1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
2700s
max time network
2705s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
10/07/2024, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

7^/10

discovery execution persistence spyware stealer

Malware Config

Signatures

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Microsoft\Windows\CurrentVersion\Run\Discord = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Microsoft\Windows\CurrentVersion\Run\Discord = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Microsoft\Windows\CurrentVersion\Run\Discord = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Lightshot = "C:\\Program Files (x86)\\Skillbrains\\lightshot\\Lightshot.exe"	setup-lightshot.tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
82	camo.githubusercontent.com
84	camo.githubusercontent.com
237	discord.com
37	discord.com
38	discord.com
81	camo.githubusercontent.com
233	discord.com
244	discord.com
1	discord.com
69	camo.githubusercontent.com
83	camo.githubusercontent.com

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-56K3D.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-5MJ24.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-OK0OK.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\is-Q5BV1.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\unins000.msg	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\info.xml	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-UIQJK.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-E2K5H.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-DHK01.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-V2GUV.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-1SJV1.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-QMD6A.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-O0I8A.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-CTK4S.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-RTHCN.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-GL10A.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\Updater\info.xml	setupupdater.tmp
File opened for modification	C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-LDCDS.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-ETC88.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-EHMA4.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-M53S7.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-QCUB1.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-3B80M.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-EM3JG.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-M6SHN.tmp	setup-lightshot.tmp
File opened for modification	C:\Program Files (x86)\Skillbrains\Updater\MachineProducts.xml	Updater.exe
File opened for modification	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\uploader.dll	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-IAR4D.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-IVHTO.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-N1OQ1.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-88M57.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\is-2TU0N.tmp	setupupdater.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-079UJ.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-E5FFN.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-HA221.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-1BR70.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-JN8UO.tmp	setup-lightshot.tmp
File opened for modification	C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	setupupdater.tmp
File opened for modification	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.dll	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-NO35R.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-4JP6O.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-9EU8J.tmp	setup-lightshot.tmp
File opened for modification	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\DXGIODScreenshot.dll	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-NQV4I.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-450L3.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\Updater\is-7MSFA.tmp	setupupdater.tmp
File opened for modification	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\net.dll	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-L88R7.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-RNIV0.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-HNC7P.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\is-GBUBS.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-760VN.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-R918T.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-VQ80E.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-8RRMV.tmp	setup-lightshot.tmp
File opened for modification	C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	setupupdater.tmp
File created	C:\Program Files (x86)\Skillbrains\Updater\MachineProducts.xml	Updater.exe
File created	C:\Program Files (x86)\Skillbrains\lightshot\unins000.dat	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-9CCF1.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-D3QEK.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-T433T.tmp	setup-lightshot.tmp
File opened for modification	C:\Program Files (x86)\Skillbrains\lightshot\unins000.dat	setup-lightshot.tmp
File opened for modification	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	setup-lightshot.tmp

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6596_657165520\_metadata\verified_contents.json	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2700_2009859799\_platform_specific\win_x86\widevinecdm.dll	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6596_657165520\_platform_specific\win_x64\widevinecdm.dll	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2700_2009859799\_platform_specific\win_x86\widevinecdm.dll.sig	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2700_2009859799\manifest.fingerprint	Discord.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_2700_997660375\oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win32_ad2kbvs6jks3au5dsxn7cqflsiiq.crx3	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6596_1565052213\_metadata\verified_contents.json	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6596_657165520\_platform_specific\win_x64\widevinecdm.dll.sig	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6596_657165520\LICENSE	Discord.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_6596_1332665311\neifaoindggfcjicffkgpmnlppeffabd_1.0.2738.0_win64_kj4dp5kifwxbdodqls7e5nzhtm.crx3	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6596_657165520\manifest.json	Discord.exe
File created	C:\Windows\Tasks\update-S-1-5-21-514081398-208714212-3319599467-1000.job	updater.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2700_2009859799\manifest.json	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6596_1565052213\manifest.fingerprint	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6596_657165520\manifest.fingerprint	Discord.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	Discord.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2700_2009859799\_metadata\verified_contents.json	Discord.exe
File opened for modification	C:\Windows\SystemTemp\temCCF1.tmp	Clipup.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2700_2009859799\LICENSE	Discord.exe
File opened for modification	C:\Windows\SystemTemp	Discord.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_6596_679131680\oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6596_1565052213\Google.Widevine.CDM.dll	Discord.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6596_1565052213\manifest.json	Discord.exe
File created	C:\Windows\Tasks\update-sys.job	Updater.exe

Executes dropped EXE 46 IoCs

pid	Process
5676	DiscordSetup.exe
5728	Update.exe
5436	Discord.exe
5520	Discord.exe
5452	Update.exe
1548	Discord.exe
5832	Discord.exe
4824	Update.exe
2700	Discord.exe
564	Discord.exe
5236	Discord.exe
5272	Discord.exe
5240	Discord.exe
2148	Discord.exe
5884	dismhost.exe
5368	Discord.exe
6596	Discord.exe
2264	Discord.exe
6216	Discord.exe
6240	Discord.exe
6260	Discord.exe
4028	Discord.exe
7096	Discord.exe
1656	Discord.exe
5616	Discord.exe
6704	Discord.exe
4112	Discord.exe
1932	gpu_encoder_helper.exe
5264	gpu_encoder_helper.exe
1860	gpu_encoder_helper.exe
6912	Discord.exe
3984	setup-lightshot.exe
7760	setup-lightshot.tmp
968	Lightshot.exe
7176	Lightshot.exe
5816	setupupdater.exe
6352	setupupdater.tmp
5144	Updater.exe
7260	Updater.exe
6468	Updater.exe
7376	Updater.exe
7460	Updater.exe
7512	updater.exe
7620	updater.exe
3408	updater.exe
7308	updater.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6060	sc.exe
5452	sc.exe
3448	sc.exe
5800	sc.exe
1860	sc.exe
2816	sc.exe
2112	sc.exe
5212	sc.exe
3496	sc.exe
5300	sc.exe
1100	sc.exe
408	sc.exe
5944	sc.exe
5816	sc.exe
1960	sc.exe
5872	sc.exe
5284	sc.exe
4652	sc.exe
5272	sc.exe
4028	sc.exe
1504	sc.exe
5800	sc.exe
3508	sc.exe
1868	sc.exe
5696	sc.exe
5000	sc.exe
5248	sc.exe
5696	sc.exe
2752	sc.exe
5432	sc.exe
2408	sc.exe
988	sc.exe
4240	sc.exe
5188	sc.exe
2264	sc.exe
5260	sc.exe
1812	sc.exe
5664	sc.exe
2836	sc.exe
1812	sc.exe
5244	sc.exe
5224	sc.exe
2092	sc.exe
5244	sc.exe
5348	sc.exe
2880	sc.exe
2300	sc.exe
4588	sc.exe
5192	sc.exe
4652	sc.exe
5308	sc.exe
5624	sc.exe
5292	sc.exe
5584	sc.exe
1504	sc.exe
4256	sc.exe
3272	sc.exe
8	sc.exe
4500	sc.exe
3984	sc.exe
5976	sc.exe
5712	sc.exe
1644	sc.exe
1360	sc.exe

Loads dropped DLL 64 IoCs

pid	Process
5436	Discord.exe
5520	Discord.exe
1548	Discord.exe
5832	Discord.exe
1548	Discord.exe
1548	Discord.exe
1548	Discord.exe
1548	Discord.exe
2700	Discord.exe
564	Discord.exe
5236	Discord.exe
5272	Discord.exe
5240	Discord.exe
5236	Discord.exe
5236	Discord.exe
5236	Discord.exe
5236	Discord.exe
2700	Discord.exe
5240	Discord.exe
5240	Discord.exe
2148	Discord.exe
5884	dismhost.exe
5884	dismhost.exe
5884	dismhost.exe
5884	dismhost.exe
5884	dismhost.exe
5884	dismhost.exe
5884	dismhost.exe
5884	dismhost.exe
5884	dismhost.exe
5884	dismhost.exe
5884	dismhost.exe
5884	dismhost.exe
5884	dismhost.exe
5884	dismhost.exe
5884	dismhost.exe
5884	dismhost.exe
5884	dismhost.exe
5884	dismhost.exe
5884	dismhost.exe
5884	dismhost.exe
5884	dismhost.exe
5368	Discord.exe
5884	dismhost.exe
5884	dismhost.exe
6596	Discord.exe
2264	Discord.exe
6260	Discord.exe
6216	Discord.exe
6240	Discord.exe
6216	Discord.exe
6216	Discord.exe
6216	Discord.exe
6216	Discord.exe
6596	Discord.exe
6260	Discord.exe
6260	Discord.exe
4028	Discord.exe
7096	Discord.exe
1656	Discord.exe
5616	Discord.exe
1656	Discord.exe
1656	Discord.exe
1656	Discord.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
6044	powershell.exe
1492	powershell.exe
6036	powershell.exe
4888	powershell.exe
5940	powershell.exe
5160	powershell.exe
2696	powershell.exe
4712	powershell.exe
7076	powershell.exe
7020	powershell.exe
5184	powershell.exe
5900	powershell.exe
5276	powershell.exe
6900	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 48 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Discord.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	Discord.exe

Checks processor information in registry 2 TTPs 30 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Discord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Discord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Discord.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5248	timeout.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
7896	taskkill.exe
764	taskkill.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9152\\Discord.exe\" --url -- \"%1\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9152\\Discord.exe\",-1"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9051\\Discord.exe\" --url -- \"%1\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord\ = "URL:Discord Protocol"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9051\\Discord.exe\" --url -- \"%1\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord\DefaultIcon	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord\URL Protocol	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-514081398-208714212-3319599467-1000\{FA3E7F43-41F3-43BD-BE24-48D8AF2950D5}	Discord.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord\URL Protocol	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord\shell\open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9051\\Discord.exe\",-1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9051\\Discord.exe\",-1"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord\URL Protocol	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord\shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord\ = "URL:Discord Protocol"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord\ = "URL:Discord Protocol"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-514081398-208714212-3319599467-1000\{5DC2715E-DD55-4CC4-AC7A-BB9FD3755617}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Discord	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2408	reg.exe
2092	reg.exe
6004	reg.exe
2752	reg.exe
5888	reg.exe
4352	reg.exe
5868	reg.exe
5976	reg.exe
1440	reg.exe
5448	reg.exe
5644	reg.exe
5844	reg.exe
3448	reg.exe
5292	reg.exe
3944	reg.exe
3508	reg.exe
5240	reg.exe
1900	reg.exe
4940	reg.exe
5384	reg.exe
6004	reg.exe
3208	reg.exe
3292	reg.exe
5292	reg.exe
5172	reg.exe
1412	reg.exe
1712	reg.exe
2908	reg.exe
2900	reg.exe
2016	reg.exe
1812	reg.exe
3484	reg.exe
2184	reg.exe
3592	reg.exe
4352	reg.exe
2448	reg.exe
3744	reg.exe
5716	reg.exe
5648	reg.exe
2112	reg.exe
5168	reg.exe
5884	reg.exe
5444	reg.exe
1344	reg.exe
3448	reg.exe
2072	reg.exe
416	reg.exe
4432	reg.exe
5556	reg.exe
1440	reg.exe
3516	reg.exe
5860	reg.exe
5228	reg.exe
2724	reg.exe
5448	reg.exe
5508	reg.exe
3660	reg.exe
1396	reg.exe
3932	reg.exe
6088	reg.exe
1560	reg.exe
4688	reg.exe
5752	reg.exe
6768	reg.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\DiscordSetup.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Microsoft-Activation-Scripts-master.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\setup-lightshot.exe:Zone.Identifier	chrome.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3408	PING.EXE
236	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4780	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1500	AnyDesk.exe
1500	AnyDesk.exe
1500	AnyDesk.exe
1500	AnyDesk.exe
1500	AnyDesk.exe
1500	AnyDesk.exe
2636	AnyDesk.exe
2636	AnyDesk.exe
2320	chrome.exe
2320	chrome.exe
3412	chrome.exe
3412	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5140	powershell.exe
5140	powershell.exe
5140	powershell.exe
1140	powershell.exe
1140	powershell.exe
1140	powershell.exe
3628	powershell.exe
3628	powershell.exe
3628	powershell.exe
6060	powershell.exe
6060	powershell.exe
6060	powershell.exe
1976	powershell.exe
1976	powershell.exe
1976	powershell.exe
5844	powershell.exe
5844	powershell.exe
5844	powershell.exe
2112	powershell.exe
2112	powershell.exe
2112	powershell.exe
3508	powershell.exe
3508	powershell.exe
3508	powershell.exe
2824	powershell.exe
2824	powershell.exe
2824	powershell.exe
4548	powershell.exe
4548	powershell.exe
4548	powershell.exe
5240	Discord.exe
5240	Discord.exe
7104	powershell.exe
7104	powershell.exe
7104	powershell.exe
5984	powershell.exe
5984	powershell.exe
5984	powershell.exe
964	powershell.exe
6260	Discord.exe
6260	Discord.exe
964	powershell.exe
964	powershell.exe
6596	Discord.exe
6596	Discord.exe
6596	Discord.exe
6596	Discord.exe
1656	Discord.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4812	AnyDesk.exe
1656	Discord.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 48 IoCs

pid	Process
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
2156	msedge.exe
2156	msedge.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	AnyDesk.exe
Token: 33	1692	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1692	AUDIODG.EXE
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe
Token: SeCreatePagefilePrivilege	3412	chrome.exe
Token: SeShutdownPrivilege	3412	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4780	AnyDesk.exe
4780	AnyDesk.exe
4780	AnyDesk.exe
4780	AnyDesk.exe
4780	AnyDesk.exe
4780	AnyDesk.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
4780	AnyDesk.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4780	AnyDesk.exe
4780	AnyDesk.exe
4780	AnyDesk.exe
4780	AnyDesk.exe
4780	AnyDesk.exe
4780	AnyDesk.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
4780	AnyDesk.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
6596	Discord.exe
6596	Discord.exe
6596	Discord.exe
6596	Discord.exe
6596	Discord.exe
6596	Discord.exe
6596	Discord.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
6596	Discord.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
3412	chrome.exe
7176	Lightshot.exe
7176	Lightshot.exe
7176	Lightshot.exe
232	msedge.exe
232	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4812	AnyDesk.exe
4812	AnyDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 1500	2636	AnyDesk.exe	79
PID 2636 wrote to memory of 1500	2636	AnyDesk.exe	79
PID 2636 wrote to memory of 1500	2636	AnyDesk.exe	79
PID 2636 wrote to memory of 4780	2636	AnyDesk.exe	80
PID 2636 wrote to memory of 4780	2636	AnyDesk.exe	80
PID 2636 wrote to memory of 4780	2636	AnyDesk.exe	80
PID 2320 wrote to memory of 4680	2320	chrome.exe	89
PID 2320 wrote to memory of 4680	2320	chrome.exe	89
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2972	2320	chrome.exe	90
PID 2320 wrote to memory of 2448	2320	chrome.exe	91
PID 2320 wrote to memory of 2448	2320	chrome.exe	91
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92
PID 2320 wrote to memory of 5064	2320	chrome.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:4812
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4780

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004E4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Users\Admin\Desktop\CompressRegister.dotm C:\Users\Admin\Desktop\ConnectRename.wmf C:\Users\Admin\Desktop\FindOpen.rar C:\Users\Admin\Desktop\InitializeNew.jpeg C:\Users\Admin\Desktop\InstallEnable.xht C:\Users\Admin\Desktop\InstallUnblock.wps C:\Users\Admin\Desktop\InvokeReceive.html C:\Users\Admin\Desktop\LimitMount.vssx C:\Users\Admin\Desktop\LockDisable.m3u C:\Users\Admin\Desktop\MoveSave.xltm C:\Users\Admin\Desktop\OptimizeSkip.DVR C:\Users\Admin\Desktop\PingConvert.ppsm C:\Users\Admin\Desktop\PushAdd.MTS C:\Users\Admin\Desktop\RegisterCopy.jpeg C:\Users\Admin\Desktop\RequestJoin.wav C:\Users\Admin\Desktop\ResetClose.ocx C:\Users\Admin\Desktop\ShowMove.m1v C:\Users\Admin\Desktop\SubmitSet.wma C:\Users\Admin\Desktop\UnprotectStart.odt C:\Users\Admin\Desktop\UpdateCheckpoint.wma C:\Users\Admin\Desktop\WaitGroup.tiff C:\Users\Admin\Desktop\WriteNew.iso C:\Users\Admin\Desktop\ClearProtect.mht
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff822aacc40,0x7ff822aacc4c,0x7ff822aacc58
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1704,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1952 /prefetch:3
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2392 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3088,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3244,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3496,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3592 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3504,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3512,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3840 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3576,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3960 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3712,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4444 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3952,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4468 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4076,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4124,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4120,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4164,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4180,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4184,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=4196,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4192,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4228,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=4236,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=4272,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6636 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=4224,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6848 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=4280,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6856 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=4304,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=4316,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=7228 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6016,i,3569300946943752500,3124265683615483010,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:1808

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4716

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3092

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:5020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:3184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff822aacc40,0x7ff822aacc4c,0x7ff822aacc58
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1720,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  PID:328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1972,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2144 /prefetch:8
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3892,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4444 /prefetch:1
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4600,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4420,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4384 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4980,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4560,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4504 /prefetch:8
  2⤵
  PID:5336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4492,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  PID:5344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3532,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  - NTFS ADS
  PID:5512
- C:\Users\Admin\Downloads\DiscordSetup.exe
  "C:\Users\Admin\Downloads\DiscordSetup.exe"
  2⤵
  - Executes dropped EXE
  PID:5676
- - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
    3⤵
    - Executes dropped EXE
    PID:5728
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe" --squirrel-install 1.0.9051
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      PID:5436
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe
        
        C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9051 --annotation=plat=Win32 --annotation=prod=Electron --annotation=ver=30.1.0 --initial-client-data=0x550,0x554,0x558,0x54c,0x540,0x9bebcc4,0x9bebcd0,0x9bebcdc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5520
    - - C:\Users\Admin\AppData\Local\Discord\Update.exe
        
        C:\Users\Admin\AppData\Local\Discord\Update.exe --createShortcut Discord.exe --setupIcon C:\Users\Admin\AppData\Local\Discord\app.ico
        5⤵
        Executes dropped EXE
        
        PID:5452
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,17114307287966705499,10695652631271325124,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1920 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1548
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --field-trial-handle=2744,i,17114307287966705499,10695652631271325124,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2560 /prefetch:3
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5832
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "\"C:\Users\Admin\AppData\Local\Discord\Update.exe\" --processStart Discord.exe" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1812
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
        5⤵
        Modifies registry class
        
        PID:2388
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:4352
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe\",-1" /f
        5⤵
        Modifies registry class
        
        PID:5156
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe\" --url -- \"%1\"" /f
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5564,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3236,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5944,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:6116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4788,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3176 /prefetch:8
  2⤵
  PID:5724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3228,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6404 /prefetch:8
  2⤵
  - Modifies registry class
  PID:5792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=6504,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6532 /prefetch:1
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=4472,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6636 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6536,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6760,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3708 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3192,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1112 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=2620,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2968 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=3332,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4416 /prefetch:1
  2⤵
  PID:6352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6608,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3724 /prefetch:1
  2⤵
  PID:6904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6300,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6624 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=1452,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4432 /prefetch:8
  2⤵
  PID:5976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3304,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3452 /prefetch:8
  2⤵
  PID:5952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6076,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6636 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3040
- C:\Users\Admin\Downloads\setup-lightshot.exe
  "C:\Users\Admin\Downloads\setup-lightshot.exe"
  2⤵
  - Executes dropped EXE
  PID:3984
- - C:\Users\Admin\AppData\Local\Temp\is-KLO7E.tmp\setup-lightshot.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-KLO7E.tmp\setup-lightshot.tmp" /SL5="$A03A0,2148280,486912,C:\Users\Admin\Downloads\setup-lightshot.exe"
    3⤵
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Executes dropped EXE
    PID:7760
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im lightshot.exe
      4⤵
      Kills process with taskkill
      PID:7896
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /F /IM lightshot.exe
      4⤵
      Kills process with taskkill
      PID:764
  - - C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe
      "C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe"
      4⤵
      Executes dropped EXE
      PID:968
    - - C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe
        
        "C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        
        PID:7176
  - - C:\Users\Admin\AppData\Local\Temp\is-HR49H.tmp\setupupdater.exe
      "C:\Users\Admin\AppData\Local\Temp\is-HR49H.tmp\setupupdater.exe" /verysilent
      4⤵
      Executes dropped EXE
      PID:5816
    - - C:\Users\Admin\AppData\Local\Temp\is-R987P.tmp\setupupdater.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-R987P.tmp\setupupdater.tmp" /SL5="$B03F6,490430,120832,C:\Users\Admin\AppData\Local\Temp\is-HR49H.tmp\setupupdater.exe" /verysilent
        5⤵
        Drops file in Program Files directory
        Executes dropped EXE
        
        PID:6352
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" START SCHEDULE
        6⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 START SCHEDULE
        7⤵
        
        PID:6964
      - C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addsystask
        6⤵
        Drops file in Windows directory
        Executes dropped EXE
        
        PID:5144
      - C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml"
        6⤵
        Executes dropped EXE
        
        PID:7260
        
        C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml"
        7⤵
        Drops file in Program Files directory
        Executes dropped EXE
        
        PID:6468
      - C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true"
        6⤵
        Executes dropped EXE
        
        PID:7376
        
        C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true"
        7⤵
        Executes dropped EXE
        
        PID:7460
  - - C:\Program Files (x86)\Skillbrains\Updater\updater.exe
      "C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addtask
      4⤵
      Executes dropped EXE
      PID:7512
    - - C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe" -runmode=addtask
        5⤵
        Drops file in Windows directory
        Executes dropped EXE
        
        PID:7620
  - - C:\Program Files (x86)\Skillbrains\Updater\updater.exe
      "C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\lightshot\info.xml"
      4⤵
      Executes dropped EXE
      PID:3408
    - - C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\lightshot\info.xml"
        5⤵
        Executes dropped EXE
        
        PID:7308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://app.prntscr.com/thankyou_desktop.html#install_source=default
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of SendNotifyMessage
      PID:232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff80b273cb8,0x7ff80b273cc8,0x7ff80b273cd8
        5⤵
        
        PID:6096
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1664,6691568729042833342,12137849758517560449,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:2
        5⤵
        
        PID:6040
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1664,6691568729042833342,12137849758517560449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
        5⤵
        
        PID:5524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1664,6691568729042833342,12137849758517560449,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
        5⤵
        
        PID:4028
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1664,6691568729042833342,12137849758517560449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
        5⤵
        
