hxxps://drive[.]google[.]com/file/d/1rir_FU78BjbLxAw0lbhoU-e_8WZj4cR0/view?usp=sharing

Analysis

max time kernel
663s
max time network
593s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1rir_FU78BjbLxAw0lbhoU-e_8WZj4cR0/view?usp=sharing

Score

9^/10

credential_access discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	EnchantedWoods.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	EnchantedWoods.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	EnchantedWoods.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	EnchantedWoods.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 15 IoCs

pid	Process
3516	7zFM.exe
444	EnchantedWoods Setup 2.0.0.exe
3892	EnchantedWoods.exe
3952	EnchantedWoods.exe
2256	EnchantedWoods.exe
1644	EnchantedWoods.exe
2396	EnchantedWoods.exe
4776	EnchantedWoods.exe
3844	EnchantedWoods.exe
5052	EnchantedWoods.exe
4748	EnchantedWoods.exe
4380	EnchantedWoods.exe
4808	EnchantedWoods.exe
4324	EnchantedWoods.exe
3088	EnchantedWoods.exe

Loads dropped DLL 46 IoCs

pid	Process
3516	7zFM.exe
444	EnchantedWoods Setup 2.0.0.exe
444	EnchantedWoods Setup 2.0.0.exe
444	EnchantedWoods Setup 2.0.0.exe
444	EnchantedWoods Setup 2.0.0.exe
444	EnchantedWoods Setup 2.0.0.exe
444	EnchantedWoods Setup 2.0.0.exe
444	EnchantedWoods Setup 2.0.0.exe
3892	EnchantedWoods.exe
3952	EnchantedWoods.exe
3892	EnchantedWoods.exe
3952	EnchantedWoods.exe
3952	EnchantedWoods.exe
3952	EnchantedWoods.exe
3952	EnchantedWoods.exe
3892	EnchantedWoods.exe
2256	EnchantedWoods.exe
1644	EnchantedWoods.exe
2396	EnchantedWoods.exe
4776	EnchantedWoods.exe
4776	EnchantedWoods.exe
4776	EnchantedWoods.exe
4776	EnchantedWoods.exe
4776	EnchantedWoods.exe
1644	EnchantedWoods.exe
1644	EnchantedWoods.exe
3844	EnchantedWoods.exe
5052	EnchantedWoods.exe
4748	EnchantedWoods.exe
5052	EnchantedWoods.exe
5052	EnchantedWoods.exe
5052	EnchantedWoods.exe
5052	EnchantedWoods.exe
3844	EnchantedWoods.exe
3844	EnchantedWoods.exe
4380	EnchantedWoods.exe
4324	EnchantedWoods.exe
4808	EnchantedWoods.exe
4808	EnchantedWoods.exe
4808	EnchantedWoods.exe
4808	EnchantedWoods.exe
4808	EnchantedWoods.exe
4380	EnchantedWoods.exe
4380	EnchantedWoods.exe
3088	EnchantedWoods.exe
3088	EnchantedWoods.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
70	drive.google.com
71	drive.google.com
149	drive.google.com
9	drive.google.com
14	drive.google.com
63	drive.google.com
64	drive.google.com
90	drive.google.com
10	drive.google.com
13	drive.google.com
19	drive.google.com

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to get system information.

execution

PowerShell

T1059.001

pid	Process
6032	powershell.exe
2568	powershell.exe
4656	powershell.exe
3792	powershell.exe
5264	powershell.exe
1732	powershell.exe
5208	powershell.exe
728	powershell.exe
5532	powershell.exe
1564	powershell.exe
1476	powershell.exe
4448	powershell.exe
4876	powershell.exe
2552	powershell.exe
456	powershell.exe
2224	powershell.exe
4684	powershell.exe
5752	powershell.exe
1784	powershell.exe
6124	powershell.exe
2744	powershell.exe
5224	powershell.exe
764	powershell.exe
1684	powershell.exe
3700	powershell.exe
5060	powershell.exe
4664	powershell.exe
4272	powershell.exe
2064	powershell.exe
1968	powershell.exe
2892	powershell.exe
3080	powershell.exe
5072	powershell.exe
3164	powershell.exe
4964	powershell.exe
3152	powershell.exe
3792	powershell.exe
5232	powershell.exe
2624	powershell.exe
4236	powershell.exe
1020	powershell.exe
3128	powershell.exe
1564	powershell.exe
4108	powershell.exe
4832	powershell.exe
4956	powershell.exe
5948	powershell.exe
4272	powershell.exe
3732	powershell.exe
2816	powershell.exe
4944	powershell.exe
5504	powershell.exe
1424	powershell.exe
4996	powershell.exe
1604	powershell.exe
4008	powershell.exe
876	powershell.exe
4312	powershell.exe
1768	powershell.exe
2736	powershell.exe
1596	powershell.exe
3380	powershell.exe
5568	powershell.exe
4288	powershell.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
5524	tasklist.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2408-x64.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2408-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2408-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EnchantedWoods Setup 2.0.0.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133708035642990228"	chrome.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{E0C24DCB-3A88-4536-851E-3ADE451898A7}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{AF060F3A-84E2-49DE-AC3B-0FDC5A246A5B}	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
444	EnchantedWoods Setup 2.0.0.exe
444	EnchantedWoods Setup 2.0.0.exe
5524	tasklist.exe
5524	tasklist.exe
4964	powershell.exe
4964	powershell.exe
4964	powershell.exe
4956	powershell.exe
4956	powershell.exe
4956	powershell.exe
3792	powershell.exe
3792	powershell.exe
3792	powershell.exe
2552	powershell.exe
2552	powershell.exe
2552	powershell.exe
5208	powershell.exe
5208	powershell.exe
5208	powershell.exe
6032	powershell.exe
6032	powershell.exe
6032	powershell.exe
3380	powershell.exe
3380	powershell.exe
3380	powershell.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
5356	powershell.exe
5356	powershell.exe
5356	powershell.exe
5752	powershell.exe
5752	powershell.exe
5752	powershell.exe
1424	powershell.exe
1424	powershell.exe
1424	powershell.exe
112	powershell.exe
112	powershell.exe
112	powershell.exe
1732	powershell.exe
1732	powershell.exe
1732	powershell.exe
4236	powershell.exe
4236	powershell.exe
4236	powershell.exe
1968	powershell.exe
1968	powershell.exe
1968	powershell.exe
1560	powershell.exe
1560	powershell.exe
1560	powershell.exe
1768	powershell.exe
1768	powershell.exe
1768	powershell.exe
2064	powershell.exe
2064	powershell.exe
2064	powershell.exe
6072	powershell.exe
6072	powershell.exe
6072	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
2304	OpenWith.exe
4956	OpenWith.exe
3516	7zFM.exe
4980	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	5112	svchost.exe
Token: SeRestorePrivilege	5112	svchost.exe
Token: SeSecurityPrivilege	5112	svchost.exe
Token: SeTakeOwnershipPrivilege	5112	svchost.exe
Token: 35	5112	svchost.exe
Token: SeRestorePrivilege	3516	7zFM.exe
Token: 35	3516	7zFM.exe
Token: SeSecurityPrivilege	3516	7zFM.exe
Token: SeDebugPrivilege	5524	tasklist.exe
Token: SeSecurityPrivilege	444	EnchantedWoods Setup 2.0.0.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeIncreaseQuotaPrivilege	4964	powershell.exe
Token: SeSecurityPrivilege	4964	powershell.exe
Token: SeTakeOwnershipPrivilege	4964	powershell.exe
Token: SeLoadDriverPrivilege	4964	powershell.exe
Token: SeSystemProfilePrivilege	4964	powershell.exe
Token: SeSystemtimePrivilege	4964	powershell.exe
Token: SeProfSingleProcessPrivilege	4964	powershell.exe
Token: SeIncBasePriorityPrivilege	4964	powershell.exe
Token: SeCreatePagefilePrivilege	4964	powershell.exe
Token: SeBackupPrivilege	4964	powershell.exe
Token: SeRestorePrivilege	4964	powershell.exe
Token: SeShutdownPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeSystemEnvironmentPrivilege	4964	powershell.exe
Token: SeRemoteShutdownPrivilege	4964	powershell.exe
Token: SeUndockPrivilege	4964	powershell.exe
Token: SeManageVolumePrivilege	4964	powershell.exe
Token: 33	4964	powershell.exe
Token: 34	4964	powershell.exe
Token: 35	4964	powershell.exe
Token: 36	4964	powershell.exe
Token: SeShutdownPrivilege	3892	EnchantedWoods.exe
Token: SeCreatePagefilePrivilege	3892	EnchantedWoods.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeIncreaseQuotaPrivilege	4956	powershell.exe
Token: SeSecurityPrivilege	4956	powershell.exe
Token: SeTakeOwnershipPrivilege	4956	powershell.exe
Token: SeLoadDriverPrivilege	4956	powershell.exe
Token: SeSystemProfilePrivilege	4956	powershell.exe
Token: SeSystemtimePrivilege	4956	powershell.exe
Token: SeProfSingleProcessPrivilege	4956	powershell.exe
Token: SeIncBasePriorityPrivilege	4956	powershell.exe
Token: SeCreatePagefilePrivilege	4956	powershell.exe
Token: SeBackupPrivilege	4956	powershell.exe
Token: SeRestorePrivilege	4956	powershell.exe
Token: SeShutdownPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeSystemEnvironmentPrivilege	4956	powershell.exe
Token: SeRemoteShutdownPrivilege	4956	powershell.exe
Token: SeUndockPrivilege	4956	powershell.exe
Token: SeManageVolumePrivilege	4956	powershell.exe
Token: 33	4956	powershell.exe
Token: 34	4956	powershell.exe
Token: 35	4956	powershell.exe
Token: 36	4956	powershell.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeIncreaseQuotaPrivilege	3792	powershell.exe
Token: SeSecurityPrivilege	3792	powershell.exe
Token: SeTakeOwnershipPrivilege	3792	powershell.exe
Token: SeLoadDriverPrivilege	3792	powershell.exe
Token: SeSystemProfilePrivilege	3792	powershell.exe
Token: SeSystemtimePrivilege	3792	powershell.exe
Token: SeProfSingleProcessPrivilege	3792	powershell.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
3516	7zFM.exe
3516	7zFM.exe
3516	7zFM.exe
1228	powershell.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5040	OpenWith.exe
1896	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
2304	OpenWith.exe
5504	7z2408-x64.exe
5468	7z2408-x64.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5964 wrote to memory of 3440	5964	AcroRd32.exe	149
PID 5964 wrote to memory of 3440	5964	AcroRd32.exe	149
PID 5964 wrote to memory of 3440	5964	AcroRd32.exe	149
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 1620	3440	RdrCEF.exe	150
PID 3440 wrote to memory of 3520	3440	RdrCEF.exe	151
PID 3440 wrote to memory of 3520	3440	RdrCEF.exe	151
PID 3440 wrote to memory of 3520	3440	RdrCEF.exe	151
PID 3440 wrote to memory of 3520	3440	RdrCEF.exe	151
PID 3440 wrote to memory of 3520	3440	RdrCEF.exe	151
PID 3440 wrote to memory of 3520	3440	RdrCEF.exe	151
PID 3440 wrote to memory of 3520	3440	RdrCEF.exe	151
PID 3440 wrote to memory of 3520	3440	RdrCEF.exe	151
PID 3440 wrote to memory of 3520	3440	RdrCEF.exe	151
PID 3440 wrote to memory of 3520	3440	RdrCEF.exe	151
PID 3440 wrote to memory of 3520	3440	RdrCEF.exe	151
PID 3440 wrote to memory of 3520	3440	RdrCEF.exe	151
PID 3440 wrote to memory of 3520	3440	RdrCEF.exe	151
PID 3440 wrote to memory of 3520	3440	RdrCEF.exe	151
PID 3440 wrote to memory of 3520	3440	RdrCEF.exe	151
PID 3440 wrote to memory of 3520	3440	RdrCEF.exe	151
PID 3440 wrote to memory of 3520	3440	RdrCEF.exe	151
PID 3440 wrote to memory of 3520	3440	RdrCEF.exe	151
PID 3440 wrote to memory of 3520	3440	RdrCEF.exe	151
PID 3440 wrote to memory of 3520	3440	RdrCEF.exe	151

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1rir_FU78BjbLxAw0lbhoU-e_8WZj4cR0/view?usp=sharing
1⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4156,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=5000 /prefetch:1
1⤵
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4160,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=3808 /prefetch:1
1⤵
PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=1740,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=5460 /prefetch:1
1⤵
PID:776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5480,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=5632 /prefetch:8
1⤵
PID:3512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5636,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=5708 /prefetch:8
1⤵
PID:3256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6048,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=6004 /prefetch:2
1⤵
PID:4460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5456,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=6256 /prefetch:1
1⤵
PID:4224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6444,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=6472 /prefetch:1
1⤵
PID:880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5652,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=4848 /prefetch:8
1⤵
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6936,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=6960 /prefetch:1
1⤵
PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6932,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=6944 /prefetch:1
1⤵
PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=7016,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=7044 /prefetch:8
1⤵
PID:3428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=7048,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=7036 /prefetch:1
1⤵
PID:2892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=7560,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=7444 /prefetch:8
1⤵
PID:4172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=7704,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=7724 /prefetch:8
1⤵
PID:3168

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5040

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1896

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2304

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=6656,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=6448 /prefetch:8
1⤵
PID:5528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=6660,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=4372 /prefetch:8
1⤵
PID:5760

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x4f4
1⤵
PID:5808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=7072,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=6968 /prefetch:8
1⤵
PID:5868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --field-trial-handle=6160,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=6232 /prefetch:1
1⤵
PID:5908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --field-trial-handle=7928,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=7888 /prefetch:1
1⤵
PID:5996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --field-trial-handle=6148,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=7620 /prefetch:8
1⤵
- Modifies registry class
PID:6076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --field-trial-handle=7952,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=7984 /prefetch:1
1⤵
PID:6140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --field-trial-handle=7892,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=6172 /prefetch:1
1⤵
PID:888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --field-trial-handle=8004,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=7876 /prefetch:1
1⤵
PID:5244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --field-trial-handle=7832,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=7860 /prefetch:1
1⤵
PID:5332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=8348,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=8388 /prefetch:8
1⤵
PID:696

C:\Users\Admin\Downloads\7z2408-x64.exe
"C:\Users\Admin\Downloads\7z2408-x64.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5504

C:\Users\Admin\Downloads\7z2408-x64.exe
"C:\Users\Admin\Downloads\7z2408-x64.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --field-trial-handle=7788,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=7344 /prefetch:1
1⤵
PID:6140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --field-trial-handle=8168,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=7848 /prefetch:1
1⤵
PID:2424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --field-trial-handle=6312,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=6400 /prefetch:1
1⤵
PID:3880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=8364,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=8136 /prefetch:8
1⤵
PID:5668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=8360,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=8372 /prefetch:8
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4956

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\__EnchantedWoods_1.rar"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:5964
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4064559F7CE656476E0CEDB455C111FC --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1620
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8F06618329A9019BD76CDF238CCC9092 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8F06618329A9019BD76CDF238CCC9092 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3520
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E18FBCE8CF606F91193DD3923E8F84C3 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1060
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3F22D0EB3FDCFB7CF2201C6054C6130C --mojo-platform-channel-handle=1816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5436

