4773be03b5794908a31aba98a946f02eec075bb7144411bec6d9fa88bb6d5e8e

Resubmissions

13/10/2022, 06:36

221013-hc4wnsbbg7 9

13/10/2022, 06:20

221013-g3y8faahhj 9

12/10/2022, 15:04

221012-sfnc7sgehq 8

Analysis

max time kernel
133s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2022, 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sample.exe
Size

134.8MB
MD5

b91f99b87d1b4b97de96809626dce0f7
SHA1

6ba6325ffd36a0ee0ce6e3628d91848a9757dd91
SHA256

4773be03b5794908a31aba98a946f02eec075bb7144411bec6d9fa88bb6d5e8e
SHA512

72532f9102d43a78dac3563d881df6d207540544c5702c85f3560a321e32507ea9160eeea29a8e533a52ffe930b7042f80b22a037b1e5d2c10f12f17476f9b14
SSDEEP

3145728:Xmx2gA7SyL7n56rVjfgK+BSQUE19x2gAGN0GYNbVZ5ZNaZWwGA:4/yHSVLgK+BfLzNXEZN/bA

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3172	UA Cyber SHIELD.exe
2364	UA Cyber SHIELD.exe
5092	UA Cyber SHIELD.exe
3804	UA Cyber SHIELD.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	UA Cyber SHIELD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	UA Cyber SHIELD.exe

