a24b94f0c8155ac398004b57736f7eb75f7090af292f575c0fcd84ce6feed127

Analysis

max time kernel
93s
max time network
82s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
18-09-2022 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Spells_and_Secrets.exe
Size

58.7MB
MD5

b18fba589ca46253ae0ed8d0347a971b
SHA1

2ada894dd03e1ed845a9325ac56f64b880b4baef
SHA256

a24b94f0c8155ac398004b57736f7eb75f7090af292f575c0fcd84ce6feed127
SHA512

1baf53f830fa9cdc9b13106d83616c44418dfc36c99437ac16b87d2a0fba5a5d2fb9c77f090edab9cd45fb67b63995a4b8e30042ef34408d9c7e8fe4da9d303c
SSDEEP

1572864:k4/4rzOchPVfrTRR4BPmz6CXRWLUhAgur5eAeMBJ7:vkqcdSB+z6sWAKrMA37

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3408	Installer.exe
3616	Installer.exe
3824	Installer.exe

Loads dropped DLL 13 IoCs

pid	Process
4700	Spells_and_Secrets.exe
4700	Spells_and_Secrets.exe
4700	Spells_and_Secrets.exe
3408	Installer.exe
3408	Installer.exe
3408	Installer.exe
3616	Installer.exe
3616	Installer.exe
3616	Installer.exe
3616	Installer.exe
3616	Installer.exe
3616	Installer.exe
3824	Installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
3824	Installer.exe
3824	Installer.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4700	Spells_and_Secrets.exe
Token: SeDebugPrivilege	5104	taskmgr.exe
Token: SeSystemProfilePrivilege	5104	taskmgr.exe
Token: SeCreateGlobalPrivilege	5104	taskmgr.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe
Token: SeShutdownPrivilege	3408	Installer.exe
Token: SeCreatePagefilePrivilege	3408	Installer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe
5104	taskmgr.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 3408	4700	Spells_and_Secrets.exe	68
PID 4700 wrote to memory of 3408	4700	Spells_and_Secrets.exe	68
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3616	3408	Installer.exe	70
PID 3408 wrote to memory of 3824	3408	Installer.exe	71
PID 3408 wrote to memory of 3824	3408	Installer.exe	71

C:\Users\Admin\AppData\Local\Temp\Spells_and_Secrets.exe
"C:\Users\Admin\AppData\Local\Temp\Spells_and_Secrets.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\Installer.exe
  C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\Installer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\Installer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\installer" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1380 --field-trial-handle=1608,158095455417877291,8100649569250356810,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3616
- - C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\Installer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\installer" --mojo-platform-channel-handle=1992 --field-trial-handle=1608,158095455417877291,8100649569250356810,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:3824

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\D3DCompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\Installer.exe

Filesize
139.5MB

MD5
338e55d0bc18c1f661a0a4b710f043e4

SHA1
4299e9acbcf0d087d8f1ab3ae77fe3d20af82f6b

SHA256
9813fe7c1224ea50797b78901a9c8e2c125080f0f2c44b543c7ae9881c689695

SHA512
233742a979fbb6454b01c649b8e5fc6a6589bda7b266b5477401ba4ce1faaa0125a787b83f1655c6a3a669c111c57c0937284e0e06a236dbfbd12dc02caca5a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\Installer.exe

Filesize
139.5MB

MD5
338e55d0bc18c1f661a0a4b710f043e4

SHA1
4299e9acbcf0d087d8f1ab3ae77fe3d20af82f6b

SHA256
9813fe7c1224ea50797b78901a9c8e2c125080f0f2c44b543c7ae9881c689695

SHA512
233742a979fbb6454b01c649b8e5fc6a6589bda7b266b5477401ba4ce1faaa0125a787b83f1655c6a3a669c111c57c0937284e0e06a236dbfbd12dc02caca5a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\Installer.exe

Filesize
139.5MB

MD5
338e55d0bc18c1f661a0a4b710f043e4

SHA1
4299e9acbcf0d087d8f1ab3ae77fe3d20af82f6b

SHA256
9813fe7c1224ea50797b78901a9c8e2c125080f0f2c44b543c7ae9881c689695

SHA512
233742a979fbb6454b01c649b8e5fc6a6589bda7b266b5477401ba4ce1faaa0125a787b83f1655c6a3a669c111c57c0937284e0e06a236dbfbd12dc02caca5a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\chrome_100_percent.pak

Filesize
138KB

MD5
9c1b859b611600201ccf898f1eff2476

SHA1
87d5d9a5fcc2496b48bb084fdf04331823dd1699

SHA256
53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b

SHA512
1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\chrome_200_percent.pak