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3516

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4980

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:5404

C:\Users\Admin\Downloads\EnchantedWoods Setup 2.0.0.exe
"C:\Users\Admin\Downloads\EnchantedWoods Setup 2.0.0.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:444
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq EnchantedWoods.exe" /FO csv | "C:\Windows\system32\find.exe" "EnchantedWoods.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5936
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq EnchantedWoods.exe" /FO csv
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5524
- - C:\Windows\SysWOW64\find.exe
    "C:\Windows\system32\find.exe" "EnchantedWoods.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4884

C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe
"C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3892
- C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe
  "C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\EnchantedWoods" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1756,i,12835550010421395465,4965152420838278170,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1748 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4964
- C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe
  "C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\EnchantedWoods" --field-trial-handle=1588,i,12835550010421395465,4965152420838278170,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2036 /prefetch:3
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:6032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  PID:5448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}""
  2⤵
  PID:4324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}"
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:1228

C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe
"C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:1644
- C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe
  "C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\EnchantedWoods" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1768,i,7941537844542185926,6037654816867190903,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1760 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4776
- C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe
  "C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\EnchantedWoods" --field-trial-handle=1960,i,7941537844542185926,6037654816867190903,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1956 /prefetch:3
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  PID:5076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  PID:5780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  PID:5080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  PID:4188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  PID:4672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}""
  2⤵
  PID:5912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}"
    3⤵
    PID:5304

C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe
"C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3844
- C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe
  "C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\EnchantedWoods" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1800,i,4219245889533938581,1296332884117188143,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1792 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5052
- C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe
  "C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\EnchantedWoods" --field-trial-handle=1968,i,4219245889533938581,1296332884117188143,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1832 /prefetch:3
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  PID:5256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  PID:4112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  PID:4580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}""
  2⤵
  PID:5820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}"
    3⤵
    PID:4656

C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe
"C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4380
- C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe
  "C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\EnchantedWoods" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1768,i,3051978352714935433,12197451649418804141,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1760 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4808
- C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe
  "C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\EnchantedWoods" --field-trial-handle=1916,i,3051978352714935433,12197451649418804141,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1912 /prefetch:3
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  PID:3640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  PID:4604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  PID:5976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  PID:5160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  PID:788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  PID:3964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  PID:3616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}""
  2⤵
  PID:2492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}"
    3⤵
    PID:5892
- C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe
  "C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\EnchantedWoods.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\EnchantedWoods" --gpu-preferences=UAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAhAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2660,i,3051978352714935433,12197451649418804141,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff85f45cc40,0x7ff85f45cc4c,0x7ff85f45cc58
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,3567367593798547923,15208564860290570633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2076,i,3567367593798547923,15208564860290570633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,3567367593798547923,15208564860290570633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2444 /prefetch:8
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,3567367593798547923,15208564860290570633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3316,i,3567367593798547923,15208564860290570633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4576,i,3567367593798547923,15208564860290570633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4864,i,3567367593798547923,15208564860290570633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4904 /prefetch:8
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:5736
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff63c8d4698,0x7ff63c8d46a4,0x7ff63c8d46b0
    3⤵
    PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4684,i,3567367593798547923,15208564860290570633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:5208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4896,i,3567367593798547923,15208564860290570633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=860,i,3567367593798547923,15208564860290570633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4892,i,3567367593798547923,15208564860290570633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4912,i,3567367593798547923,15208564860290570633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5304,i,3567367593798547923,15208564860290570633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4940,i,3567367593798547923,15208564860290570633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5696,i,3567367593798547923,15208564860290570633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5888,i,3567367593798547923,15208564860290570633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5868 /prefetch:8
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5852,i,3567367593798547923,15208564860290570633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  - Modifies registry class
  PID:180

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.chm

Filesize
117KB

MD5
99b88f4d6d13713053db06b449ed6a9f

SHA1
f718e09a42e9ec49db060589d24135ca6929e8e0

SHA256
f830ddc5280d00e1cb160f9e5dd114292d5efef66c23c3c03c224894250bac2f

SHA512
9f1cb9ad8023b340c82e987bab33cddd817e3ece892aca7350650343396d4dc5d00cfd99c0718a862280c81d7d525c5e870390e1cdfdb4987b6663b1394cf1fc

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp2

Filesize
99KB

MD5
d346530e648e15887ae88ea34c82efc9

SHA1
5644d95910852e50a4b42375bddfef05f6b3490f

SHA256
f972b164d9a90821be0ea2f46da84dd65f85cd0f29cd1abba0c8e9a7d0140902

SHA512
62db21717f79702cbdd805109f30f51a7f7ff5f751dc115f4c95d052c5405eb34d5e8c5a83f426d73875591b7d463f00f686c182ef3850db2e25989ae2d83673

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
963KB

MD5
004d7851f74f86704152ecaaa147f0ce

SHA1
45a9765c26eb0b1372cb711120d90b5f111123b3

SHA256
028cf2158df45889e9a565c9ce3c6648fb05c286b97f39c33317163e35d6f6be

SHA512
16ebda34803977a324f5592f947b32f5bb2362dd520dc2e97088d12729024498ddfa6800694d37f2e6e5c6fc8d4c6f603414f0c033df9288efc66a2c39b5ec29

Download Submit
C:\Program Files\7-Zip\Lang\af.txt

Filesize
4KB

MD5
df216fae5b13d3c3afe87e405fd34b97

SHA1
787ccb4e18fc2f12a6528adbb7d428397fc4678a

SHA256
9cf684ea88ea5a479f510750e4089aee60bbb2452aa85285312bafcc02c10a34

SHA512
a6eee3d60b88f9676200b40ca9c44cc4e64cf555d9b8788d4fde05e05b8ca5da1d2c7a72114a18358829858d10f2beff094afd3bc12b370460800040537cff68

Download Submit
C:\Program Files\7-Zip\Lang\ar.txt

Filesize
12KB

MD5
5747381dc970306051432b18fb2236f2

SHA1
20c65850073308e498b63e5937af68b2e21c66f3

SHA256
85a26c7b59d6d9932f71518ccd03eceeba42043cb1707719b72bfc348c1c1d72

SHA512
3306e15b2c9bb2751b626f6f726de0bcafdc41487ba11fabfcef0a6a798572b29f2ee95384ff347b3b83b310444aaeec23e12bb3ddd7567222a0dd275b0180ff

Download Submit
C:\Program Files\7-Zip\Lang\ast.txt

Filesize
4KB

MD5
1cf6411ff9154a34afb512901ba3ee02

SHA1
958f7ff322475f16ca44728349934bc2f7309423

SHA256
f5f2174daf36e65790c7f0e9a4496b12e14816dad2ee5b1d48a52307076be35f

SHA512
b554c1ab165a6344982533cceed316d7f73b5b94ce483b5dc6fb1f492c6b1914773027d31c35d60ab9408669520ea0785dc0d934d3b2eb4d78570ff7ccbfcf9c

Download Submit
C:\Program Files\7-Zip\Lang\az.txt

Filesize
10KB

MD5
9cd3a23ca6f66f570607f63be6aa0001

SHA1
912837c29c0e07470e257c21775b7513e9af4475

SHA256
1da941116e20e69f61a4a68481797e302c11fcf462ca7203a565588b26011615

SHA512
c90ead15096009b626b06f9eae1b004f4adba5d18ccdb5c7d92694d36903760541f8aa7352be96466f2b0775c69f850605988fa4ef86f3de4fca34f7b645457e

Download Submit
C:\Program Files\7-Zip\Lang\ba.txt

Filesize
10KB

MD5
387ff78cf5f524fc44640f3025746145

SHA1
8480e549d00003de262b54bc342af66049c43d3b

SHA256
8a85c3fcb5f81157490971ee4f5e6b9e4f80be69a802ebed04e6724ce859713f

SHA512
7851633ee62c00fa2c68f6f59220a836307e6dde37eae5e5dca3ca254d167e305fe1eb342f93112032dadafe9e9608c97036ac489761f7bdc776a98337152344

Download Submit
C:\Program Files\7-Zip\Lang\be.txt

Filesize
11KB

MD5
b1dd654e9d8c8c1b001f7b3a15d7b5d3

SHA1
5a933ae8204163c90c00d97ba0c589f4d9f3f532

SHA256
32071222af04465a3d98bb30e253579aa4beceaeb6b21ac7c15b25f46620bf30

SHA512
0137900aeb21f53e4af4027ea15eed7696ed0156577fe6194c2b2097f5fb9d201e7e9d52a51a26ae9a426f8137692154d80676f8705f335fed9ae7e0e1d0a10e

Download Submit
C:\Program Files\7-Zip\Lang\bg.txt

Filesize
17KB

MD5
2d0c8197d84a083ef904f8f5608afe46

SHA1
5ae918d2bb3e9337538ef204342c5a1d690c7b02

SHA256
62c6f410d011a109abecb79caa24d8aeb98b0046d329d611a4d07e66460eef3f

SHA512
3243d24bc9fdb59e1964e4be353c10b6e9d4229ef903a5ace9c0cb6e1689403173b11db022ca2244c1ef0f568be95f21915083a8c5b016f07752026d332878a4

Download Submit
C:\Program Files\7-Zip\Lang\bn.txt

Filesize
14KB

MD5
771c8b73a374cb30df4df682d9c40edf

SHA1
46aa892c3553bddc159a2c470bd317d1f7b8af2a

SHA256
3f55b2ec5033c39c159593c6f5ece667b92f32938b38fcaf58b4b2a98176c1fc

SHA512
8dcc9cc13322c4504ee49111e1f674809892900709290e58a4e219053b1f78747780e1266e1f4128c0c526c8c37b1a5d1a452eefba2890e3a5190eebe30657ba

Download Submit
C:\Program Files\7-Zip\Lang\br.txt

Filesize
4KB

MD5
07504a4edab058c2f67c8bcb95c605dd

SHA1
3e2ae05865fb474f10b396bfefd453c074f822fa

SHA256
432bdb3eaa9953b084ee14eee8fe0abbc1b384cbdd984ccf35f0415d45aabba8

SHA512
b3f54d695c2a12e97c93af4df09ce1800b49e40302bec7071a151f13866edfdfafc56f70de07686650a46a8664608d8d3ea38c2939f2f1630ce0bf968d669ccc

Download Submit
C:\Program Files\7-Zip\Lang\ca.txt

Filesize
8KB

MD5
264fb4b86bcfb77de221e063beebd832

SHA1
a2eb0a43ea4002c2d8b5817a207eb24296336a20

SHA256
07b5c0ac13d62882bf59db528168b6f0ffdf921d5442fae46319e84c90be3203

SHA512
8d1a73e902c50fd390b9372483ebd2ec58d588bacf0a3b8c8b9474657c67705b6a284bb16bba4326d314c7a3cc11caf320da38d5acb42e685ed2f8a8b6f411f4

Download Submit
C:\Program Files\7-Zip\Lang\co.txt

Filesize
11KB

MD5
de64842f09051e3af6792930a0456b16

SHA1
498b92a35f2a14101183ebe8a22c381610794465

SHA256
dcfb95b47a4435eb7504b804da47302d8a62bbe450dadf1a34baea51c7f60c77

SHA512
5dabeed739a753fd20807400dfc84f7bf1eb544704660a74afcf4e0205b7c71f1ddcf9f79ac2f7b63579735a38e224685b0125c49568cbde2d9d6add4c7d0ed8

Download Submit
C:\Program Files\7-Zip\Lang\cs.txt

Filesize
9KB

MD5
dbdcfc996677513ea17c583511a5323b

SHA1
d655664bc98389ed916bed719203f286bab79d3c

SHA256
a6e329f37aca346ef64f2c08cc36568d5383d5b325c0caf758857ed3ff3953f2

SHA512
df495a8e8d50d7ec24abb55ce66b7e9b8118af63db3eb2153a321792d809f7559e41de3a9c16800347623ab10292aac2e1761b716cb5080e99a5c8726f7cc113

Download Submit
C:\Program Files\7-Zip\Lang\cy.txt

Filesize
4KB

MD5
6bdf25354b531370754506223b146600

SHA1
c2487c59eeeaa5c0bdb19d826fb1e926d691358e

SHA256
470eaf5e67f5ead5b8c3ecc1b5b21b29d16c73591eb0047b681660346e25b3fb

SHA512
c357b07c176175cc36a85c42d91b0cada79dbfb584bdf57f22a6cb11898f88aecf4392037d5cea3e1bc02df7493bb27b9509226f810f1875105bbc33c6ae3f20

Download Submit
C:\Program Files\7-Zip\Lang\da.txt

Filesize
7KB

MD5
c397e8ac4b966e1476adbce006bb49e4

SHA1
3e473e3bc11bd828a1e60225273d47c8121f3f2c

SHA256
5ccd481367f7d8c544de6177187aff53f1143ae451ae755ce9ed9b52c5f5d478

SHA512
cbbece415d16b9984c82bd8fa4c03dbd1fec58ed04e9ef0a860b74d451d03d1c7e07b23b3e652374a3b9128a7987414074c2a281087f24a77873cc45ec5aadd2

Download Submit
C:\Program Files\7-Zip\Lang\de.txt

Filesize
9KB

MD5
1e30a705da680aaeceaec26dcf2981de

SHA1
965c8ed225fb3a914f63164e0df2d5a24255c3d0

SHA256
895f76bfa4b1165e4c5a11bdab70a774e7d05d4bbdaec0230f29dcc85d5d3563

SHA512
ff96e6578a1ee38db309e72a33f5de7960edcc260ca1f5d899a822c78595cc761fedbdcdd10050378c02d8a36718d76c18c6796498e2574501011f9d988da701

Download Submit
C:\Program Files\7-Zip\Lang\el.txt

Filesize
17KB

MD5
5894a446df1321fbdda52a11ff402295

SHA1
a08bf21d20f8ec0fc305c87c71e2c94b98a075a4

SHA256
2dd2130f94d31262b12680c080c96b38ad55c1007f9e610ec8473d4bb13d2908

SHA512
0a2c3d24e7e9add3ca583c09a63ba130d0088ed36947b9f7b02bb48be4d30ef8dc6b8d788535a941f74a7992566b969adf3bd729665e61bfe22b67075766f8de

Download Submit
C:\Program Files\7-Zip\Lang\en.ttt

Filesize
7KB

MD5
bf2e140e9d30d6c51d372638ba7f4bd9

SHA1
a4358379a21a050252d738f6987df587c0bd373d

SHA256
c218145bb039e1fd042fb1f5425b634a4bdc1f40b13801e33ed36cfdbda063ed

SHA512
b524388f7476c9a43e841746764ff59bdb1f8a1b4299353156081a854ee4435b94b34b1a87c299ec23f8909e0652222595b3177ee0392e3b8c0ff0a818db7f9a

Download Submit
C:\Program Files\7-Zip\Lang\eo.txt

Filesize
4KB

MD5
29caad3b73f6557f0306f4f6c6338235

SHA1
d4b3147f23c75de84287ad501e7403e0fce69921

SHA256
a6ef5a5a1e28d406fd78079d9cacf819b047a296adc7083d34f2bfb3d071e5af

SHA512
77618995d9cf90603c5d4ad60262832d8ad64c91a5e6944efd447a5cc082a381666d986bb294d7982c8721b0113f867b86490ca11bb3d46980132c9e4df1bd92

