zgrat | hxxps://www[.]youtube[.]com/watch?v=fIcu6PGGEnI

Analysis

max time kernel
548s
max time network
542s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/watch?v=fIcu6PGGEnI

Score

10^/10

zgrat discovery persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral1/memory/1696-1919-0x0000000001100000-0x000000000115A000-memory.dmp	family_zgrat_v1
behavioral1/memory/8-2059-0x0000000000760000-0x00000000007BA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1224-2127-0x0000000000950000-0x00000000009AA000-memory.dmp	family_zgrat_v1
behavioral1/memory/3472-2243-0x0000000000900000-0x000000000095A000-memory.dmp	family_zgrat_v1

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

description	pid	Process	procid_target
PID 4648 created 3460	4648	Tight.pif	56
PID 4776 created 3460	4776	Tight.pif	56
PID 3020 created 3460	3020	Tight.pif	56
PID 5156 created 3460	5156	Tight.pif	56
PID 5680 created 3460	5680	Tight.pif	56
PID 5788 created 3460	5788	Tight.pif	56
PID 5140 created 3460	5140	Tight.pif	56
PID 4916 created 3460	4916	Tight.pif	56
PID 3512 created 3460	3512	Tight.pif	56
PID 2852 created 3460	2852	Tight.pif	56
PID 4792 created 3460	4792	Tight.pif	56
PID 1928 created 3460	1928	Tight.pif	56

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	7zFM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Cel3ry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Cel3ry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Cel3ry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Cel3ry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Cel3ry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Cel3ry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Cel3ry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Cel3ry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Cel3ry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Cel3ry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Cel3ry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Cel3ry.exe

Executes dropped EXE 35 IoCs

pid	Process
4792	7z2404-x64.exe
4836	7z2404-x64.exe
1780	7zFM.exe
2948	7zFM.exe
668	7zFM.exe
6024	7zG.exe
5892	7zG.exe
3412	Cel3ry.exe
4648	Tight.pif
3732	Cel3ry.exe
4776	Tight.pif
1748	Cel3ry.exe
3020	Tight.pif
5964	Cel3ry.exe
5156	Tight.pif
1356	Cel3ry.exe
1648	Cel3ry.exe
3416	Cel3ry.exe
5680	Tight.pif
3264	Cel3ry.exe
4944	Cel3ry.exe
1696	RegAsm.exe
5764	Cel3ry.exe
1752	Cel3ry.exe
5788	Tight.pif
5140	Tight.pif
4916	Tight.pif
3512	Tight.pif
2852	Tight.pif
4792	Tight.pif
5824	Cel3ry.exe
1928	Tight.pif
8	RegAsm.exe
1224	RegAsm.exe
3472	RegAsm.exe

Loads dropped DLL 6 IoCs

pid	Process
3460	Explorer.EXE
6024	7zG.exe
5892	7zG.exe
1780	7zFM.exe
3460	Explorer.EXE
3460	Explorer.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2404-x64.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2404-x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates processes with tasklist 1 TTPs 24 IoCs

Process Discovery

T1057

pid	Process
5608	tasklist.exe
6028	tasklist.exe
1948	tasklist.exe
748	tasklist.exe
3024	tasklist.exe
5644	tasklist.exe
5144	tasklist.exe
1152	tasklist.exe
4576	tasklist.exe
3400	tasklist.exe
4220	tasklist.exe
1480	tasklist.exe
2428	tasklist.exe
6120	tasklist.exe
5752	tasklist.exe
3496	tasklist.exe
3228	tasklist.exe
5796	tasklist.exe
4436	tasklist.exe
844	tasklist.exe
2592	tasklist.exe
2280	tasklist.exe
3900	tasklist.exe
2124	tasklist.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133591586664291149"	chrome.exe

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2404-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2404-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3411335054-1982420046-2118495756-1000\{E435DFF3-1CCB-4D15-A26B-CF9E87AF88F2}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2404-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2404-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2404-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2404-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 797675.crdownload:SmartScreen	msedge.exe

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
5304	PING.EXE
1060	PING.EXE
5928	PING.EXE
2544	PING.EXE
5668	PING.EXE
2992	PING.EXE
5800	PING.EXE
4552	PING.EXE
4168	PING.EXE
2860	PING.EXE
5644	PING.EXE
4476	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2128	msedge.exe
2128	msedge.exe
5084	msedge.exe
5084	msedge.exe
4264	identity_helper.exe
4264	identity_helper.exe
4940	msedge.exe
4940	msedge.exe
3928	msedge.exe
3928	msedge.exe
4840	msedge.exe
4840	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
4648	Tight.pif
4648	Tight.pif
4648	Tight.pif
4648	Tight.pif
4648	Tight.pif
4648	Tight.pif
1780	7zFM.exe
1780	7zFM.exe
4776	Tight.pif
4776	Tight.pif
4776	Tight.pif
4776	Tight.pif
4776	Tight.pif
4776	Tight.pif
1780	7zFM.exe
1780	7zFM.exe
3020	Tight.pif
3020	Tight.pif
3020	Tight.pif
3020	Tight.pif
3020	Tight.pif
3020	Tight.pif
1780	7zFM.exe
1780	7zFM.exe
5156	Tight.pif
5156	Tight.pif
5156	Tight.pif
5156	Tight.pif
5156	Tight.pif
5156	Tight.pif
4648	Tight.pif
4648	Tight.pif
5680	Tight.pif
5680	Tight.pif
5680	Tight.pif
5680	Tight.pif
5680	Tight.pif
5680	Tight.pif
5788	Tight.pif
5788	Tight.pif
5788	Tight.pif
5788	Tight.pif
5788	Tight.pif
5788	Tight.pif
5140	Tight.pif
5140	Tight.pif
5140	Tight.pif
5140	Tight.pif

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

pid	Process
5996	OpenWith.exe
1780	7zFM.exe
5652	OpenWith.exe
2948	7zFM.exe
2992	OpenWith.exe
668	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs

pid	Process
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5296	chrome.exe
5296	chrome.exe
5296	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	4296	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4296	AUDIODG.EXE
Token: SeRestorePrivilege	1780	7zFM.exe
Token: 35	1780	7zFM.exe
Token: SeRestorePrivilege	2948	7zFM.exe
Token: 35	2948	7zFM.exe
Token: SeRestorePrivilege	668	7zFM.exe
Token: 35	668	7zFM.exe
Token: SeRestorePrivilege	6024	7zG.exe
Token: 35	6024	7zG.exe
Token: SeSecurityPrivilege	6024	7zG.exe
Token: SeRestorePrivilege	5892	7zG.exe
Token: 35	5892	7zG.exe
Token: SeSecurityPrivilege	5892	7zG.exe
Token: SeSecurityPrivilege	5892	7zG.exe
Token: SeSecurityPrivilege	1780	7zFM.exe
Token: SeSecurityPrivilege	1780	7zFM.exe
Token: SeDebugPrivilege	3228	tasklist.exe
Token: SeDebugPrivilege	844	tasklist.exe
Token: SeSecurityPrivilege	1780	7zFM.exe
Token: SeDebugPrivilege	6028	tasklist.exe
Token: SeDebugPrivilege	1948	tasklist.exe
Token: SeDebugPrivilege	5796	tasklist.exe
Token: SeDebugPrivilege	2592	tasklist.exe
Token: SeDebugPrivilege	1480	tasklist.exe
Token: SeDebugPrivilege	748	tasklist.exe
Token: SeDebugPrivilege	3024	tasklist.exe
Token: SeDebugPrivilege	2280	tasklist.exe
Token: SeDebugPrivilege	5644	tasklist.exe
Token: SeDebugPrivilege	4436	tasklist.exe
Token: SeDebugPrivilege	5144	tasklist.exe
Token: SeDebugPrivilege	3900	tasklist.exe
Token: SeDebugPrivilege	1696	RegAsm.exe
Token: SeBackupPrivilege	1696	RegAsm.exe
Token: SeSecurityPrivilege	1696	RegAsm.exe
Token: SeSecurityPrivilege	1696	RegAsm.exe
Token: SeSecurityPrivilege	1696	RegAsm.exe
Token: SeSecurityPrivilege	1696	RegAsm.exe
Token: SeDebugPrivilege	2428	tasklist.exe
Token: SeDebugPrivilege	1152	tasklist.exe
Token: SeDebugPrivilege	6120	tasklist.exe
Token: SeDebugPrivilege	2124	tasklist.exe
Token: SeDebugPrivilege	5608	tasklist.exe
Token: SeDebugPrivilege	4576	tasklist.exe
Token: SeDebugPrivilege	3400	tasklist.exe
Token: SeDebugPrivilege	5752	tasklist.exe
Token: SeDebugPrivilege	4220	tasklist.exe
Token: SeDebugPrivilege	3496	tasklist.exe
Token: SeShutdownPrivilege	5296	chrome.exe
Token: SeCreatePagefilePrivilege	5296	chrome.exe
Token: SeDebugPrivilege	8	RegAsm.exe
Token: SeShutdownPrivilege	5296	chrome.exe
Token: SeCreatePagefilePrivilege	5296	chrome.exe
Token: SeBackupPrivilege	8	RegAsm.exe
Token: SeSecurityPrivilege	8	RegAsm.exe
Token: SeSecurityPrivilege	8	RegAsm.exe
Token: SeSecurityPrivilege	8	RegAsm.exe
Token: SeSecurityPrivilege	8	RegAsm.exe
Token: SeShutdownPrivilege	5296	chrome.exe
Token: SeCreatePagefilePrivilege	5296	chrome.exe
Token: SeShutdownPrivilege	5296	chrome.exe
Token: SeCreatePagefilePrivilege	5296	chrome.exe
Token: SeShutdownPrivilege	5296	chrome.exe
Token: SeCreatePagefilePrivilege	5296	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
4648	Tight.pif
4648	Tight.pif
4648	Tight.pif
4776	Tight.pif
4776	Tight.pif
4776	Tight.pif
3020	Tight.pif
3020	Tight.pif
3020	Tight.pif
5156	Tight.pif
5156	Tight.pif
5156	Tight.pif
5680	Tight.pif
5680	Tight.pif
5680	Tight.pif
5788	Tight.pif
5788	Tight.pif
5788	Tight.pif
5140	Tight.pif
5140	Tight.pif
5140	Tight.pif
4916	Tight.pif
4916	Tight.pif
4916	Tight.pif
3512	Tight.pif
3512	Tight.pif
3512	Tight.pif
2852	Tight.pif
2852	Tight.pif
2852	Tight.pif