        PID:7600
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1664,6691568729042833342,12137849758517560449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
        5⤵
        
        PID:7756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1664,6691568729042833342,12137849758517560449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
        5⤵
        
        PID:5880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=7016,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6560 /prefetch:1
  2⤵
  PID:8084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=6876,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=6564,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6324 /prefetch:1
  2⤵
  PID:7924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=6560,i,12491952338807418429,15565338495574486939,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=7044 /prefetch:1
  2⤵
  PID:5124

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_Microsoft-Activation-Scripts-master.zip\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version\MAS_AIO-CRC32_31F7FD1E.cmd" "
1⤵
PID:5872
- C:\Windows\system32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:1812
- C:\Windows\system32\find.exe
  find /i "RUNNING"
  2⤵
  PID:4352
- C:\Windows\System32\findstr.exe
  findstr /v "$" "MAS_AIO-CRC32_31F7FD1E.cmd"
  2⤵
  PID:2352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:3628
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:5280
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:5196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
  2⤵
  PID:3508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:2112
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:5300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\Temp1_Microsoft-Activation-Scripts-master.zip\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version\MAS_AIO-CRC32_31F7FD1E.cmd" "
  2⤵
  PID:5944
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\MAS_AIO-CRC32_31F7FD1E.cmd" "
1⤵
PID:5236
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:5212
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:5512
- C:\Windows\System32\findstr.exe
  findstr /v "$" "MAS_AIO-CRC32_31F7FD1E.cmd"
  2⤵
  PID:5380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:5624
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:6116
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:2164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
  2⤵
  PID:5172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:3932
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:2352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\Downloads\MAS_AIO-CRC32_31F7FD1E.cmd" "
  2⤵
  PID:2156
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:5280
- C:\Windows\System32\fltMC.exe
  fltmc
  2⤵
  PID:2756
- C:\Windows\System32\reg.exe
  reg query HKCU\Console /v QuickEdit
  2⤵
  PID:2092
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:4588
- C:\Windows\System32\reg.exe
  reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f
  2⤵
  PID:5944
- C:\Windows\System32\cmd.exe
  cmd.exe /c ""C:\Users\Admin\Downloads\MAS_AIO-CRC32_31F7FD1E.cmd" -qedit"
  2⤵
  PID:5968
- - C:\Windows\System32\reg.exe
    reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f
    3⤵
    - Modifies registry key
    PID:2724
- - C:\Windows\System32\sc.exe
    sc query Null
    3⤵
    - Launches sc.exe
    PID:5872
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:5452
- - C:\Windows\System32\findstr.exe
    findstr /v "$" "MAS_AIO-CRC32_31F7FD1E.cmd"
    3⤵
    PID:3448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
    3⤵
    PID:4112
- - C:\Windows\System32\find.exe
    find /i "/"
    3⤵
    PID:6052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:6084
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Console" /v ForceV2
    3⤵
    PID:6072
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:6080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
    3⤵
    PID:2492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
      4⤵
      PID:640
  - - C:\Windows\System32\cmd.exe
      cmd
      4⤵
      PID:6060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\Downloads\MAS_AIO-CRC32_31F7FD1E.cmd" "
    3⤵
    PID:5740
- - C:\Windows\System32\find.exe
    find /i "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:2036
- - C:\Windows\System32\fltMC.exe
    fltmc
    3⤵
    PID:1148
- - C:\Windows\System32\reg.exe
    reg query HKCU\Console /v QuickEdit
    3⤵
    PID:5708
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:2908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
    3⤵
    PID:1548
  - - C:\Windows\System32\PING.EXE
      ping -4 -n 1 updatecheck.massgrave.dev
      4⤵
      Runs ping.exe
      PID:3408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
    3⤵
    PID:2712
- - C:\Windows\System32\find.exe
    find "127.69"
    3⤵
    PID:5720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
    3⤵
    PID:3828
- - C:\Windows\System32\find.exe
    find "127.69.2.6"
    3⤵
    PID:1800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
    3⤵
    PID:1884
- - C:\Windows\System32\find.exe
    find /i "/S"
    3⤵
    PID:5348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
    3⤵
    PID:5128
- - C:\Windows\System32\find.exe
    find /i "/"
    3⤵
    PID:2676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:3028
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      PID:3208
- - C:\Windows\System32\mode.com
    mode 76, 30
    3⤵
    PID:4452
- - C:\Windows\System32\choice.exe
    choice /C:123456780 /N
    3⤵
    PID:4600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:5444
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Console" /v ForceV2
    3⤵
    PID:3256
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:5108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
    3⤵
    PID:5580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
      4⤵
      PID:5584
  - - C:\Windows\System32\cmd.exe
      cmd
      4⤵
      PID:1880
- - C:\Windows\System32\mode.com
    mode 110, 34
    3⤵
    PID:1976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe $ExecutionContext.SessionState.LanguageMode
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5140
- - C:\Windows\System32\find.exe
    find /i "Full"
    3⤵
    PID:5948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
    3⤵
    PID:2444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
    3⤵
    PID:5844
- - C:\Windows\System32\find.exe
    find /i "Windows"
    3⤵
    PID:1612
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path Win32_ComputerSystem get CreationClassName /value
    3⤵
    PID:5824
- - C:\Windows\System32\find.exe
    find /i "computersystem"
    3⤵
    PID:564
- - C:\Windows\System32\sc.exe
    sc start sppsvc
    3⤵
    - Launches sc.exe
    PID:5432
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
    3⤵
    PID:5228
- - C:\Windows\System32\findstr.exe
    findstr /i "Windows"
    3⤵
    PID:4592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
    3⤵
    PID:5192
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
    3⤵
    PID:5276
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
      4⤵
      PID:5268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
    3⤵
    PID:5904
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
      4⤵
      PID:2460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
    3⤵
    PID:4728
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
      4⤵
      PID:992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:5548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 1 l.root-servers.net
    3⤵
    PID:5496
  - - C:\Windows\System32\PING.EXE
      ping -n 1 l.root-servers.net
      4⤵
      Runs ping.exe
      PID:236
- - C:\Windows\System32\reg.exe
    reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:6088
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:412
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:5652
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:5744
- - C:\Windows\System32\sc.exe
    sc start ClipSVC
    3⤵
    - Launches sc.exe
    PID:5696
- - C:\Windows\System32\sc.exe
    sc query ClipSVC
    3⤵
    - Launches sc.exe
    PID:3496
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
    3⤵
    PID:1148
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
    3⤵
    PID:4028
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
    3⤵
    - Modifies registry key
    PID:2908
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
    3⤵
    - Modifies registry key
    PID:5716
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
    3⤵
    - Modifies registry key
    PID:5648
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
    3⤵
    - Modifies registry key
    PID:5556
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
    3⤵
    PID:5544
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
    3⤵
    - Modifies registry key
    PID:3484
- - C:\Windows\System32\sc.exe
    sc start wlidsvc
    3⤵
    - Launches sc.exe
    PID:1504
- - C:\Windows\System32\sc.exe
    sc query wlidsvc
    3⤵
    - Launches sc.exe
    PID:5348
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
    3⤵
    - Modifies registry key
    PID:1344
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
    3⤵
    - Modifies registry key
    PID:3292
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
    3⤵
    PID:3028
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
    3⤵
    PID:968
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
    3⤵
    PID:2784
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
    3⤵
    - Modifies registry key
    PID:5448
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
    3⤵
    - Modifies registry key
    PID:6004
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
    3⤵
    - Modifies registry key
    PID:1440
- - C:\Windows\System32\sc.exe
    sc start sppsvc
    3⤵
    - Launches sc.exe
    PID:2408
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:1644
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
    3⤵
    - Modifies registry key
    PID:1712
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
    3⤵
    PID:5580
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
    3⤵
    - Modifies registry key
    PID:4940
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
    3⤵
    - Modifies registry key
    PID:1396
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
    3⤵
    - Modifies registry key
    PID:3516
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
    3⤵
    PID:1904
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
    3⤵
    PID:5960
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
    3⤵
    PID:1108
- - C:\Windows\System32\sc.exe
    sc start KeyIso
    3⤵
    - Launches sc.exe
    PID:1360
- - C:\Windows\System32\sc.exe
    sc query KeyIso
    3⤵
    - Launches sc.exe
    PID:2880
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
    3⤵
    - Modifies registry key
    PID:5168
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
    3⤵
    PID:4380
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
    3⤵
    - Modifies registry key
    PID:2752
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
    3⤵
    PID:1096
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
    3⤵
    - Modifies registry key
    PID:4432
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
    3⤵
    - Modifies registry key
    PID:3944
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
    3⤵
    PID:5828
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
    3⤵
    PID:5848
- - C:\Windows\System32\sc.exe
    sc start LicenseManager
    3⤵
    - Launches sc.exe
    PID:4652
- - C:\Windows\System32\sc.exe
    sc query LicenseManager
    3⤵
    - Launches sc.exe
    PID:5284
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
    3⤵
    - Modifies registry key
    PID:5844
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
    3⤵
    - Modifies registry key
    PID:2900
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
    3⤵
    PID:4548
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
    3⤵
    PID:5880
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
    3⤵
    PID:4644
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
    3⤵
    - Modifies registry key
    PID:5884
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
    3⤵
    - Modifies registry key
    PID:3744
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
    3⤵
    - Modifies registry key
    PID:2448
- - C:\Windows\System32\sc.exe
    sc start Winmgmt
    3⤵
    - Launches sc.exe
    PID:5000
- - C:\Windows\System32\sc.exe
    sc query Winmgmt
    3⤵
    - Launches sc.exe
    PID:988
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
    3⤵
    PID:832
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
    3⤵
    PID:6116
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
    3⤵
    - Modifies registry key
    PID:5860
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
    3⤵
    - Modifies registry key
    PID:2016
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
    3⤵
    - Modifies registry key
    PID:5888
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
    3⤵
    - Modifies registry key
    PID:5228
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
    3⤵
    PID:5200
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
    3⤵
    - Modifies registry key
    PID:5292
- - C:\Windows\System32\sc.exe
    sc start DoSvc
    3⤵
    - Launches sc.exe
    PID:5308
- - C:\Windows\System32\sc.exe
    sc query DoSvc
    3⤵
    PID:5188
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DependOnService
    3⤵
    - Modifies registry key
    PID:4352
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Description
    3⤵
    - Modifies registry key
    PID:5172
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DisplayName
    3⤵
    PID:5316
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ErrorControl
    3⤵
    PID:5008
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ImagePath
    3⤵
    - Modifies registry key
    PID:3932
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ObjectName
    3⤵
    - Modifies registry key
    PID:3508
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Start
    3⤵
    - Modifies registry key
    PID:5240
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Type
    3⤵
    - Modifies registry key
    PID:5868
- - C:\Windows\System32\sc.exe
    sc start UsoSvc
    3⤵
    - Launches sc.exe
    PID:5300
- - C:\Windows\System32\sc.exe
    sc query UsoSvc
    3⤵
    - Launches sc.exe
    PID:5244
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DependOnService
    3⤵
    PID:5452
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Description
    3⤵
    PID:5872
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DisplayName
    3⤵
    - Modifies registry key
    PID:3448
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ErrorControl
    3⤵
    PID:5664
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ImagePath
    3⤵
    PID:5340
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ObjectName
    3⤵
    - Modifies registry key
    PID:5976
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Start
    3⤵
    - Modifies registry key
    PID:5384
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Type
    3⤵
    PID:3220
- - C:\Windows\System32\sc.exe
    sc start CryptSvc
    3⤵
    - Launches sc.exe
    PID:6060
- - C:\Windows\System32\sc.exe
    sc query CryptSvc
    3⤵
    - Launches sc.exe
    PID:1100
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DependOnService
    3⤵
    PID:2492
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Description
    3⤵
    - Modifies registry key
    PID:6088
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DisplayName
    3⤵
    - Modifies registry key
    PID:2184
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ErrorControl
    3⤵
    PID:2100
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ImagePath
    3⤵
    - Modifies registry key
    PID:2072
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ObjectName
    3⤵
    PID:6048
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Start
    3⤵
    - Modifies registry key
    PID:3592
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Type
    3⤵
    - Modifies registry key
    PID:5644
- - C:\Windows\System32\sc.exe
    sc start BITS
    3⤵
    - Launches sc.exe
    PID:2300
- - C:\Windows\System32\sc.exe
    sc query BITS
    3⤵
    - Launches sc.exe
    PID:1504
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DependOnService
    3⤵
    - Modifies registry key
    PID:1560
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Description
    3⤵
    PID:968
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DisplayName
    3⤵
    PID:2784
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ErrorControl
    3⤵
    - Modifies registry key
    PID:5448
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ImagePath
    3⤵
    - Modifies registry key
    PID:6004
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ObjectName
    3⤵
    - Modifies registry key
    PID:1440
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Start
    3⤵
    - Modifies registry key
    PID:2408
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Type
    3⤵
    - Modifies registry key
    PID:5508
- - C:\Windows\System32\sc.exe
    sc start TrustedInstaller
    3⤵
    - Launches sc.exe
    PID:408
- - C:\Windows\System32\sc.exe
    sc query TrustedInstaller
    3⤵
    PID:4132
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DependOnService
    3⤵
    PID:4052
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Description
    3⤵
    PID:460
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DisplayName
    3⤵
    PID:5296
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ErrorControl
    3⤵
    PID:2844
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ImagePath
    3⤵
    PID:3404
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ObjectName
    3⤵
    PID:1088
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Start
    3⤵
    - Modifies registry key
    PID:1412
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Type
    3⤵
    PID:5948
- - C:\Windows\System32\sc.exe
    sc start wuauserv
    3⤵
    PID:1420
- - C:\Windows\System32\sc.exe
    sc query wuauserv
    3⤵
    PID:3808
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
    3⤵
    - Modifies registry key
    PID:1900
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
    3⤵
    - Modifies registry key
    PID:3660
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
    3⤵
    - Modifies registry key
    PID:416
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
    3⤵
    PID:3916
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
    3⤵
    PID:2148
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
    3⤵
    PID:5160
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
    3⤵
    - Modifies registry key
    PID:4688
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
    3⤵
    - Modifies registry key
    PID:5752
- - C:\Windows\System32\sc.exe
    sc start WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2264
- - C:\Windows\System32\sc.exe
    sc query WaaSMedicSvc
    3⤵
    PID:2372
- - C:\Windows\System32\sc.exe
    sc start ClipSVC
    3⤵
    - Launches sc.exe
    PID:1860
- - C:\Windows\System32\sc.exe
    sc start wlidsvc
    3⤵
    - Launches sc.exe
    PID:5248
- - C:\Windows\System32\sc.exe
    sc start sppsvc
    3⤵
    - Launches sc.exe
    PID:5260
- - C:\Windows\System32\sc.exe
    sc start KeyIso
    3⤵
    PID:5212
- - C:\Windows\System32\sc.exe
    sc start LicenseManager
    3⤵
    - Launches sc.exe
    PID:5224
- - C:\Windows\System32\sc.exe
    sc start Winmgmt
    3⤵
    - Launches sc.exe
    PID:3272
- - C:\Windows\System32\sc.exe
    sc start DoSvc
    3⤵
    - Launches sc.exe
    PID:5624
- - C:\Windows\System32\sc.exe
    sc start UsoSvc
    3⤵
    - Launches sc.exe
    PID:1812
- - C:\Windows\System32\sc.exe
    sc start CryptSvc
    3⤵
    PID:2836
- - C:\Windows\System32\sc.exe
    sc start BITS
    3⤵
    - Launches sc.exe
    PID:2816
- - C:\Windows\System32\sc.exe
    sc start TrustedInstaller
    3⤵
    - Launches sc.exe
    PID:5800
- - C:\Windows\System32\sc.exe
    sc start wuauserv
    3⤵
    PID:5712
- - C:\Windows\System32\sc.exe
    sc start WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5816
- - C:\Windows\System32\sc.exe
    sc config DoSvc start= delayed-auto
    3⤵
    - Launches sc.exe
    PID:2112
- - C:\Windows\System32\sc.exe
    sc config UsoSvc start= delayed-auto
    3⤵
    - Launches sc.exe
    PID:2092
- - C:\Windows\System32\sc.exe
    sc config wuauserv start= demand
    3⤵
    - Launches sc.exe
    PID:5292
- - C:\Windows\System32\sc.exe
    sc query ClipSVC
    3⤵
    PID:5208
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:404
- - C:\Windows\System32\sc.exe
    sc start ClipSVC
    3⤵
    PID:5304
- - C:\Windows\System32\sc.exe
    sc query wlidsvc
    3⤵
    - Launches sc.exe
    PID:4588
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:5316
- - C:\Windows\System32\sc.exe
    sc start wlidsvc
    3⤵
    - Launches sc.exe
    PID:5192
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:8
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:5276
- - C:\Windows\System32\sc.exe
    sc start sppsvc
    3⤵
    - Launches sc.exe
    PID:3984
- - C:\Windows\System32\sc.exe
    sc query KeyIso
    3⤵
    - Launches sc.exe
    PID:3508
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:5264
- - C:\Windows\System32\sc.exe
    sc start KeyIso
    3⤵
    - Launches sc.exe
    PID:5244
- - C:\Windows\System32\sc.exe
    sc query LicenseManager
    3⤵
    - Launches sc.exe
    PID:5452
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:3728
- - C:\Windows\System32\sc.exe
    sc start LicenseManager
    3⤵
    - Launches sc.exe
    PID:3448
- - C:\Windows\System32\sc.exe
    sc query Winmgmt
    3⤵
    - Launches sc.exe
    PID:5664
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:4112
- - C:\Windows\System32\sc.exe
    sc start Winmgmt
    3⤵
    - Launches sc.exe
    PID:5976
- - C:\Windows\System32\sc.exe
    sc query DoSvc
    3⤵
    PID:5384
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:5692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Start-Service DoSvc
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6060
- - C:\Windows\System32\sc.exe
    sc query DoSvc
    3⤵
    - Launches sc.exe
    PID:4256
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:5448
- - C:\Windows\System32\sc.exe
    sc start DoSvc
    3⤵
    - Launches sc.exe
    PID:5584
- - C:\Windows\System32\sc.exe
    sc query UsoSvc
    3⤵
    - Launches sc.exe
    PID:1868
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:2408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Start-Service UsoSvc
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1976
- - C:\Windows\System32\sc.exe
    sc query UsoSvc
    3⤵
    - Launches sc.exe
    PID:1960
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:1572
- - C:\Windows\System32\sc.exe
    sc start UsoSvc
    3⤵
    PID:5368
- - C:\Windows\System32\sc.exe
    sc query CryptSvc
    3⤵
    - Launches sc.exe
    PID:4240
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:5828
- - C:\Windows\System32\sc.exe
    sc start CryptSvc
    3⤵
    PID:2444
- - C:\Windows\System32\sc.exe
    sc query BITS
    3⤵
    - Launches sc.exe
    PID:4652
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:5160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Start-Service BITS
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5844
- - C:\Windows\System32\sc.exe
    sc query BITS
    3⤵
    - Launches sc.exe
    PID:2836
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:4192
- - C:\Windows\System32\sc.exe
    sc start BITS
    3⤵
    - Launches sc.exe
    PID:5800
- - C:\Windows\System32\sc.exe
    sc query TrustedInstaller
    3⤵
    - Launches sc.exe
    PID:5712
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Start-Service TrustedInstaller
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2112
- - C:\Windows\System32\sc.exe
    sc query TrustedInstaller
    3⤵
    - Launches sc.exe
    PID:5272
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:5192
- - C:\Windows\System32\sc.exe
    sc start TrustedInstaller
    3⤵
    - Launches sc.exe
    PID:5944
- - C:\Windows\System32\sc.exe
    sc query wuauserv
    3⤵
    - Launches sc.exe
    PID:5188
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:3984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Start-Service wuauserv
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3508
- - C:\Windows\System32\sc.exe
    sc query wuauserv
    3⤵
    PID:4080
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:2492
- - C:\Windows\System32\sc.exe
    sc start wuauserv
    3⤵
    - Launches sc.exe
    PID:5696
- - C:\Windows\System32\sc.exe
    sc query WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4028
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:2072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Start-Service WaaSMedicSvc
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2824
- - C:\Windows\System32\sc.exe
    sc query WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2752
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:5020
- - C:\Windows\System32\sc.exe
    sc start WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo TrustedInstaller-1058, WaaSMedicSvc-1060 "
    3⤵
    PID:4432
- - C:\Windows\System32\findstr.exe
    findstr /i "ClipSVC-1058 sppsvc-1058"
    3⤵
    PID:3720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
    3⤵
    PID:5160
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
      4⤵
      PID:1860
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
    3⤵
    PID:5260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul
    3⤵
    PID:5856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\MAS_AIO-CRC32_31F7FD1E.cmd') -split ':wpatest\:.*';iex ($f[1]);"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "6" "
    3⤵
    PID:2824
- - C:\Windows\System32\find.exe
    find /i "Error Found"
    3⤵
    PID:3808
- - C:\Windows\System32\Dism.exe
    DISM /English /Online /Get-CurrentEdition
    3⤵
    - Drops file in Windows directory
    PID:6128
  - - C:\Users\Admin\AppData\Local\Temp\0DB57F8C-97A1-4A49-ADC3-B4384F07FB45\dismhost.exe
      C:\Users\Admin\AppData\Local\Temp\0DB57F8C-97A1-4A49-ADC3-B4384F07FB45\dismhost.exe {CD95B910-A5D7-4120-83D9-41B4D9AD3374}
      4⤵
      Drops file in Windows directory
      Executes dropped EXE
      Loads dropped DLL
      PID:5884
- - C:\Windows\System32\cmd.exe
    cmd /c exit /b -2147467259
    3⤵
    PID:5508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
    3⤵
    PID:5188
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
      4⤵
      PID:2800
- - C:\Windows\System32\cscript.exe
    cscript //nologo C:\Windows\system32\slmgr.vbs /dlv
    3⤵
    PID:2900
- - C:\Windows\System32\cmd.exe
    cmd /c exit /b 0
    3⤵
    PID:2720
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path Win32_ComputerSystem get CreationClassName /value
    3⤵
    PID:6404
- - C:\Windows\System32\find.exe
    find /i "computersystem"
    3⤵
    PID:6412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "0" "
    3⤵
    PID:6604
- - C:\Windows\System32\findstr.exe
    findstr /i "0x800410 0x800440"
    3⤵
    PID:6612
- - C:\Windows\System32\reg.exe
    reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
    3⤵
    PID:6632
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
    3⤵
    PID:6644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
    3⤵
    PID:6660
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
      4⤵
      PID:6672
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
    3⤵
    PID:6692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
    3⤵
    PID:6704
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
      4⤵
      PID:6720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
    3⤵
    PID:6732
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
      4⤵
      PID:6756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:964
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v SettingsPageVisibility
    3⤵
    - Modifies registry key
    PID:3208
- - C:\Windows\System32\find.exe
    find /i "windowsupdate"
    3⤵
    PID:4776
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdateSysprepInProgress
    3⤵
    - Modifies registry key
    PID:6768
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
    3⤵
    PID:404
- - C:\Windows\System32\findstr.exe
    findstr /i "NoAutoUpdate DisableWindowsUpdateAccess"
    3⤵
    PID:5156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo: TrustedInstaller-1058, WaaSMedicSvc-1060 "
    3⤵
    PID:7140
- - C:\Windows\System32\find.exe
    find /i "wuauserv"
    3⤵
    PID:5752
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps
    3⤵
    PID:4768
- - C:\Windows\System32\find.exe
    find /i "0x1"
    3⤵
    PID:5300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 5d78c4e9-aeb3-4b40-8ac2-6a6005e0ad6d 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 92fb8726-92a8-4ffc-94ce-f82e07444653 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 ca7df2e3-5ea0-47b8-9ac1-b1be4d8edd69 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "
    3⤵
    PID:5844
- - C:\Windows\System32\find.exe
    find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
    3⤵
    PID:6320
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
    3⤵
    PID:6428
- - C:\Windows\System32\cmd.exe
    cmd /c exit /b 0
    3⤵
    PID:6576
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
    3⤵
    PID:6344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
    3⤵
    PID:3384
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Control Panel\International\Geo" /v Name
      4⤵
      PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
    3⤵
    PID:2352
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Control Panel\International\Geo" /v Nation
      4⤵
      PID:7132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
    3⤵
    PID:5156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
      4⤵
      PID:7156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "
    3⤵
    PID:6328
- - C:\Windows\System32\find.exe
    find "AAAA"
    3⤵
    PID:7004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Restart-Service ClipSVC
    3⤵
    PID:4308
- - C:\Windows\System32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:5248
- - C:\Windows\System32\ClipUp.exe
    clipup -v -o
    3⤵
    PID:6696
  - - C:\Windows\System32\clipup.exe
      clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\temD761.tmp
      4⤵
      Checks SCSI registry key(s)
      PID:6692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
    3⤵
    PID:5696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
      4⤵
      PID:236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
    3⤵
    PID:3932
- - C:\Windows\System32\find.exe
    find /i "Windows"
    3⤵
    PID:7136
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate
    3⤵
    PID:7016
- - C:\Windows\System32\cmd.exe
    cmd /c exit /b 0
    3⤵
    PID:4540
- - C:\Windows\System32\wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
    3⤵
    PID:6324
- - C:\Windows\System32\findstr.exe
    findstr /i "Windows"
    3⤵
    PID:6460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s DoSvc
1⤵
PID:6048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3404

