hxxp://q | Triage

Analysis

max time kernel
601s
max time network
620s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
01/09/2023, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://q

Score

7^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 22 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers	reg.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6F3DD387-5AF2-492B-BDE2-30FF2F451241}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0029-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0016-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6E13370-30AC-11D0-A18C-00A0C9118956}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0075-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0065-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0049-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0065-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0068-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0006-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0097-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0040-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0040-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0059-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{000CDB0D-0000-0000-C000-000000000046}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0091-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0081-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0086-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C100BEE3-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0039-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0049-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0088-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0060-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0093-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DC67E480-C3CB-49F8-8232-60B0C2056C8E}\LocalServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0082-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0054-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0007-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0056-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0086-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0079-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5512D114-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0046-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0098-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0055-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0013-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AC14BBFA-7475-4E47-87A2-F36C170A7F66}\InProcServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0044-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0020-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{000209F2-0000-0000-C000-000000000046}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0051-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0063-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0058-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0031-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{13516F23-4A53-4282-A462-CC1571129539}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE39F3DA-1B13-11D0-887F-00A0C90F2744}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0069-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0012-ABCDEFFEDCBA}\InprocServer32	reg.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\4272278488\3302449443.pri	SecHealthUI.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3128	1460	WerFault.exe	100
6232	6048	WerFault.exe	291
6364	6312	WerFault.exe	294
6480	3636	WerFault.exe	55

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 809830144adcd901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3FD95815-483D-11EE-9F6D-76204EA362E2} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ef9dfcadc5ac4f41a8ccd05ee29a9e33000000000200000000001066000000010000200000004d3d4f6f899f560b02d1d4b16e44783cc4840fe849ebc270ab0a88c0c84e6965000000000e8000000002000020000000037e66ad3d0657ccfbb133527027b319ec53fd0fc9368bc28b27549eec0d0a5a20000000dc11baef785efbfb36ba7e8fa319d1382e596c13d47ed07d3b583d0bb89f9416400000005a4f031c80f1cac5b53af7c0d38db9a25f465fb9510f59c23268182f0ea20083e670eece1d1d728cb70628d8f2fc257ee01f4f905bb076676ebda52b45797656	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70cb21144adcd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ef9dfcadc5ac4f41a8ccd05ee29a9e3300000000020000000000106600000001000020000000d944c31f3e8a8d49aef1afb4be28dd3663adc45b04f52a9735651c6db42ca370000000000e800000000200002000000014241df84540d4c3338535e16c77862b52993d0e6fcece5a740a51b1d786d40a2000000083bf1ffb23e8b05808b16d7c4f78395aee013d887a4a49a55de4a990383f91a1400000002efaa42d75822c42f6b5d443cddb175a367a083ffda9ef4bd2660b4086f3e6ce7752ebd68c8e6efd065b39a9ba1742e63c872be1c109d0ff4d7c9504e181ada6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020827-0000-0000-C000-000000000046}\LocalServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82B02375-B5BC-11CF-810F-00A0C9030074}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0073-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\AppXvepbp3z66accmsd0x877zbbxjctkpr6t\Shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0059-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\DataFormats	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{000209F4-0000-0000-C000-000000000046}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0085-ABCDEFFEDCBC}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.xltx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AccDictionary.AccDictionary\CurVer	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\AppXtkjk7ve8gcvsz7s2y4kkf56wrmb5edr7\Shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020906-0000-0000-C000-000000000046}\Conversion\Readable	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C4C4C4FC-0049-4E2B-98FB-9537F6CE516D}\Instance\Encrypt/Tag	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0081-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0013-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioCD\shell\PlayWithVLC	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CATFile	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{18A06B6B-2F3F-4e2b-A611-52BE631B2D22}\AuxUserType	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3BE786A0-0366-4F5C-9434-25CF162E475E}\ExtendedErrors\{3BE786A0-0366-4F5C-9434-25CF162E475F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5512D112-5CC6-11CF-8D67-00AA00BDCE1D}\ProgID	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0031-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ContentDirectory.item.audioItem\shellex\PropertySheetHandlers	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\AppX4j5v7692qeayhwcg2qhwgwbcdyrpwsc0\Shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8BD21D20-EC42-11CE-9E0D-00AA006002F3}\Implemented Categories	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0029-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0041-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0016-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0083-ABCDEFFEDCBC}\InprocServer32	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0088-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7053240-CE69-11CD-A777-00DD01143C57}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\encrypt-bde-elev	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.URL\ShellEx\{000214F9-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0075-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0062-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0088-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.m2v\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn\CurVer	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{000209F2-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VersionIndependentProgID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AC59432D-8659-48C4-A584-AFEBC920256F}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0097-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.local	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithProgIds	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0047-ABCDEFFEDCBA}\InprocServer32	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0095-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0033-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.dot\PersistentHandler	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.rat	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0031-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0060-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0022-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\DirectShow\MediaObjects\ef985e71-d5c7-42d4-ba4d-2d073e2e96f4	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5996	reg.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4844	regedit.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4728	chrome.exe
4728	chrome.exe
4188	chrome.exe
4188	chrome.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe
4444	chrome.exe
4444	chrome.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
3632	MicrosoftEdgeCP.exe
3632	MicrosoftEdgeCP.exe
3632	MicrosoftEdgeCP.exe
3632	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1756	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1756	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1756	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3112	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3112	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3112	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3112	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4612	MicrosoftEdge.exe
Token: SeDebugPrivilege	4612	MicrosoftEdge.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeDebugPrivilege	316	taskmgr.exe
Token: SeSystemProfilePrivilege	316	taskmgr.exe
Token: SeCreateGlobalPrivilege	316	taskmgr.exe
Token: 33	316	taskmgr.exe
Token: SeIncBasePriorityPrivilege	316	taskmgr.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe
316	taskmgr.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4612	MicrosoftEdge.exe
3632	MicrosoftEdgeCP.exe
1756	MicrosoftEdgeCP.exe
3632	MicrosoftEdgeCP.exe
1460	SecHealthUI.exe
3880	xpsrchvw.exe
3880	xpsrchvw.exe
3880	xpsrchvw.exe
3880	xpsrchvw.exe
4936	iexplore.exe
4936	iexplore.exe
4508	IEXPLORE.EXE
4508	IEXPLORE.EXE
4888	notepad.exe
4888	notepad.exe
4888	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3632 wrote to memory of 3112	3632	MicrosoftEdgeCP.exe	74
PID 3632 wrote to memory of 3112	3632	MicrosoftEdgeCP.exe	74
PID 3632 wrote to memory of 3112	3632	MicrosoftEdgeCP.exe	74
PID 3632 wrote to memory of 3112	3632	MicrosoftEdgeCP.exe	74
PID 3632 wrote to memory of 3112	3632	MicrosoftEdgeCP.exe	74
PID 3632 wrote to memory of 3112	3632	MicrosoftEdgeCP.exe	74
PID 4728 wrote to memory of 1152	4728	chrome.exe	78
PID 4728 wrote to memory of 1152	4728	chrome.exe	78
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 3660	4728	chrome.exe	80
PID 4728 wrote to memory of 4416	4728	chrome.exe	81
PID 4728 wrote to memory of 4416	4728	chrome.exe	81
PID 4728 wrote to memory of 2720	4728	chrome.exe	82
PID 4728 wrote to memory of 2720	4728	chrome.exe	82
PID 4728 wrote to memory of 2720	4728	chrome.exe	82
PID 4728 wrote to memory of 2720	4728	chrome.exe	82
PID 4728 wrote to memory of 2720	4728	chrome.exe	82
PID 4728 wrote to memory of 2720	4728	chrome.exe	82
PID 4728 wrote to memory of 2720	4728	chrome.exe	82
PID 4728 wrote to memory of 2720	4728	chrome.exe	82
PID 4728 wrote to memory of 2720	4728	chrome.exe	82
PID 4728 wrote to memory of 2720	4728	chrome.exe	82
PID 4728 wrote to memory of 2720	4728	chrome.exe	82
PID 4728 wrote to memory of 2720	4728	chrome.exe	82
PID 4728 wrote to memory of 2720	4728	chrome.exe	82
PID 4728 wrote to memory of 2720	4728	chrome.exe	82
PID 4728 wrote to memory of 2720	4728	chrome.exe	82
PID 4728 wrote to memory of 2720	4728	chrome.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "http://q"
1⤵
PID:4448