Suspicious use of SetWindowsHookEx 55 IoCs

pid	Process
5996	OpenWith.exe
5996	OpenWith.exe
5996	OpenWith.exe
904	OpenWith.exe
904	OpenWith.exe
904	OpenWith.exe
4792	7z2404-x64.exe
4836	7z2404-x64.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5652	OpenWith.exe
5180	AcroRd32.exe
5180	AcroRd32.exe
5180	AcroRd32.exe
5180	AcroRd32.exe
2992	OpenWith.exe
2992	OpenWith.exe
2992	OpenWith.exe
2992	OpenWith.exe
2992	OpenWith.exe
2992	OpenWith.exe
2992	OpenWith.exe
2992	OpenWith.exe
2992	OpenWith.exe
2992	OpenWith.exe
2992	OpenWith.exe
2992	OpenWith.exe
2992	OpenWith.exe
4840	OpenWith.exe
4840	OpenWith.exe
4840	OpenWith.exe
4840	OpenWith.exe
4840	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 2380	5084	msedge.exe	85
PID 5084 wrote to memory of 2380	5084	msedge.exe	85
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 4324	5084	msedge.exe	86
PID 5084 wrote to memory of 2128	5084	msedge.exe	87
PID 5084 wrote to memory of 2128	5084	msedge.exe	87
PID 5084 wrote to memory of 2076	5084	msedge.exe	88
PID 5084 wrote to memory of 2076	5084	msedge.exe	88
PID 5084 wrote to memory of 2076	5084	msedge.exe	88
PID 5084 wrote to memory of 2076	5084	msedge.exe	88
PID 5084 wrote to memory of 2076	5084	msedge.exe	88
PID 5084 wrote to memory of 2076	5084	msedge.exe	88
PID 5084 wrote to memory of 2076	5084	msedge.exe	88
PID 5084 wrote to memory of 2076	5084	msedge.exe	88
PID 5084 wrote to memory of 2076	5084	msedge.exe	88
PID 5084 wrote to memory of 2076	5084	msedge.exe	88
PID 5084 wrote to memory of 2076	5084	msedge.exe	88
PID 5084 wrote to memory of 2076	5084	msedge.exe	88
PID 5084 wrote to memory of 2076	5084	msedge.exe	88
PID 5084 wrote to memory of 2076	5084	msedge.exe	88
PID 5084 wrote to memory of 2076	5084	msedge.exe	88
PID 5084 wrote to memory of 2076	5084	msedge.exe	88
PID 5084 wrote to memory of 2076	5084	msedge.exe	88
PID 5084 wrote to memory of 2076	5084	msedge.exe	88
PID 5084 wrote to memory of 2076	5084	msedge.exe	88
PID 5084 wrote to memory of 2076	5084	msedge.exe	88

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=fIcu6PGGEnI
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff848f846f8,0x7ff848f84708,0x7ff848f84718
    3⤵
    PID:2380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
    3⤵
    PID:4324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
    3⤵
    PID:2076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
    3⤵
    PID:1628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
    3⤵
    PID:3932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
    3⤵
    PID:3700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
    3⤵
    PID:1224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5464 /prefetch:8
    3⤵
    PID:1160
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
    3⤵
    PID:556
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
    3⤵
    PID:5376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
    3⤵
    PID:5604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
    3⤵
    PID:6036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2732 /prefetch:1
    3⤵
    PID:6044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
    3⤵
    PID:5284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
    3⤵
    PID:3468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1
    3⤵
    PID:3640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
    3⤵
    PID:2976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5684 /prefetch:8
    3⤵
    PID:2528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
    3⤵
    PID:4240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6352 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
    3⤵
    PID:5992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7044 /prefetch:1
    3⤵
    PID:3068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5560 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:3928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1132 /prefetch:1
    3⤵
    PID:3632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
    3⤵
    PID:4148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
    3⤵
    PID:5504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
    3⤵
    PID:3220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7020 /prefetch:8
    3⤵
    PID:4528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7264 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4840
- - C:\Users\Admin\Downloads\7z2404-x64.exe
    "C:\Users\Admin\Downloads\7z2404-x64.exe"
    3⤵
    - Executes dropped EXE
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:4792
- - C:\Users\Admin\Downloads\7z2404-x64.exe
    "C:\Users\Admin\Downloads\7z2404-x64.exe"
    3⤵
    - Executes dropped EXE
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:4836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
    3⤵
    PID:1696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
    3⤵
    PID:2140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
    3⤵
    PID:5784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1132 /prefetch:1
    3⤵
    PID:5036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6716 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7356 /prefetch:1
    3⤵
    PID:5728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1384 /prefetch:1
    3⤵
    PID:3060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5442063246936950455,7271923301841586675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1
    3⤵
    PID:4868
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_CEL3RY BY GODDY V3.2.1.zip\README.txt
  2⤵
  PID:3500
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- - C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1\CeleryX\" -ad -an -ai#7zMap4665:122:7zEvent25285
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:6024
- - C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1\CeleryX\" -ad -an -ai#7zMap15919:122:7zEvent1709
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:5892
- - C:\Users\Admin\AppData\Local\Temp\7zO4F65DDDC\Cel3ry.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO4F65DDDC\Cel3ry.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:3412
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Survivors Survivors.cmd & Survivors.cmd & exit
      4⤵
      PID:4864
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3228
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        
        PID:1116
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        
        PID:956
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 4408704
        5⤵
        
        PID:1480
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "unemploymentibmrecoveredfarm" Tall
        5⤵
        
        PID:2924
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Jersey + Ln + Precise + Nominations + Nhl 4408704\o
        5⤵
        
        PID:2016
    - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4408704\Tight.pif
        
        4408704\Tight.pif 4408704\o
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SendNotifyMessage
        
        PID:4648
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:1060
- - C:\Users\Admin\AppData\Local\Temp\7zO4F629A2D\Cel3ry.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO4F629A2D\Cel3ry.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:3732
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Survivors Survivors.cmd & Survivors.cmd & exit
      4⤵
      PID:5244
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6028
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        
        PID:2796
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        
        PID:6104
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 4408864
        5⤵
        
        PID:396
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "unemploymentibmrecoveredfarm" Tall
        5⤵
        
        PID:2852
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Jersey + Ln + Precise + Nominations + Nhl 4408864\o
        5⤵
        
        PID:2532
    - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4408864\Tight.pif
        
        4408864\Tight.pif 4408864\o
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SendNotifyMessage
        
        PID:4776
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:4552
- - C:\Users\Admin\AppData\Local\Temp\7zO4F61950D\Cel3ry.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO4F61950D\Cel3ry.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:1748
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Survivors Survivors.cmd & Survivors.cmd & exit
      4⤵
      PID:992
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5796
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        
        PID:1680
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        
        PID:6132
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 4409064
        5⤵
        
        PID:4328
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "unemploymentibmrecoveredfarm" Tall
        5⤵
        
        PID:6024
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Jersey + Ln + Precise + Nominations + Nhl 4409064\o
        5⤵
        
        PID:4624
    - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4409064\Tight.pif
        
        4409064\Tight.pif 4409064\o
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SendNotifyMessage
        
