd1ca51770089bd8b208bea72138aeb27c5b826270e94cc6b4c4e33d

SHA512
176a8ea537019dfac20661ca69f286292591250e209c4be01b0d4e73487c45511701574a167d5fd5b94d9e90fe62f992f974f3ebbf07d39609048e8725366e26

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYF.dat.tmp
Filesize
5.1MB

MD5
d13bddae18c3ee69e044ccf845e92116

SHA1
31129f1e8074a4259f38641d4f74f02ca980ec60

SHA256
1fac07374505f68520aa60852e3a3a656449fceacb7476df7414c73f394ad9e0

SHA512
70b2b752c2a61dcf52f0aadcd0ab0fdf4d06dc140aee6520a8c9d428379deb9fdcc101140c37029d2bac65a6cfcf5ed4216db45e4a162acbc7c8c8b666cd15dd

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp
Filesize
2.9MB

MD5
10a8f2f82452e5aaf2484d7230ec5758

SHA1
1bf814ddace7c3915547c2085f14e361bbd91959

SHA256
97bffb5fc024494f5b4ad1e50fdb8fad37559c05e5d177107895de0a1741b50b

SHA512
6df8953699e8f5ccff900074fd302d5eb7cad9a55d257ac1ef2cb3b60ba1c54afe74aee62dc4b06b3f6edf14617c2d236749357c5e80c5a13d4f9afcb4efa097

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYS.dat.tmp
Filesize
550KB

MD5
afb68bc4ae0b7040878a0b0c2a5177de

SHA1
ed4cac2f19b504a8fe27ad05805dd03aa552654e

SHA256
76e6f11076cc48eb453abbdbd616c1c46f280d2b4c521c906adf12bb3129067b

SHA512
ebc4c1f2da977d359791859495f9e37b05491e47d39e88a001cb6f2b7b1836b1470b6904c026142c2b1b4fe835560017641d6810a7e8a5c89766e55dd26e8c43

Download Submit
C:\ProgramData\VPNBackup\rsEngine.config.backup
Filesize
4KB

MD5
04be4fc4d204aaad225849c5ab422a95

SHA1
37ad9bf6c1fb129e6a5e44ddbf12c277d5021c91

SHA256
6f8a17b8c96e6c748ebea988c26f6bcaad138d1fe99b9f828cd9ff13ae6a1446

SHA512
4e3455a4693646cdab43aef34e67dd785fa90048390003fa798a5bfcde118abda09d8688214cb973d7bbdd7c6aefc87201dceda989010b28c5fffc5da00dfc26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009
Filesize
41KB

MD5
cfd2fdfedddc08d2932df2d665e36745

SHA1
b3ddd2ea3ff672a4f0babe49ed656b33800e79d0

SHA256
576cff014b4dea0ff3a0c7a4044503b758bceb6a30c2678a1177446f456a4536

SHA512
394c2f25b002b77fd5c12a4872fd669a0ef10c663b2803eb66e2cdaee48ca386e1f76fe552200535c30b05b7f21091a472a50271cd9620131dfb2317276dbe6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a
Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b
Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
336B

MD5
248bc9ecf338a5bfd28092992ecde20d

SHA1
c6f1b4638cd5112b5067aee3a7d89bb91cfb7463

SHA256
c18ef71af79ee0c4f6dede21bb41e13444aede859fdae24e35df2d689a810a9e

SHA512
95a24f67a6cf73d6833e5f55c567596ada968931a873da9024e7641f730db09b50961bb66ba07c65fa1f98218525198c6423c6916b0c3854020074cc8c7c3665

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
336B

MD5
5f1800f418998651fe875686dcc465ca

SHA1
21bdadd32130b3d3811407d2292b9c95cb0b5477

SHA256
df66a5bb672b94763ed31d8f7099f832d141b238d3094a6d79a326f97ede3114

SHA512
d00559ead510932147546f7bdd86ab63a692ca3a9049130ed64e14862f61b7f10d8f7a6c5beece461e2f35f334e6a16a694541ef075e568cb5e26e531dc709c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
5c6498e825953617352e84f3a2c5da09

SHA1
9ad6630a0ef95e7a6348f6692d59341d19b68737

SHA256
efc18fb02fb65e672e6ef2e7a259c1a360c917425dbbbc651b59704098b1ae53

SHA512
0b958f2f515c10aee45d7342c46d0e05e74d0826ff941205d9d6976bd6af80d994d81ea5bf37368fd67302d5226ab5e3fc869e52ea42499993b7875e4d54434c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
fbd10a7096169c59cd6ca855b79d6061

SHA1
ce2fe44c0eeb109122014408c21b78479ac5e13e

SHA256
25851954431307c7c3523ad5b94498461b0c960237b2c5451a7787f15cfdfa08

SHA512
70c5b08cfdfc1455b9b2c2833158dede9db8e7accfe7047eed08e8c41d61d4ad1670c663e8cd0f64269f8a104db075a70d80d8a95539dfc97bdb13da720d4259

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
6KB

MD5
bdbc622c2ec89639bd2ddd3e193534f4

SHA1
b9482bb7cd37432f8c3b696da7ea96882b4127fe

SHA256
49b8fad1f835d5954a668f15dbf5a0718953da8a63ded19e5433b71c2488c3e8

SHA512
40dfd8b4d3a90aac3e03e045b7b9f8302781e1c36e37416c6fe42d99d5a96174a274ee36e8fcd301ff15d5b506aa4db9e723b6aeb521ee0defbfefbf0006e3a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
8d991aa8b6313c4c2cdfe1dbceb6d772

SHA1
66e34d687af7c69381ee7f2aa63ffe91f7b8f268

SHA256
e7b26e2e17139a118ae6a8f7b812110834b23286c724f1abca461b268224f57b

SHA512
c5f56ef7876602c30594f5f2457de7226923ed7c8e3ce2dcaab91e4dba3bceb78bf29b367332dbefd7f00b120b61682802bbf084ae1cc8c93f904823d75b7765