C:\Users\Admin\AppData\Local\Discord\Update.exe
"C:\Users\Admin\AppData\Local\Discord\Update.exe" --processStart Discord.exe
1⤵
- Executes dropped EXE
PID:4824
- C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe
  "C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe"
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:2700
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe
    C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9051 --annotation=plat=Win32 --annotation=prod=Electron --annotation=ver=30.1.0 --initial-client-data=0x558,0x55c,0x560,0x554,0x564,0x9bebcc4,0x9bebcd0,0x9bebcdc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:564
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2144,i,7410687827945502064,8769898791409950378,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2136 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5236
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --field-trial-handle=2660,i,7410687827945502064,8769898791409950378,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2560 /prefetch:3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5272
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=0 --gpu-device-id=0 --gpu-sub-system-id=0 --gpu-revision=0 --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2708,i,7410687827945502064,8769898791409950378,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2704 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:5240
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:5444
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5020
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3348,i,7410687827945502064,8769898791409950378,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3344 /prefetch:1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2148
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
    3⤵
    - Modifies registry class
    PID:5300
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe\",-1" /f
    3⤵
    - Modifies registry class
    PID:4256
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe\" --url -- \"%1\"" /f
    3⤵
    - Modifies registry class
    PID:488
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9051\Discord.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --field-trial-handle=4176,i,7410687827945502064,8769898791409950378,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5368
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord
    3⤵
    - Modifies registry key
    PID:3448
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "\"C:\Users\Admin\AppData\Local\Discord\Update.exe\" --processStart Discord.exe" /f
    3⤵
    - Adds Run key to start application
    PID:6384
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe
    C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe
    3⤵
    - Drops file in Windows directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SendNotifyMessage
    PID:6596
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe
      C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9152 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=30.1.0 --initial-client-data=0x524,0x528,0x52c,0x51c,0x530,0x7ff6db6b9218,0x7ff6db6b9224,0x7ff6db6b9230
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2264
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,13382138903539931393,16656007105776177385,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1896 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6216
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --field-trial-handle=2668,i,13382138903539931393,16656007105776177385,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2540 /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6240
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=0 --gpu-device-id=0 --gpu-sub-system-id=0 --gpu-revision=0 --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2684,i,13382138903539931393,16656007105776177385,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2676 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:6260
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
      4⤵
      Modifies registry class
      PID:6684
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6720
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3352,i,13382138903539931393,16656007105776177385,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3344 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4028
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
      4⤵
      Modifies registry class
      PID:6880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "chcp"
      4⤵
      PID:7020
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4880
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe\",-1" /f
      4⤵
      Modifies registry class
      PID:4688
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6128
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=4104,i,13382138903539931393,16656007105776177385,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4100 --enable-node-leakage-in-renderers /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:7096
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4080,i,13382138903539931393,16656007105776177385,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4124 --enable-node-leakage-in-renderers /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks SCSI registry key(s)
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      PID:1656
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe
        
        "\\?\C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe" nvidia
        5⤵
        Executes dropped EXE
        
        PID:1932
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe
        
        "\\?\C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe" amd
        5⤵
        Executes dropped EXE
        
        PID:5264
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe
        
        "\\?\C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\modules\discord_voice-1\discord_voice\gpu_encoder_helper.exe" intel
        5⤵
        Executes dropped EXE
        
        PID:1860
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c ""C:\Windows/System32/nvidia-smi.exe""
        5⤵
        
        PID:5156
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe\" --url -- \"%1\"" /f
      4⤵
      Modifies registry class
      Modifies registry key
      PID:2092
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --field-trial-handle=4172,i,13382138903539931393,16656007105776177385,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5616
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --field-trial-handle=2040,i,13382138903539931393,16656007105776177385,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3376 /prefetch:8
      4⤵
      Executes dropped EXE
      PID:6704
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --field-trial-handle=4296,i,13382138903539931393,16656007105776177385,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4304 /prefetch:8
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:4112
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\Discord.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip --field-trial-handle=4524,i,13382138903539931393,16656007105776177385,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4520 /prefetch:8
      4⤵
      Executes dropped EXE
      PID:6912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discordapp.com/handoff?rpc=6463&key=0bf20cbc-a594-49a1-83fb-499599255e53
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of SendNotifyMessage
      PID:2156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff80b273cb8,0x7ff80b273cc8,0x7ff80b273cd8
        5⤵
        
        PID:4608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,9439021882807373010,5009095259767131085,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1860 /prefetch:2
        5⤵
        
        PID:2012
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,9439021882807373010,5009095259767131085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        5⤵
        
        PID:5524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,9439021882807373010,5009095259767131085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
        5⤵
        
        PID:6564
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,9439021882807373010,5009095259767131085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
        5⤵
        
        PID:6772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,9439021882807373010,5009095259767131085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
        5⤵
        
        PID:6812
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord
      4⤵
      PID:3132
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "\"C:\Users\Admin\AppData\Local\Discord\Update.exe\" --processStart Discord.exe" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:5292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4888
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1492

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
1⤵
PID:3384
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:404
- C:\Windows\system32\Clipup.exe
  "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\SystemTemp\temCCF1.tmp
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:6236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Skillbrains\Updater\Updater.exe

Filesize
405KB

MD5
3ec8f4bd54ef439a8fab6467122da0c4

SHA1
ee2e65cbbaa22db70d89b85db28ee955d4db12f9

SHA256
a5e3bdc3b0b0bd6455892e23008161b5478b24f4fe1801f43a8a01cfff1bcba7

SHA512
0f50ce35241d5d55f0f3bae6fb38de39213a48d356478efac76c0292b286b58ddb855e130fd03bdf3cd63e141aa14ffd5318671e9885b2c17411f8ba3aba6189

Download Submit
C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe

Filesize
221KB

MD5
62eb961457df016fa3949e9601a1a845

SHA1
0c0a5fa4f6cb9e18c0e3431d5e1bf45fd2e05352

SHA256
8d4c4bcf7d7aedf0480e3eaac52138e63724ae83c419de8a98d6ab32d1c93645

SHA512
fb4fcb6a3f5b7a3eb35a1689a0d15e3d8f9f520180d6cc57857b90b8af3d576da179c30c18019da5500f58d6f86c07645090e0c75accbd87257e1b73d291ae81

Download Submit
C:\Program Files (x86)\Skillbrains\lightshot\unins000.exe

Filesize
1.5MB

MD5
c6bffd4da620b07cb214f1bd8e7f21d2

SHA1
054221dc0c8a686e0d17edd6e02c06458b1395c3

SHA256
55dbb288d5df6df375487bae50661dbf530fd43a7e96017b7183a54db8fc376a

SHA512
91e50df87a6e42b01e24accead25726047a641c3960fa3336f560168ed68356e6992d289a0a71b629d74ad7b00bbdbf7e6e909a4c8b5b1616fbf3b0cc63210ab

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket

Filesize
1KB

MD5
67a8abe602fd21c5683962fa75f8c9fd

SHA1
e296942da1d2b56452e05ae7f753cd176d488ea8

SHA256
1d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411

SHA512
70b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9152\modules\discord_dispatch-1\discord_dispatch\dispatch.log

Filesize
660B

MD5
069bea61ca8315bae512a9d8d8b05260

SHA1
f2b940b0d92a15f8f1733dbad2de4d5f3ac54037

SHA256
8d74c699f883cd06e3935df3b0987d3591cd8131282fd4a12bc452ceb231b7b5

SHA512
e7ce07dce3078085ea51a242821f975a5dc820368163230cdc6ca9f80459704790743f0194286f2c3ec09c96ff3305c6d2865d4f605b1ebec1a0154557c9302b

Download Submit
C:\Users\Admin\AppData\Local\Discord\app.ico

Filesize
278KB

MD5
084f9bc0136f779f82bea88b5c38a358

SHA1
64f210b7888e5474c3aabcb602d895d58929b451

SHA256
dfcea1bea8a924252d507d0316d8cf38efc61cf1314e47dca3eb723f47d5fe43

SHA512
65bccb3e1d4849b61c68716831578300b20dcaf1cbc155512edbc6d73dccbaf6e5495d4f95d089ee496f8e080057b7097a628cc104fa8eaad8da866891d9e3eb

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\1fd8295731b9d4b24fe4f0a07b7aed43194943f0bcbf75990d38503adea321a5

Filesize
270KB

MD5
40c91d4ca6206d64fed233d67bec986e

SHA1
62661e6e907059c8cc079f902b4794ff7dd082f0

SHA256
1fd8295731b9d4b24fe4f0a07b7aed43194943f0bcbf75990d38503adea321a5

SHA512
09deef2d03b220a82d85d2b3fd446b9bfa9428a9a4281aaf19213d2cf1a40ab9686be5fed3931719367bf14f67a1091abdb5359df1717b4cf583334e8edc0b8b

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\2730d89fd87c93445dc5b0328ec61f7666fb0ff837e02fdba43eec667649ae45

Filesize
1.6MB

MD5
c0039fc8775c8a9e32ef2258fe73f604

SHA1
c2ef4b1c88557e2f2596cd2dfc5a7c2218b674a0

SHA256
2730d89fd87c93445dc5b0328ec61f7666fb0ff837e02fdba43eec667649ae45

SHA512
6493718c073780f6fb6ce3e2347cfc03275917975b4c4f27ca85a79cf4aacf16771f9f7fc8c10d4e7f683371029de73a31f1a9476183ca73c9af65f5d77722bd

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\2f076e980994d14e782640ae3de7b50083e65007166aa4e8d4ca5040c609c179

Filesize
9.4MB

MD5
a574ab98f7d1714239b56717bb12b592

SHA1
b59604ba52247861ba2ef370884c78e7f9c91232

SHA256
2f076e980994d14e782640ae3de7b50083e65007166aa4e8d4ca5040c609c179

SHA512
89aae260262144b601c5bca8adc213a1b134d25c3a214369f85f4fdb4b10764231a4f8c881744c48dd0c3cbca3777d77f7afaecb0427b3c349232c74f964cbb2

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\3bfe4b38e6a48e857910bf19084beadc9764483e2e25d48e849f623b0b5be41c

Filesize
315KB

MD5
b79e4ad57872ad9ed8546ad35bcc488c

SHA1
ee793c249e493246a98d842106b98f06ea30e780

SHA256
3bfe4b38e6a48e857910bf19084beadc9764483e2e25d48e849f623b0b5be41c

SHA512
ebd2f9b16d602bf1679d349c5d60d72db15ed6dc672d1fdd296d2f68ef8f1998a7e5927e9cce1440da8374c3ef2ca40692a31a0a1f1056d79f2b342606404a17

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\4d954e739d4fdbbb263b7496d8f0eda2c744362cdda87a4a4061610f9004dabc

Filesize
413KB

MD5
ebd33aff637ef0d79b2dc0fbff3381c7

SHA1
96e82b6692b4218a59efac56a9f8d7bbfde6d920

SHA256
4d954e739d4fdbbb263b7496d8f0eda2c744362cdda87a4a4061610f9004dabc

SHA512
b495af887f17215bfb625a678e485ef3caa3df6b3166315f040e595b6e41c7b1ae32c5c57daa1cd0f04188385f825e7d91cd73f18f3fac26b735484101d05886

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\51e05565b70606607ef93a1d65072b40fdf337057e968a1cb3522e87e98781a7

Filesize
3.8MB

MD5
687eddb58cd054479de4508605b5fd6c

SHA1
e39d37b264c965c066cb628e5013a073a586416a

SHA256
51e05565b70606607ef93a1d65072b40fdf337057e968a1cb3522e87e98781a7

SHA512
0da6f2dec629d8dcde7167efca83c54bb76810771ebbb439c78bae3ac8662fa3177366124181a9c2988dc6aec1cb9ab2c73277dbcdc6873deb277a4a2aea7b6f

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\56ee2dfa922e38f2f6756a91aef9e44f070d1e7033fd46c0eacb158003df73bd

Filesize
16.6MB

MD5
982ade3d7ba7f640352948e825a8c157

SHA1
dbf4f5c58c52386e5f304fca39a3ef73fa27373e

SHA256
56ee2dfa922e38f2f6756a91aef9e44f070d1e7033fd46c0eacb158003df73bd

SHA512
9d25623b586604bbed032b52c03e51e845dffe234d39a6454a08079436bd7a9542e699fdf5834061b7fb29603314e83da795d0d412c73189b128066111e02a2e

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\5cf6dc9ff4903cf491abe6d097d57e8f86a66c249a4a4dbf598467c52194b063

Filesize
187KB

MD5
404a5d70f6a7dc5911c166a5616d8c85

SHA1
f1d78f06ff0aa2d84cc5c9822fb9da4ac177b1f3

SHA256
5cf6dc9ff4903cf491abe6d097d57e8f86a66c249a4a4dbf598467c52194b063

SHA512
354b032dba18f6bbf48f157401f3fd20636745512d6cc3abeaa8e69acbdd0e3f3552493b8109980463fc416b909bae509c3bc8e5aa40b3e09f1702ef2bb2fed4

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\86e71d6f45c0cb489e2321ba73c5eccc64fb357451f2fc9ec23903184f3cab2b

Filesize
232KB

MD5
14944b8f52ef9004d577043bf838fb59

SHA1
526446527fcf54c6f5479ea1032c405fe5d648ad

SHA256
86e71d6f45c0cb489e2321ba73c5eccc64fb357451f2fc9ec23903184f3cab2b

SHA512
a48c3876adf563236d7831c3bc755824ca84fb0fc070339cb3e4227e12578ae490f2e7800ba5987944735ca587e7c15de10819aec53242fe0cef91dcc0b5ae05

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\ac67eb0fa11e60d81e4c2b353632ea4cc094dca2ee02104aa81b8e5b4d397592

Filesize
1.6MB

MD5
3d443c47f0316344c514533353b33100

SHA1
9bac99dfe5350c6b1944636a1ab73eb3dd6d8b6d

SHA256
ac67eb0fa11e60d81e4c2b353632ea4cc094dca2ee02104aa81b8e5b4d397592

SHA512
445d558143ae6879cb814dc691804b964837eebe23db16714f456def45d166df44ed196adac6d8011b109b8254086952c684507cf55b62d417df6335903a595d

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\ce26c7492bfbf8669ac75a499e353b7636661e8b5f5374f76b7cfa92a1d79e23

Filesize
31KB

MD5
23d18720b6a343cfe9bb441aeabc5953

SHA1
8f8f345f0f8aa2838a991b6d1a40548d8e8e54a2

SHA256
ce26c7492bfbf8669ac75a499e353b7636661e8b5f5374f76b7cfa92a1d79e23

SHA512
9c612d2dbb4ff628d477217a77bfa6fb7d75839b83e7878d3c8acf7b0aeed32578d5477e82642b9fda6f4556acbf6397f9ad67596315aa0777e8b055366fdfc8

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\e1fe55e5b44b1525090c5153c82ad95bbab2f7900bc8e5a14b810de3e16e8147

Filesize
2.6MB

MD5
770f8378dfeda944aa32807c11eb94cf

SHA1
38b0e537e3643801e906c70879b6c50dd003ef98

SHA256
e1fe55e5b44b1525090c5153c82ad95bbab2f7900bc8e5a14b810de3e16e8147

SHA512
99849f85fd13090ec058e58d6a19a77da38c8e3858327e916ea28b62b9549433c322f88af02712086ef5216bd4e6a672a28a8a8f54f5222edb9390f836f6e6e7

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\e22ad5a3a04d298873557c974a1f810aeadfc61edfff99d280f03db4305de4b3

Filesize
1.4MB

MD5
456ec3131b4cb4f4a42648150ff9fbb8

SHA1
9fa5279d017507cc70d757ab09811b5eb8beb86c

SHA256
e22ad5a3a04d298873557c974a1f810aeadfc61edfff99d280f03db4305de4b3

SHA512
506f5a5d7b8062ce2f35ed968db85deaf83618a99c1b01fd727adbc46d0423cd3bf9391d783601b11207ef251b6197e6c91e617315c487b597c1e71e3578f9cd

Download Submit
C:\Users\Admin\AppData\Local\Discord\download\fadbd3f392b8564c6d60faae7acb895350b6138d09860cdefffc5ed5567a1cce

Filesize
465KB

MD5
b393d06dce31c04424de9d55d32f18d6

SHA1
eedf84f38d7330b540913f20699e97d2fab2595a

SHA256
fadbd3f392b8564c6d60faae7acb895350b6138d09860cdefffc5ed5567a1cce

SHA512
40d5be4cdf1bce9b8a765004e182286c4554e874791d710ffd475b8ca6e340a0172e376a8eba33a087eea4339b5434b3fc81865f4e1d2248e63178dc1c601dc1

Download Submit
C:\Users\Admin\AppData\Local\Discord\installer.db

Filesize
120KB

MD5
aa87360b32c0e758734ae5ce9efc1187

SHA1
a9614815ab30bd4e18003a2344931e4137645bbd

SHA256
a0c9db6f796a24cd43c4475a4024ca08b14cd7e59ab414ebe4b686d63e4700c1

SHA512
9d60db0e3f67ed4c91541752c8c172df79df911f4151f9e9077e5b2cb6f2f0d66aec9263cce7e1e3536463c210eb6f43fabfd9e64a1762a8c2d58cac1a42d011

Download Submit
C:\Users\Admin\AppData\Local\Discord\installer.db

Filesize
224KB

MD5
42cd62b9d41701cf6f60bcbffdc285c5

SHA1
3d6370c39c9b6665db282a41fe9d861d4631bb0e

SHA256
eb3e07d06254386f6d5656b0a2d25893fb5833d6b67da9496f13db6eee6943f7

SHA512
1427817faf5220e80d662bea39f0cf7d37456bc3f7fef6fdcd912b2a1def5b983fb9fb6f54670e069b647e1d3d24f27872485df8dafaa2df8f23ae6b51a7d152

Download Submit
C:\Users\Admin\AppData\Local\Discord\installer.db

Filesize
232KB

MD5
7eb0c5f10d4919281b09349e0d44efe7

SHA1
ebdb99910a47ae3b2f9c30200c601cffa59d12b7

SHA256
1b8c173678d45bf8d0e2a62db64668fd03304201595f3e469c0c69ab17d1f849

SHA512
26f794ce99a4de09880ebc6384950c50a1520839f248808bddbf4c146c5971356de38ca0c74888f4fcf5c7ebcbc19ce78dcb6cefba64ca659a98e686aab09600

Download Submit
C:\Users\Admin\AppData\Local\Discord\packages\RELEASES

Filesize
73B

MD5
934e4cd396f3e384cfebcf0464108ae3

SHA1
72838d25a559d4e94a14fc1038011aff81b22ff5

SHA256
be2fc9c14b83f3e7123f7c319ff000b57af625ea22ddaa7d41834c78b2010c6a

SHA512
b829d6894c0446fc264a890cc2e2df8da4e34a6650f74e1343623dec380c8985806de5172f89886878712a48f3bc0ba97a8e8551d5c317281ac524b9f927e11f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
9dc2fdc15ceacfa678d1adc952405ef3

SHA1
764e61bb83333978f17b40b1976e6b4c67b313ab

SHA256
9ffc7768f8450b9626505be2d56a814f624fb25f665d6ca591c383aa1452d196

SHA512
43316994ef8564db8fc681d86051046aabb6bde77111297f7a2c6ed3d4ffe3360bf1262daec3e4e165841fc75d4025f1734adb7660686f60ae4695d12aa7a0c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
88KB

MD5
77e89b1c954303a8aa65ae10e18c1b51

SHA1
e2b15a0d930dcc11f0b38c95b1e68d1ca8334d73

SHA256
069a7cc0309c5d6fc99259d5d5a8e41926996bbae11dc8631a7303a0c2d8c953

SHA512
5780d3532af970f3942eecf731a43f04b0d2bdb9c0f1a262dbd1c3980bcc82fe6d2126236ad33c48ea5434d376de2214d84a9a2ccec46a0671886fe0aa5e5597