        PID:3020
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:5928
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1\README.txt
  2⤵
  PID:2776
- C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1\CeleryX\CeleryX\Cel3ry.exe
  "C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1\CeleryX\CeleryX\Cel3ry.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Survivors Survivors.cmd & Survivors.cmd & exit
    3⤵
    PID:3228
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1480
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:1012
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:748
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:4540
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 4409784
      4⤵
      PID:3940
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "unemploymentibmrecoveredfarm" Tall
      4⤵
      PID:4840
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Jersey + Ln + Precise + Nominations + Nhl 4409784\o
      4⤵
      PID:4588
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4409784\Tight.pif
      4409784\Tight.pif 4409784\o
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SendNotifyMessage
      PID:5156
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2544
- C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1\CeleryX\CeleryX\Cel3ry.exe
  "C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1\CeleryX\CeleryX\Cel3ry.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Survivors Survivors.cmd & Survivors.cmd & exit
    3⤵
    PID:976
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3024
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:5860
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2280
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:5752
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 4410204
      4⤵
      PID:4716
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "unemploymentibmrecoveredfarm" Tall
      4⤵
      PID:5252
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Jersey + Ln + Precise + Nominations + Nhl 4410204\o
      4⤵
      PID:860
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4410204\Tight.pif
      4410204\Tight.pif 4410204\o
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SendNotifyMessage
      PID:5680
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:5668
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4408704\RegAsm.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4408704\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1\CeleryX\CeleryX\Cel3ry.exe
  "C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1\CeleryX\CeleryX\Cel3ry.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Survivors Survivors.cmd & Survivors.cmd & exit
    3⤵
    PID:5476
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5644
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:5024
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4436
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:5240
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 4410304
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "unemploymentibmrecoveredfarm" Tall
      4⤵
      PID:1568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Jersey + Ln + Precise + Nominations + Nhl 4410304\o
      4⤵
      PID:3552
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4410304\Tight.pif
      4410304\Tight.pif 4410304\o
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SendNotifyMessage
      PID:5788
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4168
- C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1\CeleryX\CeleryX\Cel3ry.exe
  "C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1\CeleryX\CeleryX\Cel3ry.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3416
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Survivors Survivors.cmd & Survivors.cmd & exit
    3⤵
    PID:4400
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5144
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:3364
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3900
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:5152
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 4410334
      4⤵
      PID:5752
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "unemploymentibmrecoveredfarm" Tall
      4⤵
      PID:708
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Jersey + Ln + Precise + Nominations + Nhl 4410334\o
      4⤵
      PID:2524
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4410334\Tight.pif
      4410334\Tight.pif 4410334\o
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SendNotifyMessage
      PID:5140
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2860
- C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1\CeleryX\CeleryX\Cel3ry.exe
  "C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1\CeleryX\CeleryX\Cel3ry.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3264
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Survivors Survivors.cmd & Survivors.cmd & exit
    3⤵
    PID:1460
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1152
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:4628
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2124
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:4648
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 4410404
      4⤵
      PID:1116
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "unemploymentibmrecoveredfarm" Tall
      4⤵
      PID:6108
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Jersey + Ln + Precise + Nominations + Nhl 4410404\o
      4⤵
      PID:5936
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4410404\Tight.pif
      4410404\Tight.pif 4410404\o
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SendNotifyMessage
      PID:3512
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4476
- C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1\CeleryX\CeleryX\Cel3ry.exe
  "C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1\CeleryX\CeleryX\Cel3ry.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4944
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Survivors Survivors.cmd & Survivors.cmd & exit
    3⤵
    PID:5652
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2428
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:6120
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:5268
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 4410434
      4⤵
      PID:3680
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "unemploymentibmrecoveredfarm" Tall
      4⤵
      PID:5800
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Jersey + Ln + Precise + Nominations + Nhl 4410434\o
      4⤵
      PID:4812
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4410434\Tight.pif
      4410434\Tight.pif 4410434\o
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SendNotifyMessage
      PID:4916
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:5644
- C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1\CeleryX\CeleryX\Cel3ry.exe
  "C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1\CeleryX\CeleryX\Cel3ry.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5764
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Survivors Survivors.cmd & Survivors.cmd & exit
    3⤵
    PID:928
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4576
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:5668
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5752
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:5200
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 4410504
      4⤵
      PID:5496
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "unemploymentibmrecoveredfarm" Tall
      4⤵
      PID:1244
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Jersey + Ln + Precise + Nominations + Nhl 4410504\o
      4⤵
      PID:5064
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4410504\Tight.pif
      4410504\Tight.pif 4410504\o
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SendNotifyMessage
      PID:2852
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:5800
- C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1\CeleryX\CeleryX\Cel3ry.exe
  "C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1\CeleryX\CeleryX\Cel3ry.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Survivors Survivors.cmd & Survivors.cmd & exit
    3⤵
    PID:3444
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5608
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:4792
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3400
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:5708
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 4410564
      4⤵
      PID:5816
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "unemploymentibmrecoveredfarm" Tall
      4⤵
      PID:3228
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Jersey + Ln + Precise + Nominations + Nhl 4410564\o
      4⤵
      PID:4232
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4410564\Tight.pif
      4410564\Tight.pif 4410564\o
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      PID:4792
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2992
- C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1\CeleryX\CeleryX\Cel3ry.exe
  "C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1\CeleryX\CeleryX\Cel3ry.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Survivors Survivors.cmd & Survivors.cmd & exit
    3⤵
    PID:4856
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4220
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:540
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3496
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:3736
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 4411354
      4⤵
      PID:3028
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "unemploymentibmrecoveredfarm" Tall
      4⤵
      PID:4928
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Jersey + Ln + Precise + Nominations + Nhl 4411354\o
      4⤵
      PID:3936
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4411354\Tight.pif
      4411354\Tight.pif 4411354\o
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      PID:1928
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:5304
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4408864\RegAsm.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4408864\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  PID:5296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff83a46cc40,0x7ff83a46cc4c,0x7ff83a46cc58
    3⤵
    PID:1548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1856,i,13714141953640145872,15130903292299479882,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1864 /prefetch:2
    3⤵
    PID:2924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2028,i,13714141953640145872,15130903292299479882,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2184 /prefetch:3
    3⤵
    PID:4272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,13714141953640145872,15130903292299479882,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2260 /prefetch:8
    3⤵
    PID:6112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,13714141953640145872,15130903292299479882,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3140 /prefetch:1
    3⤵
    PID:2524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3368,i,13714141953640145872,15130903292299479882,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3396 /prefetch:1
    3⤵
    PID:244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4556,i,13714141953640145872,15130903292299479882,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4568 /prefetch:1
    3⤵
    PID:2984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4668,i,13714141953640145872,15130903292299479882,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4664 /prefetch:8
    3⤵
    PID:4624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,13714141953640145872,15130903292299479882,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4804 /prefetch:8
    3⤵
    PID:5504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,13714141953640145872,15130903292299479882,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4960 /prefetch:8
    3⤵
    PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:5048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff83a46cc40,0x7ff83a46cc4c,0x7ff83a46cc58
    3⤵
    PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:5712
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff83a46cc40,0x7ff83a46cc4c,0x7ff83a46cc58
    3⤵
    PID:5428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ff83a46cc40,0x7ff83a46cc4c,0x7ff83a46cc58
    3⤵
    PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:4924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xdc,0x104,0x7ff83a46cc40,0x7ff83a46cc4c,0x7ff83a46cc58
    3⤵
    PID:1180
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4409064\RegAsm.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4409064\RegAsm.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:2856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff83a46cc40,0x7ff83a46cc4c,0x7ff83a46cc58
    3⤵
    PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:4464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff83a46cc40,0x7ff83a46cc4c,0x7ff83a46cc58
    3⤵
    PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:2592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xd4,0x104,0x108,0xd8,0xdc,0x7ff83a46cc40,0x7ff83a46cc4c,0x7ff83a46cc58
    3⤵
    PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:6056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff83a46cc40,0x7ff83a46cc4c,0x7ff83a46cc58
    3⤵
    PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:4540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ff83a46cc40,0x7ff83a46cc4c,0x7ff83a46cc58
    3⤵
    PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:3732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff83a46cc40,0x7ff83a46cc4c,0x7ff83a46cc58
    3⤵
    PID:5304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:1308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff83a46cc40,0x7ff83a46cc4c,0x7ff83a46cc58
    3⤵
    PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:2644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff848f7cc40,0x7ff848f7cc4c,0x7ff848f7cc58
    3⤵
    PID:2696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2092,i,11220756418121079903,9566438362212262687,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2088 /prefetch:2
    3⤵
    PID:4448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1884,i,11220756418121079903,9566438362212262687,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2124 /prefetch:3
    3⤵
    PID:5016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,11220756418121079903,9566438362212262687,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2304 /prefetch:8
    3⤵
    PID:3280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,11220756418121079903,9566438362212262687,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3148 /prefetch:1
    3⤵
    PID:4176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,11220756418121079903,9566438362212262687,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3180 /prefetch:1
    3⤵
    PID:3788
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4216,i,11220756418121079903,9566438362212262687,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4208 /prefetch:1
    3⤵
    PID:2500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4564,i,11220756418121079903,9566438362212262687,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4596 /prefetch:8
    3⤵
    PID:2816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4212,i,11220756418121079903,9566438362212262687,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4620 /prefetch:8
    3⤵
    PID:3380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4128,i,11220756418121079903,9566438362212262687,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4140 /prefetch:1
    3⤵
    PID:5728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5032,i,11220756418121079903,9566438362212262687,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5048 /prefetch:8
    3⤵
    PID:5832
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5272,i,11220756418121079903,9566438362212262687,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5320 /prefetch:1
    3⤵
    PID:3132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4396,i,11220756418121079903,9566438362212262687,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3320 /prefetch:8
    3⤵
    PID:1876
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4409784\RegAsm.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4409784\RegAsm.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4410204\RegAsm.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4410204\RegAsm.exe
  2⤵
  PID:5192
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4410304\RegAsm.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4410304\RegAsm.exe
  2⤵
  PID:2796
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4410334\RegAsm.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4410334\RegAsm.exe
  2⤵
  PID:4624
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4410434\RegAsm.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4410434\RegAsm.exe
  2⤵
  PID:4684
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4410404\RegAsm.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4410404\RegAsm.exe
  2⤵
  PID:4272
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4410504\RegAsm.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4410504\RegAsm.exe
  2⤵
  PID:5700
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4410564\RegAsm.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4410564\RegAsm.exe
  2⤵
  PID:692
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4411354\RegAsm.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4411354\RegAsm.exe
  2⤵
  PID:1576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3068

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x378 0x37c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4588

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5996

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:904

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5652
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_CEL3RY BY GODDY V3.2.1.zip\CeleryX.rar"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5180
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:2304
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2EE0A360DD688BC7A68B889D286E3C8C --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2976
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=ABD4D905333EAE4D18AE1E7979C23FC8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=ABD4D905333EAE4D18AE1E7979C23FC8 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:3972
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EEC3F6DC0838633F14E7D40139470D3A --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2448
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C98782CCDD7105BDB025A05FE40B3284 --mojo-platform-channel-handle=2428 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4316
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3BB6A08934C6DC8B649C4EBF8837D0AC --mojo-platform-channel-handle=2404 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5932

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2992

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4840

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1696

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:5892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.chm

Filesize
116KB

MD5
06a64af41b5db1a9210ee54586c973e8

SHA1
cd7eac5e9b9a0a05b8050369c2c6fb8e600a1f04

SHA256
d12efae8b2824701875e44d26210dcbd6905fa79610ae88618da773a43be1af0

SHA512
1aa7515a23231e4d89ae528c7b94bfd9614cf261324ee5f2752645e59435e953aa301e821af4fbcfaa6e70c10159cba5d54429d6649f93e17dcb4c2f712e3ed2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
960KB