Download Submit
C:\Program Files\7-Zip\Lang\es.txt

Filesize
10KB

MD5
ed230f9f52ef20a79c4bed8a9fefdf21

SHA1
ec0153260b58438ad17faf1a506b22ad0fec1bdc

SHA256
7199b362f43e9dca2049c0eeb8b1bb443488ca87e12d7dda0f717b2adbdb7f95

SHA512
32f0e954235420a535291cf58b823baacf4a84723231a8636c093061a8c64fcd0952c414fc5bc7080fd8e93f050505d308e834fea44b8ab84802d8449f076bc9

Download Submit
C:\Program Files\7-Zip\Lang\et.txt

Filesize
6KB

MD5
d6a50c4139d0973776fc294ee775c2ac

SHA1
1881d68ae10d7eb53291b80bd527a856304078a0

SHA256
6b2718882bb47e905f1fdd7b75ece5cc233904203c1407c6f0dcdc5e08e276da

SHA512
0fd14b4fd9b613d04ef8747dcd6a47f6f7777ac35c847387c0ea4b217f198aa8ac54ea1698419d4122b808f852e9110d1780edcb61a4057c1e2774aa5382e727

Download Submit
C:\Program Files\7-Zip\Lang\eu.txt

Filesize
8KB

MD5
c90cd9f1e3d05b80aba527eb765cbf13

SHA1
66d1e1b250e2288f1e81322edc3a272fc4d0fffc

SHA256
a1c9d46b0639878951538f531bba69aeddd61e6ad5229e3bf9c458196851c7d8

SHA512
439375d01799da3500dfa48c54eb46f7b971a299dfebff31492f39887d53ed83df284ef196eb8bc07d99d0ec92be08a1bf1a7dbf0ce9823c85449cc6f948f24c

Download Submit
C:\Program Files\7-Zip\Lang\ext.txt

Filesize
7KB

MD5
459b9c72a423304ffbc7901f81588337

SHA1
0ba0a0d9668c53f0184c99e9580b90ff308d79be

SHA256
8075fd31b4ebb54603f69abb59d383dcef2f5b66a9f63bb9554027fd2949671c

SHA512
033ced457609563e0f98c66493f665b557ddd26fab9a603e9de97978d9f28465c5ac09e96f5f8e0ecd502d73df29305a7e2b8a0ad4ee50777a75d6ab8d996d7f

Download Submit
C:\Program Files\7-Zip\Lang\fa.txt

Filesize
12KB

MD5
741e0235c771e803c1b2a0b0549eac9d

SHA1
7839ae307e2690721ad11143e076c77d3b699a3c

SHA256
657f2aceb60d557f907603568b0096f9d94143ff5a624262bbfeb019d45d06d7

SHA512
f8662732464fa6a20f35edcce066048a6ba6811f5e56e9ca3d9aa0d198fc9517642b4f659a46d8cb8c87e890adc055433fa71380fb50189bc103d7fbb87e0be5

Download Submit
C:\Program Files\7-Zip\Lang\fi.txt

Filesize
8KB

MD5
a04b6a55f112679c7004226b6298f885

SHA1
06c2377ac6a288fe9edd42df0c52f63dce968312

SHA256
12cc4a2cef76045e07dafc7aec7cf6f16a646c0bb80873ec89a5ae0b4844443b

SHA512
88c7ed08b35558d6d2cd8713b5d045fba366010b8c7a4a7e315c0073cd510d3da41b0438f277d2e0e9043b6fcb87e8417eb5698ab18b3c3d24be7ff64b038e38

Download Submit
C:\Program Files\7-Zip\Lang\fr.txt

Filesize
10KB

MD5
a49801879184c9200b408375fc4408d7

SHA1
763231bd9b883692c0e5127207cbfc6a2a29bc7d

SHA256
397a3af716eb7f0084f3aa04ad36eab82aab881589a359e7d6d4be673e1789a8

SHA512
f408203907594afa116a2003d0b65d77c9bca47663f7f6b26e9158b91dad40569e92851bf788a39105298561f854264a8dc57611637745e04e68585b837702f2

Download Submit
C:\Program Files\7-Zip\Lang\fur.txt

Filesize
6KB

MD5
06b08fe12c0f075d317cf9a2a1dd96bc

SHA1
0062ba87b9207536b9088e94505d765268069f63

SHA256
6ba88938c468e7217bd300b607d7a730530e63d1f97562604ec0bb00d66a06c9

SHA512
9f9fb1c045d92c1f8035d547554457e3466ae861a04f1cd3f57965e4a92f0fc433b2a7b3e9e1e71588e97f8c73d5914a750deded5d3056e327d7efe19a220198

Download Submit
C:\Program Files\7-Zip\Lang\fy.txt

Filesize
5KB

MD5
03d38f09189799a0d927727d071c54b6

SHA1
17ff3a2c83e6a0b0733f2a9a8ce6b83af4f1b137

SHA256
c1c050ed6fe2f8fbc048fd7d82944b8ada784415b6e62316d590c3c7aa45e112

SHA512
e511c1a271a3d78cb7f6111759eec4d7cfc2d46f71f87aa3c4ac1bb11cd4e55e7d4dbe54f9c5107025ffe8c5fcadad4359dc673bc802b82388e74a8f2fa60ff7

Download Submit
C:\Program Files\7-Zip\Lang\ga.txt

Filesize
7KB

MD5
236cfc435288002763c68c4bbee7b39d

SHA1
e74a2402c2cb744dbed8ac1c2154fb1de38148f9

SHA256
b18730124208d26e5e88b76bb99985bf61938d7a994b626b2de5230557d2d8dd

SHA512
fa6941594454cda55e081f15f367f430559849d218895b0b157a2204e8b30ae95db99c62981a9c30a152a63d1bdb8edd975bf06ee5adf1f31b42a2c10cf11580

Download Submit
C:\Program Files\7-Zip\Lang\gl.txt

Filesize
8KB

MD5
6cd7c2b4d6bba163b1623035feb4297d

SHA1
5df07bcfd1edbd448b566aea5789ef251303de69

SHA256
9280ab90261b0c8f206eef7196d7531e4e4932c9174ab899cee4f8ed97cc87c6

SHA512
7ed13085ebc2545b434f5671f958f7a5faa1bc29f7c10721a972afd2c886fc39f0a6e290e70f1f8ea798199ca26974257eaf9b8445652c9b02c789e198191a3e

Download Submit
C:\Program Files\7-Zip\Lang\gu.txt

Filesize
16KB

MD5
93cdc8832328a22e198920630d597268

SHA1
315e5b1c77fb4e2d0c3cc1f48b6db4c79ce9488a

SHA256
c6e54e2a93b821bc974209cd7e2d10e9fbc4ff07d238ae84f552e4ade271702c

SHA512
e8355a42f3a3b5f21d5d4c7a21324433c997ad39412b3bcdcf26edbd5ef882179168b2b5618f9fe631b88407608ab1a83bf139db05c09b608fddf01694b710df

Download Submit
C:\Program Files\7-Zip\Lang\he.txt

Filesize
10KB

MD5
0771f160d56b1890a1cdc2ca040d2616

SHA1
36e69202682bf6993273b521424ec082998f6ca9

SHA256
03b4ea89cce3aa4193a7e3e1e6180dab8359388df3b574379935ea39d7b8d723

SHA512
b452c75292c7d365aa5759fb3f49de674255e839caa687436474b782f615b2ad86a11a58809a5bb60115b070c9b738a461db24e70502598a3bfeccf373220dbb

Download Submit
C:\Program Files\7-Zip\Lang\hi.txt

Filesize
17KB

MD5
18d9c82f12e07b71e03d6086deba0dc3

SHA1
c6c11c6f1fc00a25dd53e1c78f207f6c8c8b8b13

SHA256
5f79ae167a917860f95f73e5ed007fe250f30af794bcfce17941f9ef87d22a05

SHA512
196a859d52a1a742b98460eaf113552dce2cfc63378b19d2902beabc1e66cbd9e26bf37fc26453832aa10929aaf0196ed9211332e63c830b0e5946013c82bdc1

Download Submit
C:\Program Files\7-Zip\Lang\hr.txt

Filesize
7KB

MD5
9d8216183493ac2190a4d6e142ecab9a

SHA1
e534ebb714dbae2a9e12accbe96c6f2568b814c4

SHA256
210af273246d30cfde87295cd5f4ff135b0bdfb04fe7173bb60f935e685b8e10

SHA512
5b56560ad70652c9c6287f939b25676d8149c000c2388365197354dbe38c5cba5c25f0a3a529f0601a5b5d964b7278ab3a668e8469cf0ec718821fdabcf044bc

Download Submit
C:\Program Files\7-Zip\Lang\hu.txt

Filesize
10KB

MD5
a41e4d16c3b29603832ffd1bbb82283e

SHA1
15695a0bd98d429e9ab191cecb185b70cc492668

SHA256
486a382483096e9a86ccf6ca02123e48025de5055f1880af7f001c5c3fa25114

SHA512
413dd8c87015ede7868f992c25d568de66e1bd765c7a43066d8da8cf350f3620c77091f075020862ff6bf7c980c6091e92c5c843b3d57957c7516f5b0f51bca0

Download Submit
C:\Program Files\7-Zip\Lang\hy.txt

Filesize
13KB

MD5
fe73c2aacf07d5120aedd08792cb8268

SHA1
2c6e7d2ff42c5f65ef5f4c27600819354caa03b0

SHA256
91aac9368bd116ab11fda0b70ee4d75911a65713a272a3ba55d1435c33250f5a

SHA512
79dbd84fe71888b7c9fdbcd23f2d4735f731e3c2c7724fbd531c3ca531b1992e756b13b66889af30ec46770d350fcfaef2d7abe607594a2b4b92f60ed326d537

Download Submit
C:\Program Files\7-Zip\Lang\id.txt

Filesize
8KB

MD5
ba3591ccf26438cbe93e9c1d56bd1818

SHA1
758619a702d5a0794e4412aa6ae93fc46ea3dfb9

SHA256
90308689870ad079e1206a877157f7389bc4351a6b104ffa2bd9311409d6d92d

SHA512
2e9066bd733caaa9cedde2346be543d4360bd796e01bcb669602c9e6450ca5a2718cb67613469c11a4d2aa8c458d7fe9c59ab8eb9bde39846c195ce2cc22686b

Download Submit
C:\Program Files\7-Zip\Lang\io.txt

Filesize
4KB

MD5
0861ae63da2d00590369bb11b3857551

SHA1
8272f4761a3f2aca2bfaec6fcf08c82a9f36a65a

SHA256
b87a4fca8a0024a915ae86e36951cb7cea442948d9982d4247e49492445ba664

SHA512
70997d6775e1c91d021fda2143c831fe8396094e50337da3c4897da70636b7f10b363f35b997213a462b467fe6754d2c33e009e84363063eced871a2591cce88

Download Submit
C:\Program Files\7-Zip\Lang\is.txt

Filesize
8KB

MD5
c8f31d6adee368ca0aa00350df0d82df

SHA1
4146c7c62dd46b2c43c92cdf33e45fa7e2272d04

SHA256
dc61090369e1269a68c75e472d863aaf42207f702b3d3e12ca48d2852e1478e3

SHA512
758af54a33dc243992324974f01707c8027be7bdc7d07187a28038f4c9d8f7681d989b66f56a13b86e99c8bc74d80a70fa44bd5dd9532c99b78df7985b397ed8

Download Submit
C:\Program Files\7-Zip\Lang\it.txt

Filesize
9KB

MD5
aa7b46b6ddd673bc06bd90187e552743

SHA1
2c11a1e5f97ac1415073c2c953cd92018cf3eb93

SHA256
efb1aed5c52af731a733c720b6f5479898c9de28367a5de4c80f697fb745546a

SHA512
10c262122417b081d0403f9c917a4beba34078ca52e88478ebd2c0b6956aa6b61b34511fac71e87578d56ae1f5acdc265cddac8c92b9f14757daa75042dfc7aa

Download Submit
C:\Program Files\7-Zip\Lang\ja.txt

Filesize
12KB

MD5
a0c7eb5d5a5dd7ab6f4c1e4fef092256

SHA1
f121129211dbedba3c440267fd9bd1c636e263c2

SHA256
9f70f1943a8e0a9b9040d1f769ca2494c2b83ceb8dc55b08db1fc3e6973ad835

SHA512
f864c9ac99edc97968feca96919a412e87c27457f5e0a8956dcecf37351ce7aeaf0e745343a649743d665b46be108b3cc5bafd92029d25d5a5d9bf6c390e5149

Download Submit
C:\Program Files\7-Zip\Lang\ka.txt

Filesize
17KB

MD5
c99e6572f5638599dbca2ceac337a320

SHA1
73c64554a00c6d5a3dab8a2e7bd50426d6c7b6f4

SHA256
8dd6073b585dd2e9d8cdd8e0fce7dfeaf2f5a2d8bfc3059f67eaa3d8b5eb2d9e

SHA512
cde3d44793d1abab3b8d0ba71d1af85c7ca49b37f4331b43d546d1f2022fc9cedd1188869acee5bf9b74046788daf26f4e4658af86663065339103d2a602f7aa

Download Submit
C:\Program Files\7-Zip\Lang\kaa.txt

Filesize
7KB

MD5
ffc17520fb68fe464650b2f78e15ab5d

SHA1
2b83034ac04640160ddaa8e797faa5d8c80f956b

SHA256
24f7325271dd7ad2b63e977841d2f06ed0194bd9257f0db460df32baeeec4746

SHA512
4f1483796a8ef95b2be61811a6566ea2e19564f37733647b6eb4e1c82a8da8fa927afdf024a247fc7e70088f63133a7843fe6129b77b2ada01e39a1e814429c7

Download Submit
C:\Program Files\7-Zip\Lang\kab.txt

Filesize
7KB

MD5
5af10c5616e0487d236c8cbe2f23a7a4

SHA1
2049e1a82a0af13a8ed2cf9e4eb51f1dfd377480

SHA256
f249930089c374eab59078cf16b8652d443cf2a47485d737ae5a9fca2957d6b9

SHA512
8e2db2769d8c9d4af435986bc58f66f570c4d85bf7c8a2b9369f546cf45c0848a07986582e8e7f76a9aed569da2774e5b19706ec77bfd41bb6b4af86abcfcefe

Download Submit
C:\Program Files\7-Zip\Lang\kk.txt

Filesize
10KB

MD5
407130a212cfac68fa4873b0381b2cb1

SHA1
c0c9b84cc79619d27536e9f50f25d81237b234d3

SHA256
f813eac0b284edce156dd1e6b7ea75b027f4342e04d8b8db1131894a227a4562

SHA512
e80afdf726ccc5d495f62a9b289ee31703f151ea01eba32ad7d2da306c2c07de2f9049dc6592c3c962b7cc2cbe352b8b7a19e9dbcf7b3c6b61dcc4026b70c151

Download Submit
C:\Program Files\7-Zip\Lang\ko.txt

Filesize
10KB

MD5
e85ae412871344211d00326d3df2534d

SHA1
4a770eee2ef9f302b8190c8bbe3988a5d7c90e5e

SHA256
3ea103ffd2ff97e211c7ade3a79a882b494fe416bc56bd05f42f2e82158a7a03

SHA512
09eabfa3997f201f8402dc803319ee0ddc4007ef268ad44309fe78f9e2710d1a10930f2e89f2c0b201d1094c53f5cb7783e492503eb4737b2e3fdc1f39b69ef6