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
64KB

MD5
2923c306256864061a11e426841fc44a

SHA1
d9bb657845d502acd69a15a66f9e667ce9b68351

SHA256
5bc3f12e012e1a39ac69afba923768b758089461ccea0b8391f682d91c0ed2fa

SHA512
f2614f699ac296ee1f81e32955c97d2c13177714dbd424e7f5f7de0d8869dd799d13c64929386ac9c942325456d26c4876a09341d17d7c9af4f80695d259cfea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
136KB

MD5
eb2e8647be6240d432811ef764839133

SHA1
bbc5d129359d3ace2db3aef00b871a01233c501c

SHA256
33aa5313217bfd6357a9bc854faf7478b1b85771c6339d962ba0073ca10e28d1

SHA512
ef9d2cc7c7e281c239f2f48b216f35abeb80d20fd3c0638f7f5cf3a29bcaddc9a8023cb8f2f41f6cc2114128dc611cf79c1b2a6c2a54ce5f42f3f85bc7cdb4a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
67KB

MD5
9e3f75f0eac6a6d237054f7b98301754

SHA1
80a6cb454163c3c11449e3988ad04d6ad6d2b432

SHA256
33a84dec02c65acb6918a1ae82afa05664ee27ad2f07760e8b008636510fd5bf

SHA512
5cea53f27a4fdbd32355235c90ce3d9b39f550a1b070574cbc4ea892e9901ab0acace0f8eeb5814515ca6ff2970bc3cc0559a0c87075ac4bb3251bc8eaee6236

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
41KB

MD5
ddb12152235627d79d91205d518ca3b8

SHA1
ffb693be91d5489410e1e3df1026c8696f54aace

SHA256
8280f3b8757419a41cfc842bebb61cd15e98aebd64400cd4075e7b4a7af9231f

SHA512
478d4a236fa688ff043abd63f2cd18d42cef48be1b6a78e46f5d48dc666f68e8292a0dcdcfa9172236307ba62052d7ad50970cdb5afd3a137c38896ec2b15a61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
1.2MB

MD5
32f58aaf5a515bdbb3d13f72879d2bf0

SHA1
1742585148dcce5d9a85464fdc5b25f394e4736b

SHA256
b2be2096fe98a9b55d92512ae7859e8ba6a54be03afd7eb454b220f9ed888ec8

SHA512
28c693e9a85da7cd7441209c60c4da4b9b6b7da7555c86c2039387b470c453a474a07597069959cccc2840360f76dbb307f88a77e52248adcf8de71ab99cbe19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028

Filesize
275KB

MD5
eedcf0dd0452bbbfb728435cbec08f31

SHA1
f0547d59fdfe97345bcf212cf108d21f258173cb

SHA256
be2b14d6c100a6a873594a7eca14189f992a5d5fc03dfbac80124e7397e772cd

SHA512
e6687fe3145fc9f0b736e40984237292ccebaa72c54ef4f4f284a040fe1876a94176400fbaf632a7d778d099cf101778141508fa3fd916ec5a51bbd3ff95f549

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005c

Filesize
105KB

MD5
9b16cf172b1580cb34581659f4f6910c

SHA1
d6f330d320d8c5457bcf1f0a6663850668a4c51c

SHA256
cf68ec8aea5ea2115e8a329152a2bcb77fd933e1462aa9ce655a509b591037ba

SHA512
8b0e4aafe572936538a305640636cfe2c4647e977584ff0ff9c6564d002085acb1497686d0e1d8524d6893e1b0ea6e929e480c9aacf5d10961250419e3fc3483

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005d

Filesize
229KB

MD5
1e4be5d18e998503949eef043d8be4ab

SHA1
6f818b7b58ec2e2d9d2ccf3821602f19d3ae98b5

SHA256
52ff5087ef3e5ffe020fee4f35623ba0f18f76232e842cc464772371e4860bac

SHA512
564fbc63b2b1ee50504f4d39544752565e7aebc7ba46affead23b4fb9918587de7e0f193e441404f78fde344e533b604adb400a786ff44586a49ed002adea13d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000060

Filesize
1.8MB

MD5
602ced7b5e5ffe76d31888e1cb627fb3

SHA1
b2e2b076171670105c177c20db46fcae51a9c680

SHA256
2f04f2b5ae3f2f49740fc3ecad8a2c23b93738df3972a55cf9b5d04113c59c3b

SHA512
21ce5e4e9fc1e306b733c04dd327d7153090434e330d8d08aea88137e479440867fdc322de450ba643f2ca7e5b43b285b5b7c0fcb0c0af3b6cc2a2db5d0cc7be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000062

Filesize
30KB

MD5
d023cf3a7ffd882aacd3f15b8f4ecd52

SHA1
0abcb6e5063c7f30855601ad5eec1926906c30d4

SHA256
b91bf37f1faebfc9af466288036cbc7ba473749bee5baf2c4a89491906a3ec3d

SHA512
a5c1e83ba555a6acf8d38cdc4b733f019c48785ff45245e8eb90aef548cee6043f8731968d0f3fc5885a97ebff0b29cc1cf58fb016e38de02be6e401985e74d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000064

Filesize
321KB

MD5
4c9b3ab7f0d263d18d1068cace7d5404

SHA1
1e8e43e10b0d1b7bd2de92b92350094bc5006fc0

SHA256
c4621317e7365c7f86a1832f0c80cb10d1c57cd6d92235d2f2bccdae9eddeb77

SHA512
c53acc4a282f7a10a382f3cdf7d4789457fae959911e19d5652aa425cdb5034902f81ad1d2a8ec8cd32e87bc6e20ae789c35ee31ccf6fce43012f4667230ca84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00006a

Filesize
23KB

MD5
94e75354c62ebcb059436630c2652be5

SHA1
5cc1a346a5fbc3b681932fb60d14b0f502ee98a1

SHA256
78058354ab4566b09b3c896990e7457348f6a800b5ed55969adcdd73dee8377e

SHA512
69937f2adaf3209ae067e1717409538d90bf52ae36bf4df0589a9a572be63839c7df85bb015cc229c059d3a29c629d38bd848e851fb1410535661d59401b1c14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
23bf18a940bdabee6770ec9422f9c372

SHA1
a4bf3da3b31c043a485a066c37b786c9bf805995

SHA256
5e469cf7af8d5e7c86a3948555e6bdb54493da8a2dece242f21ec4584a478f8a

SHA512
fb5cbfb1703d3010f66ef92f6b06c18e83634ccab0b0450b335ff34c85ddbe1a3fe0bc35181f62084793cd479f4c6780e68fc5854b02ce905b7c4f7a172b5f4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
beb75099a6813f38b017cba1b328bc81

SHA1
c34b92ce4e84c03b2dad334de3cf2c198ad7b41e

SHA256
c011773168d5d418e617d68cc6ea61d168c24fa30ca01599229d52cb8b14cbd4

SHA512
193a789a0106bfeac5158041a8801cc2aa5240612479896a84fb26e0d6aba11a8f328cf6dba3426d9b314cdb853ffbef869d671c65f70229f870a3bbfb14da88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
bdfc334c0a7ca20cd9bc8a7e9f126a01

SHA1
945009b735277b384098baff566cc2dec6480792

SHA256
e2269b748a5974d20edc74923747bbef91f64c9d3f707676789bd77e4e725879

SHA512
6020555004c348406a4dbeb0f6cc236a9ea4d0b8cb89feddf1bbf6f1795a4033deb3fcc3073b2d5dc90ba515b46172976f309adffbc2d6b234d30e8a3e06b947

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
8aedaf5d6a8b72f9e588014839ccc548

SHA1
b3686398a17f295eb37bb7807ec0f8344a512aa0

SHA256
38f824514c87639b40a117c62d419083fda408ee0fa806f34bc50e526f3418c3

SHA512
b9142b6e7f951869fa71e8b73ec88120ee062034b09833c52b8fa91986d8924d3e6d074691e9089f39548a0f5c9715a1dff8ca55360234e6d117fd0601f42f95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
ce06e41dc4490ee8eb5a0b2b6f5d5d61

SHA1
9d48221510e65686cfc892ef137e275a57aa9f5b

SHA256
322b7463acf18377e43c790d275d53bcfd4a5ba10d70fff0bf6ad1dd91271ffd

SHA512
9b2bd25ee7a73d48fdb6c28249c1ccf73853368567a25a21ecd0363ca97a4282b47653c33f9f41c469270df8bd7660acf5b995359b988153ea5464a299022690

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8836bb7ab6e06c8f63f45d7d6ccdb4bd

SHA1
25ac6c3542d601087ef108ca82c07c292dd269bd

SHA256
e7efb4d9fa45f0d46d703c4b0a38ba2f2f2ba708fc7614057c939ed36b21c495

SHA512
b647d4c9a6a68d11069ff5460f48d1e09b9f74a81553aa548bab1232fb8f95a77e7368ae5d2a9cf02335280f18e4f09d3afb90d9a77615c6810ad35d9dce5c60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
cf2e068dd4034c0c42e478c92e526901

SHA1
b9182426de1f384de018a17127e3a410af89c657

SHA256
1bf057e2cdf5a3379590002efd55680a9d30c5c3cdf516ec921c15cba380f78a

SHA512
faff63f9f3227ca3269e9d439dce1ce7f40ef3c6a55af618f93ce8ec333651ddeafcadb63ec946f31d9ac129a0f2f0ae880bef8d859e732c261dbb30cd23164c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
412e168c522e7a8fa098f2452630791a

SHA1
ed77ee5bab1045dedabe79226bf268739c62ac97

SHA256
9927ce97e536e4b13a1b228852738bd472996a8b432942b3bf71628ba56a6545

SHA512
5ae97033add8c359b30f494776f24cfbd4bb9615fbc254cc0c88adf4dedddda1031d1e7125307b1f9dbf26ff298c42e31405998fd71747fc5dcfb8a5a3686dbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
0bcdd6780aca4cc7d7ab189cca086ec1

SHA1
492e61991425da3f660d30c474ab910875e4e2b5

SHA256
e99c4c553ca170b50f3d5f3090795c41ca656664f2025a7965fd785ace26f033

SHA512
bb7ceb11290914bdc52754a75c96d47693ff6a84cef5d36bd62eb731e77411eb3287bbfcbf3cc704a360da65e7b8286aa18e2c568ded3342df8dcf9ba47ddd0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
7140ae65cb6620c8d590f721404a82b0

SHA1
9800f877ec5c1122c359514285de0c96f887e7ee

SHA256
8e2b0ed9209045114206c0489a7e000ac2168078e988cdadb9de3654e2c81cf9

SHA512
eb47c1b7d01fd933981709f8f9fb15db9f5126e9b4fc3d18ce8d5423a9a1e6bd3592571f0bc7943feeaaeade5bda2e3718b9cba5caa2a68aae651952e4d4121d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
d1ac2f8a7290467227f145afe563c4ae

SHA1
8f595b9b597defdd31916180cd4a25c6a1a6982c

SHA256
fd8fdea297b02cc397ab4ca97278fd18e3dda71edc3a58f7f83f4f5c3908e0ae

SHA512
619d7cdee42d7f4d26eb56a08640f2df4d70ca1bc79b9ab6be877b391193a69a3684089edd1e09189be6f0b4ddc183ba96dcbb665dde0c4cc71d24936f1ae918

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
90099c1151f2e34864f60b13f04da57e

SHA1
f6c32da5d2ba8a5ef228fa93230dca455d47b784

SHA256
eade993414da531276d4c1ebbd2645b6f8d7e4caacb1facdef5f35a26d5cfc7c

SHA512
ef3f212a2f5edde466bb7f902c6e0581b0c06ed1bd65ca199b068dffac61b43f062a79f526fe1ae1bdc5a142579ab72bdcdd390df16bb83fcc4b7830d84f6003

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
20e81cfc2b916fe682cdfc881ee7c345

SHA1
c74319d51be7116a49b4c5c3c944f2d35028d8ef

SHA256
5519cef4b34395d69cb2456c6071c496239736f2c189a56f707ea7cefae81cf4

SHA512
6b19d04444b4ae1141c8e0cb252130011145bffae358c84928333f80f74457e803790c30b2a1329d552bac420c8f914b43de39ceab64c1d3e083a18e3af3538e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
41489129d42af1a29b9ec00e9624d188

SHA1
3feee2f27151a76dea484d21c2daee9f22d11e81

SHA256
54e544c10344e183f32ea87a84e718c7bcee95e359a8a961251f1a96d20ac545

SHA512
463eec23f4e0d1fc57aaa40786321b96e966f8dbec5b68d0e86c48182161bc6eb01e349a3de1cf6f895a154e9788bd6fade493cedd0b408decfd301549cc76f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
7d45d9a34481367e388765059de76d92

SHA1
135582c79a10f45d64324b6ceff0b8083acbdc97

SHA256
9d5e733b1df29c72ad68713d673c43ac8c0d6a909f99b44ffce4b6b0238d6872

SHA512
2859ffb7ee662320c20e7e699dac01e681f7a4adc5bd927d8f969b11a799d02049e7ab41b7eb731f5523b9cbafab21c981ce94a99d18c4ff0ac2af86c8927ab3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
ee1a8a21264b3a0f052c41f4cd2a3576

SHA1
7ee23ba2176b24e7b6a54bd02ab4f72fcb797a84

SHA256
8d0330445c7c12d9eef11c20316031e3a1be0c260a7546379637b5827b9cfa24

SHA512
dcd85b7be618dc11b5e6679596e8365d1cbaa843f2f1da5920604877e5bdc8339386925845e5b716972f4465882e2f0bfeecc910741b18c17e55b0059737d350

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
5d296822adb6469b832d69d5c2274b62

SHA1
9a2940ad4bf11a6aedaa61c59ee05d3be95a0b9c

SHA256
3f90eeaaf791f48c5ad0173ab0a4a951d4925969a4737af4ce2e2bef219f956b

SHA512
c3f3ec4a9f1eb36a5967d44f539d3d40954a9551da58288ff2624e08a1370116059d6eb4782df63c6c497d86abfbb0229378e3936edaecc77a4e8998089bab1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
4f2c9cfc74864ba7aece9e90ddab46f1

SHA1
66353ece7878f4e873c5ffc1c11825db0d528b40

SHA256
d7a361305d54088e67161051e02d329313e34038990ff56d9958e1cbfff787ed

SHA512
27afd56a7b4c23c6284882b27daf4678a46ffa309614a20363c71c2fed0529e4a2281ec3f75702c40749f17c016afa729d768d28196f1a5bb87653b98c1f050b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
b25a0fcb8727fe8ea571fd9572b0cf6f

SHA1
9afe075d22866173c570ad1744019e635df5606a

SHA256
1ba2019bf22b7abd3e0d28b9e55adf7a2a5e990a47734639baef85df158493ed

SHA512
8f133eed4f39c5a9aed73d212e1d2d88feb1b753f5c1b535004131d6dd582f6ea9b9057357391594ea8d9bf1e2c29d9bb3719c61b7640fa9b8b19292c29cae61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
af1f522cd2273375bef1dc7434fc594d

SHA1
2160de0ac1849c811439d1ed9f229ad6fb352431

SHA256
ab18ffbb627ccabcecb0e9846bd5a5de1258833998aada718d22f23bbb51fd8b

SHA512
933427013bb6e29079f11f182d5460c3544890283ec723e13dbb13937c25f93313ed326d41ebc3cce0e12a0d9d5af16f36494982604847fa85ee885f88452199

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
2fc78f2de9d3b0c0bed8fe4b672ddc99

SHA1
2d5f23d748dc3892a248a251e70bcfebfe7b3b3d

SHA256
8974dcefeeb19f7e8fe78a9e70a6ffc15692f3e8962650a4f9873fcb1efd5d7f

SHA512
4728a9dc369648e57188c20a9743439e89aae5ec00d8f4a0aa85d8e4aaca0069ffbf686639c3d0a1a5b11a200a4f54f941ed45f26268f867b3bc876768d9223c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
3a7031eb25f8db9869a4c0c83d6e0b49

SHA1
300e0bc2a8a6f6a17cec6bf1835bf019c535e303

SHA256
d804ce9def5d0f9f2479fcf1459729c2d9b464f4f0cdca783a42149c1f670684

SHA512
3a7205fd70bf327481adc65407cc3f32f3a214d4947ac548e22045d3b7d2f7baa3f49a2caf28dc7ac18655f822df966bf9c26312d1e40836ffe564812c8597cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
b3e731cee948becc191256c8055c4a27

SHA1
64c7bd97f19830799b53c8f785861c6e2f2467f5

SHA256
1cb88d27e65fb4bfb53220b8007049e826bb579fa692767d46fb2b73e7b8ee7c

SHA512
d27bec24afdbe619a0f8f7581b7d8757ea69812e3da79e274ebd6fcc903035c4794855f03be3fd90eca729a3b9c47a7dfa062464cfdef85f3309e695d23a2bba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
d578db4aee1593f2050c65d578d13b7f

SHA1
d40bb3ca1ff39814328f6e4d362b8ddc3a3efc8e

SHA256
0d3fd6a961d1c7cbedf15f75c0bda63cacd754931eca8b9496d26bf2c07280d4

SHA512
0c543711b9e0b8a9955cbd0fa2aab9a66b8deed242192d55d0e1221f10d7371147139a4ea97098c034286574d8e5c97290922e32b0a01294e37b1c7a7c7549a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
14a907e08ab66702c1c8254d646b25a7

SHA1
1c4ccb4546343b61ad181ba0741a6a3a00189943

SHA256
312c2db2d0547986608e01fd75a3fc2104dbeb146ca7e99b1203d5b90c263a7e

SHA512
f30d7a3e5e92a6005049e4ddf711d4b78436670dd1dd730698ef269ae0aa1d393a3f143213ad5eb5f37d01da1a26a24cdfa2cd74f5ae93fc7f261337346507b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
f10112ea3e7e61462497772bf69e8a50

SHA1
0f69128bd7c8f6622e0636ef37d4fc1ca4783909

SHA256
503a9c02d561407cb9b4fc46f7f6e88d414ddeb5d01384aa5ff4fbdf1ea0c1df

SHA512
3c6d734ce6a02bc56d0b69e42071f6b0630724c13f1c89482e833f3750d17332861e7fcc37f5ae5eb50ebf820fc6762c6de58725a72718e33d3c5b545ef87941

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
92a603f7b49bdd5b132fc977a012af7a

SHA1
7ef0513354148e01ff061f745cd1530c75f0e0f9

SHA256
eece7bfe358ee89d09dd0508f4eb89583c1bac7814b9379c7fa5535bada11b98

SHA512
778b44c339de861c044e1b201fdee606b6934f49ed7065df879dc45575be618070b13fb075cb39bf1df0a686360b78736808ccc0a8927e272c408ffd2a039f72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
d3e67bbe07e75b5497919860f6cf851e

SHA1
48711f2ffbd1f510d46b2e08691039164e6dfee4

SHA256
ffe7b20297788363627b8fec7fbbf534a4faee0698f3bc5f938d8fcaa74b8ab0

SHA512
6be95382da9ee4a55de830bfb8dff7bb2d6af090865613f7d5c836f5d3475561867842e7fbe063dbcc5dd78709ee9d4a4106e1ccf069467b214b68aace4f65b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
038f5e1684999e090ac2d6fc7f8b3258

SHA1
a4ab8c27bc67448f32a59601cfeb174966810501

SHA256
4c04271f015f84ac6786300f1bdc320f5dd5f8fa80e44ebe115664e09cc1ce43

SHA512
e8f6fc4490724100943fb1783d8ea86f07cb1b6da589c65766e4a70aaa32abc16001d2742d9b5fe0cc569477508b422038feb8ff992a5229c526246a8c28e7bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
567c32b53047e67f1b37d8d01ab30350

SHA1
0785e96c93daf435c3f425760b06cc71cab66146

SHA256
5cf3c3a2001a024dce055fe4a724b19f3406e5a4536a67adf5e25f34d2636d49

SHA512
2e3f6384b1b8e9f3e01c77d2eff402176f605f709b74671f2d19dcb72de43d11fd573ca7c11963f382b9cdc38e00df7e3a92838d1c6df96294c41a2c93c1ef4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
1712882067e4c9b03b88f25efb91d682

SHA1
854af4cadf4a3ab80c7e229375f2cae9ef3fc312

SHA256
f5b97564ad6da8d28310c85f354566a84ccb6ea687fbe9098b6418556a58ade7

SHA512
cc127fbb51f3649e18fedd588fff1d0335c1f4ac731d2d7cd9ead8fe497d27ad1e174ce47c3b8e0e2e500969075755ca0e74bf87588ead3e73872ee4ab222991

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
e9325a17966658aa78ae8eb868015616

SHA1
13b8902078ba5878fc6ce8b6ae5a99abbe474e6b

SHA256
a2fd5f42e36387ed6a072252edc12d657e6622179a74e450e5846ca31d9f0369

SHA512
5e1ddfe958acbe6856dc7398e885788e8f70cd5665fff797342edbf3538fc1f67e474978a9ecba65f83fcb213e8be624ad891543c517c92e8c8482dda70eb6fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
a1e1986f21274bc90b7646263a71f821

SHA1
c903ef7a908c6b1e6b9f63911de6eeb5c79b59b3

SHA256
bbe454d6670f027524cb79a09c5c3f857172acb7f6c9ff93af059e0cf1b93ef6

SHA512
04f61bf5991e445dfdcfefb195570bc6bddef0cf3477c4ca7eaf8cf815930e5cc5f4d096b140515822868b8955631c05a08440a4a13611f73b5b027002b450c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
f500f87a87107e706107bd9cb24df45a

SHA1
ba2fbad304517e70c3d6a473eea13fa18e096095

SHA256
bd8477bf10e6ac1da9ee861919b05100f499aee0e1a9cb17e39740e73653a6cb

SHA512
77930aa641ef10751c6d2e122537761db50bc622c83b6a3ace8f6504ab0377c6e2eed5a70ea7c14ecc21ad692e9d3fa7ab6f2ea7ff1cb88a650ed5651b910572

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
63ea73bb76767c2d37baaf93eef81130

SHA1
e472179456935798c229815a067878fbb6d8e008

SHA256
bcf27d5a850d289f049149d6cb37d5831debcc45b34705b7e987cb74dd36945a

SHA512
497d62025363c2626bcee0c36214017db9c1d897bf0f609338242bd31b8587f2e42ec86dbfb51284f8e5cf7317a5f48b2da1bb6ac09a6edc3d0e5efc060e28a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
ffcdd474d5c48b57851ca98df0fa2c2e

SHA1
6c38519539627c813ae80b2ba00b40991fcbce2b

SHA256
73daf4ad5644a1775cf447d24345cbd06ec8090b726c79b788eb59cc47f25c5a

SHA512
8fea6ab4a6eeca8613d11abbae421809163d6092048cd3a2a92a4d6cb5330f4653ea91cc041c3a08459cbc85816056df3195f33654326154ed79704c59aa35f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
ad8955307c9f4befdaf2f389cdbf9f64