MD5
246da2a8b76013599e3d11b9f6f03515

SHA1
6a10aa64297e68fb5bb5abb940338d5a51c0e81c

SHA256
996e8436a50a1818b574a7ecb078d4f3566d6666fc4defb2493ec7f0c08538a8

SHA512
df9d86b41bca8e90ae212267b3cdac24e5c506dec0d88832b3a7f407f7f9057f23bb5c341137727f593088eb33a811eaddc445ecf1bd61b89cb1777837b0f1f8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
691KB

MD5
4a8614832d2512e1b1cf73051f083185

SHA1
da8b5fbc538cfc186dde7292dc17f4580b789c4a

SHA256
2f4f3768ca8f50f9a8882a7ac99aa95513f26fda7a41ce8c7971735d9b7ce920

SHA512
4846340d1726f14b9a932e032d914e15d7122dc5b24c12f63ac4b9b04ada46fe7a83551870509720be39e67abc6e7d27499fb853b4df5871253b26901c2d6e55

Download Submit
C:\Program Files\7-Zip\History.txt

Filesize
5KB

MD5
3f2c1471a31d0a869775b306277f4429

SHA1
b37a69269a50b12ba70c9e4867a4621371686cb7

SHA256
5832d48e029810253bfb74989a5644fce73dc02150ceb6b902aac0496b69feae

SHA512
1daf8717b19fa82d98f75ef7cb90a44245a5b6ee39cc473122eedc1401ec3e735c2cf132899d78410caff5b14ba6c3d31ff4e32370ea54619fd2646db0049928

Download Submit
C:\Program Files\7-Zip\Lang\af.txt

Filesize
4KB

MD5
df216fae5b13d3c3afe87e405fd34b97

SHA1
787ccb4e18fc2f12a6528adbb7d428397fc4678a

SHA256
9cf684ea88ea5a479f510750e4089aee60bbb2452aa85285312bafcc02c10a34

SHA512
a6eee3d60b88f9676200b40ca9c44cc4e64cf555d9b8788d4fde05e05b8ca5da1d2c7a72114a18358829858d10f2beff094afd3bc12b370460800040537cff68

Download Submit
C:\Program Files\7-Zip\Lang\an.txt

Filesize
7KB

MD5
f16218139e027338a16c3199091d0600

SHA1
da48140a4c033eea217e97118f595394195a15d5

SHA256
3ab9f7aacd38c4cde814f86bc37eec2b9df8d0dddb95fc1d09a5f5bcb11f0eeb

SHA512
b2e99d70d1a7a2a1bfa2ffb61f3ca2d1b18591c4707e4c6c5efb9becdd205d646b3baa0e8cbd28ce297d7830d3dfb8f737266c66e53a83bdbe58b117f8e3ae14

Download Submit
C:\Program Files\7-Zip\Lang\ar.txt

Filesize
12KB

MD5
5747381dc970306051432b18fb2236f2

SHA1
20c65850073308e498b63e5937af68b2e21c66f3

SHA256
85a26c7b59d6d9932f71518ccd03eceeba42043cb1707719b72bfc348c1c1d72

SHA512
3306e15b2c9bb2751b626f6f726de0bcafdc41487ba11fabfcef0a6a798572b29f2ee95384ff347b3b83b310444aaeec23e12bb3ddd7567222a0dd275b0180ff

Download Submit
C:\Program Files\7-Zip\Lang\ast.txt

Filesize
4KB

MD5
1cf6411ff9154a34afb512901ba3ee02

SHA1
958f7ff322475f16ca44728349934bc2f7309423

SHA256
f5f2174daf36e65790c7f0e9a4496b12e14816dad2ee5b1d48a52307076be35f

SHA512
b554c1ab165a6344982533cceed316d7f73b5b94ce483b5dc6fb1f492c6b1914773027d31c35d60ab9408669520ea0785dc0d934d3b2eb4d78570ff7ccbfcf9c

Download Submit
C:\Program Files\7-Zip\Lang\az.txt

Filesize
9KB

MD5
3c297fbe9b1ed5582beabfc112b55523

SHA1
c605c20acf399a90ac9937935b4dbdb64fad9c9f

SHA256
055ec86aed86abbdbd52d8e99fec6e868d073a6df92c60225add16676994c314

SHA512
417984a749471770157c44737ee76bfd3655ef855956be797433dadc2a71e12359454cc817b5c31c6af811067d658429a8706e15625bf4ca9f0db7586f0ae183

Download Submit
C:\Program Files\7-Zip\Lang\ba.txt

Filesize
10KB

MD5
387ff78cf5f524fc44640f3025746145

SHA1
8480e549d00003de262b54bc342af66049c43d3b

SHA256
8a85c3fcb5f81157490971ee4f5e6b9e4f80be69a802ebed04e6724ce859713f

SHA512
7851633ee62c00fa2c68f6f59220a836307e6dde37eae5e5dca3ca254d167e305fe1eb342f93112032dadafe9e9608c97036ac489761f7bdc776a98337152344

Download Submit
C:\Program Files\7-Zip\Lang\be.txt

Filesize
11KB

MD5
b1dd654e9d8c8c1b001f7b3a15d7b5d3

SHA1
5a933ae8204163c90c00d97ba0c589f4d9f3f532

SHA256
32071222af04465a3d98bb30e253579aa4beceaeb6b21ac7c15b25f46620bf30

SHA512
0137900aeb21f53e4af4027ea15eed7696ed0156577fe6194c2b2097f5fb9d201e7e9d52a51a26ae9a426f8137692154d80676f8705f335fed9ae7e0e1d0a10e

Download Submit
C:\Program Files\7-Zip\Lang\bg.txt

Filesize
17KB

MD5
7e72ddda5c9c36ff524237c6e9e04966

SHA1
579efd005bb150983ff9e45836412d5b0f4ff619

SHA256
e1459219f199f991d31baab97e8dc98de86dd263062cc8968193211f24eeec3b

SHA512
413ede16d362fcbab3b40268d9a87ca805a77e643b0716288779fd0487c9db2e462a9e98dfd4ee686b303a9171017e6505d5139938fdead0104bfdff3583d1cb

Download Submit
C:\Program Files\7-Zip\Lang\bn.txt

Filesize
14KB

MD5
771c8b73a374cb30df4df682d9c40edf

SHA1
46aa892c3553bddc159a2c470bd317d1f7b8af2a

SHA256
3f55b2ec5033c39c159593c6f5ece667b92f32938b38fcaf58b4b2a98176c1fc

SHA512
8dcc9cc13322c4504ee49111e1f674809892900709290e58a4e219053b1f78747780e1266e1f4128c0c526c8c37b1a5d1a452eefba2890e3a5190eebe30657ba

Download Submit
C:\Program Files\7-Zip\Lang\br.txt

Filesize
4KB

MD5
07504a4edab058c2f67c8bcb95c605dd

SHA1
3e2ae05865fb474f10b396bfefd453c074f822fa

SHA256
432bdb3eaa9953b084ee14eee8fe0abbc1b384cbdd984ccf35f0415d45aabba8

SHA512
b3f54d695c2a12e97c93af4df09ce1800b49e40302bec7071a151f13866edfdfafc56f70de07686650a46a8664608d8d3ea38c2939f2f1630ce0bf968d669ccc

Download Submit
C:\Program Files\7-Zip\Lang\ca.txt

Filesize
8KB

MD5
264fb4b86bcfb77de221e063beebd832

SHA1
a2eb0a43ea4002c2d8b5817a207eb24296336a20

SHA256
07b5c0ac13d62882bf59db528168b6f0ffdf921d5442fae46319e84c90be3203

SHA512
8d1a73e902c50fd390b9372483ebd2ec58d588bacf0a3b8c8b9474657c67705b6a284bb16bba4326d314c7a3cc11caf320da38d5acb42e685ed2f8a8b6f411f4

Download Submit
C:\Program Files\7-Zip\Lang\co.txt

Filesize
11KB

MD5
7ddb2afb758fe102ef8d4d19c2c26219

SHA1
ada803d73bb7919a4ec71802d1a0e9f4793face8

SHA256
c18b8b5ccb88795eb92a4ed54b5dc66e8d8ff036adfcf6d74e63317b304c408f

SHA512
f2e0ec180f50ae141be8e4a62ac0cfd341bd85798fda3defdf78c6d224029c9f1da9534337790e26e4dab554ab2c55e02a43a7b0963058969c777c047050999f

Download Submit
C:\Program Files\7-Zip\Lang\cs.txt

Filesize
9KB

MD5
dbdcfc996677513ea17c583511a5323b

SHA1
d655664bc98389ed916bed719203f286bab79d3c

SHA256
a6e329f37aca346ef64f2c08cc36568d5383d5b325c0caf758857ed3ff3953f2

SHA512
df495a8e8d50d7ec24abb55ce66b7e9b8118af63db3eb2153a321792d809f7559e41de3a9c16800347623ab10292aac2e1761b716cb5080e99a5c8726f7cc113

Download Submit
C:\Program Files\7-Zip\Lang\cy.txt

Filesize
4KB

MD5
6bdf25354b531370754506223b146600

SHA1
c2487c59eeeaa5c0bdb19d826fb1e926d691358e

SHA256
470eaf5e67f5ead5b8c3ecc1b5b21b29d16c73591eb0047b681660346e25b3fb

SHA512
c357b07c176175cc36a85c42d91b0cada79dbfb584bdf57f22a6cb11898f88aecf4392037d5cea3e1bc02df7493bb27b9509226f810f1875105bbc33c6ae3f20