Download Submit
C:\Program Files\7-Zip\Lang\ku-ckb.txt

Filesize
11KB

MD5
8c3f9ad9c824dcf74a09c9d406db22e7

SHA1
0c683bb56a13c3fbca664f1e4c6c98d0f7aec8bc

SHA256
b8b7db8c139b19d414cef35ae96d854d5a8364c32b0c3fdc4cac331b5af44c16

SHA512
da33d4098679a14d2f434221ef968951407727126b12404c8b6c3e2ad6fa346d9d515dea940f9109d5d196e648583124f31a1d27cf518ab19e3dcad673c027cf

Download Submit
C:\Program Files\7-Zip\Lang\ku.txt

Filesize
5KB

MD5
28e69dd6e397fa98c07088e4cdbef1f4

SHA1
56e4a46b5c7360f609683562e617c75c28cd447c

SHA256
57ae544f3f9e8bf5d96ce1f9cfe5648eb6c1e2f5604da6eb0c80ae24bc1a40d7

SHA512
6bde04f3bbd42e73ea3e0a93e8ef69149f25dae491051d1655a85718af4d51f5247c610d87c20227f94beeeba038d54f7b213b0443382d080e87722485941aae

Download Submit
C:\Program Files\7-Zip\Lang\ky.txt

Filesize
11KB

MD5
e50c04d913dc92251aa6781c02e0bd45

SHA1
57e68c80b23a9b1bd689ccd81cbcd91e0cae6aac

SHA256
9a9e4ddacc494eaaa386f1220837020f332a49e7fff7f0bf8c38c847390dab18

SHA512
c428caf314f79d533246cee4015411102ed836d0173f67f3b2f4c61c3f3f81be7fb2fff7d3e863e999617ba05fd6f7fef4b67cff8557e1d0c86035ed29daa2ce

Download Submit
C:\Program Files\7-Zip\Lang\lij.txt

Filesize
7KB

MD5
58ff044fe195453f797dd1ac6903abf9

SHA1
4b8dae21dd14ac6daa1decf804336a1aae169aa9

SHA256
d9bb6bfc127938c47b43290241378887085314ad1326095934a362cd9836b560

SHA512
861300fe39ff0daca00b4cb56c4075afba2bb3a1654bcf35713251237630206f06bc63d7f339ecff040c9ea1f5b7094a11fe57c5848e91db9000f48d166ab1be

Download Submit
C:\Program Files\7-Zip\Lang\lt.txt

Filesize
8KB

MD5
b8056cba4edeb98d298d16edbc34d678

SHA1
a4d39c3eda31f8ce72c62e1db91deeabc884ceb0

SHA256
9c15db408e32dc699f598aab30f539f91a212e5fbaee2095022e24b3f1f09ecd

SHA512
5c3fb76a5502c7c0312a32cff38f99c303225c31c3e5c6041765bc2beb0e9d5ac9cb4f543b80eca969d54723a52122601b2074afa8991ad64b92cfda91104dc6

Download Submit
C:\Program Files\7-Zip\Lang\lv.txt

Filesize
4KB

MD5
056327042b9cfd5fcb5f788f22112d62

SHA1
fae6324417dc88e9a9bb0fbac9b4d4ce61c1980e

SHA256
533f9ff016e7bb36216665cca1065139a35d8da71651678814415ff457a9be7d

SHA512
fe853c2042251b3987c169f8241e0b3b0f1c3ae039dc7786b07e0db07e8a6b0f89e1d478f27d3c8dfd69473e6c6118ce13a39d7de84a22a3c2a660652b852660

Download Submit
C:\Program Files\7-Zip\Lang\mk.txt

Filesize
8KB

MD5
c16e6946f912b49963bfa7e44be2f7a0

SHA1
496922ad3e59737ac64289ee685f2fadaa942755

SHA256
90efca5f6b8e37b963f7e42f700938440171942e0de0ab8baeb08912c0952957

SHA512
55feea50104ed2249e6f5018b6883f89acbcc0396e80349653356f40329c4a420584b29734cd1ca8930e9a383da427ec979815cc3da3f6f59ad8948b2262e874

Download Submit
C:\Program Files\7-Zip\Lang\mn.txt

Filesize
7KB

MD5
1088565a362ebad250975f46f8a94328

SHA1
406593ac2e74b8911dda720952b7aff6c4b5c145

SHA256
c6a6cc400ee7420bfb680d71b43a9be1fbc75d7b98ae2b6ffe98229d5eefadca

SHA512
500093986ef49c23829d99251f0adcd20a6d348a91c74362e95e6d8e73b83f7ad665cb49da3e47da1ec671842abcc2d824850d243ee8d39c41e3568f9c2c89c4

Download Submit
C:\Program Files\7-Zip\Lang\mng.txt

Filesize
19KB

MD5
a10d62cb5875cc96d53e4bc02724f366

SHA1
bb8d2f73109084a9a11246733e5da148d964d6ea

SHA256
2e488ef05895b93aca2b5f72ea08da887722215d1b4cb85b12942ea32641da2b

SHA512
b01fcfa48883431ba98522c74a8ae9511bd6f122613e80a0439a049b8f509d689b89a59f280335532af284a351c52f44313a4961ea5acbfaf7ea2617af75e797

Download Submit
C:\Program Files\7-Zip\Lang\mng2.txt

Filesize
20KB

MD5
2be2f9c77556ca413b590b8477df5499

SHA1
dd5ce617642c977470aa20c6dc6815728c779245

SHA256
5a85cc532f802da683374c3f4c98e3f37425cf304d6772ba554d2c49bac7be0b

SHA512
3ba82549752e6bfe6c1f1706b205747d70f2f3106c49ea08d35e82047166c3d5b26457d6bf00fbbd0e9cac4ae8ec38123f533de3f68ed466f219c551b5417c40

Download Submit
C:\Program Files\7-Zip\Lang\mr.txt

Filesize
10KB

MD5
b681f52bc54b1b340a3184cde7ff59c2

SHA1
ba8d38155c0c81416233a360f7387eaf48c57db2

SHA256
f6d67ce2eae4c125bbf54c04ac783005bddc07007398cabd3b9603020af67bfd

SHA512
82fdb75b2f2a06e3cbbeaf1dfe84b196908286b9518194485dbbb168777181fa86a7e37136756544acc98165860e8ca61b83545f6cd1f13ee91bfa995a5df0d2

Download Submit
C:\Program Files\7-Zip\Lang\ms.txt

Filesize
4KB

MD5
e3267c5ed8158da2b7e2679107ce1394

SHA1
6550cde7359a1b3450d8c0937affbf0252fa4b82

SHA256
c88bc7ea0c20769847a0403e188e273a0897d1c77dd72cc4b45471fc67e0d5e1

SHA512
63c185613c5855379dd4cac3d2cf264d6bb2a0e9b483b22eab93b7e8b9abda88bee2f80fcd24f0e9be0972a04f6c725cb20cae678e3e4f61251721b5bdb1cdcd

Download Submit
C:\Program Files\7-Zip\Lang\nb.txt

Filesize
5KB

MD5
3b1958da0544a6c318d18ef5779e81f5

SHA1
67e991a6525da165145c4584c3d9b398583d7e68

SHA256
f349529ea4584eba51cd519b8a1d535d2daec762cd7369673b237fa03a526cc7

SHA512
e9b5e76fc908bc193738781fdbebd894ae310f6693f7b52d4369bc4f979a8ec9e2201e5a2056fbfc380fdad3143f3e5a3bc00d7ccb00cec078bc0e8caf318861

Download Submit
C:\Program Files\7-Zip\Lang\ne.txt

Filesize
12KB

MD5
04cfc22f9293329c5ea7ec5c4a14d3bc

SHA1
57aa51dec6bed50703054060f46918aa26ae0e4a

SHA256
e016e8872f2de7cbc1f4fc786c747cc26b2e250e6c1b8f1c46040b72c523d90f

SHA512
5099e2a8b6be04e2124280711af1bf5807dca5df93dd33cca416d56337adad19903aacef3872f550d16a82f8f1471ec5d821d6e4e096e817a8c4d8340291d402

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
25dce84d69ec0bda8b773566145ae456

SHA1
7b9b9e6cee9d9b7550788e8c6849d0f28bb01cf1

SHA256
11cc471b21bf249c0b0056f77b18900c8f064ad3843072e8ebadcf4b81ade6a9

SHA512
5e02121628aedafc8b436e246517efaa74a2af529485478de73ef8bfeb1b2dea04979f381faf46d0ae6a7f6daa83ab08eb230212cb0412c41df5f2dde1782a2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
474298dc72376cc0f799fd3ea96c1ff9

SHA1
9ef4e171f0a4b36c442881d07d061212b54f04a2

SHA256
38e54e8602bc9a1a9f9dc44c8dfed34ef0ba81aff4752ac5b9caa8525faa8a90

SHA512
5c27e79d5f0c8a86e5618a8236eb42e8722f0e184368529fc4a5650cb633b8136ee87cb27907d421fc6966d27d7cf47b68b69039d047881323259e1734879e9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
db879cb8bc048dfb9d3bb854a43867ca

SHA1
1f1b428fd439851a59c0de5f020e3bca1f5b72d0

SHA256
ed889c4f4a193cc2fee77fc6a9c37ea9be574fecb2c186074fa2f0f358840903

SHA512
4d68a2d198e6a50144d319f142da87423b1949551a0f8061981d809b5fb3ed88cf95f21880bd9691eecc23e98d9a8bc31a4ce8ede59fc3a670637f64d8ea6bb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
1a865952c63a39c0b221f781e6645588

SHA1
9e9705123b4334fa11ec8e10bd080b71c1f65243

SHA256
fd81b4576d2c9af7899236a05a8cdc7ac2db0fee6fb85f5d6a6616405ed9ac96

SHA512
fcfdf9bd81c14c5ef79903b9f581d079c30e6dd0805476577c66ede1575d2cc228522f778308381cce1cc4caa9367d1c7104e0516ee157243f17a3d72f4f5831

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
01aaf00970a12b4ac1b45f35b7dd430b

SHA1
948742004d45423360d974b0d107d3346aa4a28f

SHA256
d2a4c9b3c983a7b760890f1c2fa4ad04ea613aa98978c52d1fd54a6c89400623

SHA512
40ff988a13f23857d939c7c757ece8156a65a79d79fce236962272eb45e07e1229a56ad7dffd081971102c68365a6ed21ce061f2381e8ed56c791f7a6afab178

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
3acd4ea1645abf1bd9a78986d1b79c5a

SHA1
741b20359458ddb601680955a6a04fe1a7ae22c9

SHA256
a717f3b0edf87aab9d9cd03efbadbf8f048642e945acdd756764e91371f182db

SHA512
010f74cdc0ba2613efb60ca8e91ec425be2e454df9650c9e712a54c309feede5a5c5c2897be02c5a2c35df89aa766d08b686e950f196bfa4270ff201e656a90c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d19457b2ab15291c13c937318546d5ec

SHA1
76295fb7d90a2bc2696e1f90c55ecfaeae945277

SHA256
7cf0dc7fc4c535f1d0fcac4dad3a10f4f04aaaf53e6b855a9285e4b69bd692d4

SHA512
16be07f281705100dfc8eb78e9e0b0b11b486c230cde24ef18280d111a39d2dcd43f4c71ec973daeaa838916c5e162890cc3a49f0c0044f06e19403724d0593f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
7e197b8d2bb670761b85aa379b6e1e30

SHA1
abacb56b8f450f70dcdd66df4a7a6c5d15bc1874

SHA256
62765ddca552a46a5810fa77fdd10b89f32d71dc3cdf7b15b87da3141f17fff3

SHA512
d92ad76753e08790fbff420e6f70e35377e078252348f933cec9a4c39f77cf03ebdd23ac5e09e9f699e0c0253a43688a579342432e63428a05c1a921ddd8e521

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
8ac086bf478737b08287111031820aed

SHA1
0226b92b6ec8bc0e45594202d69a350043ef26a3

SHA256
bd4ba14b920ca237bb3e9a508cf6b676f28036d2a746f614ee56ee008ddecafa

SHA512
72b0de1128b0db60db97a9aee1b4d822015503f5724915d8a6ed84a06ce768abf6e6c3588c0e7078b385097aad69a7fcdd2db2177d3c5e477d83ccd9328643a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d9b72b3c5275d4491bc5611b5ee04c2b

SHA1
3543724c8d3d400ee2f116289b96dfca202a4d7b

SHA256
3912c824f9675661251b84a4265a20f4855d67d164889e22505adf7bc6f881e9

SHA512
50cafa867d4c2def364079da2a98a6a5840d1e3480670fc090e4b17173fa2e4b7e2fcaec2b0db0fad49e5a9432f59a99b8b74f689aaf23b797145055afa0349b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
df4c40982befc9c36b18858bdcda2eb3

SHA1
46975a4a43f80022d291852c10b83add6ebed8cd

SHA256
68245e2b77901ce80801598e266bfea40370081f517cd1e327cc870902e36e62

SHA512
60e5a7165f90e5d4c5b7dbf3e8155dc8b9196450b2c915df67fd5804fa494ad6ec8695f609b0c65c422058608daf49f9500194058fb2283f1c49d3a1d23ff5d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
024748a78469e613b78eb34a6a548f7c

SHA1
a9bc295a10c86a9c1ab53bb869961a4bc82800a6

SHA256
e02c1073f1714c17ba10a637e2699c27d9200fa8dad5852268be771e99a89615

SHA512
0125b27138ed71e96553a896dad6f145b9e2ecd13b37e6d566225c9b2398f4b427ab05b74503d4a97fff10170adbdb915873ab0f2f24602c115e94555f471080

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0e98cd8fdbd6327e700f63b4e5aa96b3

SHA1
d458cd90127ccdde6e93a633e6b76b5d9eb2a74e

SHA256
1a877f07954dfc72f3e087154aff91edf53aa39d6fc8f8ae3b9dbca074e93222

SHA512
1d56546a6f580ce3c4249eca4579104fea33a85ef7921bc2ef4ad5a68e7bff69b1d0d68ab27d7b060a23e1e8d80208618755cb78bbaf9715adab8dedebf31f97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a7ed2f5153a2aac08739f42f49006dcc

SHA1
f353aff05098dbe3b3279095c704f91b49e2dab8

SHA256
0386fb78afadf9c0b974dbf09ae3cfc6a231712e4aa194274b7527911b7bcdad

SHA512
88d4791cb28133c3b000918d148233b743641e9f574e06810d30d01ce4338694ab606d36cc0fa7d238b909329873f48831bef7e4382ee32176bd7d48ac260553

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
5fd72d0a7e4d5a5dc8412a78e33ac1e3

SHA1
a0430f4665e85e3c7a849f7e817e963b26378ef6

SHA256
e9da07953f6265292c2b8d606860ed7de7ac04e102cf8a062fcbdb6b325ef82c

SHA512
9681ecf3e61aa88e4e26edf487ae8890f2a89db49f589de14936e913d43d27837c376f92d778534b84a4621d6857d335fbb6791f2548b5ba8bf19a0f55c812c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fd442ce50988de77fb0db1af50a7c84d