SHA1
223318a65eb13859595967a380a9fee2032b4ba1

SHA256
d3b60e34fc2f7ff765ecb0b600a3eb7164d145c158c3a051b8950509052c82a7

SHA512
6d64224e48f420b06c1bbeac5e291f69b6a7ae31f38538dffc4cfe44960b9c3e4e63cfcc7dad101b486600e19471424be6aec4d400711f1a0af6da5f290c6adb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
61e05030b3bef52cea3a782a581105ff

SHA1
63fab02a5c5664443d3c3bbcda9eca8a5f833445

SHA256
492cfa3af4bbca974da881031b3bc0b097d5a5428c83c0a928169e1ad653ddfd

SHA512
62d171f72bfdbbf89c48094c38113844549536b150f64aee4964d2e01a15c0b147cb276e94fad7dd905765965a326887337bfdbdb868c0c8ab7da9daf435971a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1e2bf3af9d1a1b0b172ed4387baffd72

SHA1
cdf581926f67d01778e2ba6fa5a24ff05c13f18e

SHA256
deb0142de5f16450169d86829518bb843ffe054d0b7b5c58b0752f4c9f2ec9be

SHA512
feed118b699288b7fe6dbbd391454eb7b43ec57afa337433ffe6a354b22f11f626edbb116bd0786c90ef727ee0071b964d126b2609967484eaa02f05a59d04f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
639f0ba28bf03d20397c4f4f3118e7ef

SHA1
c9e96bd3cf0d6c36837e5daecfe9a4ac2cd7fe9a

SHA256
1a373579de34b023981e24ac3fb71cda8501361d6d5263680be63548030a2c73

SHA512
ea638d627399a4afb2c6a46c3e9e9066fe4cdbfd6587ada3194532fef5946afe22b2a88f85ed78f1b6a554e778feae331d7768846bcbc8c002e68aa9b28d51c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
11ac72cd6ad5a904f114d0da816ee5e3

SHA1
78447d2071ec56fcf02620e595a40be84759d40a

SHA256
439c95b8368431cc2e80d109dcbd5e8f3b65207ab3ba2e54498e0facb9ef02a3

SHA512
12739f5ac8d8a634b649de8aa02343ff0fe05c3a647067771dfa08204622ad5d5def5c66dcd979c028c689a87865ad7005d9abb19f5f6011885de5fdd07665e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3cd675c4b5e83975cb159496c01d91d2

SHA1
56c86faa75e26ccd607120d4b553b264a0d70ffe

SHA256
a64d70686e7e3e3821e1540f6cf8916e7e19c742685978a5bdde2c9439952daa

SHA512
1f652857af30d021dfaad3e1c4ec23015ab270595a5a9e867b33d1e067acc123da12c916274558242919b2756733634ffc6e0b9e030cc2fd56f3f697734b7ad1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
98cc16d691ffe4cb70b15316a7a04ff4

SHA1
056d84d59a8b01df46f47345432370d10eefdf72

SHA256
0a96a9b9f418404cbf7cf30df501efd2cce918f0a8c217accc4b6599d5a7f2a6

SHA512
359e06760ce1cc5a32d3035f02b330f17b2fd22137f479369d55b24b936295f352f0087a82814187590c24497dc184e808ff69119f04d3c964e7ee061ce49b25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
713e395e8abede03378dca9d4ded00ef

SHA1
d6eeffa7f44bd5e7253bd008a232a0e63069aae2

SHA256
ee30994be9e5f2148c1fa38788514b0427d0e86c8ba8472bcf15bb598a1408ef

SHA512
81993daa85a6b0e5a6849141d8b56ff8f9fe9fafd3b310418bf86fc164fdc72181195632bd512895f1b130ae859b5d279fe8c8c8ef01fe97769c6a064d0c06bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a300a34e8be410c4ececd5f69d97acae

SHA1
21b1a40c995ba606e5b3f9ff27f3d6bdbeada670

SHA256
6713cedf4f0e40fe24c5040d91f306436e2a95c8307f12ba168408ad9a9fac7e

SHA512
3d728e0f308004551d0c50396afbf94ed5e152442a958ddffab56ec7aeb2607d59400c9227ccfef035ee91e2230aba939109c3293a870d359312d490ee95dd3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bfa940960c1afdc57eae73c4326feab0

SHA1
eb6ddf6eead4be851f3ca06f6529769b24f3c9c3

SHA256
8a70fbf34def71d98bb9f5d7d3e22a3422483e7a94a245bc14095b32abb4e79e

SHA512
e8ee27dd82fe9cef48cfa9382f141265c7889a01ae5d803a18e7b7bbbd03758572baa81b23c11e6ef01580ebae83e5f6eafb7e788a7d6dfa25defd7d1d31c5d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d64c0d338a76fab9d13c9ac626f870d7

SHA1
7edb6eb4d947b29682b830e6a44b808110e5df05

SHA256
22ac825b976706fdd8e5742a75db13e52c717975d3e9e514753644f75294a29e

SHA512
35fcf1ebb97e8a59a5a39e8290638ae6b387cf5a2d65415e636d019b26f4d0e0fc35452086eb49e519da29367f95f94880058839ece8ed31b78ad8d9b2a7d748

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f3f2e4140f4c27ac79e0d2701e35cf11

SHA1
14dbbefe0396fe87c608e62726e32f0ebb542bc5

SHA256
c1d1eb974cd77da21721e297f97ba23b2342f65e0458d7e134bd27c91b2508b4

SHA512
6a238dc7cc6ae06219f3a422188f95f95887fc2cde8fcae9ba2a2dc3069678edd058d36d009e0292f621f19f92f3cfbd0554f30f584be3ae383499026d0bb609

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
2cef3665a764b43eee395834a90ec381

SHA1
58bc51c633be929446e94a39e35567e96a43f4a1

SHA256
e786ad3f3dc6999b4f981c5cf663272ccdead42a217813e9813eebf887e3ee06

SHA512
b80ba1c4a3d0db00714ef3b2dce804405d8e7f4c027b6daa9ae6cf91f6d0c5b1e00a06d6aaf73c5726984bef419382249cfda9a2b6e7f740d27dd31e7f75b185

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
288e09462e667e34243dd860f974010f

SHA1
5ef22e5f0a10a60d8b74e540b9ffe95041f2d604

SHA256
067ad01032e2c9aade25598d9b517607280a51597b30319839cd77cc573d2523

SHA512
0e40f5ec70265463577d1953af33ed7c9e959b176e6b39972bb9a50669a804331863f4110374ff676ca9232eb5c66f3127a118998b638e7334659114cc4c1868

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aac524c6dfa6c1dd384f38f26d39b293

SHA1
23e537125e963344c1454da38294c77a2a9e1bdd

SHA256
0ab6306445016c9cbd71c7d7793777e3f88d15a2995c5996ff1cbccc4f5a15f8

SHA512
8c924f0107c84c6bbada751fc622916c86631b153e1a460bf9a7ce0fe97d3c7ffc82c5b8bf5fa47c513e6b015215c5d023f2f8385d0049ed97d057b91086d8b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1b569073adafe1f6b01e2e16c8299e72

SHA1
bfb8fab1aa21bafcd4e2bc6570614949aec7da43

SHA256
4cb1535b6d96a827000d42d26067d1d2a0bcb14ce7cd34554001e460354627a2

SHA512
5e655707745e2c79ebe32a666cfde59416413bab09bc2e6398472f30bc0153ece885a784e414e3a5a4696a1f4f51821333d7e0ab4fbaf5b6a9cf560638ddda63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c371f87ded3376855195c479e2067197

SHA1
1b8bfb045fc3cb16a63f382c12d739f3b2eadf8d

SHA256
14359416e9affe949c10ff6370a0c3cf0ae4728a71bee863a2d606472f57ead5

SHA512
5553c77faef8f3f39d6dc3689eeb84d37858a00d48c14f94b57c6898db90a99b653cbec239e19c95fc3fd5dbfbc93610aa4e33ec423254e3863d9dc6dbcd0251

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b190517c7222820d595a63e7965a61cd

SHA1
bfb462b66e92bbdd105d8b3c608ad348101c6142

SHA256
22257fc8190142c7224ef0557fb6ff90313be8324a4dc9614032a21327b123da

SHA512
db6a86761bb037782fa695a37b5220adebec73a866adf9fb6920ede05547cda59c132bcf74f90c988ea85e325a3aa02a0d66be5ae1da810dbc2239c047b82127

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b092296ee92ce14c21b869ed35ce9f3a

SHA1
62386bf62eb7e1cea8d50d6087f36176cf72eb34

SHA256
10642697f3058d2744e27eb0cbed4dc24e1ac245442fd88af15bfc3421a3dd8d

SHA512
27f049808a9ed1ae96bb1f6ff544b89a4bf9abeb0461a6af96def9327981f0619b55e59d0ec13ee5b9f9aa3689a50cef11ba031b6b71793e802cd91e334dad1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
72c8c6b2a46c61b1c7a7e646dbfac704

SHA1
a79ed3b3a505ac94d4307714619d4b31a922fd0e

SHA256
3ecafc085be1eac9707299d18ecf84f99cecca77828bb0a202d402e8758ed916

SHA512
864f1fb4ed2ceba25a50967ea5760ae0985aef5018668dba9247c0b399ac40e284c63b7c4deea8f6c0bf3878488ab14095ccad2c513a049dd6ee9682b62dcdf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
430c3687273bf6a97449b32f6b8be0a4

SHA1
64f5fc724dc1dc6d7c5baf226932125af1512502

SHA256
b524eac7ada1e1b9b9c59f6e4996825c65445854d9bd1af9f50839950ca10f0c

SHA512
b84c6dacfd9dccf46a6612dc90af8960c950bfc92f37a6a433e2a8eaf6b137b2a4a910f95ed32263140cbd02102541fefcd785f802586376197fd5701ca718de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fa6861cb83222e8309a69e661866b96d

SHA1
724b85646dbbf51fed2bdfeac2c75f4f63da794b

SHA256
39ae5c34abfb8c363cdb3742ea035cf62db2bd3df0c425ef202a25b9115f1b57

SHA512
a9645a84c0a82675e13f7738eee5a7f3e5a8d4d5549975294411b476c40143f0a69677ccbc6167fd968dc11dead16cd0788cdccc67af5948a8a098608bc3c831

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5b291036182262c3cbaa0300f54153c4

SHA1
7d545b30051a60d33084f9cb1267949aa47a120d

SHA256
5f81847b022df0a12b113e1b34006df0e167c82200c44d1464714dc504844fdb

SHA512
35a2e14eb4bfdc28e8dc405496995e28b7f26676dd329f617cfc60090cfa2b18791adf8e883d0bfee5e79c4e3a5401fa7bd5b8145e8edda6a42c9137e15488fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b145130072261ef8d8a75b58458314ec

SHA1
fbeae64e0a4b669bd589f0694eecfc22da7ee28b

SHA256
fdc13e278208fd4e204461c9023645e4995402308269ee9d5cbfd8a7887f2774

SHA512
441b8c65caf0d5e0371e390d8045cdaef301125cc38de8a8eda92d83a077577d77cd7a8a9688b1576304c80ebaf4fdce8ec009e9aba077fc614805019414bb3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
751c26ea5a5615c634a52d08b79b0854

SHA1
f20096057c71cb9abac59fccff22c2827ba23d49

SHA256
fccac0d5bef2ee930fd3ace84c3d76b2cc7946577c9515a65a791d093f549157

SHA512
d446cc3a77a00ee8b38767a562e61dfb55203cae6402e9d3129966f3240f2844aa0ef4f0a3ecbf1a434b472199cd46ecd86ba485754f09a364c4e9cef0b8fd4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
19ed4a9a9bbfa7186eca8a480f64095e

SHA1
d6d2cbc7fe709a8cada60489b14f05058c832b7e

SHA256
3686d21f271a522713b3a1bbe120d11b892175c051e04cd16a1c7f972d4c44a7

SHA512
ec25595307f8f61ccef3445f09999804d48e023c504a844409181ac8c5ac0b16c127afca090223c4b757809f8ef8ee9447ec30ef62d6a49b881e9b9529cbf178

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
049a8b06f3e110daa32d1e6f95b78451

SHA1
9e243025e026690d28ccaa3ab91044c4d8b034d9

SHA256
e33df406dccb57477b264f258c296f51e3884056ade805feba53cfc9ffb3f1d7

SHA512
2a568b383361fe91212614bc384bde47eb584d81f318155fa4980e73badf25407bc7cd264a87f2e958be49547a4f754b3021a5272760eebbc624b80b138fdbec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
da28c3ea0181603b25c22fb2133cb106

SHA1
236fca31e9edcce9921438847a102b78cec83bd5

SHA256
bd21ad917b780623e3518faa1cf9db353ddb578a52bd3c84db0603cf14f03b29

SHA512
73f009cf4f6c3ed9da12968f46bdabdf8d09b27ec1b14b4e8125cd55f709f91536bb13195bf89dbebef8e3eb42ddb900f176fa24f572c3cbbc62eeb99751f6fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
55c6a3c45f95e8a3a6e86b100af6f8da

SHA1
e589e11aebdf4935273616ad9fb34fa42bcb35d7

SHA256
8ab5640454461ad153b964bf47a93efaf9c98e407ce17560c0158774c88d06f5

SHA512
35b442a52d060d73e246a75e8311aa5b485868ab44aa9758bbf1bd0ad85777e108111f97ba86187c18aa1babf13d831c13ed239c2724648abae61d4dfde06cc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ce8e7e9dddaeae9c9243b74811cdacfa

SHA1
750e5400b7c90404725e493bcc4a771160744628

SHA256
b7ebce594369be12381580b51f73a9be2a06ca691776a0014e61e074882417b2

SHA512
3a0fe73eb782ae4e0dc95e0494e581ae8e0def9d90feb69324854e63868d9fe120b00cbec1ad3b3f6940b80dd4852207f3463a97640f4756abf810dd9d41251e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
257835653a95b96ac59c3ea89a46ea81

SHA1
95e4bf6641739871025d0a5222d900503ba4bd1a

SHA256
581218accd293fda2583b2f2e4b48e1643b46177d2e6ef04107928b626fe65c6

SHA512
de5132d2d6c7dcd9b61c4d7fc1e6361d2806e191a4d6dc74b5a0687bac340e9e100207c39f087379f507055241de8e5ccb58cf171662cbdd611809ad82dae06d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
61eab278676da55104e54f8a32f797c5

SHA1
34293fed5721fd621853f91f6815f7771d5e4ba8

SHA256
b7ebc68e34cb851af048573ed50e4f2bf98ed3ce610c05eeffd5d1a1acd96c09

SHA512
fed258b98d1e89216e21308f4bc4af39c6543ca1f0508c6598bb523f161082cb32576fc01c395bc9b70cf0c210e24c23faffc74bb73cb12dd0ede341dea05b69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
85bab4fb7a890b09829c0f8456a7f349

SHA1
2136b64717587aa6c8e7ba0ba00942530b06fe48

SHA256
2552612cb69e5d54cef6ec8b46febcc6a46b51fa2e41ed2649e4590c1fc54757

SHA512
19c36bdaf25691d608df5ae640d953ab922577a4600ff0d08613bef9395a508e92976542d4ec1c0bb6fa7f78abe01d921465029928a800f6dc3312d71eba06bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e84e05e637322e954ad89b17220587a5

SHA1
d41d8da97a1caa8947c62d5d924046d2d75bbf8f

SHA256
24193bd2727bdb5764143f4ba048e4550f59bf05ba7bbae97f52106454b4a35a

SHA512
8fee81b0c4de5b02bc0c0eb757d5d61121bebfa3c3d95cb4b334012ec57118fe208d3832d9f8f688880f35ba6e91230b1774592e982d293274f7cd63d1a09754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0a3b1a3f6c8b9fab91e7c04375fb9286

SHA1
6400d013fcf55c4e3f93cf0814ac620aa922c1eb

SHA256
f7145f19cad13a2b18e62032521c01b41f903f0bc89fa966a6d72da7a67feb90

SHA512
2207f7e09f00fda8b2c88e9fed79e8e0c0005e839ce0d5025f344a6ca9cee4ec7ec55b6521b03dd18bd7320b8da3dbcd742711bcbdb9989eb0e82c7a330ae220

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
31d8c6fa34b77ace3f36de0ae2c57117

SHA1
a2d07fc1f24ad8f3daaf1830fa5909f745674b66

SHA256
a91a0825fbb64d3c211d523e71e42eb87d58934e462ea2a7e61220aca9e0d010

SHA512
f16824b57317719f36f3884f2efa0043d4c0f33fe3951cad37aac5281e132244eeec82217dba97b69e975fef513abf410d1526fd45a1ca836938f2626c9be7de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cd262e6846a3a94bf7a6eab8c0e4e1bf

SHA1
e87ba32310b7c5ef42c11fe110c16df85959b191

SHA256
8a64dbf6a343097588c3f5d1ed6bf736934697f19b6db83174e562530bd9c69f

SHA512
592952b161b4fa0ae8334ab6665cd2857d6c0f556ec26b8cb20eaf8f954e6d7a89c08b23a5365b238d71945e06dce5d128d7a57783bf0378d18ef7f3e7695332

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2465e1a1ac324914a08365b5392a1981

SHA1
ca1cdf5de98ac35e6cebc6828e5d8cd926078884

SHA256
4d1c829611e8de2ab31a3ea93c4b85457c52b4a1b434df9659e8405b9eaa462e

SHA512
843d8e987e2ccb038ae9bbf82d10d94dc18a9321ef0c4b72cfd7217865bdf69ad76db98c4f5cc9bfe5cc5d216b48096eca63e75ff7fa904949ec3a760484aee5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ba162b3df76a3a9e51aea415a65d30db

SHA1
0048b680ac149523e8900eb884ad9e95a56a54e8

SHA256
3756867e9757bcdfa39b41f044351ea01f6f08fd377e1853ad8fdc71977745df

SHA512
8edb8da7cb100f58ca39ca2e13e29d429f6f468053483366ea955dcde6449330a04a03f0fe3690571c962edb9bf470e73543e80e3a7457655622c80e5cac4371

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2d52b57e8b36f305bc7bb0022b352c55

SHA1
9e153958abe0860acd6c8513646ebd64d0c6fc5c

SHA256
a09dd2f21bef9102574c3c95fabea8c040bc17fad66abd00917eff50ef75cd75

SHA512
a45f565cba9d0231b52e2c76f5d16c1eaf76b78522c621a6dcd21008cf80d1a408e3d6f88fe1fdb4e80923fff2dce4a8eb01e0f8cb8ed866363eacfec8b0ac63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
27fb2d1c47dacc02e6626b35e67d22f4

SHA1
034aa8735e5cfea6426eabf176872ed4e653b282

SHA256
924fe3401961d17517a6eb5ce399a87f54e4c94d5a910425f617a2ebae3c6589

SHA512
b841da9e3c95c4c8014e1fa58f3d8937000d28d7ab98b93e4d4947195568aa0d6d23d799cb440a4bbc53fbb797a00eb949d36641d460fd3f2fba351a073d7d9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9ee89e74ed261d67a701a8c554e38be2

SHA1
1d65e30fb05801aff76cc55561f74aed3ea94a20

SHA256
1a2da5e02f21e61464cda1504e72914a82e078ade1c91b7126b48e2c801a7d7a

SHA512
1e5915af46ce368af62e2894f3936186f7e4b9730d23bf07ffb543f87fa3243d83359a8333748f617c233eeb27f6f1063da159bd4f655c54af804fb73ea327ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f5bac78612de3539d18a49230b4fcb74

SHA1
ad4cda978bfcc9fa7adf6ed68a5efc55ce0df9bf

SHA256
29503b407627ea0f465ebe7adbad02d74548d409782061ded3c2533f27da594f

SHA512
da922b67163945f5274289298efd5b0f15e2acc9ebaa6c620f2f82e23172e4ec19bf89632fd2c6de161d04d6bbd46727cdb1963009a3dea11595eaeb13791039

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b65bd0219a3121befcce9e2340d3a2b6

SHA1
02c3c0368ab5f2a77121d260a2a61373a26f6882

SHA256
4caf92818ac9a490e812546f472946fc677dad1e051c350233f8aa2cc49ee716

SHA512
9bd0d3bc7693823ba44e0c28e3e69fc9ade4af63b527ede723758e7b2437422c039aadb425bfad473d8ebeb1577320fe223554f4eabb1dc5dc2978c46165a9f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
86815f6dd6f0f1ee47f1df8f160ca643

SHA1
60cde1b156b934c627f5e3cbb750e6008906a45d

SHA256
eddeaf684559075244e443a87fec6ff4baffde8ed9ebb95224be67e9b5c60482

SHA512
555a40d92a66277ed55d14d5681cbf7d53ecb50e81f10f82a9ca919c11227675e9aad06a399143ec6d9bbec8464af277e41a65f37283572e98e7180b9e597363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ca4f8a45-7680-4d9e-84b1-38e0283959b1.tmp

Filesize
10KB

MD5
b48cf8a2faba43ee6285645173c6813e

SHA1
486cfc5d494a1ee82a632e1eda42423e704a7fe0

SHA256
f46da75c823c458ef2e8408846099401d5a88ebbb71722c26cd21a6bd9430bfe

SHA512
6553af52b91b8e65d9ff541045315471cd1ce173356e66e88d1b8b191b632409caa2f5dd28a0a7a94e33f7563e20fa2d0e04ba46c54facc78d23c04fa653e2af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cedf02a5-6b46-43cf-bc65-f4293e8be9e1.tmp

Filesize
10KB

MD5
0edec7b9361536603373a77f01477fb2

SHA1
ba445169bf2c1d1ea29f4d9313ef5b20bcbfdc72

SHA256
e96089933a94f4c1eb4a70bc0ad1a9cd44eae6594646f8caede38deb1c7cf30a

SHA512
f0f4261e32102663b70e4caf0afecf1023f38c35363b3ba2406d233c466acdba114f1958769320ce03a2b949fbdfa13894f4adcef4e5f65b83eda0bef99b4249

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
995907dd56a0045ce2cd9303fde2efe0

SHA1
c7a64376db92ec1a814a2700d7b0160a6fd7af03

SHA256
491ea6f7f640621312f2442b6d8e7b6915279db1a97185d5c6fc942645b282ee

SHA512
4c8315d619d7a80d71288adffdbb9b29e2cd1aa58619cb64cd22af0f6c47754c8ffe6f52b639454bc2407aba85564b4c2fbb32667e9fa6d755f2593d825346e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
334f844ce428407d969f51c8d8d10286