Download Submit
C:\Program Files\7-Zip\Lang\da.txt

Filesize
7KB

MD5
c397e8ac4b966e1476adbce006bb49e4

SHA1
3e473e3bc11bd828a1e60225273d47c8121f3f2c

SHA256
5ccd481367f7d8c544de6177187aff53f1143ae451ae755ce9ed9b52c5f5d478

SHA512
cbbece415d16b9984c82bd8fa4c03dbd1fec58ed04e9ef0a860b74d451d03d1c7e07b23b3e652374a3b9128a7987414074c2a281087f24a77873cc45ec5aadd2

Download Submit
C:\Program Files\7-Zip\Lang\de.txt

Filesize
9KB

MD5
38582f79994872087e949087be309007

SHA1
7476974870949207739664d3a05ee3369b68763b

SHA256
50eb1f3dfbf20f03ed7b5edebc7b510fc94520e4c5c8d960f001427740b1fe71

SHA512
940f413f249e02010634041e2ca7f1e8320c13ef63929d08b77fd7935eaa1babc375d5441553116ad3b1192016fe048f477169ec3474d196a417cca8cfb0e48b

Download Submit
C:\Program Files\7-Zip\Lang\el.txt

Filesize
17KB

MD5
a5c9c5b3d31b480140022ac5d63b2a8f

SHA1
1c3bb0e61798073b490eb2786cdd05cf46f0becc

SHA256
8bee6dab891c8ca0c42d83b922b883acb9b32ed9f21abc32c4c4a58a29fb7cc8

SHA512
554b664b94398202eef6ce7c496d4a0d688e7e85d876c40b24cb47e1fb8c88380e1bfdcc7cf05af41671ea9df4830046a066f21a9f29314676915bd289b0ff25

Download Submit
C:\Program Files\7-Zip\Lang\en.ttt

Filesize
7KB

MD5
bf2e140e9d30d6c51d372638ba7f4bd9

SHA1
a4358379a21a050252d738f6987df587c0bd373d

SHA256
c218145bb039e1fd042fb1f5425b634a4bdc1f40b13801e33ed36cfdbda063ed

SHA512
b524388f7476c9a43e841746764ff59bdb1f8a1b4299353156081a854ee4435b94b34b1a87c299ec23f8909e0652222595b3177ee0392e3b8c0ff0a818db7f9a

Download Submit
C:\Program Files\7-Zip\Lang\eo.txt

Filesize
4KB

MD5
29caad3b73f6557f0306f4f6c6338235

SHA1
d4b3147f23c75de84287ad501e7403e0fce69921

SHA256
a6ef5a5a1e28d406fd78079d9cacf819b047a296adc7083d34f2bfb3d071e5af

SHA512
77618995d9cf90603c5d4ad60262832d8ad64c91a5e6944efd447a5cc082a381666d986bb294d7982c8721b0113f867b86490ca11bb3d46980132c9e4df1bd92

Download Submit
C:\Program Files\7-Zip\Lang\es.txt

Filesize
9KB

MD5
fd726a88e03aa84943ed42d2237ebec3

SHA1
41bc25feb77bcd83789219930218b66fafef79d9

SHA256
b1572724702a48dc1aaa6c0a34c63ddac5ee1f849b0239bc4d7b4a2f04665a1e

SHA512
f037eb12b0e9661295ca2a8ad30e94f90d82e5d395f239035ae03413854b3b24ae4071ad0de9f135f93d2f906ca606b88d9f0efddf0713b3d85daa7516a52ea3

Download Submit
C:\Program Files\7-Zip\Lang\et.txt

Filesize
6KB

MD5
d6a50c4139d0973776fc294ee775c2ac

SHA1
1881d68ae10d7eb53291b80bd527a856304078a0

SHA256
6b2718882bb47e905f1fdd7b75ece5cc233904203c1407c6f0dcdc5e08e276da

SHA512
0fd14b4fd9b613d04ef8747dcd6a47f6f7777ac35c847387c0ea4b217f198aa8ac54ea1698419d4122b808f852e9110d1780edcb61a4057c1e2774aa5382e727

Download Submit
C:\Program Files\7-Zip\Lang\eu.txt

Filesize
8KB

MD5
c90cd9f1e3d05b80aba527eb765cbf13

SHA1
66d1e1b250e2288f1e81322edc3a272fc4d0fffc

SHA256
a1c9d46b0639878951538f531bba69aeddd61e6ad5229e3bf9c458196851c7d8

SHA512
439375d01799da3500dfa48c54eb46f7b971a299dfebff31492f39887d53ed83df284ef196eb8bc07d99d0ec92be08a1bf1a7dbf0ce9823c85449cc6f948f24c

Download Submit
C:\Program Files\7-Zip\Lang\ext.txt

Filesize
7KB

MD5
459b9c72a423304ffbc7901f81588337

SHA1
0ba0a0d9668c53f0184c99e9580b90ff308d79be

SHA256
8075fd31b4ebb54603f69abb59d383dcef2f5b66a9f63bb9554027fd2949671c

SHA512
033ced457609563e0f98c66493f665b557ddd26fab9a603e9de97978d9f28465c5ac09e96f5f8e0ecd502d73df29305a7e2b8a0ad4ee50777a75d6ab8d996d7f

Download Submit
C:\Program Files\7-Zip\Lang\fa.txt

Filesize
12KB

MD5
741e0235c771e803c1b2a0b0549eac9d

SHA1
7839ae307e2690721ad11143e076c77d3b699a3c

SHA256
657f2aceb60d557f907603568b0096f9d94143ff5a624262bbfeb019d45d06d7

SHA512
f8662732464fa6a20f35edcce066048a6ba6811f5e56e9ca3d9aa0d198fc9517642b4f659a46d8cb8c87e890adc055433fa71380fb50189bc103d7fbb87e0be5

Download Submit
C:\Program Files\7-Zip\Lang\fi.txt

Filesize
8KB

MD5
a04b6a55f112679c7004226b6298f885

SHA1
06c2377ac6a288fe9edd42df0c52f63dce968312

SHA256
12cc4a2cef76045e07dafc7aec7cf6f16a646c0bb80873ec89a5ae0b4844443b

SHA512
88c7ed08b35558d6d2cd8713b5d045fba366010b8c7a4a7e315c0073cd510d3da41b0438f277d2e0e9043b6fcb87e8417eb5698ab18b3c3d24be7ff64b038e38

Download Submit
C:\Program Files\7-Zip\Lang\fr.txt

Filesize
9KB

MD5
fea8b58345c4df966c6e594149a131dc

SHA1
2ba9036a09b76e6a3eea425200ae96aee1b0cd0d

SHA256
e3c81a807bc965f97bbf349a602c6208e25a55611f8d1def85c2ea99ec12c7cd

SHA512
d4f91b6c7c37fb0a97e1b4a573e6aa8cf8f72fddf7b4175502d521db8bc671f87ad685b1056886d6a815085fd1b6896385b69c86f621cac98ad8230e41d1d192

Download Submit
C:\Program Files\7-Zip\descript.ion

Filesize
366B

MD5
eb7e322bdc62614e49ded60e0fb23845

SHA1
1bb477811ecdb01457790c46217b61cb53153b75

SHA256
1da513f5a4e8018b9ae143884eb3eaf72454b606fd51f2401b7cfd9be4dbbf4f

SHA512
8160b581a3f237d87e664d93310f5e85a42df793b3e22390093f9fb9a0a39950be6df2a713b55259fce5d5411d0499886a8039288d9481b4095fabadddbebb60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
1ca6cb4612073ca520a8c11e8c3cffdd

SHA1
64cb3f75e67b42b949d705144cdd267bdcca8905

SHA256
a103cf1d9462068e88af2393033008d45b33a7b20f6809bc071e4a3c72fce6ca

SHA512
2d5b430fbc7f29173027c0aa32dbcd34aa566ee78b43e8860114ef5dbd13ed4cd65c3a08e535a25e8b0607bdb398263b57862931a1fb4a6c2604a63b7395b456

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
eef846846642f1427d20f96d2a0e7225

SHA1
e82ec79d00d7725523773c72ec1ff5c96cec1c36

SHA256
c949f16b089b63f415e74c9fec0531f5882330c9fe92a06bdb46f4d8a3ba352e

SHA512
8a410bc9d959c6a819d87db35acf15ea83eae691b8123207d70d8a956bd363177a11cbde509d2ffe127e35c5ecd31be87bd4921139663604840188caec511108

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6b7c2fced872ffc2a87c658b7fa3ef94

SHA1
7cf7619bde5a8b1e7d0839761b0f8729a7371a5e

SHA256
265aeccd819ea1bdb556b6a3675a1eac59daabfa78b32792823432e5b94eb704

SHA512
a9b3a3b3da6cd3a4ae8cb8b9f77f5c70617c44f5084e625713d1e6993f92a302a32949b95daa1de2bd317378dd40868a9f27472c81d288fa88fd643594447448

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
20329d6cf6c3ae3a8e5241602b2770cc

SHA1
5521ae2e65af3117a98537710b310bd70c26db7d

SHA256
a5aeef5820a2b614b4df215a041ac54eced00d7730f7e4241c20fa3a8b938ad1

SHA512
01351da08aa9f7dbeb9f0770bb7cf2408de34a333cf758d5d8d794f85ac58dbd2f4e44eb6550dd70dba7fb3b4a443d19f60942c1d92e7bd9141d10dbe95021d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
664c76f90df2f96542aa1fee83f291b6

SHA1
d92125303f0ffb643476b53ad4fd64df65a96df5

SHA256
5e710f84c61c3bf3f39c32babbb215cd78792a561d0f54cd57998c095e3458e2

SHA512
57b16444bc4adc1705a175e47c15c685390820b05b6bbfd83f2a45e90a250c8226de413673a3772ae6fec792acf15eba0a1997b4505f687a48c6fce67bb6d872