Loads dropped DLL 16 IoCs

pid	Process
3968	Sample.exe
3968	Sample.exe
3968	Sample.exe
3968	Sample.exe
3968	Sample.exe
3968	Sample.exe
3968	Sample.exe
3172	UA Cyber SHIELD.exe
2364	UA Cyber SHIELD.exe
5092	UA Cyber SHIELD.exe
2364	UA Cyber SHIELD.exe
2364	UA Cyber SHIELD.exe
2364	UA Cyber SHIELD.exe
2364	UA Cyber SHIELD.exe
2364	UA Cyber SHIELD.exe
3804	UA Cyber SHIELD.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	UA Cyber SHIELD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\electron.app.UA Cyber SHIELD = "C:\\Users\\Admin\\AppData\\Local\\Programs\\shield\\UA Cyber SHIELD.exe"	UA Cyber SHIELD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4940	tasklist.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3968	Sample.exe
3968	Sample.exe
4940	tasklist.exe
4940	tasklist.exe
3172	UA Cyber SHIELD.exe
3172	UA Cyber SHIELD.exe
3172	UA Cyber SHIELD.exe
3172	UA Cyber SHIELD.exe
5092	UA Cyber SHIELD.exe
5092	UA Cyber SHIELD.exe
3804	UA Cyber SHIELD.exe
3804	UA Cyber SHIELD.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	4940	tasklist.exe
Token: SeSecurityPrivilege	3968	Sample.exe
Token: SeShutdownPrivilege	3172	UA Cyber SHIELD.exe
Token: SeCreatePagefilePrivilege	3172	UA Cyber SHIELD.exe
Token: SeShutdownPrivilege	3172	UA Cyber SHIELD.exe
Token: SeCreatePagefilePrivilege	3172	UA Cyber SHIELD.exe
Token: SeShutdownPrivilege	3172	UA Cyber SHIELD.exe
Token: SeCreatePagefilePrivilege	3172	UA Cyber SHIELD.exe
Token: SeShutdownPrivilege	3172	UA Cyber SHIELD.exe
Token: SeCreatePagefilePrivilege	3172	UA Cyber SHIELD.exe
Token: SeShutdownPrivilege	3172	UA Cyber SHIELD.exe
Token: SeCreatePagefilePrivilege	3172	UA Cyber SHIELD.exe
Token: SeShutdownPrivilege	3172	UA Cyber SHIELD.exe
Token: SeCreatePagefilePrivilege	3172	UA Cyber SHIELD.exe
Token: SeShutdownPrivilege	3172	UA Cyber SHIELD.exe
Token: SeCreatePagefilePrivilege	3172	UA Cyber SHIELD.exe
Token: SeShutdownPrivilege	3172	UA Cyber SHIELD.exe
Token: SeCreatePagefilePrivilege	3172	UA Cyber SHIELD.exe
Token: SeShutdownPrivilege	3172	UA Cyber SHIELD.exe
Token: SeCreatePagefilePrivilege	3172	UA Cyber SHIELD.exe
Token: SeShutdownPrivilege	3172	UA Cyber SHIELD.exe
Token: SeCreatePagefilePrivilege	3172	UA Cyber SHIELD.exe
Token: SeShutdownPrivilege	3172	UA Cyber SHIELD.exe
Token: SeCreatePagefilePrivilege	3172	UA Cyber SHIELD.exe
Token: SeShutdownPrivilege	3172	UA Cyber SHIELD.exe
Token: SeCreatePagefilePrivilege	3172	UA Cyber SHIELD.exe
Token: SeShutdownPrivilege	3172	UA Cyber SHIELD.exe
Token: SeCreatePagefilePrivilege	3172	UA Cyber SHIELD.exe
Token: SeShutdownPrivilege	3172	UA Cyber SHIELD.exe
Token: SeCreatePagefilePrivilege	3172	UA Cyber SHIELD.exe
Token: SeShutdownPrivilege	3172	UA Cyber SHIELD.exe
Token: SeCreatePagefilePrivilege	3172	UA Cyber SHIELD.exe
Token: SeShutdownPrivilege	3172	UA Cyber SHIELD.exe
Token: SeCreatePagefilePrivilege	3172	UA Cyber SHIELD.exe
Token: SeShutdownPrivilege	3172	UA Cyber SHIELD.exe
Token: SeCreatePagefilePrivilege	3172	UA Cyber SHIELD.exe
Token: SeShutdownPrivilege	3172	UA Cyber SHIELD.exe
Token: SeCreatePagefilePrivilege	3172	UA Cyber SHIELD.exe
Token: SeShutdownPrivilege	3172	UA Cyber SHIELD.exe
Token: SeCreatePagefilePrivilege	3172	UA Cyber SHIELD.exe
Token: SeShutdownPrivilege	3172	UA Cyber SHIELD.exe
Token: SeCreatePagefilePrivilege	3172	UA Cyber SHIELD.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3172	UA Cyber SHIELD.exe
3172	UA Cyber SHIELD.exe
3172	UA Cyber SHIELD.exe
3172	UA Cyber SHIELD.exe
3172	UA Cyber SHIELD.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3172	UA Cyber SHIELD.exe
3172	UA Cyber SHIELD.exe
3172	UA Cyber SHIELD.exe
3172	UA Cyber SHIELD.exe
3172	UA Cyber SHIELD.exe
3172	UA Cyber SHIELD.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 5048	3968	Sample.exe	82
PID 3968 wrote to memory of 5048	3968	Sample.exe	82
PID 3968 wrote to memory of 5048	3968	Sample.exe	82
PID 5048 wrote to memory of 4940	5048	cmd.exe	84
PID 5048 wrote to memory of 4940	5048	cmd.exe	84
PID 5048 wrote to memory of 4940	5048	cmd.exe	84
PID 5048 wrote to memory of 732	5048	cmd.exe	85
PID 5048 wrote to memory of 732	5048	cmd.exe	85
PID 5048 wrote to memory of 732	5048	cmd.exe	85
PID 3172 wrote to memory of 4800	3172	UA Cyber SHIELD.exe	92
PID 3172 wrote to memory of 4800	3172	UA Cyber SHIELD.exe	92
PID 4800 wrote to memory of 1528	4800	cmd.exe	94
PID 4800 wrote to memory of 1528	4800	cmd.exe	94
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 2364	3172	UA Cyber SHIELD.exe	95
PID 3172 wrote to memory of 5092	3172	UA Cyber SHIELD.exe	96
PID 3172 wrote to memory of 5092	3172	UA Cyber SHIELD.exe	96
PID 3172 wrote to memory of 3804	3172	UA Cyber SHIELD.exe	97
PID 3172 wrote to memory of 3804	3172	UA Cyber SHIELD.exe	97