SHA1
14a44e734bad725044f9c5f330a6345636378464

SHA256
233a5585776da2e541c7700b98143707e59891c3e2e2888a491f4ae2805ba2f6

SHA512
add327d66741d01b025174aa2a5b197aea3a0cdcecd33e9aca15fb2184f7b8e4fc247e4e40f1e20197a30dd816081504ff1fe37d2aeb5890396b3a5ff1abbbcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
59392b1087159c8d63ef3606bf986d9f

SHA1
ae9184cfcd30900c1511508f4bdfa6934cf2ed69

SHA256
70b359819df41ff4b5b40954715896bed4f4c31a9d71f52a1c1184037816cf1d

SHA512
986e64820fa6fc1610ff0b6eb4bce253e211565db748090a9eda2ab731eef51f0624303ecce5a222328233361a43246080d1e03451a4936e7537bd379c3483e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
36ffc011c717ec53c6f4e6d498e88e15

SHA1
d9864d9bf84a58e0d43dd2ab1fe2e484e382d2d0

SHA256
f6499eaab401b0057b70b47dba8862ca2f065001e5ef7c41d06e7cd0eb136490

SHA512
0c218f02da4a5d9d72aba75301c400fdd81d225e47d56e7a10812d91c48e8dcc3b35a5a26224b3f360227b9907abcd3c3575e79c33e200b8dbaed81c0219ac74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
07aa1b305172db57e562aa3ec4a923e1

SHA1
a2e0ad385cee3b672db2e1e26ee26b2996317f04

SHA256
ac40914994bf674bfd5af24f5fa2f43f9fd2fd74eb778d50f04ff5eee51e7269

SHA512
2ee2c99f3c662b6170ddd71bd35b079cc0dc83e1b45ad4db8015f3ec8970eb1e929e7d3ea152b9f1718e8b62aabe9f90f63b608ee5532c19d5ad161a21826a9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
49fadbd81a91422ecdd5c396fbbca7ce

SHA1
8c7ad5c73235c86187cb07cc13c9ca9419443a82

SHA256
444237ff260c225bb56651dc67fc37e6e8f002a7adce2935ad61ee95e91f0e54

SHA512
1186b1615c96cf66e301bfb16cee3b2fc874b1e55b03ef7b1721fa526e0271b82f1e5ad416b2a41274ecd55d3d2fdc7d76440b9477eb9a3f2dc32a97263a2d3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6f3725d32588dca62fb31e116345b5eb

SHA1
0229732ae5923f45de70e234bae88023521a9611

SHA256
b81d7e414b2b2d039d3901709a7b8d2f2f27133833ecf80488ba16991ce81140

SHA512
31bacf4f376c5bad364889a16f8ac61e5881c8e45b610cc0c21aa88453644524525fd4ccf85a87f73c0565c072af857e33acffbbca952df92fedddd21f169325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0f062e1807aca2379b4e5a1e7ffbda8

SHA1
076c2f58dfb70eefb6800df6398b7bf34771c82d

SHA256
f80debea5c7924a92b923901cd2f2355086fe0ce4be21e575d3d130cd05957ca

SHA512
24ae4ec0c734ef1e1227a25b8d8c4262b583de1101f2c9b336ac67d0ce9b3de08f2b5d44b0b2da5396860034ff02d401ad739261200ae032daa4f5085c6d669e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f55e38dd73dc2246f8c07fc5588a4737

SHA1
0ca6ce08a41a1ad9690f36e21198ed305cea8ed8

SHA256
88ab3b5b963ba3d756b1a667ef14037dc079e1fd4d98340a1f0dc56d989d6cdc

SHA512
58c748079ea5c34c06d82d7b5e8c86e1769f1ec9c36a2a8493e9c0361f2d3d8ebc90f9dd92d3f8bd6228cfc2578b5643fae4d7c18b9102a8323b78e7747c6745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\14abd300-ee0a-42fa-8f51-1f0a38d6d1cd.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
31480893d64d1ff97e4e1443b4aafd0f

SHA1
539828fbad2e95ea44c81b0752a55c3176eb4d6d

SHA256
aee5fde7bef4ecb022608fac851b691edabcc180aa44ef67d403cc84d86142e7

SHA512
d122e9e54d7c56b08332ad28a1a03baa519b1adc4379f6d633a3578f2ea90d44ec5240639547a8963a43a4aa82b4bc7e2b52a3e35d9198f167fb9a5a0f110dae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
797B

MD5
ffeac97d72ee2f6a63a20733271d8b40

SHA1
4b290401e5a06e3e1768abd281f91721464148cb

SHA256
440f69d421011acdae54fb0f2fb7723ab02960714e98f525a7e0f3ed3eea9217

SHA512
d79151634f3e6e80f1b190ea42b84393d4c3f52092cd3c3b29a5c1c06551d80aa52abf54778e39ee491254b81b8b83af51ad04a03ed5f41b9272279e8662c27f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d464949d07754945be5267ae9bc441b

SHA1
8dd4cb934c592df6538224ffd3696b6d23191088

SHA256
203667c932947a795616dd19d040b504201a402a6d6d767e7624da4c66dd2727

SHA512
842bcbf214a3762df990315fed6d74197a3968107b473571588689beb6a18cf01f9cc1fc92a64e8e908032351d251898bc881ab45a386f3d4d2872841bf389c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fa863106fd94c0a49e46cc7b8685642d

SHA1
e287882fde5274fedbe0c1625e7866576ed5a158

SHA256
79a781bcf2a439cfffbedceb57bffcb8f7f64217fc4c5ade6176644f40d1f968

SHA512
de0321a01703665b5e4e3de2ce551579f08cf1eaf8083c54ffb5337489507c4f09937cdce73f982cb4018fc67357ad82f4f40ffd3f03c026d97f11695f1c4c53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
34dd7ea8702b86b0a1cc73c530d0009c

SHA1
1775d0008766abfe889902c1b0dbaa36fb2a6438

SHA256
c9f3a6c7c46943a1c5ef1facadefc38dfc637fe98544641de7c0278ab1dea023

SHA512
34fabd8412184e84672cced45adb466c208a9f5e158037027c7a5d2fbfb5ae234f48b6ca84daf38a3e631bcd1c50d4c714e3b58e012028e406a7e62f99d6a7b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fda46b74c96e948c3d504c6c6c5b9ee9

SHA1
53e6c282df2e3c4a0f29dd9d5aea68cf841ef9fa

SHA256
fd7ba11915acd7a6bf6c9d2e106d1276acf138d4d63d8096c86febf10842158c

SHA512
fb424333fc77ea04fea28ee6f4468fca07b12d70fbfb2f2bf6dfb1aeaf76310c7bbb9b8d32eff3deb25525ed17ec890608420656be1855b41a59553af7036bf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
6db3fd495f9b88f0b4899b6ee5411ec6

SHA1
2e9e05e9d17fd73ee8139dad5b92dcf7c296a39e

SHA256
0670e4a0c6a41f64ca01f250915015d56080342904bd7a48903cfab8d1c72b78

SHA512
f92c07b080fed5ddb14e2697e8fef01c427d9307de9262997f7e343406b431ba66db4e7b7b2338b0ab87460d0944233fddf0ab476f089084a72123860af9a2a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\36UD5846\1[2].gif

Filesize
43B

MD5
df3e567d6f16d040326c7a0ea29a4f41

SHA1
ea7df583983133b62712b5e73bffbcd45cc53736

SHA256
548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87

SHA512
b2ca25a3311dc42942e046eb1a27038b71d689925b7d6b3ebb4d7cd2c7b9a0c7de3d10175790ac060dc3f8acf3c1708c336626be06879097f4d0ecaa7f567041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\36UD5846\__utm[1].gif

Filesize
35B

MD5
28d6814f309ea289f847c69cf91194c6

SHA1
0f4e929dd5bb2564f7ab9c76338e04e292a42ace

SHA256
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

SHA512
1d68b92e8d822fe82dc7563edd7b37f3418a02a89f1a9f0454cca664c2fc2565235e0d85540ff9be0b20175be3f5b7b4eae1175067465d5cca13486aab4c582c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
0254494a4c89bf8f623066957ccb7ea1

SHA1
0a31bf0f80c2e5caaf36fdf4266b72379cfb3751

SHA256
ffda9233d24b63e14924cddc16d3885111c7cf09abe840547c0a266c2000687f

SHA512
8f8c04122ae09f4a544d482eb72c30fc6d1ae9840e4247eb9e7a5cbe6e912fbff9132afc78974509923c24c30a8049199d43d83aba49b8a66ab78316546673bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tmfokiqz.kfq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HR49H.tmp\setupupdater.exe

Filesize
865KB

MD5
843d23f6aab075a3c032b06d30ce9c5d

SHA1
8e9f98e609db50ee6167a76b6ae1ca7886e6c866

SHA256
088f048ee972ef80bd527e301431c1ad7e46d0c994ad8a2b586c4fa6d86ac399

SHA512
101cc5a0a5c927adac497cf901ebfcb73bd92eec0b8855c8fa0aab0bb0411dcb5cc3271b6f73c0fdf6238a21df30871afcddf5bd8f0164ddaf8acd72d14a7db4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
50f2e08c0d8732e04f8a04f93148f811

SHA1
e68af6d443d001d9742e6b5094cf1a8c29dfbf66

SHA256
e923d9c974ea56294656a527b18a4e6184944e94deb30216f575996171f3e758

SHA512
35edbf0fc9cf89d097c49380a399e9fb2abbdff04eda750480f6cae6941e0939f533b7a1209770483abb232c5b25e4a4344d1a86bac86345f339fadc43d56081

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
37KB

MD5
8ac4737653a3754614f923d7e4149dd6

SHA1
934733d673f9a5ff0595c7c9855c2237ac2b9405

SHA256
1f62566e022ec2c48abc16bbf5d840dfccaa4263db45c41d83a1be25c22dbbcc

SHA512
60055e5fb6894316e827351303c3af9c1ce6a1d71cfc5ea5c93b93d2199e1b51fb1a3db4555df14766dd87e45b696c59413f8b1e0d9ffe56970aa29f51599551

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a48c7eb647df12b0ad7c216ec1002415

SHA1
7eb9fe04b6e39e38e640557e5fba36957d201b00

SHA256
87861df30eb97a146005d4b2528607b4308f0d9b85725b5e5dc0c4c66e4c062e

SHA512
3f0f66d2a1e17ec8b506ee8e689fa1e1f0ffcd2e190753c3511f7131efeecd0b35e8f0148c0af1bd33a1d7b667b034d52bb0fd89bd039a3c14c8adaa72aedfb8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ba979a13e061eb5589b18ea2ce085610

SHA1
08566cf7bcb33af96a77251614bb4a1080f76676

SHA256
314dc1f0bb3e2e464deccfce58139e2412523521ca950f7c14e42459ce146bc8

SHA512
ede4971c22611c0c4e25c9937a7cfe79695acc058ff4d307112ff6968fbbb2642173dacb0487ffd8c94a8fe221fb5c34b9da43d127ecd8bd20243b7ae2928fd9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
b043f21824cf4af659b740ca9a6747ec

SHA1
0abda6913455a3254a27f2f0b210c05db148f999

SHA256
fb90f6b4ab508d67f3a6a1e5f980fa096f62092ea9933317528898a7975c364d

SHA512
fcb92b251351a86731929419ccab0b5a340940c0d8cc47729d411cad33ac1e273ee618c6a4c480fcef0dba1da11ea3e4b650b42c7d76b0d23cdd23d615e3fac8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
7849b2bc42229939b4dd97843903c6a1

SHA1
2bcbbb02bc73e0854d9f2c7a45f7cd7b7433bc2a

SHA256
957ff29dcf8b806caa3cfcb2da31de7d62a21292034c72e827ed619230813583

SHA512
856e5eb84d3fa1aaf45b72037143f03e73bd7ebc6c519de0c7e50b2ded0636250b82cb354180f025b1f5aef6c5d7dd71812b2d1c32df8f242b0a271e1bcdccf4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
1d694b0c8ca42fdb5f56fdbd760a3f29

SHA1
ab53e0aebc6f19c2e69c69f304460711b124aee7

SHA256
0a5d65bfa623552e5c6393dbc6b02aecbee5864e9eb85659c4deb038365494bd

SHA512
cbbd8cb2a8d5c50cfe6d5a7866d637a6806988f421b0d4bcb32e97edfcd8619183d5e73eac10561b8502671bcca541633d2f22d9fd025ef886ae098fa51d0720

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
5cb8093b9f7434c516311a24385c0044

SHA1
2f1deeab8c1e5ec37f4f4c3b9911159cc81dc484

SHA256
6958e4bb712b579245b4b4beeb164fd4b02d758f54bbb3d17fc90cc41253ae6c

SHA512
009cf984d9d0968ceacd11e8d28d0eb95b01fa04814a5c998c5ed60ff6e476a046d3bf665bab7d81b451684aeabb94ec93ed0bf4ac1b87f39ee0c556b8c10ec4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
ba77a346d3e9dfb61133a6e31aa9a689

SHA1
7221f5e0fc40580419507baab3fc919bc3079629

SHA256
3bb01430a3731d484f7965cc5cca2979e4d51cfcd3f92eef071b7a16e9127091

SHA512
815210da2271d58145766f8ba61b4a7ae21373caff703fde5b67b92fdf3ea2b113c4e41cad910a89484420f939914831a0d7027333683f92bd449b4f520285f5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
e82f23c456b3a6f39d476e060ea610ea

SHA1
d436a1bd1b1ead28b8874bf2595ce5c83e40d6d0

SHA256
7872b1fe102d4fe2d028dddc68f52aececd51de2655102cb191b6d1828013bae

SHA512
9c55cb40b47f63b9a0b4401c3982d11d1250b92ea776e4eeb5b55d4362b06b7f1722d4c6fbe264fca2b0eccc5e74fb5f205686110de926756f81443fdeb89b7e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
c3aea0ea6ddc6a026b28ed09d0f89477

SHA1
0bb13b3512699f8f72a15488c35de12bcddefa25

SHA256
bbb821447b0cc252c53fb230640c7bc3fd515f0821c69de4a23389d002931b9d

SHA512
ee94c96845460e9767ad0fb737ac6fc3a0ea5c796e93c3040f7b410a0c88ef6e069afa198d8fdedec6eaae3de9d4a78054449a180287254f94b206a78da0369b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c258dd8804809b3d54c7f5ffe5304751

SHA1
52dafbd040ec70309b4b811c97c12932d26df673

SHA256
7b307bf8fdef7ef7ab0eec057646dc858dbdf6a9ab8814b621942372b5fb19a4

SHA512
859668d529df029ff89f680abe10a3d549e6631235c324489e8a30f93fc241452f00d6464e0f9b002c37d08335475af518300116d59e1360b168fb7528083ccc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
d4d737dfc1e93f90750b98a6dbf96cb2

SHA1
0ac34e4780c99a14c02c6ea40f269910aa2ead60

SHA256
b1e7f795a303a3007c5ad56359795ee3d025866cbfca7a3fc6aa8580212b5cff

SHA512
e7693eef12b9a33ab82d2234b4fcd91e56a021e477f7109922602c365e0609a0e53bbe0dd4a60f7f16b173fa5b7a3a0cff3f586f08cfd740a2b8e8af2fcdfdc8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
d364a30c49dfd5a740e5af6c284bae2f

SHA1
22e1b917aa4cc11a4785b8c242c1805fe64221a0

SHA256
dbfc2d3397295b151d2f5a0518554fe52faa7f47bc341885f7c7b63a6f9467ab

SHA512
dc10b0c6b65011287f91ebd5e6ab1ab25697e84d6a4475908867c7c9f0479c591ff27d864448f9834a09b53d5a6ca24262aaa85a7cca04d872c762d854e2b7d4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
63099692b5a816ffe8e0590a6a9db9f9

SHA1
0bc955b8a8f12ed317948d7a649609c570a82a75

SHA256
414444dce43f534f9bdf0414569f1759956025e855971740fdf2ab5e0ebbaeaf

SHA512
e80e1d21978ceeed5720119fe2c13207b2bf2cad98940a28c3cd0f77b8458486a67d6b45afe353d5efb3d6c454cd2d687f57f1b9db46da38276467de8aba8dc7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
cb80e0fc15b9ff915ff08543ffdfe442

SHA1
2fa13eb4200dc3edc52911144f1ab2970ab445a7

SHA256
3ab29b70633b0513a0687b1d0bb217eb3b04d5ac42ef2c5aa7fc971413f5bdc3

SHA512
8361e896596b9be48a07b9aa60222230b31ab90d79d5417b2865e29eed4d2892e837b05840512900943ece9051ba103f3d51d562122e7045dd412d787d1dc0c9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
1171dab881bf89cdbb0c3562400a6714

SHA1
6674d1a314e3883b267ea754f2317191f7868b1a

SHA256
8a6cec7a93b4f1c20262ad5016bde3fa0b6e53b8ed83d3f45ad68fc64821bb3e

SHA512
71eb0bf2728f95e420b52fb0fcec4a0532c71b937916f6fe086ac188362b2ddd3169354423932a60a4be6b588704e91546c0e7d59776b0ed2dea9a11684cb189

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
c9f0704c6d087412597dff9494293480

SHA1
9b484e6b1faa8d64b8f6d359447705a66fb0bc87

SHA256
26649d4318c4ea1cd8e9e89165524ae276fb0c5b2d2b75f474fb987004b3857c

SHA512
477583a35c1d7e9634d1d1d4441b03075a8aa318ff691fac70befa7d65bb0f3a0b5f5a55313376f7d0c1d627ec50fbcd21704eab93f4ca7c5aad67ed07516d60

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
10829a03bf12b993879874db8831219c

SHA1
36b0cef0679908e255de1d166fb9aa3e81b0395d

SHA256
71723559b98a99c5325624055aa091d3653c7c4d3a6edfd3928a3de6b26ae60e

SHA512
81c531401e8d79e5c08cfab336b4827955a938ba9087d6529faf6738a817da404e3687e40b2be3465d44443e01aa153d74f3522c718f5afea0a80b8000f4c87a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
0c0e4d08625c4a74b7c311a575e6c339

SHA1
03e3fd3dd6e5fbec23ba9c95082888ec341dee0b

SHA256
013d7e588ecd95a770c0bf65022f8d01fc0d9421b86a00cf2f44c49a1794f881

SHA512
afddaf3fa7135ad5bb4a1cd58f2edceb0d7bb7da0c08d2c5e49943bf583c7396fa308b60597b12736126347df33a8b36f2cd6cc0131a231d463cb0a3fe33954d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
b9dce6cd16019f5f7cd25c06514c9832

SHA1
f459ae2c9cb5fcfe0c77cc4c7762f4026b594f99

SHA256
836e38bd065420d9984ec91e25502f6bc4fd0124e2059e18408c8cff4ef5674b

SHA512
8f028560f9f4b896e7035d47c8537328c774083b47d74913f91d97ce748d62d29a429136f9e4d20b84f266e1404937f6fc2861c424c2aa2af90f366b33fa7c9c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
842cad15ada470ccf05926746d279817

SHA1
6e34d6b70bb22d8c685e3f64a47374b306f4e330

SHA256
422e9a9e085f907f71b2d9705495a3e4ab82f13cad9edde9884cbd8080a837fc

SHA512
7002fc999e0562a2251ded8184efde81e31ee5133cc81ada26a4efb203093b047e1b24386e0060700df4994acedf949151032f5c535615e10595b179c32b39b2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
4163a397e8c8667785bbbb8e8d1a2583

SHA1
c884db427f5e1d22037015dc2b97c920cdcbc024

SHA256
917c0381e85cc50bd7c65a358ed644914f09078aeda96d8ab0991315a4de8e9d

SHA512
3d43a465be8b549cfee8c64a97008628281b41397a36d8bf210fee19486c7246aa20c1b9922b12c59f8c9735cec174de114d70afadbdd29d96ad13fac0235585

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
737d4f182f9a6daf01a4541cb7563be2

SHA1
aade3c5d972d7d5686ea15d3e9e9857b9371bc62

SHA256
04ee8c14ef33c83fe7a568d6594162cc05d70e6c863c2b01d96cdf729a0cfb9c

SHA512
5d8cde992320786ad3d6899bf9e27841505cd97fe536130736dbe2ffead5f6bb784209e4196411d43e6848807e6c6b6102b941d871e7c8bff8183ee1bfff43c1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
524d63ff608d351e840710dbeb503ef1

SHA1
bbec1d3f955751502dad7972ddd3103b5406e9b1

SHA256
8fe400cdc99b1220a87554863cb8a001e97767f59fe4e05cd61e6457d62f0ecb

SHA512
f80e9bf93a63972713eca893d2166788a251107db7f8e5270c715679855b716594bbcbeb3380a21d7818ecc6f607a1f3f44c91193d65ee4803134c4b93b24388

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
be7076563315840a32e2eb0d9acc2c66

SHA1
b181a5d00ca0c6832adefebe2ca94490c7640018

SHA256
3fa43ba523482aefa08137c4ddf40e137d9430ba81dcdebb781504424188fadf

SHA512
ba3a7dcb5b1dc1221968496ade1263a37cf9c99c97395d84a309c11d5ad78992c118ce55f5b40b6adb9553028056d4880fccb4e3944be3e7fa52b16ae8c4c788

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
c7b18dbe1a34beafc97754392b4609c5

SHA1
7d44eea48dd1c7b580ffa345e22f30f55ef7af21

SHA256
fbcc8abce810bc047f2fe35a071a942325b4d4a52b55121272bd4b67d1caa80f

SHA512
70b4e69419cd1ff029299528494a0473b42cf7c9e689fc3d21d482e12aa6a1ec100dfe621c3c4f29c779d218d9cef68848db0de6040407162cfbc097056d2d33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
be10072f377174f80885cf65e54a6a62

SHA1
c2695edd81b1144af48df9f05f088084b89c359a

SHA256
4746f50d8355225ad6b715a709311845d306237fdecadd499571b9203d22c43d

SHA512
ed241b9b9d00eb9f60b3bb42dc89ac0d37efe7077d9101b84fff22f5905b2772f31bf7b864927e21d4836da793440fd9ce0a5fe0afb36e5c69bbaf76af6399e2

Download Submit
C:\Users\Admin\AppData\Roaming\discord\.win_arch_transition

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\discord\87bbd084-c69c-4310-9b1f-be0f511d3fe6.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Cache\Cache_Data\f_000025

Filesize
48KB

MD5
f1d58e4915378af6428d3ca55a6975ec

SHA1
f7e4cdc6148108fbce58443e2b65ad1f8e48090b

SHA256
f4c8c4a589a8377de188d731aa1d5845ba5534d3f84d3c50cd6113e956975fa9

SHA512
12166dc4be9eba111920d3a8c7eb72bc4a4bbea335fc4a016970f3d5a49c5a498723accf5573c441f1f11dd97c20c9842a8e690a8e2cd78002ea905ecc09cc40