SHA1
7013af8a7e0ae9f4d92cfa2402ef7166d23de085

SHA256
b83f48d3b362a58f68e8e8702288525c6e5279ed5b6824a7380c2997c3b7b506

SHA512
024b59c943634893ace0b6d9be1d6de94ce7ca3ebe6e88eb5abf006c7cf5de2c125b4b8365bc0a5faac33dedd75acb54d6d4e94cbffa96bedb9b43ae56a84836

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6f12840851569f74e10fa67da693a408

SHA1
8ba5dc2d207b1730ad9e32cec3a2b1dcecb1848f

SHA256
03aebe7d2f068e103d96a94c15d765f90d2ee667aef5fef626b8814831dbc7dc

SHA512
0ab3dca6e91e9401402e6f620681c2371d91af8d9ab54bced7c411acacceb7fad00ba35c7bd407ffe6f882ccc3a6b6b66912c71119f93e613b4651e0d1a16943

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2a06a54741463e96d20dc02490a3e812

SHA1
519014a5a4e625e99b50d8ab94be45e7800f308f

SHA256
802dc4a22afc021d9a5f0dc527fed2f373cf466e1f4febff806ccd3c6d9fe4bf

SHA512
a285eed53252c1b5a56c5423bf5a89e813e2ec3a3e96b4a13aa1482e09ff75a792daa30d4dfe754530d0883355c75e5069dfbbdf0934ef031f976253883d13c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
2a3af0cce22a28b5564655aa640efd87

SHA1
5619189f7f5c9f097b6b6656acd7936d3fecb18c

SHA256
606d834ba5fc7f00cc22b65ff870496e321067e4359217b6496b0aa590ba9919

SHA512
8318db8e508e5dc70a63ea1b65a825a3bba23126ae075a8d2a69e1bdd118b8af55840554810cffb83860b91051d6786c1bfe2e2c6e582a40d9effdf4c4bfc248

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
208KB

MD5
92084abac1ae21c835220c575370f45c

SHA1
ecd8929f70d4ba0c3be1030042af2cb9feac1360

SHA256
75935cc35adb75795c31113c13c954af6a85a8f58b7a94c3af1f42a8392975b5

SHA512
8e33aad9922199318ded010f5423406270851614aa966b66b5048e7cc6e729922df429780ee773d01c3dc7794054bef195b41421f448c4c06effe5cdc891d546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
208KB

MD5
558d0724228a553f1b0fa5f370dd841e

SHA1
e309f82020c02ec2f82323d21c5ab4633a5315cd

SHA256
83bfe80799e324c06d660ae878e7693c6926016a9ccefd5556ea2eb1799ebfd9

SHA512
b21ae9291e763b0a71b87d39fb9f9857994fa81883304db793547a00113fe3817c77d65c850d5a76662925b4cc9d32bfad8180a2e56022d6a4bceaa1f12b8046

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
208KB

MD5
f9960627ef4b591b3047215b89d403d4

SHA1
bdb6c73406390692d7283aef1b014fe1138549e3

SHA256
85202592e9644668f5c9fdfebde61f0005c5825a308f019279074e8329dd714d

SHA512
9124a7913bbb56a7f59e8afd72b9cfc863363f2d073de67d3e76e5a3971d16169c2e1a84c62dac51f0985c9e316771d698bb6bae5bd59cc0db87d1aa7d9580c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
cdbc53ae07c8edd6ba53320d746c4912

SHA1
fcee4b42f50177afb646622e0cc49db522045faf

SHA256
500ba709d814408907f9cc065cac2c8dae8486a6b91424405e6a8b9179448753

SHA512
5d74725515f6d51957388518f7df4fea552fe51c8c960cd627d900ecf5f747192b9828440ab4a6e254677d1b1ad58e6a0f5b94b85f90d8a5dc69a83d51f3cc63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3f81481f0251165ee8051799d5487156

SHA1
dadc07e6eff95dd6fde0f3fb3eca0a4aa1941434

SHA256
020c968aedf44573c2dc9945010abb1109638dffdd9a627c503321068b79d845

SHA512
c93f39f6f41ad4256c1c6e6fb5afd4a44477372c8459d369ef962b42ddcfb3b7c84ac8b93f128fac8e9e8405c84c62c8891ca05ce97a84a0e6a411fe50371efe

Download Submit
C:\Users\Admin\AppData\Local\Programs\EnchantedWoods\chrome_100_percent.pak

Filesize
147KB

MD5
3c72d78266a90ed10dc0b0da7fdc6790

SHA1
6690eb15b179c8790e13956527ebbf3d274eef9b

SHA256
14a6a393c60f62df9bc1036e98346cd557e0ae73e8c7552d163fa64da77804d7

SHA512
b1babf1c37b566a5f0e5f84156f7ab59872690ba0bdd51850525f86769bfebc245f83988a3508945cf7617d73cd25e8469228974dd2c38415388b6a378552420

Download Submit
C:\Users\Admin\AppData\Local\Temp\31c6d7da-694a-4e79-aa6d-7110a815dc76.zip

Filesize
3.5MB

MD5
06ef589c49761e1ff19e961dd5bd7324

SHA1
a409d25e2e1d485e752758a184414a66b1ef01da

SHA256
072336c4485f2d973cdc3fd600c664f3282e85f38ee3eabb3ff44e3abc7613a7

SHA512
fd64add5cda1f64956d8acd36ac382e2a153e243b0d4478f1185e978cb2f6a14ed64c5a05d0559f9f8b91a63575337a386a11c172bbff97d74a0a6a9fce0f0d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\529603ef-bb49-4db6-97d3-5084de6ed70a.zip

Filesize
3.5MB

MD5
42f926278fa08e58a4eabac0346a7b29

SHA1
8696e2f21c8e6174604e6f7f9e7a0b302e9ec3d2

SHA256
a83dcd735a3b65d05712d1f7a552fcaf251fc508837733b8253842cc30697abd

SHA512
1356021560d7ab62f2119c0a0494eaaf360dc8eb1581d516f93af1b4784434fdd249de709c61a06ce25750382179c3bb0bbea41c04a62f2081da2676f5098ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3zb3mkxa.0pq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c16f3832-3511-41a5-bb3e-7d60910d7325.zip

Filesize
3.5MB

MD5
cf592936f353cb25673d704d4b2070ad

SHA1
1ad62c1960e0a313a3b5bf913d89e2313cf501b0

SHA256
e8a6edfbb672bca7a75550d6994f744df78c2d5a4bd28604ffa73e24540ab9ef

SHA512
fe71080cd94806c3a85f41b92a083a381e570a34612441f4daf8aa2242a0412bfcc845229af5aeca154c0f47204b2fb6b6e64819e5785b1e429f75d68f0cb0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\c16f3832-3511-41a5-bb3e-7d60910d7325\Cookies\Edge_Default.txt

Filesize
4KB

MD5
a16f34281e9c20663039a1b18e35db82

SHA1
5ce60187268b3bef69aacf1cf57b72431e7d940d

SHA256
c74f50a42a010ee3117c1e517333b04620835481f46eaca5575d598bf7153be3

SHA512
27def3c93f51ae472823b1fa5ddc9d81c23099613133a5a252ab3dcf397e2d1807f0baefcb3208f8686b9b9610e7fd95dcb1df1f08481ac695d0400ed433cbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\c16f3832-3511-41a5-bb3e-7d60910d7325\History\Edge_Default.txt

Filesize
1KB

MD5
50932ad96a123c38acc60e6edacb375d

SHA1
e4e376da6dfc1125942d09ef4c0ebaaef3940376

SHA256
9a99244784c445a001489842004ad4fb0f3d4fb8517095ca64b1632ce49dc383

SHA512
1c593995b13265b1c748bb226e9060673b5fddba751c3a2caea9088fbbaf5d8d87931a1c404a9722e84ddf859c20b933a2e0dbe6bbdca64a90c79fe07108ccf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c16f3832-3511-41a5-bb3e-7d60910d7325\ImportantFiles\DisconnectHide.doc

Filesize
2.4MB

MD5
a87a72283596338f8ef7bc402c8c4295

SHA1
5ba3645b4bb390675630169f45c06c6db71f1910

SHA256
57b0dfd8fefa2851ed934ee820cc29a0044531ebb7a715e5b956b52d10c26a26

SHA512
0519a2cbf3a72b06fa91e3d31ec5de396d129295484dfab080dbc341d07b464881693ec72220440d15c6e544fcb6232782e12b9e4f5314ef6d7ec62db4d4e56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c16f3832-3511-41a5-bb3e-7d60910d7325\ImportantFiles\DisconnectReceive.csv

Filesize
1.1MB

MD5
04149ffd2a747a3ea0834a1a8888324f

SHA1
7ff4c734f8c9693f35d093713e4a4a55a9da97fb

SHA256
81ab5aa442d535d72d55d623103a172f6aceb59b42cda22b3c4dd55339d995f9

SHA512
70ac4126ac63357a1c065bda946ad419d538b3b11b457f60cbca6fcf0e4d0e78ad6684a53c398832a2ebb540cb34e5c5d7521e3a7c574e94fc847200ab4dcf0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5f0808-3554-4252-856e-8b675918a9ba.zip

Filesize
3.5MB

MD5
65efbfc728c9c65b188a140c49ffe7af

SHA1
2fe4e2f555a31f24afe857ae189ab9ed3b60bb06

SHA256
4c3a58577105bf2046e0b888ce7af59b0bad0fefcd9fda114bf3d6a145ef5828

SHA512
1113cb94bfa347f8e1b12215d29969c3700d0751161cbab3f08de842496dcd888a02e90228b4a04b1d0c381444078dfcea5c62aa08876a04253416560f57a5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\LICENSE.electron.txt

Filesize
1KB

MD5
4d42118d35941e0f664dddbd83f633c5

SHA1
2b21ec5f20fe961d15f2b58efb1368e66d202e5c

SHA256
5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d

SHA512
3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\LICENSES.chromium.html

Filesize
9.0MB

MD5
f017c462d59fd22271a2c5e7f38327f9

SHA1
7e1bbeea6ac2599bd0f08877aa5811d32f1aceb9

SHA256
40f314c778851106918aae749d75b2d913984327602a1bfb7ef0cc6443ff2a37

SHA512
72177281486f6ec26ccc743b43481c31470c7dd53f17b0a67ac087dded190c2e3dde5570260150c2e9650186a515740af7f81e31965c95bb762340f9ac100c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\chrome_200_percent.pak

Filesize
222KB

MD5
3969308aae1dc1c2105bbd25901bcd01

SHA1
a32f3c8341944da75e3eed5ef30602a98ec75b48

SHA256
20c93f2cfd69f3249cdfd46f317b37a9432ecc0de73323d24ecf65ce0f3c1bb6

SHA512
f81ed1890b46f7d9f6096b9ef5daab5b21788952efb5c4dcd6b8fd43e4673a91607c748f31434c84a180d943928d83928037058493e7e9b48c3de1fc8025df7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\d3dcompiler_47.dll

Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\ffmpeg.dll

Filesize
2.8MB

MD5
ebf0485fbf546b010c2b10c5c8e7d5ed

SHA1
a4a546f6be93bae535aa724ce2832f428cc91f89

SHA256
46a20d91861f6e966959635dd5f1adfd7f33449dd814a9aecf207b0cd53117ba

SHA512
9e6011c0269556376907850fddac8fdf50e132434da7daf4d87be83c1b89b7aef847b25b6216686915225a82374fac6ff987f22efc01d5b1c2cc81d53d7facc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\icudtl.dat

Filesize
10.0MB

MD5
ffd67c1e24cb35dc109a24024b1ba7ec

SHA1
99f545bc396878c7a53e98a79017d9531af7c1f5

SHA256
9ae98c06cbb0ea43c5cd6b5725310c008c65e46072421a1118cb88e1de9a8b92

SHA512
e1a865e685d2d3bacd0916d4238a79462519d887feb273a251120bb6af2b4481d025f3b21ce9a1a95a49371a0aa3ecf072175ba756974e831dbfde1f0feaeb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\libEGL.dll

Filesize
473KB

MD5
4c01b3614be1f38a6d594443a547c257

SHA1
7eaa456b164613577d0965ab5a57ba2b681a6ffa

SHA256
e36da1a4228899bebe50cc5da1fcbbc590cdcb3ddee0b2a19defd99a805b6ed4

SHA512
b72fc071dc791c63978465a68c9a4904d5f1c458d302bb710e83576f20ef928d73c487248a305bb455990c2d8a6b894ee47d88bca6bc92360f286849ae1a1257

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\libGLESv2.dll

Filesize
8.0MB

MD5
9bbeb7b27646442c8bc2d202a73516d5

SHA1
a7f7a52dc45bf130581953e07ce9b9851cbce90a

SHA256
2b80817443265e7979b9a77075492e8e29be3ba775d20f646cdda391efbab21c

SHA512
f9826e43f53bb9b906b5c62ff2502d4e8dc3ff99b72420cf313a5811061cb146651cba3b8f864f34dfcfd51c6e3b39a0a640719ef94d7696bdc4fab7e9d16785

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\af.pak

Filesize
508KB

MD5
09455048c30cecbb17d6e0e95e4c01da

SHA1
6572850b07df45933ed57754f72c44895a7ef662

SHA256
e973763dcc0ffd7a5afe0a62ec9651c4c3db7fe29a23797fafc34b83512d03aa

SHA512
f59b68c213815ad81379c964abe6597b900b9fac5fe17e2cb378d015c4803f96b598ef70333d594599b3283a88a9ca9cb2475afc2590eda2ddf7b041ba2368e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\am.pak

Filesize
822KB

MD5
1c47cbc228940f5c645f2fd77602253e

SHA1
474a5006ae9ae774b5d420c2f1fb0d0f2ff36afb

SHA256
5245154c986ca89ef53a24a4246345e3db01ebe47219f1d0772935b03e81e37b

SHA512
dd4e7c1e26759001ab1ef63f93e847e2908c78d943c7546c88e1988d96a6625f9de9e0ab8b38af4c7b07202e1a5488023cc3429075de6c9b9394307c88442673

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\ar.pak

Filesize
901KB

MD5
513e6bea67200feef37fb2e8c7fcec36

SHA1
b0edbb5846b8ddfd95ad74905e890892192279d3

SHA256
00a9c88b644807369637ddb78d9832d7137b5f1c64ca9720a36bfccea8c38d98

SHA512
fbc184640fc419b50f6b1a78168a9efb63f8ac4c151baed17b5e9b9d333a360dce109351654ebf1c71c97471917c922456cf9c816118c6c781efdee14d8360fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\bg.pak

Filesize
938KB

MD5
e1322b5cdbb96d2cf4a5fa5993c2acc6

SHA1
e813a5685b1885c2788c4826a8f8659493febbf5

SHA256
39707fb80e38e9404accac5f12ff1f3745589bd80b1586e2208b27c0c8eafcc2

SHA512
2c6e766d671bc4ac772196e40b818039fc88f02eeaa59f78c78558e5e2670c1fb7fed9391684160c0af5a92acf8991533b298b5aabc3919c706f23f094f2ac15

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\bn.pak

Filesize
1.2MB

MD5
880e325d5643051ad7e29c2280fab954

SHA1
cc46cff349031f9036cafafd3c091d1a5ab93f2f

SHA256
2fbcb9524eba04637e3f6c2874f7fce917326ba90877e1715eae4b35f141dd3d

SHA512
d16d085bd51ad267738c649f6bbfb15b8ce5ac73b838cfb7e2ab0f4c135317c358b83a7b5d3506c492f75b97edb8d1eeee9733d12c9eca1bc51012d660b9e912