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4612

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2540

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe006e9758,0x7ffe006e9768,0x7ffe006e9778
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1548 --field-trial-handle=1792,i,8186136297578665396,17505832512094567850,131072 /prefetch:2
  2⤵
  PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1792,i,8186136297578665396,17505832512094567850,131072 /prefetch:8
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1792,i,8186136297578665396,17505832512094567850,131072 /prefetch:8
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2932 --field-trial-handle=1792,i,8186136297578665396,17505832512094567850,131072 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2924 --field-trial-handle=1792,i,8186136297578665396,17505832512094567850,131072 /prefetch:1
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4500 --field-trial-handle=1792,i,8186136297578665396,17505832512094567850,131072 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1792,i,8186136297578665396,17505832512094567850,131072 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 --field-trial-handle=1792,i,8186136297578665396,17505832512094567850,131072 /prefetch:8
  2⤵
  PID:3528

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:632

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:168

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1460
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1460 -s 1716
  2⤵
  - Program crash
  PID:3128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe006e9758,0x7ffe006e9768,0x7ffe006e9778
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1804 --field-trial-handle=1888,i,6864034115498175095,4408750835064831235,131072 /prefetch:8
  2⤵
  PID:592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2856 --field-trial-handle=1888,i,6864034115498175095,4408750835064831235,131072 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2848 --field-trial-handle=1888,i,6864034115498175095,4408750835064831235,131072 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2064 --field-trial-handle=1888,i,6864034115498175095,4408750835064831235,131072 /prefetch:8
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1372 --field-trial-handle=1888,i,6864034115498175095,4408750835064831235,131072 /prefetch:2
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4428 --field-trial-handle=1888,i,6864034115498175095,4408750835064831235,131072 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 --field-trial-handle=1888,i,6864034115498175095,4408750835064831235,131072 /prefetch:8
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1888,i,6864034115498175095,4408750835064831235,131072 /prefetch:8
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3732 --field-trial-handle=1888,i,6864034115498175095,4408750835064831235,131072 /prefetch:8
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1888,i,6864034115498175095,4408750835064831235,131072 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5140 --field-trial-handle=1888,i,6864034115498175095,4408750835064831235,131072 /prefetch:1
  2⤵
  PID:4284