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Cache\Cache_Data\f_00002b

Filesize
1.8MB

MD5
a15c12580edf7f5561d8c065d93216a5

SHA1
437e197ad5dc7591e5ba6eefcf1427513cb9d3de

SHA256
8bd2234206e32420299b813c5a7d174970226c600f71334021463cf56cfac278

SHA512
43f42ca4cf717bd56c9832f81faa3d65c34f12af052a28bd87213acaf7bc17af1d6637562a030267830b8d07db04d9084906990d2fb773780f3ffa0d9ced6800

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Cache\Cache_Data\f_00002d

Filesize
770KB

MD5
ae88898829735b481e426467f2d923af

SHA1
e799ca467ba5cc766e7790730bba1bcb97dad877

SHA256
9d52596d0562415b21f32b1d3845f97942700ae72604a7e7c942646894885789

SHA512
76ce5110084ff387b0547f904bb22ad140f7aab21ad9de4079fafff61cb0d66e56a8dd4aaeac93215149203c5aa401bce82f253f6b2c4425fe786881b57b2f3b

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Cache\Cache_Data\f_00002f

Filesize
138KB

MD5
cfca60c2d69fafa74d48f0d00eb59270

SHA1
167122bc23375158d482170103e7cff18e5aa0b9

SHA256
3f42dbff307d94f1c99004fb25f31a00ddbc0da1a464400ac17242cd8b6d58b8

SHA512
3a849cbaf15da82ae212704596ef125da4b7f4a54181a22b638d840cdfe2f11bbb265444d75822fcc4b3a3672fa64abf21e1cc16fabb9fb02a4bd0adfd0aad8c

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Cache\Cache_Data\f_000030

Filesize
148KB

MD5
606f4b7cc53f8b6474ec89a0085a7674

SHA1
4ad0df5aee28c17abde80814dad904b1e37a4f88

SHA256
c8de65ee7b29f147b784a04600bfaa21a0515feb783c4e9ca111accf8a78e4e3

SHA512
47d141a81cfce3b8246dce0a21a9620fc1910c6257e79f6260ea2b062fb5d6575bb23ca04401ee80de5371fb3a18678ed0e1cc3b34d036facd4c712aaf99dfff

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
41dd9445570ff628916e173919a9463a

SHA1
8927249eea5edaadc4a0be5f01e154e1051995b6

SHA256
efd84b14bd67a683549400d9de491f7b20718b1767ab67e23de3944fa154685f

SHA512
35b3304c2a878f64a29fc790178eabadd5a8730c013afe3dee41dcd38177c7efe675833f0eae1928a80e23dcec4a6e5b0a44f228f70aaef35b8c397defb7ce3a

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
16aac76f2056a89c1b86540049c9ff65

SHA1
10cdb97bc2a98153c0b9aab12a998af9e0c5d200

SHA256
0ce3662bb5eb87674c23f07233f0e73cdf41e0aa4d71e4a7a7f94abbeea6620f

SHA512
c1c7ca8d4a334de63ac79681fa66f82f5c1c95cafed3fbfe57b06292e56d56ee52aa64eae339818bc6228486e8ed35fe180f1ed13ccaedfc25689b70c578eac0

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
00ed4d1877632030cc972ebe62bc75db

SHA1
70bc2647e8bc9d9964a4b41e71ba34329fab1ddb

SHA256
31d5e024f74999431cb8fb87556f8f9b21a984b640ee62cf816daae407e870aa

SHA512
1a44aa78e50f657b4321eb784f29a28d571fb5aeed62d0b14fb43669b5ec073e25a825584ede46242957a8b5f626ab62e48ad8052c7ee19c93e4904d440cbd07

Download Submit
C:\Users\Admin\AppData\Roaming\discord\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\discord\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\discord\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Local State

Filesize
1017B

MD5
c68f2f5c66a53bbaa45aa94881514cfe

SHA1
9bbc11e1db7c34fc8fc88ad47440a7fcefa0ba47

SHA256
7ba5f4cc47b175d62a815488f552a4828c2aa3a82999210425a60d3ab2715f2e

SHA512
a2b10472ef7c84f3f46258459634edafa3e92984cf17764af1b703f3fab0c67cc5405c98a91726cbf73cbae1462a291abbea88b4a2254ac8308a356398bd1783

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Local State

Filesize
1017B

MD5
f878e2f4500c249081c9c24e0cd0fa4f

SHA1
b775321505d7b01d5702d49107256823b99f71f0

SHA256
bb7ee5e4dcbb50925f66bb7798abc380e7fb9de562afd2d5b262df322eaac723

SHA512
bda84be3c19cf55a1417f1521c72d476f965e11a5174c96276669663cb51a7569b9beb914f9e6ea9c30bf943934fba2d55700eaf41e53dc0618080016ef1ae38

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Local State

Filesize
755B

MD5
6060060fa3f281b871bdf61bcc08c7e9

SHA1
b12eed5592fd0df289fb033ceddae4288488a585

SHA256
9562a4c7090ef6fc41179dc8afc4af3926cef725e705bcde563e3aea7d4225ab

SHA512
fbc601a08bf59ac2e363eeb3fc17c3f6328388a30e42258e0330207456366311d70b0e77c93a4226d618bd4c5eaea9b510358a09f3904b43ea2ac9b80555eff3

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Local State

Filesize
643B

MD5
d79fe141f9a29e8a1024f0d1def7364a

SHA1
ae06f33ffa84e1ed068f7a5668363a4181b0ece8

SHA256
a1ef1b7fd86752247d17a289ab57fceebdfc4124c06ad4a2401a1fefd4f577f6

SHA512
fe8df431e6a76830fab6cfc57e213b3b43bd4cda7d37892322ddfc840c42ef7dedbb2510a3884b2143ba3a59917358fd17f45459024740937b92272655aed506

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Local State

Filesize
1017B

MD5
07e3f6a077ebd9096c2958cf0f94d9a0

SHA1
663077924e6c0bd1056eeafb97b0664d7819c8c9

SHA256
2e1af0cddd22a3da8a0b6e620714b623f6ae3676777137136204899c5e4a99cf

SHA512
21f78b9261a779f9b585e3a24a600ef6d237443d9d6d77d79268368c4bcaa9bb9f8336e47b665cce4d2134be3a8be1c2a13e8f5850c0f86ed142c0918ed2c84c

Download Submit
C:\Users\Admin\AppData\Roaming\discord\MediaFoundationWidevineCdm\x64\1.0.2738.0\_metadata\verified_contents.json

Filesize
1KB

MD5
3e839ba4da1ffce29a543c5756a19bdf

SHA1
d8d84ac06c3ba27ccef221c6f188042b741d2b91

SHA256
43daa4139d3ed90f4b4635bd4d32346eb8e8528d0d5332052fcda8f7860db729

SHA512
19b085a9cfec4d6f1b87cc6bbeeb6578f9cba014704d05c9114cfb0a33b2e7729ac67499048cb33823c884517cbbdc24aa0748a9bb65e9c67714e6116365f1ab

Download Submit
C:\Users\Admin\AppData\Roaming\discord\MediaFoundationWidevineCdm\x64\1.0.2738.0\manifest.fingerprint

Filesize
66B

MD5
d30a5bbc00f7334eede0795d147b2e80

SHA1
78f3a6995856854cad0c524884f74e182f9c3c57

SHA256
a08c1bc41de319392676c7389048d8b1c7424c4b74d2f6466bcf5732b8d86642

SHA512
dacf60e959c10a3499d55dc594454858343bf6a309f22d73bdee86b676d8d0ced10e86ac95ecd78e745e8805237121a25830301680bd12bfc7122a82a885ff4b

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\0c534726-e2f7-4800-9a0a-d4b9cac3d042.tmp

Filesize
1KB

MD5
1c9b49ba644cfb690d2b2c6539878b63

SHA1
912af626f3fd235f6e65c3d97d3e205f691cd8df

SHA256
4c975251b4b8a11336f8c7b4a20e34903d4cc649c58bf6fc286a69c575032c65

SHA512
89227cc759146f701c5e79c0b55162aea24dea4c9a8ccc548991ae74da9048ab3194e08fa613e4f6156966f34bc3fc17a3d4d483afd12d00d9958ce9ff2c2bbb

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
300B

MD5
ca873f8dd7d376838de7263fca05d372

SHA1
aee209b531e5e67493035af8da01104ad2e43dcd

SHA256
fc264241c12fc67a3f0ac18252b57b7f8275ecb13c4a244ba2af03f054149ad5

SHA512
091e7785cafb03bd64bdee2625f6628b6ce553122eaa558ac493703024e73ef394c1ac47a604932a00ae421ec83a36484c120577d3fe105d24a8cdcf25b9d154

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
563B

MD5
89501f19b350c3cbe86c001ffd8b37da

SHA1
9c671815c95b86445634cdaccef8285af5b0ac77

SHA256
36febb99524e1db4770a86b41cfe33467cd5561ddb4963b1ebc91d92d56d057a

SHA512
761e22ecd149f1fad6edd33677183df222624b0ac794d9c2a27ae160561763178b3b8a34227a48ee3fb95b0e9f071ddd40c3a4e9b7f4bcb7eed671377e7ed006

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
1KB

MD5
b257bc24288ffba06923059c2b39fa67

SHA1
fdb6e1fb780472b46e2ea895010f56dd3d1cbf24

SHA256
adc59d3ada689ed5e5731c16d7a5684a10cc5aad092b156ac2da3789907081e0

SHA512
847ff2652df230b3baa7eff0ce2cee1f7c22d835114b7abd4d15baa3d86e046b2c59af777526015e4a67ada1188ac949489cd6254890b356a417e4d3c415f4f8

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
1KB

MD5
8dbd9559e32c350feb2e39f946162288

SHA1
de8276d509af7c5af161861039a5f2520cab9254

SHA256
8d7d5a4c7073392a5ebd0f042e9057d7f58f296309e5a6fb331e7db99c12d706

SHA512
d0549cde55ab3bdf2fbdea7f3b91e841fba88edcbc155b66667c37447dbae17991a74fb62503d9b4bc41c71f0142118423c582a960a4ac0c8c8c700954de3e26

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
1KB

MD5
ddff4a3e025e9f66c9506d80ec6011a5

SHA1
de002c5612bf3f329430bfe1edb6219af5ba047d

SHA256
81c4adf40f1ddcc3eb2b30a0efc69c1e12ca4863e8f8582add4634c90a7e5763

SHA512
e252189da38d5a6fafb5d7ec8fe2da942cc8d9695dbd6dd8fe9defdc0e0693de27b7b942e28270fee1c62bde8cba263a1d676d6e3f5c02dfcb3cb8cedd616c53

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
1KB

MD5
272544517fc4146dee5742747b20da09

SHA1
db8794b29d3acfcb63a56c8d1ac52dfd7ea74616

SHA256
de7aef20a3afd481daa50d381d29e80be8d2293051c50838400a0365305a2eb6

SHA512
3ea2a089d749d2469528740f2bd9fe5ee236f55e08646f50ddf8c4a23580986fbfa9b6d7746743c5bcec91fda497b7ae3c1880448f4f5fb43694497cfad7631e

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
1KB

MD5
b279d17e435c13dd956044b096609f5f

SHA1
9be93742919dcbf0bb5af621427efc41fa2db173

SHA256
a3ba1e3db1eb19a69d045f73947e6daefbd35ff5928a8ee39410cb820ad9ebd4

SHA512
49b6b54d4643686da1581c9e3cf65979ca724e5ff33fdad08d578cd6c0a63bf433f760ea372f2882ad1d2aecfc133d0e03e37f4b74d942bf70eded665608582a

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
1KB

MD5
85a6dca159d91efde1cb3c427fabf883

SHA1
7e5efec357202730de1a31da7282607c0673c1c2

SHA256
865745f8150df50617bf089e8dbddb50a9478c4ebdf405b47e6084c1905d5637

SHA512
202279e9a8644f9e1003086bd6f677f6f8ea0df57a6cdd37f349221d91f35cfba1a08332405f57666e6b9317b16beb64a7bcc366f0b4b73ae34a9b4fede59ec2

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
1KB

MD5
195f85f30df356e58f7ca1f0969229da

SHA1
bb7d263351c6761fd9a377d7fce1a51fb8031ee2

SHA256
2ca58fcf4d046ee000076916d4eba1a939af34f6ec0dade551c5a80070c86c76

SHA512
1686e6bffa44c9b8038e763882171710afaa21f2375a4397eef95d26baa1384bbc9b9cf86dcc4b9f09b30a5c46d6605f24e657d734d656a63416e2464fa59f12

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
1KB

MD5
d4ad8715e56846bbebb728834f9d10cb

SHA1
28169bd8b0b66dc548a84616ab12271948cc8b0b

SHA256
e88674c13858e300b77c7d59c726f9742ce6dea1e44a5f6f58ab1499c9ded971

SHA512
d8d15d68352c7aade7bcb6c40b913ff53c64bd71d9e4695680117cd41ad9c3652174bc06f620e490bf47883a7c4d53a5c345a7d12e6dd3f11d770084cb747119

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
1KB

MD5
a2ee8b6917acc9fc75b26b429b8ecf45

SHA1
7bb14c9b15b1c8eb5a6528afb5f7567832fda645

SHA256
ec4c32901cdb334a04b58daf038905ede7d8437753dee084ffc8162b9b2f9fbc

SHA512
e6902578afd9aba527477fee9d761a96a2457a2085806166eca675d88d00d44fbcd319e9e86a855a673ee66953d8cd283f94847d1dcc796f50f71abb9e0123e4

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
1KB

MD5
658fea5e207606887aec678e4faa746b

SHA1
c7beab633afe55666d6f073aacff4a540d51d93a

SHA256
cf772575e7e161022b9f775cc4a270f17dca3628b700999f45f640797c789545

SHA512
f50506cc0c026e828baaf9a589c3f44a73325423a40675147dc028d1bd89f0318d0bf2766a4128908504438796f9a0c9d899ea8af1417d7cf0f82cc2b6018697

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
1KB

MD5
619057fab69ff8447503ff3ed57c86f9

SHA1
331f22824c8bb14755890c3fc5530b47d058b399

SHA256
f7b2f1cfd4c2a59492f4d4f2729b823819c411e7eccdb3d5e88d59c88a924d6c

SHA512
cf57f9570eab648432a0c956e318a8e61b68be61da5d63244da5d736f8401dbef26c8bd6baf43bbf97b18ebcc313f7bb520e1724a650a7cd2eee8a54595c8b98

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
1KB

MD5
16213fe852c86bb9fb63582de253a239

SHA1
bcd46ac430f6ef3e7c04aa62136ddea532015f5d

SHA256
5568a649c85a9d3d63fc0a1a47023ba7c76469c3cfa74cf6b32a738cc92b85ef

SHA512
d5876f27c260623e21547f9cdd9dd2b37b34506beea534d0fffb09950aa1558f34878ae82a9d497b47cd91e4ece7f5f6f1ee2d04299fe146b372a22b23305129

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
355B

MD5
8da07b2863ee7a28218be15a07b71ff1

SHA1
8cd9b5c7c28a972ac45e89c73fe04957a1c06db2

SHA256
a393f32d1ec20b01c3cf0c22593be5d1a0c5c489eaad59f1a04b0cf947d94079

SHA512
a96104ffa8c3cd502db136fc228588889d1b52318755fee8a1b1697c48bd02ca17c11d5e5be01306fbf93daf61e78b3169bec18ea997e94884b1d096d2adb630

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1024B

MD5
70930b7cab1cc02bf852f0ab629b4bc4

SHA1
4c65a12faceb7899cdf03afc92feb2b0dac2e155

SHA256
feb83ff32137696fd931e79c10ec1efa2192bde7789e885fe9ad5bcde46275f7

SHA512
3fc6024317cd598236ef1e2c68642e2029011b4820b76423944bd4c35836dae9812b06b2ecb90ba96e62a05c11c8de1843d738f5af20378ba1abcab09f294f0e

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1020B

MD5
3e67197e3d318daef7c6aa52ca4bccc2

SHA1
b812624c70fbe78363d8f8f93d60e16a5401b968

SHA256
24fe0442bd93773f58f11fe965ebbfde5da389538ed5d1a271f05472a01424a9

SHA512
44eeb416c08d14fca96349dc6e33429059c17969564aad21c0c45080b6677bea2f320ef15f62c4ae359b3a4df574bba68f464268934bb31de43a90d4086e45f6

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1KB

MD5
bafc2d6bbd32db12c01c70807df617b6

SHA1
b7ab51a62d9c4035e7197beb76eff45986ab0677

SHA256
c9ff9a1a274ffa211d4f59cb96c87e0afa5e1da1ff1c8e622ead6ab36e69ee74

SHA512
5fdc2ca67c41e9bc141b7e15e382793563d82e756b4a20e7949de260b09ce10b77eedd0d87a8b2a06795d06a368e588a696e864677d4f692f28fb31055264d1b

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
522B

MD5
659014fa20a4ec6e0e680085e02ee1ef

SHA1
4ba5210e8846d3822a7a905bf200e6cd85487705

SHA256
bbf3c944697bd326fca99a24b8c114804932e445f45d67b81f3fcf329c88fb42

SHA512
e22f95ee3557f04933916f00337ecd47ce2f278f67dec7169d0ea4c80b7ca176de2d198e15a742158ad31ff9d6960e60d6f20b6f5b99d1994b9e0c6df6c92f03

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1024B

MD5
1b3cd1e6142f6f2b227cff16888394fd

SHA1
d14ba32c7a4ae91525017f6582b576a7b96b51ca

SHA256
fedf260ca18846ba607e4d748d44b1456c08e57b38c389237583b6cf8f41d415

SHA512
23b8acfca42092d49b8cad5227085529c2ca4aed78227ae98bebdfb835c19b315cf6655963898f0b4460e3abc16d3d295f3daa4a550e8a7a671c504e847b95e9

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1KB

MD5
1cd1d0d9dc83d9e953eb62b5622020aa

SHA1
5814819b6e353ea7200bda042c0003f4ee213148

SHA256
9f6a382de4404497a8931bcc6fc97bd973a0007f40be91d3d60de62ca51c83af

SHA512
8638d61b8d0b18b7237dc79fcbe484a7fc4dde119118f432711e0a67e01644a35b6cdf81c97adb882043510ae4842bff2e034f66cb97a4af83ba2233170961ad

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1KB

MD5
a1cdd61f86e2e0b9e4599d4efafce075

SHA1
a88fa56e815a206a72f92bc13c67fc8abc3d6f10

SHA256
7172d3fb3811fbba44058c59cd36118943b861a5d5b3f886c398365307ea04f1

SHA512
bac70e38923ff4ea5ee07071328ec03808b5803c01c2127596c54d8daee15da7c056dfe668e6fcc11fa1c2aeac6ddd1c0adcbc8ff6db3e2df81acb4afeaa4b8e

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1KB

MD5
8f45f28f6009eb71d0341a77f86e07ac

SHA1
a4d5cc03d8ca7f7ab79d9e4e3cfaaba2833abac5

SHA256
781a7da4307625fbd095d77b7048b754a3e9afc0c35b19a198e761e8e7518281

SHA512
6ec251856749edbce2a7722ce2d5fd123d27caab733520dfa6dfa971871d6e495cab6a70720ba23e8f79e5504e65b5e3959af7f5dde2a4359cfb6d488183c55c

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1KB

MD5
109674c156891149f0f39bf9dd0d4b66

SHA1
a1149847e4ba22253e637de02fc949db6607cfa3

SHA256
be0c9cf3e38c25212d18e7b9e85cc05ab9ee3ea12d556a82639e30ae9f855a1e

SHA512
b814aedda75696de3a36b5c7e3e6904e2218b34e43c0d9f5a47930e5f82e3ef00413b375875d0069354949d6990674a709f22aa03cee662ec45ccab50dee02d0

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1KB

MD5
d87d75aeee9775d2ff0decc0a65e2c6e

SHA1
f714f562e0f720e007cc2f0be63967d217bf103a

SHA256
663479bf3e9c4a356989cc7b848e6f52a1f6048a218ef92be573a22bba98ad70

SHA512
f061e28d45db941ed0d54a6bb92ec6aaa29fd17fb258ec9d0056aa1c5ef00784a59e62c0049c209d5451c6131fb8ebb7abc80d6966da448fa376f36065685fbb

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1KB

MD5
a0c155cbaff23383749abd0044dfc153

SHA1
340b590cdd726904f6ebfbea913f432971435f84

SHA256
410b99d7556323382e6bcfb9e893270040874e848e114c9140b9ef206259bd63

SHA512
f55952b97034b0489b7752499fde08bd0abfad8af23aa5407d86026e3dda59370660adb93cab268a3e4e7dc839feb2b5eb0c6343eb68c072c8f7246ff5c8123d

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1KB

MD5
a4b90552cb85482e29c47d613a3dfd52

SHA1
ee9f4663c80f120d5eda88a3665e850cca9875c8

SHA256
b9d90834e905d4ef09ba77520408df2017c313695da0fba56e6fc5587a8c7815

SHA512
4eca20956c9a1ca8d4778d2fbaeefed6770fcd24709224f1f32e2374463d60be6c720a968a123e57ee0d272674a6f8986fd83a9d4962e846a4488619e747039e

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
355B

MD5
a68433974978fa32fbd10d7bd423b52e

SHA1
bcdbb422e87b2e968d70a50680d75e961042d354

SHA256
267a888fc9cc63447ce2a2175c6993b61d7ad8d1a72fce09727d6dc53024a0cf

SHA512
a3af189515db8881ab9fa6ead6cae1844b173540ff093c1f2693f36551f931d422825403311f93c959ee65091785a9c74f4f356d10c8c0eaf96dd017c0e50a05

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1KB

MD5
87b4d32848a4fcfc2dbd2309c21dd66c

SHA1
73336d906f7bb2bd2d7a8e103e9397ae58709f04

SHA256
9277f5d75e8736e0910037d749bf8184a3e0d2c7de5b165722e1707d37ca4893

SHA512
8274364a4807c9d2d68087ca201fa98c8336ab37096a13eeeba62fd3cbcada4de71f31c6a1d32487c02f7f3e53e875a23bd1e0665b8aef841bc9f8ce2aa589c5

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1KB

MD5
df8915648f191f3074f55a1abace5b4d

SHA1
b12339c96ed5af2d3be486d479bad0888db7a3d4

SHA256
3ccbaaf2a153e346cccc73efb19220df308609534c7c7d52564f41b8be16881c

SHA512
97a21d0488b1cd4c7d00bd3606937f9ec54f17e7bd9ce763818ff3ce4ff84e02fd33ff90a675df1bcffcdf91a7001a912d25dbcf9168ef97de18adc118030214