Filesize
202KB

MD5
b51a78961b1dbb156343e6e024093d41

SHA1
51298bfe945a9645311169fc5bb64a2a1f20bc38

SHA256
4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9

SHA512
23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\ffmpeg.dll

Filesize
2.6MB

MD5
c3842fb3087cdcdb04020ac38683c289

SHA1
329dbcd4a1c79b891b200f11eb50194b85c493bc

SHA256
e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133

SHA512
069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\icudtl.dat

Filesize
9.8MB

MD5
599c39d9adb88686c4585b15fb745c0e

SHA1
2215eb6299aa18e87db21f686b08695a5199f4e2

SHA256
c5f82843420fa9d144e006b48d59ba7ef95f7e6cb1ea95b27fcdd2c97f850859

SHA512
16194186a8407b29f799d4b02f5674e4fbd5d91163fad9f8dce6ceedd865b754a681aa960d0f3f1b62cb21d5443879f1b8e9b691c19c5802d5bdfe4ed645b8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\libegl.dll

Filesize
437KB

MD5
8352fd22f09b873193cabc2932be92f0

SHA1
5bd2b58854b279f1733c5f54ea2669ee8a888d9e

SHA256
14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c

SHA512
7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\libglesv2.dll

Filesize
6.7MB

MD5
b6a433dc7b4030fb17bd1683a9606b6e

SHA1
0602c50532e3f13facc67bd95a048c470e88afcc

SHA256
f7ae57a1d7d3e284714ca354f5292aa9b75086489cbfba8b1f54548445b6b3e9

SHA512
b9ba2e20ec878e3acae93d8254e69374e391fd4a3d5c1833282c43896d123baa874f1088839f3bbcf05539eda0e2aeaef28d7742ab8e20ec788382501e2152b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\locales\en-US.pak

Filesize
100KB

MD5
0bb857860d8c9ab6d617cea5a5bd4d00

SHA1
351b744d95846bff2ce5f542fec2e87439aa0f8b

SHA256
5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816

SHA512
33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\resources.pak

Filesize
4.8MB

MD5
bdfa339e708ea0f23ed3620adc4a2d64

SHA1
82a95b7b022836b6e888f53e69386570c05a1af2

SHA256
b66ae9eda4543685974d35d051d967538bc57d55c2577629007c534ff330e1e4

SHA512
ba87c70e1b6446e0a7b62da33d72a36ff92ee54fda64343262bc26afa8166174e76d058ec6d707cdebf2611858b3b4b7e21798febec53da02febd81ade4ce8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\resources\app.asar

Filesize
10.8MB

MD5
50a4e1d235114111b693b11ff0c0a667

SHA1
6359e0fe7c667ff34555bad5f4dc9341faa4a39a

SHA256
5e9033f4ee0eeb9ac9aa8c99faccc1d9dc57de0a43a5bec9353105a77ad71e24

SHA512
b3d1ef6bd334939583eded901562fcab0545eac8662b1b4de9f240b5cbfa679aff492b99901898640ee6c97179168d7a38ddba43272f96a3b4194872be9fbab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\v8_context_snapshot.bin

Filesize
656KB

MD5
47014c0f81bad6d216c617c9c63bf040

SHA1
7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf

SHA256
e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178

SHA512
052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\vk_swiftshader.dll

Filesize
4.4MB

MD5
de2d91476e625278c30a5f69a1892e05

SHA1
4d707f6a801611fb437f5c1cba31b0909bf41506

SHA256
02c7f0b926c64f5a19a9aacd5f94ee00be4d576486592e18acc80c0a027b05ba

SHA512
d027407539346e5aedd527f5f71de45bace6295e96a7fbefbf273c930d64a791e488e4bdf6ef8db61fc19c80cac52a6e398c2973499c6fedb1e422c3ba71f532

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\vulkan-1.dll

Filesize
819KB

MD5
b91586bd80e057a7f62bdc4422744812

SHA1
a1df644421ece2e740e5bf0ed98b4f269fd85c39

SHA256
8ba72d98e0f78b77bda7816cd7232809d287310d34e0f1d7472b9d5fda2c6d02

SHA512
94f0a8e3e75e4803891c0fcb257052dbe0e7399772fc7a46ab802629f76ee580ed30b3678fa6bc3744c12cf9f3103bbc8276e88f6711278748148e9fbeef2053

Download Submit
\??\c:\users\admin\appdata\local\temp\2eurmtgowjxhw8crnsmzhw0obpv\installer.exe

Filesize
139.5MB

MD5
338e55d0bc18c1f661a0a4b710f043e4

SHA1
4299e9acbcf0d087d8f1ab3ae77fe3d20af82f6b

SHA256
9813fe7c1224ea50797b78901a9c8e2c125080f0f2c44b543c7ae9881c689695

SHA512
233742a979fbb6454b01c649b8e5fc6a6589bda7b266b5477401ba4ce1faaa0125a787b83f1655c6a3a669c111c57c0937284e0e06a236dbfbd12dc02caca5a0