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
6KB

MD5
ef8ce25ed763401ec700aa79fd34b047

SHA1
bdcd2f6daacb7e3a74070402e78392418fdbfed9

SHA256
9c389a6b0a1a83cf87fe85865ff3be448a6cc45ab7237f5a4eb8eb716e1416eb

SHA512
dd4a6193a9fedc1598d5bed5a776d03a9ff1226585372a176aa32382fe501e8a642188d0c7645e1e819392748995ecd9f68972bcac296efd2be7c39fda0d23c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
369B

MD5
38f92b2e9ac469ae162e5fa6af80798e

SHA1
eccba8d0bbc563bd2f88cf45c4a174ef95a92c36

SHA256
88726153b782f796dd38de1f99eab7f50c357d05fecd7f4d4186101a73b0ceb3

SHA512
306fb0fdf5ac112af1b2662063fca21e67556b4e2ad2cf6bac750bdc1152ec3bbef36ce3f87888e10dae89a02636bca53abb947323c46b79490345f13d7532de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
369B

MD5
a1597772469e3db2fb56c75fbfb00126

SHA1
f0f9b44cbf85b67c138187109d5f260a0af9ca90

SHA256
de9403cd47fa5545c7d59c60bef50b6009e2d3914d509dd94ca060b435323082

SHA512
c32f79304f9036ecd0d39a018f78d8476e7b09278780c7fc1a78b2cb6b721188d55541c44f5bd9b3ed8e4b95b436d2c4f1efb07b4094615e4157b40356f0340d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
0a84a0656486aa9ff941d40a959bc4e7

SHA1
ceb006813ab0d5324cd68e766190e168a118a6e1

SHA256
a2c186d8e2bed1f03eb4f85d2c7c272cc424d5ade8a3ac21ecfe174b2328ad3c

SHA512
c4bf07dbf7d277a78fafbed6f838cbc81fdab6e55810189924b91fa54b642c0e69771de1041980c864bb4779c5028922e352a350920bcdb29fd802f6201c9f50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
369B

MD5
066ae71248197a7431ce05629e95d36e

SHA1
8b5fa993aeb513f039bd57a0593745b3dc7722e4

SHA256
c18657aec0e0d6f73faa5ed3a3bcc71f3bf8abbba0fd1f4d888dc7e34d85f510

SHA512
a120a8fed8922fe5b0ffac8c42fe315aecff9343692ce8b80e52b69c252e6ae7aba6d9c4da07022cb93ece27a0b6cf20060379afb94162e8f96928683dbeafd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
6a5fc538ab311b7893b1b018eb0ea25e

SHA1
b023ad5bc3c960462ddc2b10a3fc207c6f3001b1

SHA256
bb4691073e7ce495c5623be46ce9d6b0f644138f63e67199358c1b1edeec7410

SHA512
0eccbc395edd47e8fb432e8cf68796ea6c4a79e6e13edd7fc08ea989aedf5bf1f473226f4a41b0330da13115d08522d5992e813c63b9000fa1d0099aba37ad87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
19f580462a319930706ff196a65cd2a6

SHA1
e0a7123592f7074372c63c8fec3b0d7fe204257c

SHA256
8e222233a28e3319a913a25f6ea1c1d45776ea391b1d2f921bde83422d30e975

SHA512
d7b69f5e65ca1826d023c47223e12b0b96af8e67484ba81c3bfbff0985c84a12029d3fcbd688ae506d345946d315db85938b0a9e3341efb858fab71017426b13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
beeaf22ccb25446b36099e8dbed836a6

SHA1
96996908736b048972ec346e1d35ae1659fed6f1

SHA256
d374d324574e15feb5cbfc108f00e2d6bb1a72ec7bcfb530022fa4949021e4c1

SHA512
062835e339842cfed02b2fda3921fba4e81d6ecd79cb50f0b1dd1a854787b0638c0108305159b086b43a9676a8139af38c82be50ae31e09b077f839a1df9f871

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
55da75dd3786b7b0a97f7efcf8aff8b2

SHA1
b5d7d2b495891735073dc2bf4f043dbf0afc1361

SHA256
d189cdb854acc5f2a5ee4cbfff1c8705c2d6b6402acad51b92b64f70bffc0cf8

SHA512
82c499f7738cbbca6fcdc1ba871107ebe9363f299f5b86d4835bd99cfd0bf29ad7c5765c817c2ad42c643c705d5214e1e018cea0281da3242dcc163a26d9fae6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
c751828290d11a5a6251b617500966c7

SHA1
8dac1d718b4d2ed415ee1f3c1de68edef0839255

SHA256
464fd847b952ce2fc7ca45c2e9bba6a961f15bd7ab93353cb0b89d457ffdb08b

SHA512
3c976bdcccc646c29f59e2f13fead79e85434b6285c0445a6e701835c3ec857dd2cf6e44f7e84e6643bb72cfa3ad416497d8306658f450a825aaa9a9f25dff5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
ffe9c3105247de2667642046062ca686

SHA1
4d1a10207057aa0183780f64c4a88c884271a6a4

SHA256
042d4e89c2bda4b953dd5a04b5712a8ad119b006da9541b3cf5ffbe5426a7cf5

SHA512
d36d93a643b7585011feb99152ab9c0abbf8218901898ed024da38b6517e637338176f0a681b90448d0650e9300ff6e68e141f4609f3d10a8bb51be7d557fa96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
e5d2730e222da869896c2e3962bf36e6

SHA1
5f2b9b1d68a484a9e22bfcb189a960625d1454e2

SHA256
f972142cd8bebf9a89acfe2c95ce2acd162d3db9fe1842023b908aa26d2eef6d

SHA512
6397bb21f70059e9e2e71bfa9f01b44b5a2f1311aea93d878a105b7b488d6d084b9f7d49af0abc39c4c921606a3dd381bfcd6676a9ab73ad8f174d363ebc92e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
c77b07a5d21b17c957c6589d7d297b84

SHA1
d05151cbf4abb6a3f60f18219c851630c47f2c9c

SHA256
76933e641973d060ac8e7b94f2b8d0285bb4c73c5fae43053ef53c3695dd3455

SHA512
3d7381971fad1a27740b013e5d50457c9c6cb8b1df470332a399fd4b07abb3d7314389ceddf079b4faf791a6372ea6b77e5f92a49f0e022c2db89a5728a2122c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a888ceeaa57d6bae399dcfdce00b2796