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2764

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:316

C:\Windows\System32\xpsrchvw.exe
"C:\Windows\System32\xpsrchvw.exe" "C:\Users\Admin\Desktop\RestartConfirm.dwfx"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\CopySwitch.svg
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4936
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4936 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4508

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\Desktop\BackupInstall.reg"
1⤵
- Runs .reg file with regedit
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe006e9758,0x7ffe006e9768,0x7ffe006e9778
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 --field-trial-handle=1832,i,4681670204889485091,16941821347674740813,131072 /prefetch:8
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 --field-trial-handle=1832,i,4681670204889485091,16941821347674740813,131072 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1832,i,4681670204889485091,16941821347674740813,131072 /prefetch:2
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1832,i,4681670204889485091,16941821347674740813,131072 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1832,i,4681670204889485091,16941821347674740813,131072 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4488 --field-trial-handle=1832,i,4681670204889485091,16941821347674740813,131072 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4668 --field-trial-handle=1832,i,4681670204889485091,16941821347674740813,131072 /prefetch:8
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=1832,i,4681670204889485091,16941821347674740813,131072 /prefetch:8
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1832,i,4681670204889485091,16941821347674740813,131072 /prefetch:8
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 --field-trial-handle=1832,i,4681670204889485091,16941821347674740813,131072 /prefetch:8
  2⤵
  PID:3316

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:756

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\VIRUS.bat"
1⤵
PID:1408
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:4908
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2944
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4244
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4852
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2864
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:5016
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:312
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2900
- C:\Windows\system32\reg.exe
  reg delete hkcr /f
  2⤵
  - Modifies system executable filetype association
  - Registers COM server for autorun
  - Modifies registry class
  PID:3872
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2492
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3496
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3124
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3532
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3148
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4100
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:764
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:996
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4844
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:824
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3804
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4916
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:216
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:5044
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4192
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1000
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2872
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3300
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3000
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4048
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3348
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4400
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4472
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3284
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2724
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3864
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3084
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4540
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3008
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4884
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:660
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4040
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:5112
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4264
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2184
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4184
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1404
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4776
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4480
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2832
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3976
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:5108
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1880
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2216
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2976
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:64
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3064
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3996
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2120
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3772
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2260
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3824
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:168
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2764
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1548
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1388
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1836
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2080
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2972
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:308
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4268
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2116
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4860
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:880
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2700
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2708
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2232
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1344
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4592
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2212
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2248
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4380
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2556
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1016
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2828
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2836
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4900
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1068
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3344
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3984
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1552
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1176
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2728
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4052
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:720
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4948
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3688
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2856
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4516
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2560
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1960
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4252
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2028
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1900
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:856
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2528
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4932
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1400
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3232
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1784
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1600
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4120
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4600
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4288
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1440
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:372
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2012
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1596
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1624
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3376
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:328
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4124
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3800
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1516
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1140
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:5084
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1456
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3628
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3164
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1120
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3020
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1112
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4672
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4512
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3360
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4156
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4548
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:956
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:592
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3616
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2652
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:1268
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4396
- C:\Windows\system32\reg.exe
  reg delete hklm /f
  2⤵
  - Modifies registry key
  PID:5996
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3944
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4080
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4088
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2100
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:392
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3716
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3388
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2548
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3816
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:2732
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:6292
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:3636
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:4432
- C:\Windows\system32\fontview.exe
  fontview.exe
  2⤵
  PID:6068

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6048 -s 1536
1⤵
- Program crash
PID:6232

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6312 -s 1516
1⤵
- Program crash
PID:6364

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3636 -s 3720
1⤵
- Program crash
PID:6480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
6d908a8ecd2f1c6502f458fb20a6726c

SHA1
c08b99d4d26137fabbe7ca50bd40e943002af14e

SHA256
2e463be6d4b3319eb52cc3b989fdfe5be0e914441a966d37e6f0dd75ea2e4f88

SHA512
02b6e19d97c42d8b9fabbde14bc96752110312955c423df1375fa82632e568c06e8ef6888c68fed1d5e4edceab6881c6eacdff77bddf2f1ba1695cee793ec657

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
a3b238a2bd92e092ca1ed987be5ec5c2

SHA1
b7026b6d5cf28232fb31dbb297a421463bd3eb7d

SHA256
09576755bf265ca16205c36f4bdd3ae2135a10fdf2b961e7fae13b1a85d4cc41

SHA512
22da3e578ad3eb2054c12d69193767be43ddba8e13f626155961243f7636360b3d27c08db08e900af1872949cf8a743d04f7df8edf4b1ef042893f850a9e3878

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
a3b238a2bd92e092ca1ed987be5ec5c2

SHA1
b7026b6d5cf28232fb31dbb297a421463bd3eb7d

SHA256
09576755bf265ca16205c36f4bdd3ae2135a10fdf2b961e7fae13b1a85d4cc41

SHA512
22da3e578ad3eb2054c12d69193767be43ddba8e13f626155961243f7636360b3d27c08db08e900af1872949cf8a743d04f7df8edf4b1ef042893f850a9e3878