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\ca.pak

Filesize
571KB

MD5
84b1e5be23e838708773d4e022f99986

SHA1
53e411d571605a0a86a1040bff32a5e951ce9ee8

SHA256
faff0931e9479b76d2b6247739d4f934023a64bbe8578be08e2dd0eb053231f6

SHA512
8afc396b859fbd0c03d1b7604f5cd80d41fd8e3df52ab88ba22a31a6a0df447671377f2ad0f6797682da6aa32d7c779defa1097ee140af207adc94575957fca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\cs.pak

Filesize
589KB

MD5
709ed2e9426081c9e86d9abdc74b44a3

SHA1
f55fc17c8b9bc5f09a539ecb8b995c1b43fc4d25

SHA256
6597d0dadf724999741e0f24953ce9be02c8b98ecb8a382115b205edde87c160

SHA512
992ba983cb8b24bf0ff190715c5845f34b13f17227486350fc736c872ac8f0b21347f5f6d13e2e204e928ec664e283ca65b65f72d9910725f55d737b6c5fda40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\da.pak

Filesize
533KB

MD5
96bbef1eee0b0a197ec834839c00e11c

SHA1
35adba0aafbb4d19015e11dde1f37de87292252d

SHA256
600e02877374dc083b21deb3cc3bf6a4e3e2b2c581a631955494b0591c56289c

SHA512
e1ae7ad30735b6c42f81d30d50162330603753b0ce7705506918d0bf3bf9a52ac60f8fca570cdfe87f0d6dd46cfa3064d5a1526d39d81a053571b434b1cbffe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\de.pak

Filesize
569KB

MD5
3a9f06d1708b7620e2639851024ed0b8

SHA1
51c0d824bf38250ec0aae58e63141489931f02ec

SHA256
91da97794994f6544707299fee6b775745dc3891fc879d8e8a05844c6383eb53

SHA512
08e80783de403651af208387a3191db30d1353cc25f310c917a1133b2622e4b6809bc2bd881517678e9229e6492705c5f45be3e849c0512c4a651c5b7026c926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\el.pak

Filesize
1.0MB

MD5
4009c890acb9b81928e6e1a4b593dd62

SHA1
83083e9c948ebba18fa990e230ee33fceae43cbc

SHA256
897b6fae230e6a3cd14e16eb537f96d820950f5a4537fe146a732ab028b7124d

SHA512
b4c87024d3cd612b8af6f73b31853936614f4315ba9a48b4687120dc64e1794c568c4e074e41ae6f8dedeab61484e145dc0ca3bdb95482fd85492fddc26ab6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\en-GB.pak

Filesize
463KB

MD5
ceba44242f8b24b70c9b59b5094d8da8

SHA1
84e16c522ad397289a923e5cd4b012e2d323af4e

SHA256
b0fd61679565a7649c90214efecdf6e1231a8e7895dad93452bfa1425417d5b7

SHA512
31cd936157a7408a43dcba597f6e098499dd4c5fc011ef818ce93eb7a05c9d354229c3b2295dbc290a6d3f3600373f18f75b334ba9013a5dc0be44c82f2e51bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\en-US.pak

Filesize
467KB

MD5
d47cded365a28d27906414035c1cb3ca

SHA1
429123c86f6ca48a89bedc9a26027e01508e6db9

SHA256
46958caf9847e33a11593ad024d5a95cc696edcd4620cf07e7b2b78c72b9c00c

SHA512
1a16d784913fead116460c9ff42e21ae482865cfe2d6ed1b1296496e46a05e513f8d048fa4d245e7a82ef61de4c4130696d5b1c647c918995f6877a888bd0853

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\es-419.pak

Filesize
562KB

MD5
ae62374bc2e71d9abed6e0c1d4bfe309

SHA1
624a8210376e11814485fe90a8825bb6ca883188

SHA256
48bd8f17823ce0f0a6f1c9fda020d5b5655e2419634f92725ab263339d9a321a

SHA512
345794d617dd3aa200ca248566e9ba36dc846af9afe259545b5a61e787b1b52e112c7eb68bc025b0d2076790a4b77a82a724bc213fad9f0f38db6054332bfced

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\es.pak

Filesize
562KB

MD5
070cbd6f42db1cb9b6a2f74e03d6b124

SHA1
f8830e1c8a601123d85fd75188ed01833f910691

SHA256
91de93a4dc9c9276b9ee3ae498bdafaa55fd464c1f20fdaca84c4b79842327d4

SHA512
2ebee4e289eb2a19a97c86d1abdc1ad53c6a76b8c1dc28fc89cfde236c4abfbb823bf52573cc0848fd76ed9e0ab2d49def542837bc5c474ca1593fb5ed10a390

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\et.pak

Filesize
511KB

MD5
294c830b9e6667c8d5e7287cabd6a4b6

SHA1
52f44b97b71624bee6360301e8f6f34cfa428e72

SHA256
198674c98f10c36205161e382cc31560a4bf0de5f597a0c65f7f95777dc9bb24

SHA512
ade98fa9cc25148979f325660ed3f0f649a38709ea34b759796c4e202b3c30e76da3b8c17ecf2e1948db4a5be26af23c3a6e6b28f9445ceff68d251a5645db5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\fa.pak

Filesize
836KB

MD5
e5d53b9d5756871d684d018fb0c745b5

SHA1
b00a40704c91b33c2aa0f6829ae3dd886ba7177d

SHA256
8b93023af6428322b9b13aca5da9bd395a9c4775c72b758df8eb564d35d15cbd

SHA512
e722f114485cbbb5284d23f1ad1061213f40083c5da2ac9753e1416f75f7cee9d8315e6f4582322d992beb9a8cacefb607ee0b1737e3a6da775fc059a17c3fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\fi.pak

Filesize
521KB

MD5
925f45e80be419aa0125096ebb81a23f

SHA1
e73a32362952dc0aea997ee408da090f1886a438

SHA256
bf20054eb68d3d67d17d2a8c594d896c9c33fbbd562535d0c7e6cf6c940a8732

SHA512
8510e2e9749b4342eb8d79bbfb983c43293f7f37d138464c96053a79685c578a148dd54013d211b02115256f174f51a74ca9155883055801bbe146053de52eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\fil.pak

Filesize
590KB

MD5
a96f6f164897e62c984e9a61f6c3f7cb

SHA1
3ab2a714eb8e9b57e8a39792d152606ba0ef6a3a

SHA256
ff21df22f24c92a06f6bbda2c70b57e098d7bb6754988a5ada087aed9bc8b8af

SHA512
cd522884b66c940d64eb1377f9dd60143ae984fa7d144aa9d83b82a006b5da2ee9eabdcf046d362b2096d8a6b8486f36a10ac9f0642bb8cfb1e7903fda4c41f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\fr.pak

Filesize
608KB

MD5
fe0ea306a7b48ee2750af3a263d9f3d1

SHA1
877968909cfbbe499911b4d8b807a593c4be52c7

SHA256
955de4737419c06609227c63c2fbba7c8abf497fb976c99a4dc9f5d5105afbd1

SHA512
07978311caa9be82bd398100d1d8367c5ca840ffcc166b73aeea0bc7c86b53db13bf648decfb3f54a43b9d199e0d98fcd29fdfb291a703502369b025eccdf872

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\gu.pak

Filesize
1.2MB

MD5
cd212ed25482d2b5a246440b62c4fbbf

SHA1
197f3616dec4fb308e0ec5a17458ef8a2d027cd1

SHA256
0e8762ac08963088c33b74ee790df95370bbfc298bae8abfb87eb1307ef46d37

SHA512
207d3e9a6bfbd3eb19cf53a0a300eb0172ecb872496d627ac5b55b9ea11d52f24f01393893450fefaa3c42bb481129d54e552679f2f67a2af0e117d12464601d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\he.pak

Filesize
734KB

MD5
06e89cfa4c6f4bfb7aaead492c4f08f2

SHA1
39d943e0eb1637cd3f5a7b66ebcd28e76c89aaeb

SHA256
6b7937f16ae53457ac9a0c18fbac68b2076200b0fc98cb781415fdaf18c49301

SHA512
8b6d33657eda8a3f1d1bfd55135de88953d21916e72df646fec2b5f5b17e9e15849f428b0fd83143f375ada174aa953be8f07fa8ba90ca4d07dd1b859d034b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\hi.pak

Filesize
1.2MB

MD5
e3b31e519b925414176ef2d9546c356c

SHA1
7cebb1c5fd9c78f704bb9e5c463f67c5426d0171

SHA256
82fbb97e7d9634df3c806439e144cf8d153d840bad98f6e790726841a91acd13

SHA512
fc3e735f010776cbdaba1592e6f685a1fb4773ab5062f5ba9ed95d9bcab2f0ce9ab024ed95158263450fc58c3197b84e38883262a588d6d92c4e623c61b4d200

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\hr.pak

Filesize
567KB

MD5
92e6ef5db4c0191282ce2dd3645461ea

SHA1
045d3ed58a625516af741c9e2f85680fc1561ed4

SHA256
f8d6694f1c05ca259a31e0427ba7cef5b57f0c4b33493fda21003911a5da6f07

SHA512
08b09857f173ef2a3067d60120167223b4ec7414ff6117d206bb12213ce9563c8d7923fc0ce6e7df0ea5d8ae2b3ded2a23993ab43bc46bea3c08df1bf59e16ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\hu.pak

Filesize
611KB

MD5
40807c6b0eefd2a2f16cf0ac2c28ed53

SHA1
1b416b29e59ef41e1f18b168947e42b7fa969d2e

SHA256
533ae7e865898b61ecfdec68c581b3c4858f2c3ec1fe496ab02c61db0362d941

SHA512
487cf71df0f2e59ce1151c146651f567b624ac0e48f770a2f1da76b27933aa2bdc30990788e2dba4543a11b9e5d3da6f31badb26d7f3a5c87088c5b4e1bd7756

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\id.pak

Filesize
504KB

MD5
a20c777901a144622f8a5520583af79b

SHA1
3506f8e07ee301bb195eb185032ebdc7fd231272

SHA256
fd44af213520242ba41f4c9003ddeedc71f923cb37e25b14e595f3e652ae18dd

SHA512
6a53bc2f5d0e4660767d21070d19f0c407fe676b9e9cbdc20e6016e333b2ad33da225bfc2833a0c0724e1b6245ca6ee3cc0e782ac955d6aebac3dc468db79a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\it.pak

Filesize
554KB

MD5
acfd6f4b73b87455acb703e59303db33

SHA1
70eabbca61eb365191cd1256f3be40ea9223b2d5

SHA256
cae7bd535284f5f156c1466820aae2bcc0b0c0ba378ad0f04eef3a145deed9b9

SHA512
bfd52bc383f1f5a7d559968bdd779198c81286796564499174c3b5b9bbc7112f427e8316f78fb09ebc668c5cbf94c89c37e97abb00c9b87b5c5c108028fc549d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\ja.pak

Filesize
675KB

MD5
63cbeb056020b6ee8cfad26c7c6abb79

SHA1
99bf018555eec56aae4b19d10c85ac506f4164a7

SHA256
aad9e17b2170b76248d61a3bac9b1bebc44b94885403ec2cc21a31397bf029b4

SHA512
5aa4e764f06f0e8490dab89a8b3754cccdd41739b4654ac8e30de160cad335f681fa5dd7782482aaf66ff1d827ce0c34df85c23c334a35035a3a4e3d0f305343

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\kn.pak

Filesize
1.3MB

MD5
f4c1e83eabd580c0b4c63b2dc510ce6a

SHA1
fc1d9fed0f073504b022606e424e7cc9796648b2

SHA256
79fd72e764a1d8ad623892e563e174463f29d6ce61a2ae29af102d71da4b8e25

SHA512
927e6ff4c7d1c28c89afdf44c62643740a94b01e9f6e927e543834c833e1b4abf97de1489c6717f9054243c180474fc695a70c4ea8852d95c690f38c785705e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\ko.pak

Filesize
572KB

MD5
626e172ad9b55ba0a1e2802ce5e10d0d

SHA1
ecd855a47448609e8e9d7bdd80f92edd494ca77c

SHA256
7111342770c33aaaffdd6fd9ef15095a6d89e48d2468c19172c0eb9b6f26ebdf

SHA512
d42594259929e35b763e71cb7022d34a11bf75a4b9bb058e251cbbe8e80bccdfb284eed1c6367f98e3023134c24d50542c64673d80e29230fdd057de70a10d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\lt.pak

Filesize
615KB

MD5
b02bf54687716b5d5f18aee02411a980

SHA1
4cf766077382c49fb89d59d861de0f482f989798

SHA256
0b0e3fcb82ddca52f9eb1ff9e1ee224639ff81f1c0af6ded4e21944811babc0b

SHA512
aea879ac96a5719e8988011a7b82726bf51a24e170e260182146191f43914cd50991928d2283277d173ad650f7cfb1246fad9445260e9ca0769052079d431f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\lv.pak

Filesize
614KB

MD5
df9985ecfc958f343ab7e56e71149d71

SHA1
fc0d2c4a194d500a1f4cfafcd9102186016ba5a3

SHA256
7e17246e23ca2d0241d56d91b5d5e6bfb3ff4e08f1a3734f9d032b4191282fa2

SHA512
0dd65eed7a5bccee0ac5e2826f0cceed848dff0d0d41904e00d35cec9d96fc0b91a4eb54fbcf0bbba61f89848562a606f9f7aa827cb180abe7e97a2e77a29309

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\ml.pak

Filesize
1.4MB

MD5
265d7fbee9a021895d51209dc0181f90

SHA1
30e37013971bacd3ee93ad2fca01cb59a26d6a87

SHA256
682463d4a0221711e565ecf409893536d727650efd2ed0563c722cceab66b1ad

SHA512
028e1ad499b20ff7cda822b91f9b8d1cbb1efe108b7236d817b73a6f8e518b5f4a8ae77d653ae5c9d799842eaee3915250ef56f634f847fc5fc8a3b36eea176c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\mr.pak

Filesize
1.1MB

MD5
af7c7d72a968e1936f26a3c755157f6b

SHA1
2ec71950847f5fb4b85697b6acd05224c28bb092

SHA256
e5702b9578435abbbcc922f1d4ff8c5a345856926c2174c329e228987c3ac7d5

SHA512
d265eeee96adafc3ced76901c9263bc1cb349caf925a02d5deb010c02843fb653a17e1e8a4e942c9912f654316c4a7a1776e6a7eda56ab82ae9d4d077a58a929

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\ms.pak

Filesize
528KB

MD5
06f24bba6fa8e9a009b3062227d4c259

SHA1
f50b0da2a86a138d16022f5642d96ff1a3ce7568

SHA256
cdfcbd86ddf584621bb2966c2d43f18096f974edb795cac0d1db43a60f3bc24c

SHA512
02239741f103c8b63072abab475ac313cb48612cac36890b7946fd816028fcba9be7ecc17ba5b934016d8817c52855ef208bffe5191d0eed35aa5243527e2150