SHA1
b747c673786d2029bb6146f5d115d632253e6830

SHA256
283fc7e00acc74f4f9f13eed973ddee41787c878f144c0dd7d3aeb2a49369c62

SHA512
8f9ec7dbc6bc3ac3142b4b2229069530a0581e55ab80fcfd8b6a526d19ba902c643e207f1cb57ea8564c8730e8dc24fe37b7de6bf879ba87a93d47763b842a9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
ed6ba5376c80ef0506fd82969cd8cff1

SHA1
3bf4a0e50561211aaaedb6a63e4befb5e94544bb

SHA256
6fd6539542629b12896b774b68a6a4b528917eb043b6b4a8d40e6867fb850e05

SHA512
6b17c4c8976e26a4ca1a6a78442214778339e815bdaa4c464d49a0cb6d4438f8ea8fc712e7a2417e7a0c65759fa468d8561e7639d8e1064f6468905fa8bf4a70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
f663748dacb5e33eeb65551bd22ae349

SHA1
fb5baef4dce7c524ab179b30bccff257376b8f1b

SHA256
72a6087e02c11d4eeb1cd7d2076632a0018b2e5ba2b1c90861fc1288bcf99063

SHA512
e0819b8330bd364d555d86346d6fe40844a34652e94923b02498aa275c8bf9bb995c7251ff984a2626041161ffc411d589007b1378bfadac514a502291714f9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
b239f53a7b1a26727361969550d96a9b

SHA1
43ef78df25fdf6b8268160adf0ea27225b6b754f

SHA256
c691bf2bdf19f693507b55b215a7d33805986edfe9f3993206f298283c968afa

SHA512
21c02c8e911fd676073489cb85ea3cd5a7b888f36d3186e8ef6ad6f2412fd780d46d78eca97ab7e47a8eae4d9bb2815104e6c043e4d3638fef32e1607d6192e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
89d15207f038baba15ab9f70742431e6

SHA1
8d88fbf475d02c477a97cc3fdf4a15c36a4d5ef3

SHA256
b59193db470ae612720f99209f85c545fa08ba68a00911426e7c21a2518ff136

SHA512
800e89fa2918116b488154de2d46edd26e873d0ab66be6ddb1e1ddb7593b28b246bbf35b9aa522ce225f329435af192c4fadb65ff4c2aa251701cbba07e6b3f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
45b34271566af38ad8269cdb894a9af8

SHA1
0ded6f9a594c2b52f085e90e5bc99dcd8c86d3b8

SHA256
dd6344c4ab7c8d484e7fb0c6b3fde517dbe0a17cd4ff4e8d9e7d5393aa389888

SHA512
2f580ae6817fdc6c93daa7fc8b512d5be5d1a4299584372bed5e91de7f029fbf2ad35c9a879191dcfb11dd30ccd7d1f933676635154dadbf90d71b77ee7b9004

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
c12df33eb9b18a9375fd46d3299a594a

SHA1
a8e1f56a5219a94154ab3351314ffe6828e50c83

SHA256
cfd040d0d996491ce884f35c1b38dbac8ff64ea5d7ce7a5f9c6ab21fe2c20395

SHA512
d8fa1f38c1195ce31e3068d439c7096d936b934baa44bc031a047e32ac2d2da8eae7be3ee7b9acd266234bcb41dabc327a45aff679aca8f39cb6702e852d2126

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
704658d08f01007b4f6cca5fe9c6e2de

SHA1
d56df500693247781f445b82a3e442609b027b49

SHA256
6676e2cd0e242a17ed8ff7a66ed004f2c1d89de82579bbfe7325b186d373dee1

SHA512
a8ddb7ba49040384a532a4a0d89431ec80a3112544fecc10aa4e5e4b773a2ce888462eb245fd57b7da73e0a2804ad55fe88b552b8bba0f7f48fc9d1ece6835ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
103KB

MD5
9b960d78213e9cb83de132e451e93c40

SHA1
6a702f518c34ca25b221f779c7168b51ae2f3599

SHA256
9a4a5eefd2753124d6fcec3849e721818faf0598911275964c9fc9bcfdd583d5

SHA512
dc08f109922197e0af3ce591dfa2238039c32ebe72fde2b0ad6996eedbccfcc4ef0c25b47832e259f837562b33bda6e6eb9f20914d06a4066243462cc7e35613

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe599b0d.TMP
Filesize
96KB

MD5
fcfcdce51e9045a59cf2cfa082f165df

SHA1
a1ac85f5696ba1f3f8e9023d92a326a09f144f8a

SHA256
358c94fd276c11313bc71887b4fa2ec0050adba4e8e51a4a9beac4e74b011fe4

SHA512
9f9d98d605c3694edb49f4d64f57a299d2ad1f9e1e5eb35204ebafd8fa60b43c1a70ddfa04c4e4faa69e8b818ab816a2505675755647883a1732c8138b3bf202

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ulhs4fw.exe
Filesize
2.3MB

MD5
15ed053f0f9a4d5517c7e4bf886a6e3c

SHA1
d26b29f62c9083957686641958dbdda483caa388

SHA256
29f8ee2a6b46cb988e0632787523c8990d0b82f2bfefa64429d2659d416f5ff5

SHA512
5b94528924469c9fbb5ce0b77705670f62854a154707f0fb2387f274436a3305164b05489d09861f22a34c128cb0f7147b1fc6d7999108817173367553973faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS066484BB\311d8e79-f5c1-4a1c-9a75-1c9cce862b9a\UnifiedStub-installer.exe\assembly\dl3\6ee1b748\032b6022_57cbda01\rsJSON.DLL
Filesize
216KB