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
a3b238a2bd92e092ca1ed987be5ec5c2

SHA1
b7026b6d5cf28232fb31dbb297a421463bd3eb7d

SHA256
09576755bf265ca16205c36f4bdd3ae2135a10fdf2b961e7fae13b1a85d4cc41

SHA512
22da3e578ad3eb2054c12d69193767be43ddba8e13f626155961243f7636360b3d27c08db08e900af1872949cf8a743d04f7df8edf4b1ef042893f850a9e3878

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
50297e177fdb1e03e7ffd124e767ab02

SHA1
073ae0e09906558aaf09afb464a5522ff4a489cb

SHA256
5b24db3817ec400a1298ff323f3cc0c54bcc435147aaa0845324a94885a268ed

SHA512
ab7f4e74359f3e68e966848ca7955220bdfb51ac5e6768f1889854ef33d839275d56da44d8f63e491fa4b77fc94b15e9e42b61ec66f691fbd1de185da6fcb427

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
5b2647f995aa0f018d8aa302edb74818

SHA1
be4da1e20d41fa7bead5b3493261bf785ab32045

SHA256
0707125525df1275d6f3c3ed950d12561b0249eb1bf6ddfe186edd332c922288

SHA512
b4676436538d07f8389afc72145745c8a9caf7b79082a2d531d7a2e790b6050c85224cd6ff5bb835f3fab4eff9b111fda98a10c4971a6f2e6e6b174de15f5172

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
79d0784621645c8f2aa6e8d8d460479d

SHA1
7ee82b5a85652ee003860ce533ed5bd35a30b224

SHA256
b43a023f4f6dd3fa91ff114277c32463198e45cf32ea2a486d36cc582b8563a6

SHA512
a45317aa30472fc4d189e70a58111b270c19a87323021741a94d9c438121f41f96ac7b22fd2d5b494d72a00d8fe8d5ab7a8378a1c618e3a36f1522bdf2980007

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
37KB

MD5
2e767244d64e5e852cf685a3fc586576

SHA1
407edc5d1a520116add5115d68466e92707457fb

SHA256
10aea587d5291eefeb2793bd7f6ab86e5819c5fc9969a8443c3d45aed9ccbf85

SHA512
eb44e0d4d7466b97f5ae2dd18a838350ade0cf5c3693536339970b5549c3f0cef63a0e67851e8b11a56eafb2217cfc75153750ea0a6954a2af70e79ba3e41569

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
18d7bac352530d349d8672a67ad8169a

SHA1
edbec4f44bb72c2ba37fbd26cfb65f5d57fd39cb

SHA256
ef617eb0ac68ce5f84d055a63d75c618489231abf1de76747207f88e8cc7fdb4

SHA512
f848b87e12745754bca155d47ea6e027c7b4881d4c5233e25641dc3edd64b6f45d848c1aa89bae7a1b260bf9de93953b030eedaaffec91ad9afca7c6a1dfa502

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
320B

MD5
56d749fa10b42dd2cc14fca350e43ef0

SHA1
4ade6cdf3a1f6afef2f58e7865035a11ade94601

SHA256
bef5cd09d543361ab97a857ea4b2db1b66930262603b646b733a122e8526eac6

SHA512
8ac73e16ca05eade38f4291e6bd6dce6c719d0b1c79394f4d05a5b6f34048f6b3015e431e44b390e81ae69b789582400bc75d984ed58817890cab0a5b0f5c037

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
332B

MD5
735c23dba5fa295e05f6d62e10460f21

SHA1
667821b2519058d7bb6d2967906700df25f06e3d

SHA256
ea597832543f480bee13736540bd635651cde01d758bdf57a869061f7551624b

SHA512
187928781fc81959c2c404edf14705cb3c8b5f32ecdf98e1c845973c981b7e78692a46db0c1c681ccea5fa40821bf7186877bcb353ac383cd3fb727db0c6a80d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a9940684b16257cf607de0eeae2cda1a

SHA1
fcd24491e0954a47005c2bbb9b4091b4db56747b

SHA256
5fc9e1df23aab47a28dae91a0561b64b9e2ee267662470f58131f9b0a4e90c04

SHA512
c6827751f9853a6cdcd45b72be022026e2c3717b2379ef51fff39fb89fbc3bba6c54021d2a41ea72f5384265c7368eeb9bf37392644e9c334332acc3724bfb79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
daa2f52d9553747c3ff6c50e5465554f

SHA1
f341340d45441818be6d29a495159b56aae71756

SHA256
45be2fe060842eaf6dcf0924e06b37be99e277c233dd2ce3e376b731c2cb0454

SHA512
26935cfc698b8ee276c40127bfd9a7df1cc3eb4a6c884704bc857ffdccfdfd511c9a2d75e79cb741305a669db403c0c38b22e2ac8e1ef92bcc0c6626d267d368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c7c621bf81ab1d65974f35fa69a499a9

SHA1
eb7c0ca7bc7eef7f47dd185f0b7cdb9506b3e19d

SHA256
bfbd168c1b8007e5e604c593358e48990543cd7e90468ef6ed5d32eac41dd843

SHA512
30241d1bc09bc476188d12845e3b8cbe13c09ba0bb48ff3ced7774a0db3e9f1d2a703864d481a47a625269dfcd16501b16d2e96922d8119993a32ff8d257497f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c7c621bf81ab1d65974f35fa69a499a9