Download Submit
\Users\Admin\AppData\Local\Temp\24ffb389-fa77-40ef-9db7-30010121dc60.tmp.node

Filesize
142KB

MD5
aae5135ee0ea273e2347ba302dcc4ec6

SHA1
479ca070cef7f81da6e087aa0543a7eb6e99916a

SHA256
e9ce94dc52d888830ec525af346ea78af3c4445f4f961742ef593cdd703ea682

SHA512
b3160311b6624c71173978d7af9cc84b9ba27a49f448dc183ec52a1781ce9ad99e2ebcd3acba45f6189b7d9d5f8ed0e1f0ed1a51ae37f78020726faa824365b1

Download Submit
\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\d3dcompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\ffmpeg.dll

Filesize
2.6MB

MD5
c3842fb3087cdcdb04020ac38683c289

SHA1
329dbcd4a1c79b891b200f11eb50194b85c493bc

SHA256
e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133

SHA512
069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

Download Submit
\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\ffmpeg.dll

Filesize
2.6MB

MD5
c3842fb3087cdcdb04020ac38683c289

SHA1
329dbcd4a1c79b891b200f11eb50194b85c493bc

SHA256
e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133

SHA512
069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

Download Submit
\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\ffmpeg.dll

Filesize
2.6MB

MD5
c3842fb3087cdcdb04020ac38683c289

SHA1
329dbcd4a1c79b891b200f11eb50194b85c493bc

SHA256
e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133

SHA512
069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

Download Submit
\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\libEGL.dll

Filesize
437KB

MD5
8352fd22f09b873193cabc2932be92f0

SHA1
5bd2b58854b279f1733c5f54ea2669ee8a888d9e

SHA256
14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c

SHA512
7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

Download Submit
\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\libGLESv2.dll

Filesize
6.7MB

MD5
b6a433dc7b4030fb17bd1683a9606b6e

SHA1
0602c50532e3f13facc67bd95a048c470e88afcc

SHA256
f7ae57a1d7d3e284714ca354f5292aa9b75086489cbfba8b1f54548445b6b3e9

SHA512
b9ba2e20ec878e3acae93d8254e69374e391fd4a3d5c1833282c43896d123baa874f1088839f3bbcf05539eda0e2aeaef28d7742ab8e20ec788382501e2152b1

Download Submit
\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\vk_swiftshader.dll

Filesize
4.4MB

MD5
de2d91476e625278c30a5f69a1892e05

SHA1
4d707f6a801611fb437f5c1cba31b0909bf41506

SHA256
02c7f0b926c64f5a19a9aacd5f94ee00be4d576486592e18acc80c0a027b05ba

SHA512
d027407539346e5aedd527f5f71de45bace6295e96a7fbefbf273c930d64a791e488e4bdf6ef8db61fc19c80cac52a6e398c2973499c6fedb1e422c3ba71f532

Download Submit
\Users\Admin\AppData\Local\Temp\2EurMtgOwjxhW8CrnSmZHw0obpV\vulkan-1.dll

Filesize
819KB

MD5
b91586bd80e057a7f62bdc4422744812

SHA1
a1df644421ece2e740e5bf0ed98b4f269fd85c39

SHA256
8ba72d98e0f78b77bda7816cd7232809d287310d34e0f1d7472b9d5fda2c6d02

SHA512
94f0a8e3e75e4803891c0fcb257052dbe0e7399772fc7a46ab802629f76ee580ed30b3678fa6bc3744c12cf9f3103bbc8276e88f6711278748148e9fbeef2053

Download Submit
\Users\Admin\AppData\Local\Temp\e5d741e7-256c-4a6c-bf0d-91cb2f9355a7.tmp.node

Filesize
1.6MB

MD5
d5d477af6910a4856d5457b8e667f84b

SHA1
80e99d5b15c1c65ffa7e44c52c14056691ee3295

SHA256
152ddddf0ebc8fd9fdd0143778b6765e49678532a2b1e33e66adc235fa88b7a7

SHA512
435bc0f5b6af33549e59b5c50c43bd62ef5faf6acad85ad9d79f5ee80c82fed86f45391f20a35c0114d92aa80cc8c68aef0420501f4d5f5e2eed701c830013f2

Download Submit
\Users\Admin\AppData\Local\Temp\nsf6E60.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nsf6E60.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsf6E60.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/4700-137-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-144-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-158-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-155-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-153-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-151-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-149-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-147-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-133-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-160-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-156-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-162-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-154-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-163-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-164-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-165-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-166-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-167-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-152-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-169-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-170-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-171-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-150-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-148-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-139-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-146-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-145-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-157-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-143-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-142-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-141-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-140-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-116-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-138-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-136-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-135-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-134-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-132-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-130-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-131-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-129-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-128-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-127-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-126-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-125-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-124-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-123-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-122-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-121-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-120-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-119-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-118-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4700-117-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download