MD5
8528610b4650860d253ad1d5854597cb

SHA1
def3dc107616a2fe332cbd2bf5c8ce713e0e76a1

SHA256
727557ec407cadd21aa26353d04e6831a98d1fa52b8d37d48e422d3206f9a9c4

SHA512
dd4ff4b6d8bc37771416ceb8bd2f30d8d3d3f16ef85562e8485a847a356f3644d995942e9b1d3f9854c5b56993d9488e38f5175f3f430e032e4091d97d4d1f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS066484BB\311d8e79-f5c1-4a1c-9a75-1c9cce862b9a\UnifiedStub-installer.exe\assembly\dl3\93a52b02\41536022_57cbda01\rsLogger.DLL
Filesize
179KB

MD5
148dc2ce0edbf59f10ca54ef105354c3

SHA1
153457a9247c98a50d08ca89fad177090249d358

SHA256
efe944c3ae3ad02011e6341aa9c2aab25fb8a17755ea2596058d70f8018122a4

SHA512
10630bd996e9526147b0e01b16279e96a6f1080a95317629ecb61b83f9ebee192c08201873ff5df2de82d977558b2eeb0e4808667083cd0f3bf9f195db4890d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS066484BB\311d8e79-f5c1-4a1c-9a75-1c9cce862b9a\UnifiedStub-installer.exe\assembly\dl3\b8765b34\18485222_57cbda01\rsAtom.DLL
Filesize
157KB

MD5
3ae6f007b30db9507cc775122f9fc1d7

SHA1
ada34eebb84a83964e2d484e8b447dca8214e8b7

SHA256
892a7ee985715c474a878f0f27f6832b9782d343533e68ae405cd3f20d303507

SHA512
5dd37e9f2ac9b2e03e0d3fd6861c5a7dcb71af232672083ac869fc7fae34ac1e1344bdfabe21c98b252edd8df641f041c95ea669dc4ebb495bf269d161b63e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS066484BB\311d8e79-f5c1-4a1c-9a75-1c9cce862b9a\UnifiedStub-installer.exe\assembly\dl3\d1943265\58796022_57cbda01\rsServiceController.DLL
Filesize
173KB

MD5
8e10c436653b3354707e3e1d8f1d3ca0

SHA1
25027e364ff242cf39de1d93fad86967b9fe55d8

SHA256
2e55bb3a9cdef38134455aaa1ef71e69e1355197e2003432e4a86c0331b34e53

SHA512
9bd2a1ae49b2b3c0f47cfefd65499133072d50628fec7da4e86358c34cf45d1fdb436388b2dd2af0094a9b6f7a071fb8453cf291cf64733953412fdf2457d98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS066484BB\48246dbb-fda5-4060-b5cf-c441a389a805\UnifiedStub-installer.exe\assembly\dl3\37a778d4\5ff936f8_56cbda01\rsAtom.DLL
Filesize
158KB

MD5
f2c6d0704191203c591b7257beff2d57

SHA1
0f8e468f8c26b71c5162b33caa812fa48bac8dd6

SHA256
ea791c403f402fbe8763d1adbb3a317463562a42757aa74d96505f2a4997585e

SHA512
2637921c04e98b14085778f85716e92efb76f9a50a0a9c1793b0310043ad60413642199e49f72eccdb4d2cbdbaeccf87ed83bd49976e6409b10916ef0218be08

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS066484BB\48246dbb-fda5-4060-b5cf-c441a389a805\UnifiedStub-installer.exe\assembly\dl3\3aef8839\d5c743f8_56cbda01\rsServiceController.DLL
Filesize
175KB

MD5
3c11f1f4ab1b51e92af5210a25cb1a98

SHA1
f34e01f036d6279cb99ad36b7ad4f93875055ef1

SHA256
aadf52eefbc4330a9af62a2554635bc4f6d9503e0689ba86ee56c194b34d6382

SHA512
f872d8ec41c38e2c6527e4dd5285f7f877fe0714e94fde304f62b37b6f300d5bae38943df0c62dfa829886b0adbed01f6af14bdb8353ff6fdf73acedeb5ffcb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS066484BB\48246dbb-fda5-4060-b5cf-c441a389a805\UnifiedStub-installer.exe\assembly\dl3\6cb045bb\47105276_eeb0da01\rsStubLib.dll
Filesize
255KB

MD5
fa4e3d9b299da1abc5f33f1fb00bfa4f

SHA1
9919b46034b9eff849af8b34bc48aa39fb5b6386

SHA256
9631939542e366730a9284a63f1d0d5459c77ec0b3d94de41196f719fc642a96

SHA512
d21cf55d6b537ef9882eacd737e153812c0990e6bdea44f5352dfe0b1320e530f89f150662e88db63bedf7f691a11d89f432a3c32c8a14d1eb5fc99387420680

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS066484BB\48246dbb-fda5-4060-b5cf-c441a389a805\UnifiedStub-installer.exe\assembly\dl3\eafeb1db\375243f8_56cbda01\rsLogger.DLL
Filesize
179KB

MD5
683e19faf979c5ab2ae5919f0b3d1485

SHA1
8453dbc5029e96e4c42cf96b327aef987b15b9e8

SHA256
60834a138a215289237b1f99c05489e7bda8e8c4357ef8e96d7914ef270e5ca8

SHA512
0b3764b1fe3b7fe10f7b78243f5a91c8563816eb19dad8d06e31dcaf6898ecfce667fe2585cff4dacc2a2650cd09428b5e4f2ff58baa54855e9749dc4f5d44f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS066484BB\48246dbb-fda5-4060-b5cf-c441a389a805\UnifiedStub-installer.exe\assembly\dl3\f13ed33b\cd9042f8_56cbda01\rsJSON.DLL
Filesize
219KB

MD5
8740daedb5e9ab8a48389ee3088a9c16

SHA1
4d821d8523ee72ebe2cd3e74e3c0cdcea7038d92

SHA256
8c0123b38ef50dc9aa0cb7c56028ae9c031425ab812ee0b56ff396c35b7af95a

SHA512
e847f7bd7c02662196b1bdbbd1073e21bb185c4a2d19c351b643de80c3efca661c126f9ebd834373d1baf56e8a67d03ce9624132d35f4a8deeec00d4a3236b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio10432963933932799360.tmp
Filesize
1KB