SHA1
eb7c0ca7bc7eef7f47dd185f0b7cdb9506b3e19d

SHA256
bfbd168c1b8007e5e604c593358e48990543cd7e90468ef6ed5d32eac41dd843

SHA512
30241d1bc09bc476188d12845e3b8cbe13c09ba0bb48ff3ced7774a0db3e9f1d2a703864d481a47a625269dfcd16501b16d2e96922d8119993a32ff8d257497f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL

Filesize
36KB

MD5
3c53135c52de67814ba31551d49fc7cb

SHA1
c1165ac9950fdf49be3fa2703377909b07eb2682

SHA256
6eda8cc60b1fafcbd1c4bf1630cfba2b2c307419fd6cedf3ff7cac6645b31974

SHA512
d32bd1ddae1b75db97ec5221bb8390a675f6716e7e0a7a5005fbc04857dd23d000929a6487ba7e45399c0debcf2aa550228b3968f5e9a80f8473490cb10d2dc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL-journal

Filesize
20KB

MD5
3b1ded5080f99bba482ba22191d1eaa5

SHA1
6844555b242417307d84bfff1453e34f98d0d1bb

SHA256
7f5b0f83fcc64ac4b74b337275936bcc4db4967e0c0e694b24e69f36dd17210d

SHA512
2e4ca3118364f9c8852732263ca95eb19066db015e7855122aec2327a9e2929af2b8a1252803615c08e503ec37f37b5970bff1e850a97236adac742226b0576c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
e8819efd871a9aa3b7424654a0ca9cdc

SHA1
1c6a6c5c04d08f41fefef1136d35b4fe3c58e31a

SHA256
18b6150cfb7c6ed414e4b445fdee3022495e77eb9e1ec7b6c995a29a54aee1eb

SHA512
0847cde1b5bb808481da080f52a11a1fb690a5b5e8eac69980c201d043cf80ea7af958edce67f061acc8a0dfea0ec36481bbad13fd246f5c2e2c5e12ad3338df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
65397c89d0bee4ac28c8abdc7f8d3b04

SHA1
d50671359407df50fa59a2959565e19299c84a00

SHA256
625512af84e29cd4af3515a0cbc860554013d9ac8506ac3a50a2afd0bcd8187e

SHA512
23a78237faf91e9be80224a2a84b5ac640f4d6bf87a4f0786cc642f94a825321816352301f15dd7720bbfd53b142ce51373856ef58d10ecefda7f332e5548af9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
1f9bd120df82423c679ba1cbb0f15720

SHA1
0e1599b0d7d1ab338ac5b8b53cd44b6cf8cb6904

SHA256
b1171b8febb805ee41b3afb39b79d976fbd825a99a2a9de1a610fef4708d1798

SHA512
817815edb96b52c3879f716b94449a037c3f59595d54e107f6a9e2c36e0d209a62d55108a4d0c7206da02904ec8d5c5a567fcc4f867aa7b95b159c365ee7545d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
72f7166909e0cd93de75483d1a1b6185

SHA1
15b04be1df7e6ee09911600af9c6bdd090340d26

SHA256
21f745f7d4b478770228b17b21f6241ae8355f7d284fd8b05f38287af6e4ef30

SHA512
a1ccb557523086868351216acdca2a0a0135d75b879d6919cfdf3d9bdab60e6f12345b27ba53b5b3ed9534e258e5d5d0e547497087ac3cf1f773f29cb9204a58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
72f7166909e0cd93de75483d1a1b6185

SHA1
15b04be1df7e6ee09911600af9c6bdd090340d26

SHA256
21f745f7d4b478770228b17b21f6241ae8355f7d284fd8b05f38287af6e4ef30

SHA512
a1ccb557523086868351216acdca2a0a0135d75b879d6919cfdf3d9bdab60e6f12345b27ba53b5b3ed9534e258e5d5d0e547497087ac3cf1f773f29cb9204a58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1aefd1c96c710cffbecfcd60d4ada19b

SHA1
077494b4758fb9669ab66847ab6f811f5b45d5d2

SHA256
7a23970305bf1380e7dd803347d190c2532a21fc32cad386bbc50579257c6ce2

SHA512
8df55c89ef029dcb48368fba58310293076c1ab6d56b2366dbd6ade919dffe6cb8f10ce4d0e3116b7bf6aa6fbc210f3e479813c6a3cfdc41b10e7c9bd37994fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1aefd1c96c710cffbecfcd60d4ada19b

SHA1
077494b4758fb9669ab66847ab6f811f5b45d5d2

SHA256
7a23970305bf1380e7dd803347d190c2532a21fc32cad386bbc50579257c6ce2

SHA512
8df55c89ef029dcb48368fba58310293076c1ab6d56b2366dbd6ade919dffe6cb8f10ce4d0e3116b7bf6aa6fbc210f3e479813c6a3cfdc41b10e7c9bd37994fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e9b35b51acca9d60631d99b362c7c1c9