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\nb.pak

Filesize
512KB

MD5
cf18f58e8e4e37b2e5fa7ef8269a294f

SHA1
c60d6e84f5cfe4cadbf4efed9b5998307b20fb9f

SHA256
3f1ed8ff0207c678b6a0a98e82fefd6340e35b7d16689672dfa90d9ee63921c6

SHA512
8f336fc50943d693ee80475250d2dbfc1401c615da571115f2c02551959028125b91ea6ffe22171dd12241688703e1869402146ef4e85a46059fe022759da953

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\nl.pak

Filesize
530KB

MD5
d7048d029ab3ff807dff790113328574

SHA1
07872f608062aa482532edda0dd2e1de31669380

SHA256
0e9c114529b9ec20118bb96ffeea05d1a408e4eb621e3fc65f49353195d1af96

SHA512
050b0eacf5b4da024d1a2af54f3511c4671756b0dab3f961d8acee5d1695eb29fba7768246dd5b3bcc253136df97e49a305832c37943380dc337776cb1fb1549

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\pl.pak

Filesize
591KB

MD5
4003c253ef85ec0ff8a65204955994b0

SHA1
af3074fb622445f6429899cb33a33bbcc60e5e5a

SHA256
4db10dace60cc56b610a7f92caebf4e7e98ddcaf8dac4f5a87db8f750f51ef8e

SHA512
5624c8f6268c8a8dbf1a69a032ebb89e670685cb736a3cb42a65e2dca118a85e076818b58ba2e392991eff7921495167616107f402c841a8456b5b5888b70ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\pt-BR.pak

Filesize
555KB

MD5
0711b3f59ac95761899b013b3b242c93

SHA1
73fe7a4f60a6b92a966f1177c71bf85c6f95004f

SHA256
be445bfcd9429570e5006063b1c8299a41e762e8e0c2b63551bcf16cb6fb868b

SHA512
aad5ff84d1833db418a46961a5e3abd040e19e5a87bd6763039f8db7dda19c3cd9d7ea862585080636c2888ab1a50f2ba579cbc0ca0df8135537f1cc7543882b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\pt-PT.pak

Filesize
558KB

MD5
fbff8ba7e31acc6c26c0e4b7277cbbd0

SHA1
b9acdcbe2f0f429474acc4dd883d668cde9d3165

SHA256
477d6666bed083b27335a479c71279ad41a674f7b6a412ada1bba18be542ddc7

SHA512
ffdbb2773f18038f5d4cf145f3311feae25110ceb8efd9c895267f98acef7e901dd7d843f7c5291cd333fc81b80da301d0c92e5c0d6857da7e4eb68a5a0c540b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\ro.pak

Filesize
579KB

MD5
5d5a27c52ae905fd85f5d50cb793e7ca

SHA1
b858bba1ef66c4d3943be19a4bf8a508c23e6671

SHA256
9ff47f6890b3f543bc51015f263e791d8a3bc332098f8cd8199852fa131fa579

SHA512
f4754951ff0dd3f1ec2c0859a93422330145f9e4e3407bb7f95863c85227b96d3f8af449c0a051b60f333df3695eea5df70fd5f7fe4916e60eb6f7c4c21aa5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\ru.pak

Filesize
951KB

MD5
4ec91cdba9839e214ef7c008775e9e6e

SHA1
ea9f0f22ee1bca09ac38c01300cc91e2fc8aee51

SHA256
64f069a34be4966a9c28361e1c4914ce23bf96faa3bb5533fc3d233bfeac5cc1

SHA512
8c49ca910bfff175a4d88778ea34437a5acb0d52e349160f31091bd33d8ed76524950fe3e0f508c243ed76b289a550291ec68a7e0c1c426a64fbff0579c94d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\sk.pak

Filesize
598KB

MD5
b7d16d6702d4b4b5d3a9e4c3e0e13eb2

SHA1
6b2f1591ec51c4a7cf1435fbec7b5af94e0b5d4b

SHA256
e93580dffc1715edb37965c5787048e3e282d0477f277668ca7f49cfda7142c0

SHA512
a09950a9bb3f9814d946857e32901a9b6d73b4862a85f00b7f1f035ce0cab5af4ebf3aa003731ffa8ccea88d71866ec01d9ce578fc0b13b3cfdd3df332a0c40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\sl.pak

Filesize
574KB

MD5
48ead6e0160cbc6cbacb247cd3643110

SHA1
b39a91bb90f26c74dbc9fa28b257b705b54f2b81

SHA256
fc4cc46ff82cb8a41181e825a3d4e4508753fb68ff01a60486b7df4a4e11e89b

SHA512
c037d352d315805a18796a121e47c73d37d68e735c9334e11b393235ae75b803cbc03cf7cf8480683bc68c9b98fba9f5a7b045b650598e5d9367ab58a24e75f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\sr.pak

Filesize
883KB

MD5
5c811e0c9b775886bc11b46703cb67a0

SHA1
e9a777cc72263c7e7c4bfaa36e41b29e405a2a18

SHA256
4c524e149c02c37034ec92dd90f20f463413f2650ac9f32d52ef7260f9a34f1b

SHA512
d7db44fbfff3e3204b92aff44dc02c184344853d85fd79cd962bcad8efe85a13d1aaf9ed69a6e81fcc6e690afa4b1ba7cf1764225916f398c0f960d56e5bc57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\sv.pak

Filesize
516KB

MD5
b75471d16a5b4cfbb43ea86d3077e63a

SHA1
302958743c97218d13a72ade3a22e4181922531f

SHA256
ec0f43dae8e52169396f289dfeb5d49b7f9258bafb0ed3060dd652fa744e5264

SHA512
63556f738df1527ad96cca95f3e37934b054df83cfacd4e120745ceeb0536d4bc1919c66acff3e5253a62824c032ae7e8f9496df13b9ccb6fe00f67920a63cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\sw.pak

Filesize
543KB

MD5
912db9e797ea3e277f18e72173f26ad5

SHA1
a83461503becad16ea0d33fd5501603688a65ed5

SHA256
89d1245c645cc26d67ac0f556734ebeb99b436cf19edd3cb3b220e78a87796e0

SHA512
b5c334b528ba6d26dde9b4b1100c01bd1675cfcc7167a9bab4d9fb95584ae629e9567ab3a4729776fbee22ca927d42e04fa016cf3f9fe510edfdc340309110ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\ta.pak

Filesize
1.4MB

MD5
22949a4acb6639bc4fea591bde3f6cec

SHA1
672163723e294a5242e9654470e1efbb3e8aa0a4

SHA256
84776412fd7f2cff26713781be937bdb30352f9c7eb297ca811241e6cf4284d3

SHA512
5e3ee2d29eabfc4398b0f9784064eb03b3c3e13c59f4fb1b857c612727eebe1a4a1bcd76503b1356cf4b4d407431a643503d9068f61f1ed05041f3aad325262e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\te.pak

Filesize
1.3MB

MD5
f0a8ccf00882e83751fd666876c937bd

SHA1
6fd5045a20bdb912f61dd38f4d046b333bfb03c9

SHA256
65ce3f1fe059a8d8b67cd47485233c6ab3870cfbb313241fe0f24e948bb0f158

SHA512
8ea9f2215ac8354378aff1717ef6f1ba97ba8bcc1c660290d8a070c9a7cb9b0e1a87b8e37e68cd71d7bd429adba8b17c6cda68508b7389e42841fbe2f9c79528

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\th.pak

Filesize
1.1MB

MD5
77721a07831a7aef49934706398559cc

SHA1
240ac6e472ac7312f02b99a8d588813d3dfeb468

SHA256
e8cdabe4557192a6ad7040de396d807f96f50d6ef256dd04972211b9c898bc1d

SHA512
f73be17166c7a94c216d13d837146c3c72a5e205688479ce8199c8cf468eb1bf780f2569d42e908684f0059e6ded370428d9b123389ad2cf1553a0aecd1ef06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\tr.pak

Filesize
554KB

MD5
41bc209ee64f56f04836fca3e2de362d

SHA1
c019805b555d4c24c347112a583ac9f9bf2ef142

SHA256
71356710c485d7db228a866789ce9d253276725d94a4e4622e7b82037beb9825

SHA512
a65c4f9147c5796567e61b0661b4766c199f156541a252ec442fe5b5e3e1156c80e8fc7cfb6d9e55db4c5f60732b55cfa74a65e7dc46fbd5a4e5dfc8f3891add

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\uk.pak

Filesize
952KB

MD5
7e2cbb9d3591278a76dd08364d3dad4d

SHA1
a760a029070bfe57d4ef273b705650cef0a92f61

SHA256
38616b5f7f939a84d5205e758a8d3fed024a8e3fbcc8159c90666ce650ae1d30

SHA512
81e5ebada5990d79363e2583efdd3ccb19d8a10291cf6680d77d7c399816fe273a4fea5a7cb5e55e11f445df46a7ccad2942dc04f4fb8b6f66d2f2b151374de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\ur.pak

Filesize
830KB

MD5
157117641502b63c89110363dc7083b2

SHA1
fc86039a03b2e48fafc70e1cadc096fd46389af2

SHA256
fb7cd2f4beeceaf445f4d299a3db26cce49a7950a37e5a9b48fae7f5a8e09f99

SHA512
422d92c5f0b2b2f9f35dbb7c11cd1b463085201912948c61222bb4f43f8dfd777fce678f04371df53ab6d07ec14cfbc9e4b1b084a72a0f2aa80ca7a4728e6359

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\vi.pak

Filesize
657KB

MD5
e6db9a8c61dc84aff75efc00b486a8d1

SHA1
6d1f0329f9a44b64fa3474313c7bf207bfd78557

SHA256
8ff2d05730915c1b15a97a3915c03d83239c34771ed661ccac745fb308901f14

SHA512
89cf188b5d21528166353b29986f5afb9aad9a51a57864951f7945124b157e0129125caeed58c70568e38f7ba3a34a17d10056902b58ba48ee2e4e10a4649f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\zh-CN.pak

Filesize
473KB

MD5
5356bf9ddeb7ffad20e27ef092dac528

SHA1
3514ded7211ff71297c87275ef0805588da2d47d

SHA256
0b6f0a9ded5734b260c1c02d7c717305d139bded5ec7ea80de40b641f13bfe0a

SHA512
887be5ed95b40d73e0f61f4b3e85f8a77d4bf4a222197b9d1c60711ae8481efbf9c183ba902dcbf437fdf70381bd232fe9c27cf0ce87c0f45b283b75b6d19962

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\locales\zh-TW.pak

Filesize
468KB

MD5
9c51b828271263d574382077abd2e2f3

SHA1
4de07caed06477855e4f4bba1d0d1178c5757171

SHA256
21550464b12c7f9b23380acf7ca2b42c1b578581613c342196da95908f14c8af

SHA512
0e6921dbc4be8d5d98bf80e9b0f8c7fc31cb4e7553ca76b9c697a3f1428f855e59ee0dee99903a5215dddee9375532226af81128f066656d98db28a8d9738604

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources.pak

Filesize
5.4MB

MD5
7398d5aee46689f03c278c8954f68f2b

SHA1
62e10057cfb2dc53c62d088d4fde3252d1216d86

SHA256
9590361aa74c43818881e622f2e3b7992c978397f7ac269f37accb435b134fc8

SHA512
1d6ae4cadd302fd683be66016cc4aa092bfe9689b81e1a764512327983f558a7ad9a10aadb7f8e13b73949d648d0e14ea0eb7c2de2420353a46e44c6b647c652

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar

Filesize
8.2MB

MD5
018fa0b0ae760c79c0da177139e53b35

SHA1
201b06e8172ff19179dd1806403b3327a508f3bf

SHA256
ef2de7e220b02abe074d1a165565feb5371589ad97aa4e07038c5cc45fe2f8ba

SHA512
1240459bb5f02862d9f3d0bffde291dfe4baf9e6fdcc6cfaf9c6189fabf520a6d9fa34d1605b12cc218f5c6fc55abef0401e7365eaf46d1619705f3673474688

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi\LICENSE

Filesize
1KB

MD5
7bd114b023fa6209fb7b02150a202ccc

SHA1
4451515f9d7b16ce8983abb4e85609fe4162c4d4

SHA256
455dda47a3fc2f58ab06d8e526f490ec43d0fc23a5ea80dd0942644397316d9b

SHA512
87ee4dc1da13937055eade250f1f8a357f549c709b9659258c137009060080aca5cfd979890a7b2d662083f4c646cce9af6e20774b58541af9e712fb5f4f1c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi\dist\index.js

Filesize
412B

MD5
0b33e83d33b01a51625a0fdcbef42ce3

SHA1
1c29d999ff7da39426b97f2eb31a3d83db8f5fc7

SHA256
a7ff0225cb5ebcbef8499c6c8ac2be924f584eb375dacb1d8bd3dc6540b510f2

SHA512
1d04caf4fc2e876bdf2a089ae938a41fe4d3f2928aa846709bafd2de236fa8c754fcc84d7e8a5f5734bc1cecc04b395ab9d2114945b35e8c85cd3b9ee8f9799c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi\package.json

Filesize
934B

MD5
83a6b767cd4ade2116654eb0a90fec3c

SHA1
07a0f29ddb1c8a48947ee05bb4d6ec3d2abe1df9

SHA256
59f4704391d2247b2a8d029d7338566d47d2ff0cd7477c49343efe93475f7a12

SHA512
404ed15686b7d611ba8aeac12e706af75a876502c51e40e48a598d05a9ac89f88902b2830a5c679f9bb7931f5c33bb10da3a32753fdb8c71a9d7b4346a1be8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi\prebuilds\win32-x64\node.napi.node

Filesize
137KB

MD5
04bfbfec8db966420fe4c7b85ebb506a

SHA1
939bb742a354a92e1dcd3661a62d69e48030a335

SHA256
da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

SHA512
4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi\src\dpapi_addon.h

Filesize
206B

MD5
ea1e5899ec0210d7de4ce325d1d94022

SHA1
464da48d40547cb08a67a1ed38cb0ae8369f2f42

SHA256
18280b1135123aff82fbf4188a5aadfc9a5d6fffad9309f72f347f380f2da550

SHA512
6dae672ea822a7dc5e42914def21c019c0fa8aeaf1c27c155b78312d8a33a63ae9a1910dd32b72760578671780b8c37b91ff5e1f6588f08c7fbaaff80d8fb6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi\src\dpapi_not_supported.cpp

Filesize
327B

MD5
c510e65ebcb2fa7c00712e770ec8c692

SHA1
ca1ea3c8340dcf69f344d5eaa884631eef37472b

SHA256
7c03cec11c438b6d2512239477d9f1b45d6e16763122a3a36458ab339f50d3c4

SHA512
b0b312426b4409c80b45a0f3337069be9870e050dc8b55184fb2bc63532c247089c8d35cbd1f12f0bd2bd38d581566faa74a6469b548a1ad7d837285ad37c178

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi\src\dpapi_win.cpp

Filesize
2KB

MD5
4a55597a2c7466278439452bb708b822

SHA1
eaadcda8f410f2dd1fd9522fd7a2221624dd1713

SHA256
da37b02fb0babb651244479ea019d229fff1c41ecde74bc06335b5e603d9b30e

SHA512
b20efe8026de41dd8c13c6f844455cacc13fa80bc3dd41fef422fb178054a7c8d6f14af8b1d6928e52648ab95a793aee1f996dc2aceead3aa8d317a99aad23bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi\src\main.cpp