MD5
221b956bbee7bed6bf0268c1848b6c1f

SHA1
c650115597bb2132e4a6f31676e8e176b0fde541

SHA256
8656449ea4832516a12a3b0bad4b0405c75bd3dee8ec88881060b9dcb159509c

SHA512
3f222d3517badaacf1465bd03ec274b718c6cab25c182b2e522eceba36e27d5e09c1bd220c73b9c15b6877e823340370c4f41a698f3ac1fdedbb0a5b01ba564f

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio11371133244822737295.tmp
Filesize
1KB

MD5
030b1e8197ccde1ea0752adf5793c9c6

SHA1
de5b7be8f2f6034606b4da82e9eab42db273f436

SHA256
8e0421f72670cb77f971553fb170dc68a49b537591b2827a0f5b4ef2f79fefc7

SHA512
bc8eb953da5e77fd336ea8ee83587d9b5bf907859a4a574624dfb6023a2562e7c028c94f618b3890a6e6b3f182ad08fb4abbd6577b2b2584ad2ba6b7d8c6973b

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio14136135674265155917.tmp
Filesize
692B

MD5
25c4e70099f2daf3f04fafa8b5a05aaf

SHA1
7a8c3d9b4479a1814be2eb2a91994a5cc337ede2

SHA256
1f45ce3f19719abff65e94f65bbedd3283922c9541dcc723382d7bd32933f481

SHA512
471e9a3c99a491f63abf20b4e9ed9a05f0e456206c0ecca48716bad1addb97380b19a523a4f8b9a5869a974cc827838e24087e2fc54cf1de9392e080121d441f

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio18190998089811865745.tmp
Filesize
1KB

MD5
ffe699a13ebc36887b49346a518460b0

SHA1
7f9a78d6373ed06589c963b48621c532439c749e

SHA256
4e63c145af2f345670e4f59f992bd8cffb4adea6771d6f92141b17e5036744d9

SHA512
acbd257144ef802a504f67e7628af54075474f5d2d6fd6ebb8abef5b319e184dea84e8c3b3399e768794571e8203180ad259c7f782b6de636e0a004963f0e2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio3086471467967102901.tmp
Filesize
1KB

MD5
823c02547be99f8191ea69269d973050

SHA1
8f69c092f13856dbe86cc2de54c93b2848f4e012

SHA256
493eb1bbca7ead6119a584beaa6e39f909bd38c3e1ccdf0a36abbf7b0d81c27f

SHA512
7f6fca9881cbb359ae12d19673cf9406ed7d50987bed7406a39c7be231a9fe3c30cd1e90ae9997588eb274382b28ae8725511f8ce54de73048453acd7590dacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio4043189394454761718.tmp
Filesize
476B

MD5
1b67471cba6bc5ad662b0611441df3a0

SHA1
a59b8e59ac9889bd1e427ff9758e9b1018798838

SHA256
0fad867898dd730b558da7f189e03ef57c0c605e02837b3b03e746ff48e67cff

SHA512
3661ab1aeced113cefd899b06a179a468f92b3ea16570e8df9d0c6da5dc735c4f4b41d1ade17330097b08d98d076b66e2ecd8016a55abec9cd18ac6eee7a7c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio4208638173432396952.tmp
Filesize
1KB

MD5
661d8692a070d5b2a26008313517f38e

SHA1
960baee8adf4a4c56a8e8311b0a88d80f629600d

SHA256
f7d4cb9e0c90eb3cadd21142f96845e7fa823f6748accf24f1b5e42cffe93e45

SHA512
c6d0185993787ee4ece986bb2c6647c99902e013acb62831e72b48769442e3d1a8185aab5eec3705e4b8a4aaf71d38a6fabac638bb803dbe4310c3994602e8fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio468271461682743356.tmp
Filesize
557B

MD5
40f34b6525884ae79d38b0dfa289e945

SHA1
f59ea4084fcc4bcff0400bf28ddc7f3910f8c49d

SHA256
a1fdffac95ced65d5a3a3c9b3a379c85dea96000a2b341b19d0dee014f0953be

SHA512
df9986b825ea3ea07a0e166553d338f9415c65473093da2b84bd15ddc0dd8a7f3486cb5d8cd8473878e50caace57b3e293abacfcec32bf6d877640f5c805597d

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio6210374701410710343.tmp
Filesize
1KB

MD5
36d1d531c3ee365ce44ab56484d5c247

SHA1
aaa7aecc30575d3ce0843b0ae010688a578a00f3

SHA256
7fe4e2425c5ff3f7752d2dc0931df2fcf09b0541b2ef1686c959b391cb9842e7

SHA512
f351910a6c68f314d1a0a6f29f7f34ca203b8636a55d85c0ae76ba6e31bc0ad9b9bfc66263a819c9fe38844d58bbefea687b0377d4e8ca534672d4f47b2fe942

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BO642.tmp\RAV_Cross.png
Filesize
74KB

MD5
cd09f361286d1ad2622ba8a57b7613bd

SHA1
4cd3e5d4063b3517a950b9d030841f51f3c5f1b1

SHA256
b92a31d4853d1b2c4e5b9d9624f40b439856d0c6a517e100978cbde8d3c47dc8

SHA512
f73d60c92644e0478107e0402d1c7b4dfa1674f69b41856f74f937a7b57ceaa2b3be9242f2b59f1fcf71063aac6cbe16c594618d1a8cdd181510de3240f31dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BO642.tmp\WebAdvisor.png
Filesize
33KB

MD5
db6c259cd7b58f2f7a3cca0c38834d0e

SHA1
046fd119fe163298324ddcd47df62fa8abcae169

SHA256
494169cdd9c79eb4668378f770bfa55d4b140f23a682ff424441427dfab0ced2

SHA512
a5e8bb6dc4cae51d4ebbe5454d1b11bc511c69031db64eff089fb2f8f68665f4004f0f215b503f7630a56c995bbe9cf72e8744177e92447901773cc7e2d9fdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BO642.tmp\loader.gif
Filesize
10KB

MD5
f23a523b82ad9103a9ac1dcc33eca72f

SHA1
5363bb6b51923441ef56638576307cc252f05a71

SHA256
59853c413b0813ded6f1e557959768d6662f010f49884d36b62c13038fac739c

SHA512
514ec63f7ed80d0708f7e2355fad8a558b4dcf2d0122ff98fe7c3ca1f40e7cd04e8869ca7a3b95622c0848c0d99306d7e791b86ca69b9e240beae959ca6285be