SHA1
e8b6e0640984da649ae041d7d6547f55da38c87c

SHA256
388e0e17aca24d08f1ecc46d5584c70e3d14822eee23915a80180ed0fac9689b

SHA512
3d9a3bd57bf9552251c07359ae3944e8bc7023f2e943c5d875f1026f4546f26de63cb3bddf3ebd0b5bb48258a6313bde0d81c52953525f501860f318c79d814d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e9b35b51acca9d60631d99b362c7c1c9

SHA1
e8b6e0640984da649ae041d7d6547f55da38c87c

SHA256
388e0e17aca24d08f1ecc46d5584c70e3d14822eee23915a80180ed0fac9689b

SHA512
3d9a3bd57bf9552251c07359ae3944e8bc7023f2e943c5d875f1026f4546f26de63cb3bddf3ebd0b5bb48258a6313bde0d81c52953525f501860f318c79d814d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9ef948b54013d06fcbb3d917c6469838

SHA1
ec7e09a7727e20b921fc10d5c4ee4a1a53088782

SHA256
1471cd33070501a926e3151bdb21397dd061f300a49eb2969248476aae44b9a8

SHA512
e3bebc69981320f24b7b3e0d2460f99c8a11f37c3a9118313c53c9a4b4353b1315135950eb1e53065d86d7f253cc2f84a58aba7d2b83e8a9fed3ed0b34abe28e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
15096c77cb847f1b512eec13d673caab

SHA1
65008dccd107a37ba9ad697e5dabf170087d57e6

SHA256
0c820133788fa0b4923de9c9c1232b80e70585ccf62f45d0b1efa1712d3d09f1

SHA512
9d380adf032c0b038ab1941fed21a88947444ef49c6d20f0f0e891761374eeb1026b973dbbfd339e43fbee5b9576048e7d8a4e478d03b9ecf5c4399aeb5a31c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

Filesize
213B

MD5
046cc08d163fc4578cd1b77a5d0965ac

SHA1
92f503e605c30974baf385f1619f1269b81dec57

SHA256
693a60684aa9ff4f01cb6027e9c938f4701c0c898afc224a0776cb1e18e87166

SHA512
e8b1df36a237bcbbad897146ca247edf75466b2a4030fec620c46932b5c31137f2931cd2758534e4308aed3fb9cc40edf2d7646a38530bcc5e6d7069c19a3b1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
320B

MD5
d7edd5647b3e02a9cf62cc497831109b

SHA1
d3a188bcea104aa8a71577569200958d45b9dcdd

SHA256
cc5241c9ca128dde320b46c53a6e16dd2893106a9a39fd0c7ee6108b1a92911e

SHA512
711b78e82aa8b4eebe0954adc53e0ca4b7afbc3e8c3d8417f73e3b858a496046dfcedb30cff6370ea234c1aec12852e70a5ebabb38d5931e0174d509819dc5d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13338048751947557

Filesize
2KB

MD5
0f2e4fa696d4b2e1897713277647a487

SHA1
5a6e779605880639f98e990b897ce569cbfde46c

SHA256
fee7fdf0a73235bf1eb79f5df4574c4d6fe12a7e04556c26c5feadffd19ff32c

SHA512
c3ced00b763e22263fb0171d7119c51b22279f4f2d6a962e74fa34333a1501caf551d685f827283fa82e4265f1856ed7b9d74a857a91c7c3c5401812c0aed911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
348B

MD5
758571f388ad6f2c4b0a44114014e555

SHA1
c6ab7186b9a7ea5bff98f91fd6b6da6c6a4bdf99

SHA256
4060bf29c463c8149bda16b6625761c57e15dbccaf7375daca7586d4af630683

SHA512
7205ccb85be9947183e8c8b5bc9780947a082d234471798e9e440060083094a029ee8e364cf5b8a5e8259bfd4c6e69f6e0ff34189fbc6ace8359fdd67ab604d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
8406403cd59e972930da1d7de8934786

SHA1
e7a240df284e6477cb49aa483e723ae6d0c0708d

SHA256
015619a0b335dbe4d8a6db1e2eed3663ad94b82eb296bce26dac7d44b6ebe14f

SHA512
1483828467bb4955b6363a5fd3a3b12d7c40c05f8236a7dd648c83801d4b97ef5b27863b12000182dd9a939a82db111c3a33fc75e995f6e1f59fea582eb06c65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

Filesize
8KB

MD5
40919a21b993df50307efe69a68f53ea

SHA1
79b014678c271351cec584faff9160cec133c841

SHA256
807cbef7003544d8ecd50e90befaddecc9507d9c8d8e858ae721ed9142b49aa5

SHA512
578bba6aca455862fee4caf35e50608f4d6f549b00c3313be6ac473f0dca3902bcd1afbe25065dcc8a963ac5a1b2d550cd5860c930372c3d1edf5d477aab9595

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
2e0a8830b04826d2a35355f8745525d4

SHA1
e1dae3bcd8d21feb798fbed1e8657aef9c4a340c

SHA256
c2aced077403fd594c5960c1c9a7787bfd12e83d31d97de0c4ec4ff4765583f8

SHA512
7bc42b4c241ee70169bbf91d736f8073003a11bedc6425ad77b0299e4c51d38a5478dd820fe4b3ed647e2c2078385706c9aed287fb8d312fafee75a5977dbfec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
324B