Filesize
698B

MD5
88934cc736b505ada3d07afe22083568

SHA1
6d1d112f4e7fc943dc5c9ce5ad2f32154aeb2f3a

SHA256
1ada21451bab629832372d519e366bfb08c80facfefe5a40c76a4f10a697c905

SHA512
9f45386cba32d13a50360916b0c2f240e43cba5983a86ad80f85c75cd8e6ac2c6b931992842a736e84e234b91fc46a7a66824a3a2748f474cf1bbd22ec138a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\LICENSE

Filesize
1KB

MD5
79558839a9db3e807e4ae6f8cd100c1c

SHA1
ae3dbcee04c86fbc589fcf2547d4aaaeb41db3c2

SHA256
7686f81e580cd6774f609a2d8a41b2cebdf79bc30e6b46c3efff5a656158981c

SHA512
b42c93f2b097afa6e09d79ed045b4dd293df2c29d91dda5dda04084d3329b721a6aa92a6ad6714564386a7928e9af9195ac310deecd37a93bb04b6a6f744be46

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\common-sqlite.gypi

Filesize
1KB

MD5
92c4c5168a6a883f2a69ea4a1a37b7b5

SHA1
6dedc03d603631c1f70c626f5ef9d8ee6f342efa

SHA256
7b557c097c162c9ba04985ab822f92a176bf848c34ca38e54f061057ad0d8bd0

SHA512
904e605fe5bf1134031edcadc91ed55bf72d7fb1c862f99f25a672d29fdb34af22d4114cae389a853d703bc35bfc2c8429f86608fed5eec897c115ac3dea8de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js

Filesize
224B

MD5
f0a82a6a6043bf87899114337c67df6c

SHA1
a906c146eb0a359742ff85c1d96a095bd0dd95fd

SHA256
5be353d29c0fabea29cfd34448c196da9506009c0b20fde55e01d4191941dd74

SHA512
d26879f890226808d9bd2644c5ca85cc339760e86b330212505706e5749464fafad1cb5f018c59a8f034d68d327cd3fa5234ceac0677de1ac9ae09039f574240

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\sqlite-autoconf-3410100.tar.gz

Filesize
3.0MB

MD5
c6d5034cf39232299ccfdf8e3ddc5781

SHA1
e77599a2df4c5b114c942ddba4483550d8982bf2

SHA256
4dadfbeab9f8e16c695d4fbbc51c16b2f77fb97ff4c1c3d139919dfc038c9e33

SHA512
6e6dafc35b8b11df3cd3bea48aaf84a102893242cffbe18eb7b111791563095111a2a8a5632636b8f46523d98d16e2b48dab79ee6707a141b22c2e6fde3002a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\sqlite3.gyp

Filesize
2KB

MD5
0e4d1d898d697ec33a9ad8a27f0483bf

SHA1
1505f707a17f35723cd268744c189d8df47bb3a3

SHA256
8793f62b1133892ba376d18a15f552ef12b1e016f7e5df32ffb7279b760c11bd

SHA512
c530aba70e5555a27d547562d8b826b186540068af9b4ccd01483ec39f083a991ac11d0cc66f40acaa8b03d774080f227ee705a38995f356a14abe6e5f97b545

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.node

Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\sqlite3-binding.js

Filesize
241B

MD5
ff6a0462767c6bf185a566f4aef65ba5

SHA1
7a3c3ee6748d00fac6e51e366518bb48a41794bb

SHA256
049b7b1b10417274be6c3e6a9518ac364729354435298d70abf834c35e8f3bf3

SHA512
088d706f5a18323128547b0f126564fb7fa7a36dc8365ee8287663b2cb63da2d02a991bc5cda19af24da2aa063357c25f21347835f9a8aaef341b33bd21127df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\sqlite3.js

Filesize
6KB

MD5
275019a4199a84cfd18abd0f1ae497aa

SHA1
8601683f9b6206e525e4a087a7cca40d07828fd8

SHA256
8d6b400ae7f69a80d0cdd37a968d7b9a913661fa53475e5b8de49dda21684973

SHA512
6422249ccd710973f15d1242a8156d98fa8bdea820012df669e5363c50c5d8492d21ffefcdfa05b46c3c18033dde30f03349e880a4943feda8d1ee3c00f952b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\trace.js

Filesize
1KB

MD5
e5c2de3c74bc66d4906bb34591859a5f

SHA1
37ec527d9798d43898108080506126b4146334e7

SHA256
d06caec6136120c6fb7ee3681b1ca949e8b634e747ea8d3080c90f35aeb7728f

SHA512
e250e53dae618929cbf3cb2f1084a105d3a78bdfb6bb29e290f63a1fd5fbb5b2fab934ad16bc285e245d749a90c84bdc72fdc1a77af912b7356c18b0b197fbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\package.json

Filesize
1KB

MD5
f9560f0fb25f1dc014682359373146c4

SHA1
b19c6321292cc63d26a18bef5d80787c5e57e746

SHA256
b145c00c63dde4da0eb3736b0d25fe79fa252a02daa9c3fdbb2d3a5783e98cf6

SHA512
dd51dcca43554f27b2718f87661cdfc86e6a51b36c15574870d793fa358f76816423c0ebcef34dd9a7fd7ce42e6be18f834100a327cdb3e6eb8dbd9d65792262

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\async.h

Filesize
1KB

MD5
7fcbaffdc03bb5164fbb27f8552dcf5d

SHA1
590e3430c1dfa30f241d56ea01f364d5b9e7e991

SHA256
b6e86bf43d74c8ee2c2f57eb1947be6ce5d8c258c4866609571ed6c97b58b53c

SHA512
e44d4850651e0e070d3f686db3d3797632121e32dc65b869739c0b45cfa13c055fc42d650f04c41915264b8772fcfeb2a38148b9fbe21a001af5a455854336b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\backup.h

Filesize
6KB

MD5
283f3987e0e65dca1b029bdbb625ccc2

SHA1
285d7995459c11a47e13834ae3ec0167eacf7d01

SHA256
d3956cdbb650e1ecff8c94fe4e8645f80e10088156d409703c19f186a9c41aa8

SHA512
ff5c21bd53bf75b33a5430d1abdc8a8649af1535ec02aa5fceb91ed1189e44f0818e25556946d3ad8032b077fa30e73503464aff219b42cbace1ea3f97acb605

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\database.h

Filesize
5KB

MD5
f023c6c0baf0411cb6eef0a7b2baad13

SHA1
748b78bf3ed5adc11e83f705033d8338d7eef2b5

SHA256
8c5bcd084dddab2f2994b6cddc9b69a8f78a1034588b765e7bd859f27868fe43

SHA512
08648cb37c0284799bb98fa2eb1abb508c8b992b43425203839e1e7f4092b7d2d7c83f6419417281ae278d3d61ade0b65959cf12f0c449a9688ee97749593dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\gcc-preinclude.h

Filesize
861B

MD5
55a9165c6720727b6ec6cb815b026deb

SHA1
e737e117bdefa5838834f342d2c51e8009011008

SHA256
9d4264bb1dcbef8d927bb3a1809a01b0b89d726c217cee99ea9ccfdc7d456b6f

SHA512
79ed80377bfb576f695f271ed5200bb975f2546110267d264f0ab917f56c26abf6d3385878285fe3e378b254af99b59bdb8bbcab7427788c90a0460eb2ee5b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\macros.h

Filesize
11KB

MD5
592ca8ac280135c059c9ed651ac738c3

SHA1
ac8e8b5e835ea2810a443df2a57f3bdc3c60b2c6

SHA256
8d1afb5d27eab8302de08aca87eb6edc1b99ae963a854d3bd652a4fc61cbe3c6

SHA512
b4e317200e3cab4dfac93e684150d21f7dd89a656f8a9f576b9cfb22090e8db6c458008a4a1406121fabdac034cfb80200a740d0caf6ec63fbf71ad2fde41029

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\statement.h

Filesize
6KB

MD5
13d7bf3557e57ef3036bad68cfa8faae

SHA1
94c1af952f38e9f1ad2d722ec3a063fbe666e66b

SHA256
2c99d9cef21876db64b610dd9baba8de1f7c94028d6d1c463eb3db213745b3bf

SHA512
63e4543833d602b0c6ad9c21438e61782c252a5e30b776a9c942e1ecc34c1a7c471a39195caa20aefb072add66c83d99af902d620857d18ddad196f4f207a161

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\threading.h

Filesize
388B

MD5
f2a075d3101c2bf109d94f8c65b4ecb5

SHA1
d48294aec0b7aeb03cf5d56a9912e704b9e90bf6

SHA256
e0ab4f798bccb877548b0ab0f3d98c051b36cde240fdf424c70ace7daf0ffd36

SHA512
d95b5fda6cb93874fe577439f7bd16b10eae37b70c45ae2bd914790c1e3ba70dfb6bda7be79d196f2c40837d98f1005c3ed209cab9ba346ada9ce2ed62a87f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\resources\elevate.exe

Filesize
105KB

MD5
792b92c8ad13c46f27c7ced0810694df

SHA1
d8d449b92de20a57df722df46435ba4553ecc802

SHA256
9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

SHA512
6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\snapshot_blob.bin

Filesize
306KB

MD5
0406a232eb55e516dc38b4967671846a

SHA1
aade7c03b1ecc81027c98a79285687bc19276fc5

SHA256
4f944691b7066ef5653cfbf6b016488f6e5f0afd2d6bc03b90de5485514f83f5

SHA512
c608095510f88348e1e412ef573e4aeb4a7d328dec2892bada688a06baa023fcea1cc0dfbba6f6c41de303f3b6d5e1c4335a2610f3ec47a690e4f309f8782359

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\v8_context_snapshot.bin

Filesize
650KB

MD5
3eef488e8b9d35f710634c4d404c7e1a

SHA1
971c730ccfba2db0fee379683f4e310df5c9f1df

SHA256
3a189b50da4b31b5af6cdfdb6398fa039ccac9e13898e4851b27c4d91f4dff6c

SHA512
f787b7633edf75905674c467f7c291a2b3791a8475b11e1d4fb1769ebe872c6b70d778124c22a55b96efe2ac443c82750371421ac9fe8f2cc8bb47ce0e3648d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\vk_swiftshader.dll

Filesize
5.2MB

MD5
abd993f23ed3c75fb80320a10451dd66

SHA1
95b13400418512870a37a4e59ecc7dd9c467df2b

SHA256
52c64e3bd5f852f7c2628bca773bb5a270ad40f5e31bcf8429323cb9fd1bd4da

SHA512
fe98cabf2e3500d52b09f9869f3ceab6c7ed8fefb7fba56eb62a5319053ea997881112abf139f2e642210eb4b61d5a726b8dc41d4565b81faaeb5d64a00e6267

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\7z-out\vulkan-1.dll

Filesize
874KB

MD5
0b95f0a5905c4075a3fbef0ddb71e915

SHA1
72a4536da15d5d9e1617331d8e4a5c5a579c75b3

SHA256
03b808d8045ebefebf2e2847be039358f7ec1db63e1c601847b8cd304c3db448

SHA512
9e57eeaafdaf0b5516822d1ca7ef1995442a03677f856828d49ccc01ab8492245d8659eec7675822fc8610ba250e49a6f3c8569aad2a324cec83e0d6b5201187

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\SpiderBanner.dll

Filesize
9KB

MD5
4287dbf2ad9e000d8653137470528fb7

SHA1
d488ea09a1c35f9d773195b3cbdbb20e4878c0a4

SHA256
35a523fe649201442c9fa00d875cf9acf8ced7c11347726cc0c6df5b0eda9f95

SHA512
e5dafa93600e9c1e994b4e0131b841b2e14f76d874875926f90f1f1c2cfd9e2caa374a1f584594f41e4feb0c06e93115e9fa23237dbc31d3e1c208ad8d0cf58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\StdUtils.dll

Filesize
93KB

MD5
21d805663834f61cb443545b8883faf2

SHA1
b222c5ca1e4cb8a7bff7eb7b78d46b8d99bf71e1

SHA256
c18b46a68436d164c964ba9b208e5c27ccc50e6a5a2db115e8fb086663b5308f

SHA512
37836150ef2837f69b82399024d0b93dbdac992971c7fe7b50959107c0520f5874d45f4230f08554514e3bd6a76d6e35c55c8afd53f993aba18f77475ef02001

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\WinShell.dll

Filesize
3KB

MD5
5c6b12fefc626a0594f4412b5be04b22

SHA1
b7e8af03e3f264fa066224687547de7e62318db3

SHA256
83d8c52c47d81dd019c8986deb1108166518248ed0d0c691906f8cf9de57a672

SHA512
b4306c41b1f60e9aaaf55867340dbb3648c792b48cee770202f9274e7fa94c144e1b619ece631f769e9bc3d6a2e96181bcf43bdaa5f19a68beef4996c3211b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\nsExec.dll

Filesize
6KB

MD5
50ba20cad29399e2db9fa75a1324bd1d

SHA1
3850634bb15a112623222972ef554c8d1eca16f4

SHA256
e7b145abc7c519e6bd91dc06b7b83d1e73735ac1ac37d30a7889840a6eed38fc

SHA512
893e053fcb0a2d3742e2b13b869941a3a485b2bda3a92567f84190cb1be170b67d20cc71c6a2cb92f4202140c8afd9c40a358496947d709e0c4b68d43a368754

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF9AB.tmp\nsis7z.dll

Filesize
436KB

MD5
d7778720208a94e2049972fb7a1e0637

SHA1
080d607b10f93c839ec3f07faec3548bb78ac4dc

SHA256
98f425f30e42e85f57e039356e30d929e878fdb551e67abfb9f71c31eeb5d44e

SHA512
98493ea271738ed6ba3a02de774deef267bfa3c16f3736f1a1a3856b9fecc07f0ea8670827e7eb4ed05c907e96425a0c762e7010cb55a09302ca3cfb3fe44b2b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/3088-2956-0x000001B8F8300000-0x000001B8F8301000-memory.dmp

Filesize
4KB

Download
memory/3088-2962-0x000001B8F8300000-0x000001B8F8301000-memory.dmp

Filesize
4KB

Download
memory/3088-2963-0x000001B8F8300000-0x000001B8F8301000-memory.dmp

Filesize
4KB

Download
memory/3088-2964-0x000001B8F8300000-0x000001B8F8301000-memory.dmp

Filesize
4KB

Download
memory/3088-2965-0x000001B8F8300000-0x000001B8F8301000-memory.dmp

Filesize
4KB

Download
memory/3088-2966-0x000001B8F8300000-0x000001B8F8301000-memory.dmp

Filesize
4KB

Download
memory/3088-2967-0x000001B8F8300000-0x000001B8F8301000-memory.dmp

Filesize
4KB

Download
memory/3088-2968-0x000001B8F8300000-0x000001B8F8301000-memory.dmp

Filesize
4KB

Download
memory/3088-2957-0x000001B8F8300000-0x000001B8F8301000-memory.dmp

Filesize
4KB

Download
memory/3088-2958-0x000001B8F8300000-0x000001B8F8301000-memory.dmp

Filesize
4KB

Download
memory/4964-1281-0x000001A6494A0000-0x000001A6494C4000-memory.dmp

Filesize
144KB

Download
memory/4964-1280-0x000001A6494A0000-0x000001A6494CA000-memory.dmp

Filesize
168KB

Download
memory/4964-1279-0x000001A630FD0000-0x000001A630FF2000-memory.dmp

Filesize
136KB

Download