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1KB

MD5
e9116a67a51f2b38c7acd426133f4af7

SHA1
af09988908de39eb4a75a5c5784c3ba7a8aeb8ac

SHA256
024d2620a3502846fba0ee52488514c1d587290fb7e273d9376f75e6aa29e043

SHA512
748e4dcbfb90dbfecb30030716fb8c5523741b7995b1009cca78fbba8efb652097fcabd478943f398b7eeef06f04ee0f5fd61b0c2c57eba08b532e03acdf794a

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
522B

MD5
390b5c790cc1aa29470aba73f11d95a2

SHA1
7b1a2be7eb002f670b870c5fd79b316f713eac70

SHA256
3c9db3ea16391856bebce7572e1bcd6beb809b3eea9194ad4077b59c9f6cc851

SHA512
d1ac432923dab0b4d70e6d9bd0cda13281abae238a4ab5ffb25ad9135be5bdd84448dd7ae7c399ebce180a7c81af6f03a404e351969a5097d8fb9b9250c703c6

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1KB

MD5
b6393f4b7eb4bf2b4fb1e59752f7a7d2

SHA1
cae9f0cb406388cadd7c1675d4b3ac5c344c6825

SHA256
7ce86c3054dd67afb7d42ad6053d942637bc5dbf4482944471afdcabee19380a

SHA512
ee9905fff722cb265cf79fa4055e9501697cfeb62477a92e84fce832c1c822bb3639ebd5f3a8b230e15878f15a679d85e7b251eea827b0470ffa781840ec49b3

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1KB

MD5
419bc6583baf726e75757957e0d32249

SHA1
33ee898fe4fb079b0786146eb6c0c172dc98820d

SHA256
4889089c7da9cfbf2e23f04315fc5103c4750ae29bd51b916297ff4d862ce86a

SHA512
9c05fbe15042b96200fa86b42224ff23a4dec66f92a53585d35dbef4b11381b0801107f804425f901361e9871d8981060de5ca6e4d9ab6eaa1f4578ea882459b

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1024B

MD5
e3f3dc351b25eaf29563af8b06f7a17d

SHA1
eacdab473cedacdcbd30643a9ea15cb9bbf7f279

SHA256
432f2860733de8028fdadee02391b121a17e720dcbb0dd27ad6f8af234136d74

SHA512
b34e873b69ffbc079fcbd0274a296871c3306412313b3ceb4681303cda7889d0be837f4f1a5cb9b10eeaa7b8323759d2e157af8ba381f42e6229480528fe9caf

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1KB

MD5
9043cf65c567a0f6a35339cfc337d922

SHA1
f7c6cf307c9cd6bf1be1bfd8a08388dde1da6772

SHA256
078371bbde5f2c7f1c6633fe8ad33730402f3714e72cbdbdda1b5b7ef73547a9

SHA512
8b063ed725717849c5d2754176c5e2e573860391b51f9ee18286d229d950c7929624c3bde3744049b3f3552a7f21710f9fd32248611d06bd624e7a8c8b2e6144

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1KB

MD5
be3187e0747ef65194e9258b85fb284d

SHA1
f1b2db61702921571e077b759784752d4d2e5fb2

SHA256
a3a6ce594fa9d506818b8408a217bdd328d8b727e8258cd05c31d3754135235b

SHA512
f90f3e094a0104d6b7255a503f1bf38fdfc532546e5e005452de6976d07f6f9b32a649559330bf6e192cfb49e018dbf210bc5f1e2e4198546f97ab6eda9906cd

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1KB

MD5
e1ae9747c0caea2cfaf87e8503dab384

SHA1
ae24cd438824013d1ea8479cf68a9d0d0c85b13d

SHA256
04587ca1bd059c4227aee1d43b0f0a2d746b299bb5c7988e21930e7ba21a828c

SHA512
cba281b3596007e65fe5e34bdd3689c9cdf8de315c7a34e283d1e466fd3ecd0908d0f17707658e9197f7bfc92f8f334ad083b72b01f6071ab2d569164df89699

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1KB

MD5
b43d7e1db5f9a8be857fdbaef6dee69c

SHA1
4176f0a3cd82ff588c50dfa47b53250196dd9adf

SHA256
ee6314f01c0e23bac3df47a3f54c18f47735ff0eb22b19668c0ce40bbc8fca28

SHA512
01d5050b907e40ac982e55541233f0f9e01155f0932dcd68067ee9ac8df24edd93d4a8a04e832e31130c754d5c37912c24a302c51cf75847e88a4ef5b5d7721c

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1KB

MD5
ea5163de4c9544ecc33029ac4bde85cc

SHA1
37ed7870b66f8b04dc0efd47f61e0fb3a6d9fc1a

SHA256
bdb69b2b9813f7852d9d519d7417fc55a7356ec3689aca378e30853aba8e9782

SHA512
523c863ccd7275d9179d88e0f5ddd8a9e866c23f433fffb1c83cd6db3f980ae8f5e85a15e29199fd264efb6faf05135d288ececf5db3efbba191513a33b83acd

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1KB

MD5
17f7c8e26a11d31945c62a53566b81c0

SHA1
5e144a05dff682935a3132853314ba62ae5621ff

SHA256
d384ae7208241e7f0e54f43137343959e1b07cafac9aa39bc01598a290e1f3d6

SHA512
4e575752e298a5ad0235606b68a860e072a79129e28c545493d3fd10cf976560a62eed04a348e9af57fa8f275b129f3f02c5fac7ffd5f5636166805bb21c4c94

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
1KB

MD5
3a9e60cd06405ce749215199a883626e

SHA1
459329bac3df1dc0e28ee79f1beb521df877a40f

SHA256
735f8c13dff9febd203787a09953731d32aa1e28e7243ebe216ee2daf3d5249d

SHA512
f63dd04a13fa387fd1e94093c32c867dfb8a6ad0711a7771055db81bf33027b827fd095b9011364b5208ea494d494418e3cace46f22d85b0de88a4e00c4ad5a9

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Preferences

Filesize
132B

MD5
2277e1eeafea53bf66cba5e6225ec92a

SHA1
9da916c122d4413888905c11b0ca1f4cf4ceac7e

SHA256
a139ca328960c35b82d7e2bac36f674f596f668f4e309d0b495bedac4a64743c

SHA512
27ce250c3c6c563a8d8a0ba325ee851206f5856dce77c72915f12dd7e6239d6f057721e2b4cddf54f7f5adc8383061a1628cc377f0fb0f884337ac1cdbb07e08

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Preferences

Filesize
172B

MD5
3715918bbb23cd917c71f699d5d5a852

SHA1
987a263ff208f6d4ccbb6f5364ba9296a447ef44

SHA256
2b7267e600359f1d007ef63df7a98a7e475f51cbdb5b40c951ed94a5c2681407

SHA512
912fee55c91b30a47acee322bbdfe67533879c8797d706d1d66e8883f6176711223fcc69fc030f772fadd26e98a97dadf6c2cb3462a4379079a232d81c1afe2f

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\discord\component_crx_cache\neifaoindggfcjicffkgpmnlppeffabd_1.c900ba9a2d8318263fd43782ee6fd5fb50bad78bf0eb2c972b5922c458af45ed

Filesize
1.1MB

MD5
f265d47475ffd3884329d92deefae504

SHA1
98c74386481f171b09cb9490281688392eefbfdd

SHA256
c900ba9a2d8318263fd43782ee6fd5fb50bad78bf0eb2c972b5922c458af45ed

SHA512
4fd27594c459fb1cd94a857be10f7d1d6216dbf202cd43e8a3fa395a268c72fc5f5c456c9cb314f2220d766af741db469c8bb106acbed419149a44a3b87619f1

Download Submit
C:\Users\Admin\AppData\Roaming\discord\component_crx_cache\oimompecagnajdejgnnjijobebaeigek_1.2903aec9f77378fa19280af8ff89294fb9ce2caf8e0092c69e19973c0a9cc6fe

Filesize
13.5MB

MD5
5d9ad58399fbef9be94190d149c2f863

SHA1
45f3674f0425d58d9ffc5d9001ff6754f357543c

SHA256
2903aec9f77378fa19280af8ff89294fb9ce2caf8e0092c69e19973c0a9cc6fe

SHA512
9a9532cce2de086d5934235d21d27b8a0863ae902a81151a728364aebe044faef5e5805d64efe68d67a5a5aaf408f74954d08f10c6a011dc9ea82c629339d3b0

Download Submit
C:\Users\Admin\AppData\Roaming\discord\component_crx_cache\oimompecagnajdejgnnjijobebaeigek_1.d9a253514b6a010dfc1916c55246797e5773f13844ea3ec2d25078e845fef760

Filesize
13.7MB

MD5
17c227679ab0ed29eae2192843b1802f

SHA1
cc78820a5be29fd58da8ef97f756b5331db3c13e

SHA256
d9a253514b6a010dfc1916c55246797e5773f13844ea3ec2d25078e845fef760

SHA512
7e33288afd65948a5752323441c42fcc437d7c12d1eaf7a9b6ae1995784d0771e15637f23cc6bc958e40ea870414543d67a27b4c20331fde93d5b6dc6a59cbaf

Download Submit
C:\Users\Admin\AppData\Roaming\discord\sentry\scope_v3.json

Filesize
6KB

MD5
eb60e8815fef0cd868447f0fc0ab2c4e

SHA1
1503587b9750634db4b7ca339654f4cd8bfbd54d

SHA256
c0c6bbb242dfce5c9143b9c77977b6c85bd13822a7137125fe7a580b1e2e2914

SHA512
f4577a358959705a846aa7e2d05915d45031513de97f42292f8702eb41a5accc981af0ec70e6d0ae8d841ee332d8c0e9e3cc71081c366d0681cb81f8ae6517b1

Download Submit
C:\Users\Admin\Desktop\InstallEnable.xht

Filesize
159KB

MD5
2460d2eb1b1365c8f3b3435a61e03a05

SHA1
5febb0887e44c5acfd8a3b2b4f190b5a8106cd0c

SHA256
50e7a3aba8a6f7efd030ef5e0c866342847f3351544a46b66bb45469741dac1d

SHA512
86fb5bdb3fe8fdeaa55ef1d5c9ab38a8ab96384fd348273c2a5d5d9c56e81c841ac2528501a2f12ce20d017ce546bce3c9e08f26b141788555b1451a3678c5ab

Download Submit
C:\Users\Admin\Desktop\InstallUnblock.wps

Filesize
169KB

MD5
58508b2cf9dca3cb23f673b076531fa6

SHA1
2b14d50665cabd768c3faf2300fd95aa0e47dab3

SHA256
9868caa717219f9c6144a8497f84c7db0e54046fdb16e9aa55fcb3339f52acf8

SHA512
886e0ad8be7636fa1e19aa351103bb186b25d7047d42ba84d257801b1b02c4d467e3b46885ceadf59bdf0d528d45aae2e7b52684654fdea5b0b8b917345eaa46

Download Submit
C:\Users\Admin\Desktop\InvokeReceive.html

Filesize
227KB

MD5
3b7c448df78321d1d4bbaccd4f9a2ea0

SHA1
ec04ce9531b0e52da6054ed8456de2e73306dada

SHA256
206de0b0b3fce28a94c01705f4a2b89de533a40035c206a7fdd62f02e088aaf6

SHA512
93ee1ce9a7c9671f63f5729a31db5909aed183b8e625f22296024220e11a2709551f3452998d7c6dcf77ea534369e7c387365daa63848aef87d52eea337ae263

Download Submit
C:\Users\Admin\Desktop\LimitMount.vssx

Filesize
208KB

MD5
876a65f99aa02a9b2bb6a86cb0177b87

SHA1
244944b9c9853a1986ba9e06adf0593b6d2c6067

SHA256
e2086c9ecc77395192e326e777861c087fabd9365a43bc80403e8c6452f8823a

SHA512
687927c051aa88276ab5dfc5be80ec38b2bccc110a45c4996e82aff836b8fbbcadc2d82a5b0820c9139223bd88f534f0dae0f489b0ec905856da7e590aaa4d5c

Download Submit
C:\Users\Admin\Desktop\LockDisable.m3u

Filesize
295KB

MD5
c8590e94abe1e9ceb7e279270ac7f9b8

SHA1
9104cb124c671892b4308d40ab7312f460b6d45b

SHA256
eb0804dd9d73e80acc8309c9c4de67de64bb5764b5a235e4fce68bb5fd430b61

SHA512
e18710feb30b0a2591effbb657e8410ca0c48dc54f6b15d1d7946a3265f8204e3bb4ff464a08f76170d52529c5279502a38ad0c7d88a2e349d175d0231ee65d3

Download Submit
C:\Users\Admin\Desktop\MoveSave.xltm

Filesize
217KB

MD5
da024a8eb3d3e23229f2d55cf2f8e005

SHA1
38586d20289ce58b70d44bb4115d168410e46f86

SHA256
58b6442c986f114fc8c4669e5bf398f71adaee407c4b77b2ce086d29d20a63a4

SHA512
203825c8c07229f2f2a1dc8a0a37b5084836af87a26643b9a355a3f536ad09580f1de0b3250cb8c5f955d5aee92196465b79b7335b4b34e34c16ef0cb34c6ebe

Download Submit
C:\Users\Admin\Desktop\OptimizeSkip.DVR

Filesize
285KB

MD5
6a89d77ca45c4f59471b7b45dc12a78c

SHA1
319db3cd6716fe147324d732988ac0bccf5b6daf

SHA256
ebd033c2d5a7584821ecb819958089087b9badcc7e9a8d1635552a87d768fa85

SHA512
f1ca49696fc943fedd24fd0c2ed85a1c1434d04afe565dd788d6a9afe4cd3cfec0d886908ddca49f40cba194ff639d7a355f8b4226ac1e03bc40ce47457dca9c

Download Submit
C:\Users\Admin\Desktop\PingConvert.ppsm

Filesize
314KB

MD5
af1a4daeecd01d5a56deff174897cf69

SHA1
1bc4a68a54dcaad4c6c3a8a5cf61790971631fb6

SHA256
cf7a4002a533dcde8e30ee2fd5e6b6a32671b4d6eb684a88084f4ab42a4c66fa

SHA512
fb434bf40eb27141b824e23434d74fd51d914dec4688c64c3e46cd505f84661d48695ef42fa2be5a3e5aa1dd0a42a0155f3a271ddef580af38c6eb6563ebf2a8

Download Submit
C:\Users\Admin\Desktop\PushAdd.MTS

Filesize
304KB

MD5
5d69a3c48d9015bdf450fede61215f91

SHA1
9705cee6a871466c1679aaab8aa99c3a0c982aa2

SHA256
4199243156c66e67c6805ea326de9fc7d895f86f7dcc9334d16cdc4e6b45440f

SHA512
453c6d642716081194352c01192608a8abf8362730a160f0feb997c05c83078e344142db90c4b3f13af97fa83be4062a7d6e07e729d00f17a6f6e7d94f095536

Download Submit
C:\Users\Admin\Desktop\RegisterCopy.jpeg

Filesize
246KB

MD5
e04eb62ee7fdd432c5a694fd75c56383

SHA1
0331db6453d6223c3c84d6fc82121ebff481cf86

SHA256
22e5cc91e548d3b916675e8a195ed65f5cb258faa3f4110267ce5dcafbf32ec1

SHA512
0caaee83af3f58c644316372a27e52cc7ffd3e0be037b42745619f564f016f0e4e149ca26ed762dec8ee732efa858109107764859a0cb98acc9a8caaeefcdf8f

Download Submit
C:\Users\Admin\Desktop\RequestJoin.wav

Filesize
120KB

MD5
b659b17359841eda7b0d44066f49179a

SHA1
582f5e8e49f1d2da95886ee59c158469bfde6009

SHA256
bdf05fb28b6516da7f6b2f9ed4f921887c9df6d401521e7b822b7e2ec99f0d7c

SHA512
508ba9e0815e62f1e5d8e526b50697175ef36a0e7554b07758cf81e946fdcd1114eaa035ee64191fa39cce575537811c468e1528e5815fb481a825a68e4e7bfc

Download Submit
C:\Users\Admin\Desktop\ResetClose.ocx

Filesize
130KB

MD5
2875b6284a213fcc1b6a4bebbc76f812

SHA1
527b79b3ebaf0c067507d7f5211f2211ed458e54

SHA256
25e572526a4cdf82cd53bc86c6cf83193274472be17c55fce191143200cd88c2

SHA512
034a817d80927f85e4da1b76edc269f666f50cf1c54c274784a0a6e11eec0d3caec74a6a04a930506c5358563db5cb231b8edad68f14253bdcc0bd4869fa5bc1

Download Submit
C:\Users\Admin\Desktop\ShowMove.m1v

Filesize
256KB

MD5
337cf1c54b12c09407aa8f278330327a

SHA1
a738f8acc4b7ea74db2ad204adb324fc19c1fd8d

SHA256
e4f027b394303106d30e40d3118b0361bed4b39df6675b9bfaeb97230d44f174

SHA512
9168e4db043b5109ade8fe663252d8cbfda43e6cdaecc7296f194e45b22dbc97a10c653718f405f7cbf2dc19067c1cb8d6e5b9cf0c368952a9a7b04c7f126cc8

Download Submit
C:\Users\Admin\Desktop\SubmitSet.wma

Filesize
179KB

MD5
b51997c390a52b8d6893cce978fbd92c

SHA1
1ad297e9e18e4189aeb1f8da82dd18f897ef3529

SHA256
a568b2327ec101298fe5524fbc0b903b9457664e5703cd899cd65ab020ca96e6

SHA512
1617f6549de88b50b93b8d7a3eefbf9431c94b93b781b1a1bd544308e775aad399907118374e3a979b08d84397f4e83cdf28034783ed6876a66b1bed2b17a902

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
23KB

MD5
0134fef4d0f4e21b1acdb3ef1fcb2d61

SHA1
605d1a92bdce83651e6cdfb795a9e2679bce2d7e

SHA256
6fd3381f05d3bd1359cedd4202952563d0169f57fafeea7c8cdf9afc7ac2e5a4

SHA512
df417aa68f61720328bbdd1de59085cca2a0e19d01a499f80cf0c2b404dfba3c0af2c47beefba7130009b8f0547749451a576c253b254d1ba78847e2289ae91f

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2700_2009859799\LICENSE

Filesize
473B

MD5
f6719687bed7403612eaed0b191eb4a9

SHA1
dd03919750e45507743bd089a659e8efcefa7af1

SHA256
afb514e4269594234b32c873ba2cd3cc8892e836861137b531a40a1232820c59

SHA512
dd14a7eae05d90f35a055a5098d09cd2233d784f6ac228b5927925241689bff828e573b7a90a5196bfdd7aaeecf00f5c94486ad9e3910cfb07475fcfbb7f0d56

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2700_2009859799\manifest.json

Filesize
984B

MD5
0359d5b66d73a97ce5dc9f89ed84c458

SHA1
ce17e52eaac909dd63d16d93410de675d3e6ec0d

SHA256
beeab2f8d3833839399dde15ce9085c17b304445577d21333e883d6db6d0b755

SHA512
8fd94a098a4ab5c0fcd48c2cef2bb03328dd4d25c899bf5ed1ca561347d74a8aab8a214ba2d3180a86df72c52eb26987a44631d0ecd9edc84976c28d6c9dc16a

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6596_1565052213\Google.Widevine.CDM.dll

Filesize
2.7MB

MD5
477c17b6448695110b4d227664aa3c48

SHA1
949ff1136e0971a0176f6adea8adcc0dd6030f22

SHA256
cb190e7d1b002a3050705580dd51eba895a19eb09620bdd48d63085d5d88031e

SHA512
1e267b01a78be40e7a02612b331b1d9291da8e4330dea10bf786acbc69f25e0baece45fb3bafe1f4389f420ebaa62373e4f035a45e34eada6f72c7c61d2302ed

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6596_1565052213\manifest.json

Filesize
145B

MD5
bbc03e9c7c5944e62efc9c660b7bd2b6

SHA1
83f161e3f49b64553709994b048d9f597cde3dc6

SHA256
6cce5ad8d496bc5179fa84af8afc568eeba980d8a75058c6380b64fb42298c28

SHA512
fb80f091468a299b5209acc30edaf2001d081c22c3b30aad422cbe6fea7e5fe36a67a8e000d5dd03a30c60c30391c85fa31f3931e804c351ab0a71e9a978cc0f

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6596_657165520\manifest.json

Filesize
1001B

MD5
2648d437c53db54b3ebd00e64852687e

SHA1
66cfe157f4c8e17bfda15325abfef40ec6d49608

SHA256
68a3d7cb10f3001f40bc583b7fff0183895a61d3bd1b7a1c34e602df6f0f8806

SHA512
86d5c3129bec156b17b8ebd5dec5a6258e10cb426b84dd3e4af85c9c2cd7ebf4faea01fd10dd906a18ea1042394c3f41a835eae2d83dc8146dfe4b6d71147828

Download Submit
memory/1500-247-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/1500-16-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/1500-1054-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/1500-497-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/1500-468-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/1500-267-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/1500-465-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/1500-462-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/1500-457-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/1500-450-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/2636-9-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/2636-0-0x0000000000B44000-0x0000000001D7A000-memory.dmp

Filesize
18.2MB

Download
memory/2636-1-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/2636-260-0x0000000000B44000-0x0000000001D7A000-memory.dmp

Filesize
18.2MB

Download
memory/2636-316-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/2636-246-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/2636-317-0x0000000000B44000-0x0000000001D7A000-memory.dmp

Filesize
18.2MB

Download
memory/4712-3920-0x0000015862E00000-0x0000015862E2A000-memory.dmp

Filesize
168KB

Download
memory/4712-3921-0x0000015862E00000-0x0000015862E24000-memory.dmp

Filesize
144KB

Download
memory/4780-18-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/4780-248-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/4780-268-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/4780-466-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/4780-1261-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/4812-452-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/4812-252-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/4812-464-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/4812-318-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/4812-1276-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/5140-1334-0x000001CB2C6B0000-0x000001CB2C6D2000-memory.dmp

Filesize
136KB

Download
memory/5452-758-0x0000000005900000-0x0000000005920000-memory.dmp

Filesize
128KB

Download
memory/5728-556-0x0000000000B60000-0x0000000000CD6000-memory.dmp

Filesize
1.5MB

Download
memory/5728-619-0x00000000070F0000-0x00000000070F8000-memory.dmp

Filesize
32KB

Download
memory/5728-624-0x0000000007140000-0x000000000714E000-memory.dmp

Filesize
56KB

Download
memory/5728-623-0x0000000007170000-0x00000000071A8000-memory.dmp

Filesize
224KB

Download
memory/7076-3905-0x00000262FB720000-0x00000262FB766000-memory.dmp

Filesize
280KB

Download