MD5
21b499ca8ae9196ebdde029b1cb92dc8

SHA1
183357cfb26c88b805eb2eb68867407d059f1587

SHA256
589ee61a8b523763100b4a3e6e87c25bf12e09f85589e90d84c828476df1eb26

SHA512
4166d671011716825ba5f75b67a595a2bd405248d4da6163300650d957db44a7efdccb3620b4f09471ef3361615e04b27c46d9bdb73356ff648273f33d354872

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c37c128b-d693-4f74-9b02-3cf26070ad05.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
770B

MD5
d95658900d1f0396befb37a8e01782fb

SHA1
92110580e6880aa844b3efc5cb58a6d73086e513

SHA256
3292bc045a96d088d10c2ad5a1ca561afcb0c29aa264564c0fa9138cf41dd04e

SHA512
54d2688540e0ba3e22bce5b3d09d2befdb026ad264e8a2bba2befb34b03dd9fc33cbff02125004093562a283b9dc9c2c55ea668fe04e469fe7d193d62fa1b63a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
317B

MD5
cd176c6075db9279f9b385046d49f076

SHA1
40aa453f0e0a9c7b088f3c2dd3a714d513823812

SHA256
f65ce6cbe41ffe98b8d6c4d2d15a65c6fd4965774478b85184572d4d8d66090b

SHA512
a1af9c5cf17ab07d3469addb897cb2f780ca81f3b1e8f3246bfdec690dc69af71e8ebd2f5fc0fbf6b3fd593f0d4dfdfe14bd4b3d679f7d6c602da3e84511efca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
918B

MD5
212bc5819bf8ea8179e93a4faa126162

SHA1
5456bcecb137aab937692bb985867b8641f30b44

SHA256
86037c7b70e9c2d52a1721de5f6ceeccf8802ec5b95a1027823c08fc825c8e38

SHA512
9774a10a5ed2fee4a0e837b86fe211b2d45a590f5b866bc2be1f92589fa32ca27bd88b5f0188e50ed7f6ebb52e79956ad36e337765c6c2f120585fe88be3a554

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
335B

MD5
87def0a6ef283e46fa648212d64078fc

SHA1
cb7668bc1f08dae40fab5676873e2766a933a2c2

SHA256
e1f1bc623c04458a16d3ffb87bd4efa5be84358c2e61a5505458bc5b3814d004

SHA512
a20c0e873b9730e74697a2a9b8f10f449c03f0dabdf4d76b3b13f2bfb0b4e80d22cdd569cf2f8c7204365ccbebc9aaaf8f4ec106b35054b5aed170f82f2e7f54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
e7e23b2c68a43d19beedb46916d269a4

SHA1
596e3d6e8852a9dc2ec1755a7858a27309e65118

SHA256
f1e7ad95c0b7174aa89bb65b6dfb6de5c5493b4885e030490d04821dbd6f60a0

SHA512
650abae89b74bf1c240b7f43cb7cc8cd747fc8a1aa7f9a33457aae92502ac8c8950125201a5646e276bf2df67677739d27fca4e1d64b96ecf43f75b80acfc30b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
ff2760aa3d75c21c6da88d5c6659b1d4

SHA1
b32c7b29a761e99ab981ababcba2b491f3ec0653

SHA256
ab8ec29cca19013c01e76dbfcf2b892b1c7ed01aefde0b566bf1fc744af373e3

SHA512
ebcbd9d1cfb5c41dc7ce8162b60489b8de026c789c0b8c553d5e3efc9a277c79e55eb33d113e996bd57e463032668e5967017e9a2321b78643488a239f69de62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
a34d67986bbdb47c7d3618e63f1204af

SHA1
8a07fe23e266cfc38d156561bed527c922bedf81

SHA256
f997ed64d6ef940ef7feb1702abbff4619e8122633a10ab547cd2c943c5cfdf1

SHA512
28d8cec1c9c07d3d86945ee1e0a3a2b327923988a3a3379e5cda4e477d569ec8877bdb5ba982f98b422915186fc8cb2301699e66fb90024887b6597bc45aa92e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
38a2554bb4b4b153b5cd9b879682a57a

SHA1
c903467face70427c6f75857e1bb09c4a35ee37c

SHA256
8404e8c5c9b761e7930b3e2b1c04bde133ac5b0549db0d15265699b00327f374

SHA512
6be08b1595e5ecf0e27ab5b34ef5e3875acf0d9ee25b78a2ceb44597e7327a2bbf4c9567b57c02aecceb9639bf5f1681751e5dcbaf005f4ecd01e3cacf082e49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
193KB

MD5
7cf504a59f48f896d782d30d139eaba3

SHA1
fa92ae2444dcf6f649581cf793c60504f02ed6ba

SHA256
8c3f51e77d49234e07e2861d2f5d06dde6e8c94d390a08cda61424b14b1c2bcc

SHA512
1dd5cfd5aeca1543007f479f07355015b01bcffba26cca7d018e17a6d192ebc0d14e6725e068f3eedf3cc579051df40e3b290e110549a54c8077a44a1e53929a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
2a22e1f4908f89dd7c98822424aaf7b3