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BO642.tmp\prod0.exe
Filesize
32KB

MD5
a6df04236c13b05f85259739fa26e172

SHA1
184491b8c25f57767809aa70f1c32511d13a0fe2

SHA256
859fbd546d6dcd762a7e5a8bcf5687b9bb2b0f93c21c13cf85c2668244229650

SHA512
e06aa06b0db98f95d2dca8fa2306efda7845e227379e2c622471cee965c0fe15aa9c135922c99ce2ded9c8445d7bd7716092bb739e45171e62d99c2b514dd415

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BO642.tmp\prod1.zip
Filesize
515KB

MD5
f68008b70822bd28c82d13a289deb418

SHA1
06abbe109ba6dfd4153d76cd65bfffae129c41d8

SHA256
cc6f4faf4e8a9f4d2269d1d69a69ea326f789620fb98078cc98597f3cb998589

SHA512
fa482942e32e14011ae3c6762c638ccb0a0e8ec0055d2327c3acc381dddf1400de79e4e9321a39a418800d072e59c36b94b13b7eb62751d3aec990fb38ce9253

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BO642.tmp\prod1_extract\installer.exe
Filesize
28.1MB

MD5
8d6d7d2b4b15a56c187288485d57f2a3

SHA1
06980d9bb48deb03fcc34734d45a12a7e73a174e

SHA256
eeed21499b9903b7d8d09392db96475c432ada134afc8ac68099bcf4238dae05

SHA512
e6c3a2d2e956ff8cba77b824e1e9daeb25bce8350c85bd26f5184d5ce9d08e0c76bbdb3772e671a87eb50daeaa45966064cce09374bd6b68985bac90dfefd41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BO642.tmp\prod1_extract\saBSI.exe
Filesize
1.1MB

MD5
143255618462a577de27286a272584e1

SHA1
efc032a6822bc57bcd0c9662a6a062be45f11acb

SHA256
f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

SHA512
c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BO642.tmp\zbShieldUtils.dll
Filesize
2.0MB

MD5
b83f5833e96c2eb13f14dcca805d51a1

SHA1
9976b0a6ef3dabeab064b188d77d870dcdaf086d

SHA256
00e667b838a4125c8cf847936168bb77bb54580bc05669330cb32c0377c4a401

SHA512
8641b351e28b3c61ed6762adbca165f4a5f2ee26a023fd74dd2102a6258c0f22e91b78f4a3e9fba6094b68096001de21f10d6495f497580847103c428d30f7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MMMI4.tmp\frostwire-6.13.2.windows.tmp
Filesize
3.0MB

MD5
f2715a9e9a8bae265b65108b9f823c4b

SHA1
1e47977af8b2626eb58922312d24714d6aebce1f

SHA256
98f0a2bbe10ee11749c9ee6e6b8a222e3fac7121b9113053124c1ef6d39e21d5

SHA512
10f8c415cadecd9f5d4bbc1da877bc659beb85c065cfacb0bce851b409aeeed8704ffd31b1161db222893256e968502331d0bcc93379655b585047ba2090996f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss394E.tmp\System.dll
Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss394E.tmp\inetc.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss394E.tmp\nsExec.dll
Filesize
6KB

MD5
08e9796ca20c5fc5076e3ac05fb5709a

SHA1
07971d52dcbaa1054060073571ced046347177f7

SHA256
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af

SHA512
02618317d6ab0302324aae4d3c5fca56b21e68c899e211cfa9412cf73820a1f931e56753c904fd7e510c638b4463aedbfe9536790279e096ea0387b67013e0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite-3.43.0.0-87e6274d-0b6a-4c7c-b01c-6ed772a0886b-sqlitejdbc.dll
Filesize
926KB

MD5
3264e4962850cf05474810a8b6a496db

SHA1
34f9422e0d695c7ee9b7c7fba6148e3057de6cd6

SHA256
7f99b81b58540d3e08a8766b0cf06857afb1550d285ef6d1be4a29e504f5c09f

SHA512
ed8dd2f368106d4ebe4db41b3f08e3f9c3ee3a45e808410be2a37baa6c9bcf48d1fcea8e4c0e14f9782328ac2201792f0b24bb0dcdeb4ac945cade28c5ded006

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize
8KB

MD5
14710687a2d6aa5b46feb1b817f7410f

SHA1
db42a724a51553c48f3952cda22148ef0799ce06

SHA256
1273ceb322cbc846628fb4278a15522f7607dfcff7cc6051e989e5b3e31dac6e

SHA512
c1fdbd424062ca42c93698b5609528891764fb126f5ef42d0532fe02baf938c083d4b677e3bd7b4b40289b7583c8f883df0e6d66d10fb6762bdb4315e789e429

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize
11KB

MD5
f9002871739bc92a1fc04236dce5cc5c

SHA1
db0604d00fa8dce13e88a0e4d643ea19b186f168

SHA256
053ad57fcc20963262e27c9e3e7f529c1a64c2a1c9bacef3ec7c4fdea109cd75

SHA512
471009069cb2c2a36223b725d23e09e886a8a22736b8cde61ba49ea03f0adf795273688a2e73310c86be67c0bc683aad577265558ad2779b809b05d6706a03bd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 362262.crdownload
Filesize
2.5MB

MD5
bd352ada33c61ceb9db09d3601b302bc

SHA1
2ece05e008eca40c17172ae72b5c0d29f81b664b

SHA256
887c5af40ba3a354696ee0be278d482bdca6a262e3a0520bb32368ca17ac5357

SHA512
aa5e49f0101c066068261dedd4a80f068fd46f5f4b2778b665e81bd688e07ba5f387ec029919b9ad1fad00df72b57ea0bbe754d86e51dded90fa370edf2a5935

Download Submit
\??\pipe\crashpad_4444_QXEUWVZOLUDYOVAC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1028-808-0x0000000004C50000-0x0000000004D90000-memory.dmp