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
99d3a3edb52fe3871c2550a62ba19ec2

SHA1
a75faff8f606733b3217d48b281585b5b20c6f52

SHA256
f0ad7f538b636321953bb2b5bad347611ea10f0567389745a26ba46ce1c009de

SHA512
21a8fee55361cc660069ff6d123808ac6dde6ca18b580750ba84b3f36ab8e8eef2f77f38dc528940d1a6d3a473afb6d5a5e2325bf17bc623891bef014b0a8a76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\efcc758c-2390-42c5-9021-e26f1b07ea55.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
78KB

MD5
3bb517a697df8a9db5a7a6ff10b12ce0

SHA1
50aec208b14471e925ca739051581f7f8e124e98

SHA256
7362b2109f79c1b26dd79d4a74311e3225099d649376927f7a85a97c6ef8b898

SHA512
e28bba13d4d0a575622b6ebd239bcfecfcee44ef9f9630d6cd064c85c2bf1e945ff05087259edb5e25703f73b152c06af9d1d0cd3bb3c595bf2da37ecfce39f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
76d397c506300cedc4a32e322d4b4dcb

SHA1
831ddff6938f6e7d8c79cb92353c49e3e15d49f0

SHA256
53703a4134affa31b1db809929e66b8a939cd03485fa5f59a819d9029de6312b

SHA512
44b526ac762dff3e529092694d69b1b2a4857d1b741c8c4f374c8ead8067b8e8bfbe7a2928888172530b72ee4f88a24c08a1539fd2b77d423c3e13032a37f895

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9dc60aef38e7832217e7fa02d6f0d9f6

SHA1
4f8539dc7d5739b36fe976a932338f459d066db6

SHA256
8a0ee0b6fafabb256571b691c2faf77c7244945faa749c72124d5eb43a197a32

SHA512
18371541811910992c2b84a8eae7e997e8627640bdb60b9e82751389e50931db9b3e206d31f4d9d2dc3ca25ea3a82c0be413ecb0ef3ac227a14e54f406eaa7e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7ac03b15b68af2d5cb5c8063057cc83e

SHA1
9b2d4db737f57322ff5c4bbddd765b3177f930ab

SHA256
b90d7596301470b389842eecb46bd3a8e614260b0d374d5c35a36afb9c71a700

SHA512
a5e9f40dd9040803046b0218fab6b058d49e5e2a3ada315e161fe9fc80ebb8d6d4442ccc1c98d19e561fc7c61bcf43d662fe2231cacacb447876a2113c2e3732

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
912B

MD5
8cb3a3433e13b84dbd1dc7fc3642fb06

SHA1
e4dc463a7c674fe05eae3890c6cfd807f702406c

SHA256
e767207673e2f2519cf09e3cd842f8983be8faed1a8046ebaf6406916f4a7f75

SHA512
cb26cc806145024fe639c6a829061a7764842142c41c6a3dba11154518fee026345c1d06e566d5504ace5e7c8090693d1a0ba9096c901a0769320b1f2fccfbed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
142a3380e6457aab37d3c0e4858295f5

SHA1
1b425eda9211990ead507d7e4e77b40be54d71f0

SHA256
b739f1ffa5f531a4aa6edf9dc17f631a5dd43a73584b75437d5659e9729f1c10

SHA512
b03fa04d33b81c625cc997950e4569f3224510b3b3f0fdfc1af0bf42dfc6984fea547a7497d8dfa4fa1098853cc0fbd7b5615e8e0168bbe8785ef0b5e5b40c89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
8222a0859f51d13fcdc4ae479ac4f53e

SHA1
2bcd9450a59ac4ce07b75f38ca5a142ed12ac500

SHA256
d840e4348b1079c828c3a2838f61520fa05e28c9284f3c212e67716b39b7e5d5

SHA512
418fe3ed47fa311b15eb7afc1c9a85e631977a320f8f57eb024a4622ffa97160a8aa24533c03a7e03f9338d8da5b8ac21e1375440cad7744faae91d53799381c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
2407bfb56766a74510032fd150d8d78c

SHA1
e40a0564d210651621cbbba23d305a6d466b95ef

SHA256
dc20f7b1234bf2b6befa69caa66181fc9642ce03039615afdfe6927d788fb874

SHA512
6060676d3d97b342649ad0644ec865e9c5024169fea000f26a65c6b1a816f60c0a2b4798d4b9c4fa871f1a16345fca6a8f14b2d4ac1e2ed22286923c7ba88282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
974b5b3ee647bad9dd6c4b9959e4ab71

SHA1
b90cc6748ba9714c6c9b4df6147b9c15421138e6

SHA256
ae0ab06c8da828fb684a3250dad20c29595303177130f28a3d5453a2db353924

SHA512
5a5c2d033ba659bba65e565a4b6de602736d61d9f2d43acdf7e82a315666eeb566382759fe546c9c449875a73df51489dd0d6998d3724df36ff81c3c19519558

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
53facfe44299423f4c55314c38c36806

SHA1
f5cdeffb7477f3da4e2618405f100559ce36b692

SHA256
5deb72ff7b1ba2a77ef5353e7cb67892ca46a322a49d423b490b2192fb83f285

SHA512
52e185c0469c2d0a97b2b55f7339b4bb5e77a850466a6e9b3003e4740a17c9964568ffc9656b46c89868fbc0e2e7e0b6b580e7c2e0463f441d58c041ed5ea571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
dcbdb3b1b7c96844b7bbbdf75c2f0ff5

SHA1
cbf509e4676c81773eb9e00d75290dd688f5d1e7

SHA256
585bcae389df518d7f7d34d49cb11f2b8e1e3c1084d100250cb1c8e17fd8795e

SHA512
5e04bb0d09e107af574de58408ce2d87b10bb7c3b246b327b1b4ce95a1cad30db87dcd5220a8da1472da0dbf887152b998b202924b4348ce64fbb95f001094b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cbbca7b9ef0795d18e487a5577a11cb8

SHA1
abda23fe810b50166c27ece58333f10369d913d6

SHA256
4602eb9d2a8926395358abd85aff5b8394a69bded214fbda9ce66be2d0082cfd

SHA512
3cbce996e921f67fcc0cbb83f131e58cac7489d69f0a15ee7666274ff277a15fe6eec69856171dcb83809353103fcbae31eb0a19f2934b1def742ffae929154d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2506e57f46e58ec15a4b99127efe732d

SHA1
d6286124b1a2e9e55831682064b70554c91aa36b

SHA256
5876494bd43db29f34a3c4f1d50502d54b65fb0c4a980e913b48f135e16919d3

SHA512
aa4f0550aa949e58ee1eb5233b4b315472c326ef167b3d7b39f172be10fe0dd0af7617407ad00d764f1c5878d02458f5441fd83c3f19a6f0fd63dda4fe36d3fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
829dd6a82b29f471b92b210c423e32af

SHA1
8776c8f5678473bf3bf74e51b6030881aa410efb

SHA256
25e21060923e155166161a778822af9ed3c656840629a052bdf0bdd1dc9d4f70

SHA512
21f02128c2154c555b8df793b0e07f22fc96513812b6d08ba33059616665d090f89ad06d67cc4de0fc42e6726ae61a2bf2daaff04fa828f0d0c8df9a8270b076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7aee0d77be8125b6402d25b749a80744

SHA1
44b98b158f003da30d875d35951da1b98f716f74

SHA256
fc1230bf3379dea2d52b43758fa37de0922a2c3b1c3965e00b91175c9ef6b7aa

SHA512
1ba630823f67d782095533d728f14f8c6785ecccf842881c9582616df95d0f095694ae15a40a21c5c19766b9f7dd845b0dd663d642cf1e3e71d4b7a63530efa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\85e76828-6778-4a9a-af75-6dd0f2390c57\index-dir\the-real-index

Filesize
2KB

MD5
be67e546d2b0051bc8899595237a98f5

SHA1
6582a1746e93fe5ce030464d5225b4766e8d9b9e

SHA256
cd1f2b0cb34432efe9697e048a98bcd5283b53907a261c963a7cac8819937f8b

SHA512
485adc28deeb578f3ad87484325088f3477a53b2f6dec2caa2fae2cfaea76faf56a5100dd037d7d6a6a4c395844ac03e6d00acbbec56b96719b892806dce332a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\85e76828-6778-4a9a-af75-6dd0f2390c57\index-dir\the-real-index

Filesize
2KB

MD5
f6eec0d5d1a1efda340ab2aa8252a3d3

SHA1
a1bf6a89eb729dc34636f64a1f492d2a666e3bda

SHA256
89309a573beb2a6d832ec204d0352983028fa4e087dba4c508df7cb309f016b7

SHA512
d8300fc38c249a0872da96357754a714122b341fdb7e758598b17c54a0a685620292164685d0339bf004c34e14d6f5e7ecf37bd2597e4bf6504752d56c1fc06b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\85e76828-6778-4a9a-af75-6dd0f2390c57\index-dir\the-real-index~RFe576fd1.TMP

Filesize
48B

MD5
e6f7d8bae90e6ecc5b0fa68e41a66fac

SHA1
9071edb7dd1f43803a8aaa7dadda710ed4cb565e

SHA256
56432ea0dbe39a30de1f7472bb74c411f69aa2c8a75989f3b8802f3a65bb4fef

SHA512
94d5ef775930dd1d6012be0a68be43ec4e46165684af1f90fbabe326075cc02db54e70515d34528ff95937aea425ba13fc1aa74d9796d95f534672bdd54ac21e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\a59c19f6-557d-4e6d-bc50-ca211d231be1\index-dir\the-real-index