SHA1
f3263e0b75188146544b7c3800d6020c25c3a554

SHA256
d6b4f1d4330eda550710c0b60d3fff131da1b33ff4275dd125190037b83df601

SHA512
85e494d71a41b897a0404dfbc3df866c042923d0fc1296b339837a9f2f16c7bcd90a8d60baf615d6013fce4f50ae77e3dded7e78a0092a0510cb9eaa6e6d91c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
2a22e1f4908f89dd7c98822424aaf7b3

SHA1
f3263e0b75188146544b7c3800d6020c25c3a554

SHA256
d6b4f1d4330eda550710c0b60d3fff131da1b33ff4275dd125190037b83df601

SHA512
85e494d71a41b897a0404dfbc3df866c042923d0fc1296b339837a9f2f16c7bcd90a8d60baf615d6013fce4f50ae77e3dded7e78a0092a0510cb9eaa6e6d91c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
8061260e1866f64ccf3b9da2dd89bbc0

SHA1
ce2dd5cafaaf2f74598d81dc017adfa0b1175f41

SHA256
573e9a4549aacdf108abb879bbaf820077d04014145dc42b8bb78d89df36fd14

SHA512
aeeaaed86beba7ac78c0e0d1af3a1af5252aaa68b754923e9a36ee03b809f3ea50f2eef7f44dbb1675736bc4de5ced55ed556261f6ee7a386397405c25485bc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
192KB

MD5
07ef9139588bfdb266b48a8489b3f712

SHA1
24d66c37f20a60b8d693a42ee58f4ff584671b79

SHA256
20cf210577f7f8e246946c33a723aa4b7379229d25bd3289ada8329bc87e49c5

SHA512
67e8eec18f868c7e3830aedee0c49df7da59bd14ef40057454e046f1a54b931f4d420dda5774ef7b224a425ec42497ca8286d3f40c32063ebb6d047b212e83ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
193KB

MD5
7cf504a59f48f896d782d30d139eaba3

SHA1
fa92ae2444dcf6f649581cf793c60504f02ed6ba

SHA256
8c3f51e77d49234e07e2861d2f5d06dde6e8c94d390a08cda61424b14b1c2bcc

SHA512
1dd5cfd5aeca1543007f479f07355015b01bcffba26cca7d018e17a6d192ebc0d14e6725e068f3eedf3cc579051df40e3b290e110549a54c8077a44a1e53929a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
85B

MD5
bc6142469cd7dadf107be9ad87ea4753

SHA1
72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c

SHA256
b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557

SHA512
47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
85B

MD5
bc6142469cd7dadf107be9ad87ea4753

SHA1
72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c

SHA256
b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557

SHA512
47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt

Filesize
4B

MD5
e06073965fcfc3784416988f6345db86

SHA1
4ab05806ea148c392c1637dbb0e3841f90429491

SHA256
a6bf0332ed58c67b311cd2a13296cbbbb07943cf19bd731efca14737446a4b22

SHA512
917fcbe2d55854b068aeb09ede3989a396937c00f53b29d6f27d50f6bf611cdc949d69d81aba3ad22a2631e341fb92ce37df6e93ddf6d20ec5d8c3f51f7da1dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFB7CAECE56F05CDDC.TMP

Filesize
16KB

MD5
71724b0e437dc122006cc269ae1ec6c6

SHA1
dbd34271a14615aad8f94d80e5b675b5afa1b010

SHA256
1dc21b94071c45eb546e9aeddb78d26ecde433e395504236ebd8510b23175551

SHA512
1d6420e983b0bbe33302ab2feb0ae2d3e0cf9ef9f78bd26864e8f1a78f17f44b757099ca0efb3bcf43f9ed6ddc6773d3f30c0a1b8258ff1912d0efb20e4381c4

Download Submit
memory/3112-57-0x000002A1DD920000-0x000002A1DD922000-memory.dmp

Filesize
8KB

Download
memory/3112-63-0x000002A1DD980000-0x000002A1DD982000-memory.dmp

Filesize
8KB

Download
memory/3112-55-0x000002A1DD900000-0x000002A1DD902000-memory.dmp

Filesize
8KB

Download
memory/3112-65-0x000002A1DD9A0000-0x000002A1DD9A2000-memory.dmp

Filesize
8KB

Download
memory/3112-61-0x000002A1DD960000-0x000002A1DD962000-memory.dmp

Filesize
8KB

Download
memory/3112-59-0x000002A1DD940000-0x000002A1DD942000-memory.dmp

Filesize
8KB

Download
memory/4612-16-0x0000021FB3B10000-0x0000021FB3B20000-memory.dmp

Filesize
64KB

Download
memory/4612-35-0x0000021FB3C90000-0x0000021FB3C92000-memory.dmp

Filesize
8KB

Download
memory/4612-87-0x0000021FB3CE0000-0x0000021FB3CE1000-memory.dmp

Filesize
4KB

Download
memory/4612-91-0x0000021FB3CB0000-0x0000021FB3CB1000-memory.dmp

Filesize
4KB

Download
memory/4612-0-0x0000021FB3520000-0x0000021FB3530000-memory.dmp

Filesize
64KB

Download
memory/4612-84-0x0000021FB8820000-0x0000021FB8822000-memory.dmp

Filesize
8KB

Download