Filesize
1.2MB

Download
memory/1028-824-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/1028-782-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/1028-780-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/1028-797-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/1028-1450-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/1028-810-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/1028-819-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/1028-823-0x0000000004C50000-0x0000000004D90000-memory.dmp

Filesize
1.2MB

Download
memory/1028-784-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/1028-833-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/1028-834-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/1028-812-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/1028-818-0x0000000004C50000-0x0000000004D90000-memory.dmp

Filesize
1.2MB

Download
memory/1028-813-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/1028-1139-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/1028-1174-0x0000000004C50000-0x0000000004D90000-memory.dmp

Filesize
1.2MB

Download
memory/3612-1599-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1615-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1595-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1593-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1594-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1592-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1587-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1588-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1589-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1591-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1590-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1617-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1596-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1618-0x00007FF6D5670000-0x00007FF6D5680000-memory.dmp

Filesize
64KB

Download
memory/3612-1638-0x00007FF6F2E20000-0x00007FF6F2E30000-memory.dmp

Filesize
64KB

Download
memory/3612-1606-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1614-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1613-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1612-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1598-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1616-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1600-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1611-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1601-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1610-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1603-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1597-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1609-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1607-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1604-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1608-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3612-1605-0x00007FF6D8A70000-0x00007FF6D8A80000-memory.dmp

Filesize
64KB

Download
memory/3852-5780-0x0000020454C30000-0x0000020454C60000-memory.dmp

Filesize
192KB

Download
memory/3852-2596-0x00000204548A0000-0x00000204548F8000-memory.dmp

Filesize
352KB

Download
memory/3852-5796-0x0000020454C30000-0x0000020454C5A000-memory.dmp

Filesize
168KB

Download
memory/3852-5767-0x0000020454BB0000-0x0000020454BEA000-memory.dmp

Filesize
232KB

Download
memory/3852-7742-0x0000020453F50000-0x0000020453F7E000-memory.dmp

Filesize
184KB

Download
memory/3852-1319-0x0000020454590000-0x00000204545CA000-memory.dmp

Filesize
232KB

Download
memory/3852-7653-0x0000020453EC0000-0x0000020453EEA000-memory.dmp

Filesize
168KB

Download
memory/3852-1316-0x0000020439ED0000-0x0000020439FE0000-memory.dmp

Filesize
1.1MB

Download
memory/3852-4128-0x0000020454B50000-0x0000020454BA6000-memory.dmp

Filesize
344KB

Download
memory/3852-1602-0x0000020454540000-0x000002045456A000-memory.dmp

Filesize
168KB

Download
memory/3852-1317-0x00000204543F0000-0x0000020454432000-memory.dmp

Filesize
264KB

Download
memory/3852-1318-0x000002043BB70000-0x000002043BBA0000-memory.dmp

Filesize
192KB

Download
memory/3852-7466-0x0000020453EC0000-0x0000020453EF0000-memory.dmp

Filesize
192KB

Download
memory/3852-5815-0x0000020454D70000-0x0000020454D9E000-memory.dmp

Filesize
184KB

Download
memory/3852-7313-0x0000020453E40000-0x0000020453E78000-memory.dmp

Filesize
224KB

Download
memory/3852-6829-0x0000020453D50000-0x0000020453D98000-memory.dmp

Filesize
288KB

Download
memory/3952-783-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3952-781-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3952-775-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3952-773-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3952-1465-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4516-1140-0x000001EFF96B0000-0x000001EFF9BD8000-memory.dmp