Filesize
624B

MD5
cb3a9964b435a9cef716bf6f107b7c62

SHA1
65a2618f46c52ac7b53ea64575621a7fc20fa2b1

SHA256
2f76df69f182845c287aac10c915c57ad795d05e7f131e0a963e7199f04f692c

SHA512
c814ecdd3fa1447beaff68dcbdb7d638b4080e971c2e4e23963076dd682532a920b399e707f036b0fd8f00bc0cd5bbf6e07f42ba6b7edb91ed0d2b2b410af025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\a59c19f6-557d-4e6d-bc50-ca211d231be1\index-dir\the-real-index~RFe57d6f7.TMP

Filesize
48B

MD5
91c4e2be4485799727710efc90de1456

SHA1
62e0654716e988c8d3964aa389384d37c180f787

SHA256
4525c84b314c6112e894d2b358b1fb2550318763a9d54db47e91d2a18f5631ac

SHA512
2d11aa1f82c00024f5642bd752f8f48cdee580263a5876e218376832d41959e59d4a3d0bca81845daa4f9632e7225bc4ad346c226b5513bd39cb38b6d7d806b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f5c08b4d-98fd-4182-af0b-261da457f51f\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
148B

MD5
ea7d44b83f8d302008949fe43189b382

SHA1
2267f20d26e314c08c473f1171776a75b5e2e991

SHA256
0c41352a82d8be0e87ab47b53d9fd78efca2dad41e3815527cfce7571b3f371b

SHA512
fd40cde52130496ca1103666ce278784a8520e56447479d629792763539214c1f6be4cdbcae92cf98f5539493de697271277be5f59aacd672a4bf1db726aad9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
157B

MD5
b19ffabd32e1c1773abe1e05245cd4c0

SHA1
fe4de5cb85b8af8d7f92d57e945229449915b798

SHA256
38296822583f00b4468eb46a9f8f94813271b8c63f4fd8693beb0e2b30e92357

SHA512
d88f150ac06d20de2aac2ce56ef1c3e3a3eeeb05706996e9e9b4908ae6b6825e4f4de6d430ad762d6df9b08924986640ec501415d8398f1828510cb0d44f1c0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
52aa1ee4a3198e5369d26dcfd2955bd5

SHA1
0c276809579b10058c19d02065b4bd945074b7e8

SHA256
f6a350b5ebb7ab3b98e53e956f8c274b8736609d8f077db0c7682088c1eb116b

SHA512
8bc3f433bdef6f6d3c80d5ad76ea959c64e9b46147e5795c2727dcd54ee458e7a754832c9a106b72b68bdd652ac95a68ab52220ad225f94b85b2f0f44fbdaf86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
ccbecc0365540e3dc32b620a0b873bc4

SHA1
5d8fe76f4f24a5c5b75ebd155cd3e21373d30dbb

SHA256
bcf66effd297c912051f49f120d3ee92af8842486b719c640255d7f433008505

SHA512
ba6242cb0adddd8c6bae57550e16096e29f360290c0c223be052b9167a5d5a60a45d84f8bdf6105aeb3177a878d481b3df9d42eaf986e2f21b46402162d4f882

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
cec81aed566e4cd1bbb3c84546807dac

SHA1
34ab80219a019ae80d658bbbb5b131e8f2e63fd1

SHA256
3d18051c5eadae44c4e9d9bf5fe6fd32a4dff167e3114bd35b3241ee2f2fe9b5

SHA512
9a9dc86c6e6a043dc5774fe607571d2fb327905d937b42c07ebd6be38e1e2a75b31b1ff164c39c5f901d326ac9c9eea938973b6e575f45f522416993ee8bd2b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
8a1797660572419b3f98c1c35a1b8053

SHA1
5ab1c4f6d5c002c8675c7fdb238fd4e4d50939a0

SHA256
43910299af272d975045e10b7aa69708a9995917dd032118ec963f89f31a8b48

SHA512
18837c026923c740aba05dfa955efc1d9409e79603e5eebf1402dbdc00d6994d9de28c98efb4efe2ea4755a5310ce3d11fdff85ca325100ec05be86df3d5a184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
4e29d10fc06c02c7d094fb06984276e9

SHA1
8a8fd9f1c22e593d48f5629a7ddd7d495dd75a73

SHA256
4f537a37eb301f0aebf0353ad4f96aef359d761ec3c8dd6b5fcfeaab208dd2a9

SHA512
7975d539f5c384b335df1540f15a7b3f9b1f657c48de59e95006d50ea2c8f93426810ba2b7123a67bd7451ca254379a58b299f4c1353199941dee8d08d6e7119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
ffd0655254e2a4b9cf1116fe3a523b62

SHA1
ff53ed57375180f69fa67ea451e58554c05994e4

SHA256
17c1b2b529df82147a3af7f486f3d84f4cdbef648deb324e6b1485bbeec96d00

SHA512
e48739ae68f8641ad5edfed948a26888b5a3334cfd6e4c7afc0d778820fa9377b37832ef367ed6eac50dac2b2a57edb1edd399418a80db248d9a2db38cd7b805

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c534.TMP

Filesize
48B

MD5
94285c8c5a67c05d2bf48a6b5eb556a6

SHA1
23c401421ef384fa60071ac673283d790b219f26

SHA256
7b86a289f3961b39493484d7a736dd5cd203a51a44c05f827cc9b0bcc39a944a

SHA512
86d19856da12f03756f9ddf1632c42afb96581d6753eed4c310e4268e65ecf795124d5bea54c108574cfc08d617948dc0fce7aaeedb341460ae555d4ade91c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
09b8a6dbdd60e4b0797e4765f7b07650

SHA1
820122625d6f640835247501beacf65ee7cbc66a

SHA256
8fce7db6b5bc47b54dc7b6c62a4e0ac7de7436623031b351bc142f8b332b44cc

SHA512
e5bb867d28a6ee2e6dda358c4beb9b52e6608004eecaa5be53138a0e53838ec261b0dc0ac31ade43a6c5e4e55fcb379ea4f37a907bea26eda3f47dcccd5b48cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
451d8272837c37324d4d8f4879aceede

SHA1
fcd66689b170dea9c6cfc84c06e4fa4d7ffc4dc5

SHA256
b31ed5264daa186a10b04df2e5664c99d5e78b68b4d18f1471db844e5f902769

SHA512
cc0cd5686620d2bcca3847e6e179774bf727cd37c37edf49d1d633f5fe93ac2ca9d0a6e173d624528b30f38cf28059ae33ea9926e962fdd5cd1bf88146adc155

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8ea3c8435c0cd56e56f54f17ccec6b80

SHA1
6511c40d7acf8bc42476f0291ccfdfbcefd2f13c

SHA256
943837e247b3fcce7f2eba371b04aa9fad41e456e2a42f58abef548edfcad719

SHA512
3065026a11573d4f2dac04e72568541fa1d849c9dcb33b7ee1aa30066bbf207682105d334a7cf9b2182c720297ae8c4bee55d779356a34d6aa63bfa2c1f83249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579625.TMP

Filesize
706B

MD5
24cb7d8622a8fdb0122ee12646b116d8

SHA1
ffe879e2f741dca6674b2120cca2d940b8c6a502

SHA256
e5259f20967c0ec6f1adb939d64c37964535f0858c5a5ae5652386dff45c7e3a

SHA512
d1e46b6e881a25cab3b9b54badaabbcc3f1e29784a8dac28d6c98cb435ca9e6396502253696f28a6551184f01d52902ae021f4caa2df56c3777547643b3d9b68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3e38be95209e9f8576ebf373e610d2ef

SHA1
a46f4d13a2fa8b6dceff09e53b45c5e90508af60

SHA256
1e1b878b700b22a1b28794cade6b5e2b9365fb395ec5cea4fa047f90e0e373f7

SHA512
5cf988f591b49ad843ec345d42b939760352768e45285d93797c59438368c94d7e238ed3f972c5ccdb3fed1799eea8e49f56e6fc2c13941ff45a8cbd61d68615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4408864\Tight.pif

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4409064\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4409784\Tight.pif

Filesize
69B

MD5
7774285e3ebcad0ee1383c20afd009c1

SHA1
85032512c88be4440836ec98ef20fa088071e0c9

SHA256
1b66f14e747659a401df5aa57e07e383e611fa74cf2c697a0a7fa3f6a7e2acea

SHA512
2f85dbc58e89fe708bfa6124d21f671a3497ea51fc155abc09015a9d0750306b73cb994c1cbe04bfe8fe140b740de97e2cc94391dbf8571140b17329a6f4fdeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ballot

Filesize
174KB

MD5
048263c25239abbd5ecfffd24313bba3

SHA1
2b10d008b0ecd1c6f594b8017abd6a8d8a6f290d

SHA256
b469309b45bc77bde7d7593e0ac2b675f7698bed8a38ac973a7cbc7228573de7

SHA512
5563d68b85845d37566f7a7c980e9f821790e46047e9efbc1dcf13cdacb9883d0501ff80c4b7dff86cc3279f2240b8faf4ae4f6e4b444770564e4d0728b1e57c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\De

Filesize
52KB

MD5
e072dd1deee0bc3f1a544c725183ae73

SHA1
4dbc04900ab4f00d7112044e37897c25fcb7d491

SHA256
109e787154f2b5c1156c7261b510561d8e2d349d40ac4757931b2822d6c7a3a5

SHA512
da2a2061c38bd85e883029094e2e4fac14b53945cfd62b062e90960610d6d534da94c9f7aa310c47ecb565b1806ef186c9c2460ef5bb6b628d930e9324e2d70b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Jersey

Filesize
78KB

MD5
e23669cdf38b0893d18a8a32633e1447

SHA1
7acacfe1e7b440a4c8f51e7db5b00973e22a018d

SHA256
f44940459aeb945ea918ab10c0134865a828987a38a17d72031905f97b97f5e2

SHA512
16070adbd370511735c75c1101a90926af0d5ec10fabeeb556b4105abc94301f6c254204063fdd5e72499fccd835d39142a0247590da125ef68643344cbdabff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ln

Filesize
191KB

MD5
731603cce22e41ae5abf103fd9c6c315

SHA1
aa5cce06e8b30f76709411177bc5e8079f9cc4b7

SHA256
540e351768b15b80eb6b6ff57077b56219cb82c37ce6cd97af2b498a4752c73b

SHA512
b2f5173fa02d138f799e83c493a183948fb1da8387f07cc0ce3da33a5f44275a3fcc34ddc7af36c0350aa6f0a04401149bdf42722a45ad37a4648fca6285130c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Nhl

Filesize
53KB

MD5
3d9cfd7ee3b39be68779ef7c402b0f88

SHA1
97abda2bfa806ce568f40be1009f9e9fb02892cc

SHA256
a2044183bde2b08538b8a1f7ab20fbcd78c6ffbb957050ddbf2e79dbe950bd29

SHA512
a97446f4084609404431d94fb33d50eb235165eaddf324fa2a76143b3450b05480f3884e0da7cd5e9862e5a70b25c833b3b33c3cf1589f3207a3c1babc6abf58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Nominations

Filesize
28KB

MD5
a960bb0bfa890f7b17092927491951f5

SHA1
01ed334db20e3bd02eff9161de2f52c74c4a03ad

SHA256
9d3970eab9fb5a3c23e1ae22833685f4e028c6ce1c4e8c3bf166d840f46209e2

SHA512
3c4dfe56aadb7acd84e367ee66c9b83a787e338572c6ed5bdf68c81584bc9c5224db0a8416618f50f801b528c3b1e4f9c3424841823ed1087f47928f61c63b07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Phantom

Filesize
220KB

MD5
572bbdae8e009af0d2840f10feaa4fde

SHA1
cef63dac1cf2112676c2c6f1f34d8619f5d7c9de

SHA256
c07c20860d8aded0d53da2789d679b7dcffe5ecc741857ed5caae8c385a8dedf

SHA512
eaddb4814afad4159bc9678322262378c531b73f444812bc6b77b9b0fc0cbe6fc7ae9a7115d279ac82d668a7383c723d47f14a23b96b5de90467fe222412dfb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Plaza

Filesize
97KB

MD5
80b0185c61fb245926dec26217976e2a

SHA1
9ddb686647eeabb704c9c2bd46625ad898a48cfe

SHA256
0958ae8d97ac8e3285457a179f768eac30c8ef95cad6936492a0b76a6ba88f8a

SHA512
267055a9d6973571b9332cb6b30ae202ed84354e382d04194c6e28fd6a01c3c9f7e984e190a50c8047c36505b8ac3c4584c618ab1443f336b5a3d22c136292b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Precise

Filesize
139KB

MD5
14bf7d55effe56d8eb97e275df411f4e

SHA1
cb924a610c857aa8d13f1490b667cf96ebf89621

SHA256
0bd26eb862c76e036de851e5d4ba028b7bb70feb07a80da1b8b43ed9a798bdf6

SHA512
f7441a3f2163e63847ef0264867c29f08883ba76130bd0d079b7c829b39856d4682dee4b3ad6d61552524975e86c165d4857d493a7141f550cdd7a635e945122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Railway

Filesize
182KB

MD5
2df85c40fdae66b23d7be0bd2a6b12e0

SHA1
22c6eb371aebc8c12dc6b0e34ce625a177092710

SHA256
f9d331d0aad9f14726c1ab87c2a0224858bfc525ac1b70df0fcd8decf49ff906

SHA512
b213ca0a8738eb7e793292a8fa658a23292ae61f103f272bc5b70c834c25da36b168137887e901ce2b76986b6eaf38ed0f3fa64aa7d4fa7618a7923de4be62e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Spirits

Filesize
147KB

MD5
3d7a3c2178dfa66fa9af97342c929198

SHA1
9f61d84863c7cc71e53e325542798aeaf74c1d35

SHA256
eb28ac821250fcbca882d80c68d58a40ea8fe99606bf302f8d53ee7aa32a3b41

SHA512
cdfd9cbab8bc553f3253ef6e67647caba95fb2ffda57ae7e8ccb8e2ecd0212740048e679519cca13eed51b331dd4aba62db0c85a2dc323a4d326febc0edf094e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Survivors

Filesize
24KB

MD5
ec59908d44dae3c6763dfa1ff6e028d7

SHA1
692052f3a2b8ae0c3c833d79e879b04da2c6f2d9

SHA256
47b184b8d27dadc64fa276c3d1f43b048f7cd39b1d9f13ae746e316aee6dd133

SHA512
62f26d02cf268ef844006f22c5b3cb64cb6a24a3acbf6767f0928abbbbaf135d671808a0145940e7d89fac13e1575f8d9c64baaf6ae6550602dbdf1b4f90583c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tall

Filesize
99B

MD5
2deac528950398199abb1557e1760b0c

SHA1
36869327c9ff42859c62510f5714d32d8dc50b05

SHA256
df7ac59dcd9591f07f9a37f631f1cc92ed0cb0bc2e889cd69b83c8fecf3c990e

SHA512
9eb113c2de4e9d3f9f3a67ba7b3674dc288f0f852be5fb0a9901607d3517af674c5d0eaae9dc54aea1ec2b00fc10a7ce728f58ef268ac7678ea5da014990b28c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1EE2.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F24.tmp

Filesize
116KB

MD5
2a0d8214ae71aabb8b0128666ad6ccef

SHA1
ef2662291742adb1abc5673882f95d97e3c5aabd

SHA256
f6cbf320a2a65d4229bdebb9b49b14129cc2c28ac208353e150db9cb248105e3

SHA512
c8b29a768c6190b67589d535934445a4588ac5db8e3e2b3734621f5b8ca3aa600a52bf81c98a0f6e5b2c7a751fc1e047cc0438b3a3a892e4a9d11004f743feb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7B6D.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7BAE.tmp

Filesize
114KB

MD5
7c8954707ce768a5c5af744c5d8c8485

SHA1
7f3d703fd12277a5a9a53695205f15e1baf01969

SHA256
1a0e936c37570094b39d6f270c53dede1600b55f42ea127f538f3da7dc1be438

SHA512
b8b08a4d226ebdccf73766a776c0812e2fa0cf9e0637030440e421292bf22590d7c981ab274464e051dbe6175e0b7a41752aa6ff4997843d2a321d9c1b409965

Download Submit
C:\Users\Admin\Downloads\CEL3RY BY GODDY V3.2.1.zip

Filesize
9.5MB

MD5
627066057611ef9f4bb5259107a9e752

SHA1
8f0643f23a0cea2ff241815c96dd31a5cfba0255

SHA256
cc2956caa4a83e34181f290e6b51dc3eb909ca9b7737d25f6473359dc218d361

SHA512
ff687014cdfcbd1eeaa52d352d651233684dc7d55ef20d092c013064c604990c16b96f55424f9661b7195171c0a2829d7a9bdc8990181e56d7e2aa40cac1baac

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 797675.crdownload

Filesize
1.5MB

MD5
61ba723e67d41dd15e134b973f2d7262

SHA1
3282a5b7c20c7123ae6168f0c565d19930ffb6f6

SHA256
4931869d95ffa6f55788e3b5d92088f3fe590e13532b9d8e811a52e2b377bfb6

SHA512
b293d21403e8ac935a0ae8daf27a069b31b3b6c4d078d3966f2411e5df34094f9e0ea50c7fdb118ae7f2e7ca25a3b526f0bc172e769244bd92125858357ce0ff

Download Submit
memory/8-2064-0x0000000007F10000-0x0000000007F5C000-memory.dmp

Filesize
304KB

Download
memory/8-2059-0x0000000000760000-0x00000000007BA000-memory.dmp

Filesize
360KB

Download
memory/1224-2127-0x0000000000950000-0x00000000009AA000-memory.dmp

Filesize
360KB

Download
memory/1224-2137-0x0000000008240000-0x000000000828C000-memory.dmp

Filesize
304KB

Download
memory/1696-1953-0x0000000005800000-0x000000000580A000-memory.dmp

Filesize
40KB

Download
memory/1696-1952-0x0000000005630000-0x00000000056C2000-memory.dmp

Filesize
584KB

Download
memory/1696-1964-0x0000000008460000-0x0000000008472000-memory.dmp

Filesize
72KB

Download
memory/1696-1974-0x0000000009130000-0x00000000091A6000-memory.dmp

Filesize
472KB

Download
memory/1696-1971-0x00000000087B0000-0x0000000008816000-memory.dmp

Filesize
408KB

Download
memory/1696-1963-0x0000000008520000-0x000000000862A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-1965-0x00000000084C0000-0x00000000084FC000-memory.dmp

Filesize
240KB

Download
memory/1696-1966-0x0000000008630000-0x000000000867C000-memory.dmp

Filesize
304KB

Download
memory/1696-1962-0x0000000008890000-0x0000000008EA8000-memory.dmp

Filesize
6.1MB

Download
memory/1696-1951-0x0000000005AF0000-0x0000000006094000-memory.dmp

Filesize
5.6MB

Download
memory/1696-1919-0x0000000001100000-0x000000000115A000-memory.dmp

Filesize
360KB

Download
memory/1696-1978-0x000000000A2D0000-0x000000000A7FC000-memory.dmp

Filesize
5.2MB

Download
memory/1696-1975-0x00000000090B0000-0x00000000090CE000-memory.dmp

Filesize
120KB

Download
memory/1696-1977-0x0000000009BD0000-0x0000000009D92000-memory.dmp

Filesize
1.8MB

Download
memory/3472-2243-0x0000000000900000-0x000000000095A000-memory.dmp

Filesize
360KB

Download