Filesize
5.2MB

Download
memory/4516-1138-0x000001EFDEB70000-0x000001EFDEB78000-memory.dmp

Filesize
32KB

Download
memory/4588-6118-0x000001ACDA070000-0x000001ACDA204000-memory.dmp

Filesize
1.6MB

Download
memory/4588-6117-0x000001ACBF920000-0x000001ACBF948000-memory.dmp

Filesize
160KB

Download
memory/4588-6123-0x000001ACBF920000-0x000001ACBF948000-memory.dmp

Filesize
160KB

Download
memory/5976-5846-0x0000018287060000-0x000001828708E000-memory.dmp

Filesize
184KB

Download
memory/5976-5849-0x0000018287060000-0x000001828708E000-memory.dmp

Filesize
184KB

Download
memory/5976-5862-0x0000018288D60000-0x0000018288D72000-memory.dmp

Filesize
72KB

Download
memory/5976-5865-0x0000018288DC0000-0x0000018288DFC000-memory.dmp

Filesize
240KB

Download
memory/5984-7767-0x000001E0F1180000-0x000001E0F11B8000-memory.dmp

Filesize
224KB

Download
memory/6220-6199-0x0000013077D90000-0x0000013077DC8000-memory.dmp

Filesize
224KB

Download
memory/6220-6374-0x0000013079E80000-0x0000013079E88000-memory.dmp

Filesize
32KB

Download
memory/6220-6413-0x000001307AB70000-0x000001307AB92000-memory.dmp

Filesize
136KB

Download
memory/6220-6161-0x0000013078420000-0x0000013078710000-memory.dmp

Filesize
2.9MB

Download
memory/6220-6367-0x00000130790E0000-0x00000130790F6000-memory.dmp

Filesize
88KB

Download
memory/6220-6368-0x0000013077F80000-0x0000013077F8A000-memory.dmp

Filesize
40KB

Download
memory/6220-6401-0x000001307A950000-0x000001307A958000-memory.dmp

Filesize
32KB

Download
memory/6220-6391-0x000001307A2E0000-0x000001307A330000-memory.dmp

Filesize
320KB

Download
memory/6220-6375-0x0000013079EB0000-0x0000013079EBA000-memory.dmp

Filesize
40KB

Download
memory/6220-6162-0x000001305F420000-0x000001305F44E000-memory.dmp

Filesize
184KB

Download
memory/6220-6220-0x0000013078390000-0x00000130783EE000-memory.dmp

Filesize
376KB

Download
memory/6512-5922-0x000002289E490000-0x000002289E7F6000-memory.dmp

Filesize
3.4MB

Download
memory/6512-5929-0x000002289E150000-0x000002289E172000-memory.dmp

Filesize
136KB

Download
memory/6512-5928-0x0000022885910000-0x000002288592A000-memory.dmp

Filesize
104KB

Download
memory/6512-5927-0x000002289E310000-0x000002289E48C000-memory.dmp

Filesize
1.5MB

Download
memory/6920-5932-0x0000020C104C0000-0x0000020C1051A000-memory.dmp

Filesize
360KB

Download
memory/6920-5983-0x0000020C29B50000-0x0000020C29DAE000-memory.dmp

Filesize
2.4MB

Download
memory/6920-5953-0x0000020C29530000-0x0000020C29B48000-memory.dmp

Filesize
6.1MB

Download
memory/6920-5948-0x0000020C0ECD0000-0x0000020C0ED02000-memory.dmp

Filesize
200KB

Download
memory/6920-5938-0x0000020C0E840000-0x0000020C0E89C000-memory.dmp

Filesize
368KB

Download
memory/6920-5935-0x0000020C0ECA0000-0x0000020C0ECC8000-memory.dmp

Filesize
160KB

Download
memory/6920-5931-0x0000020C0E840000-0x0000020C0E89C000-memory.dmp

Filesize
368KB

Download
memory/6940-6218-0x000001387CFA0000-0x000001387CFDA000-memory.dmp

Filesize
232KB

Download
memory/6940-6243-0x000001387D050000-0x000001387D084000-memory.dmp

Filesize
208KB

Download
memory/6940-6385-0x000001387D450000-0x000001387D492000-memory.dmp

Filesize
264KB

Download
memory/6940-6404-0x000001387D4A0000-0x000001387D4D2000-memory.dmp

Filesize
200KB

Download
memory/6940-6405-0x000001387D0F0000-0x000001387D0F8000-memory.dmp

Filesize
32KB

Download
memory/6940-6406-0x000001387E520000-0x000001387E546000-memory.dmp

Filesize
152KB

Download
memory/6940-6350-0x000001387E890000-0x000001387EE34000-memory.dmp

Filesize
5.6MB

Download
memory/6940-6443-0x000001387D110000-0x000001387D118000-memory.dmp

Filesize
32KB

Download
memory/6940-6448-0x000001387F370000-0x000001387F616000-memory.dmp

Filesize
2.6MB

Download
memory/6940-6453-0x000001387E5F0000-0x000001387E61C000-memory.dmp

Filesize
176KB

Download
memory/6940-6462-0x000001387E6A0000-0x000001387E720000-memory.dmp

Filesize
512KB

Download
memory/6940-6472-0x000001387E720000-0x000001387E788000-memory.dmp

Filesize
416KB

Download
memory/6940-6478-0x000001387E620000-0x000001387E64A000-memory.dmp

Filesize
168KB

Download
memory/6940-6487-0x000001387E810000-0x000001387E886000-memory.dmp

Filesize
472KB

Download
memory/6940-6347-0x000001387D3E0000-0x000001387D446000-memory.dmp

Filesize
408KB

Download
memory/6940-6774-0x000001387F620000-0x000001387F796000-memory.dmp

Filesize
1.5MB

Download
memory/6940-6082-0x000001387C0C0000-0x000001387C120000-memory.dmp

Filesize
384KB

Download
memory/6940-5993-0x000001387C020000-0x000001387C050000-memory.dmp

Filesize
192KB

Download
memory/6940-6328-0x000001387D090000-0x000001387D0BA000-memory.dmp

Filesize
168KB

Download
memory/6940-6832-0x000001387E790000-0x000001387E7C2000-memory.dmp

Filesize
200KB

Download
memory/6940-7262-0x000001387F120000-0x000001387F174000-memory.dmp

Filesize
336KB

Download
memory/6940-6388-0x000001387EE40000-0x000001387F0C0000-memory.dmp

Filesize
2.5MB

Download
memory/6940-6223-0x000001387CFE0000-0x000001387D008000-memory.dmp

Filesize
160KB

Download
memory/6940-7311-0x000001387E650000-0x000001387E678000-memory.dmp

Filesize
160KB

Download
memory/6940-7374-0x000001387E7D0000-0x000001387E7FE000-memory.dmp

Filesize
184KB

Download
memory/6940-6219-0x000001387CEC0000-0x000001387CEE6000-memory.dmp

Filesize
152KB

Download
memory/6940-6212-0x000001387CF30000-0x000001387CF96000-memory.dmp

Filesize
408KB

Download
memory/6940-6209-0x000001387D150000-0x000001387D3D6000-memory.dmp

Filesize
2.5MB

Download
memory/6940-6205-0x000001387C710000-0x000001387C75F000-memory.dmp

Filesize
316KB

Download
memory/6940-6202-0x000001387CB50000-0x000001387CEB9000-memory.dmp

Filesize
3.4MB

Download
memory/6940-7530-0x000001387F180000-0x000001387F1CE000-memory.dmp

Filesize
312KB

Download
memory/6940-7641-0x000001387F7A0000-0x000001387F8A0000-memory.dmp

Filesize
1024KB

Download
memory/6940-6119-0x000001387C050000-0x000001387C076000-memory.dmp

Filesize
152KB

Download
memory/6940-6163-0x000001387C880000-0x000001387C8DE000-memory.dmp

Filesize
376KB

Download
memory/6940-7724-0x000001387F8A0000-0x000001387F9AA000-memory.dmp

Filesize
1.0MB

Download
memory/6940-6160-0x000001387C7F0000-0x000001387C81E000-memory.dmp

Filesize
184KB

Download
memory/6940-6154-0x000001387C120000-0x000001387C146000-memory.dmp

Filesize
152KB

Download
memory/6940-6120-0x000001387C080000-0x000001387C0A8000-memory.dmp

Filesize
160KB

Download
memory/6940-6124-0x000001387C160000-0x000001387C198000-memory.dmp

Filesize
224KB

Download
memory/6940-6139-0x000001387C690000-0x000001387C6C2000-memory.dmp

Filesize
200KB

Download
memory/6940-6140-0x000001387C760000-0x000001387C7E6000-memory.dmp

Filesize
536KB

Download