C:\Users\Admin\AppData\Local\Temp\Sample.exe
"C:\Users\Admin\AppData\Local\Temp\Sample.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq UA Cyber SHIELD.exe" | find "UA Cyber SHIELD.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq UA Cyber SHIELD.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4940
- - C:\Windows\SysWOW64\find.exe
    find "UA Cyber SHIELD.exe"
    3⤵
    PID:732

C:\Users\Admin\AppData\Local\Programs\shield\UA Cyber SHIELD.exe
"C:\Users\Admin\AppData\Local\Programs\shield\UA Cyber SHIELD.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
    3⤵
    PID:1528
- C:\Users\Admin\AppData\Local\Programs\shield\UA Cyber SHIELD.exe
  "C:\Users\Admin\AppData\Local\Programs\shield\UA Cyber SHIELD.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\UA Cyber SHIELD" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1804,15104901942359012324,6733192084547026456,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2364
- C:\Users\Admin\AppData\Local\Programs\shield\UA Cyber SHIELD.exe
  "C:\Users\Admin\AppData\Local\Programs\shield\UA Cyber SHIELD.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\UA Cyber SHIELD" --mojo-platform-channel-handle=2208 --field-trial-handle=1804,15104901942359012324,6733192084547026456,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:5092
- C:\Users\Admin\AppData\Local\Programs\shield\UA Cyber SHIELD.exe
  "C:\Users\Admin\AppData\Local\Programs\shield\UA Cyber SHIELD.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\UA Cyber SHIELD" --app-user-model-id="electron.app.UA Cyber SHIELD" --app-path="C:\Users\Admin\AppData\Local\Programs\shield\resources\app.asar" --no-sandbox --no-zygote --node-integration-in-worker --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2576 --field-trial-handle=1804,15104901942359012324,6733192084547026456,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\shield\D3DCompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\UA Cyber SHIELD.exe

Filesize
31.7MB

MD5
04c7e9e6ebef3be565cac1552737fcea

SHA1
d756cdc244641b18b5231c2633289d406b36c84c

SHA256
cf9c113923c42379425c15a30b780fdf73c0c54cf2a0c1b49a3d31783ad1a59d

SHA512
46078b69ab0da94081ab9e9f948c0e04cf8a80d2e0ca11d6876d9e8492bc0a469081df6b9fa536b60b495bd4813ec73eec5dfa789ef22a05c6c32ab7e74296de

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\UA Cyber SHIELD.exe

Filesize
31.1MB

MD5
4ef6868151e038278c218a39e78b2f7d

SHA1
ee08fac11cbda6a7593cba4149e670218ffb5762

SHA256
1190ffe77993bd7240b56a53ab34110ab159c0d018d85082ae0cfbf5b6e306b2

SHA512
24552fd4cae9d2decd58b977d9c870692b3dfc2e911272e73aa4233a769314f9a69830def88faa887a48792430a445bb939f6367fe468955fd28fd9fc87ee75f

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\UA Cyber SHIELD.exe

Filesize
27.6MB

MD5
00ead8e78f0c64a454d205af02f68941

SHA1
a9416c81b88186db52a0f8e7dbaefaf7ab96ee82

SHA256
b39e21ef7236c2428dfd2ff8eccacfcb2254fceb829877902d4f54ed3e1b3acf

SHA512
b728563ec570132dfc40a686835f6c26fae6c9b8ed3559a94d6a70aaf079da37e7a49ef21fc0f8cfa42b2f7dae95d1375df2afa303e9a2f46d06dc2f4f904092

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\UA Cyber SHIELD.exe

Filesize
16.3MB

MD5
9f67613271dfa8370a1635f142c7c57d

SHA1
3770def9ea4ed0c52aa5ca7af6b1508005c6be49

SHA256
07f4d5f65b53501bebf2afbdb6ea2e631062f8755cd0aef7ded27377538b6bb4

SHA512
a71142a61ceb0cc6fd9ac6fef5e84f97eb5e5c65e5c9591157dabc6128ab7a5d2de16bb981009a4f870d0bb308c7d724510e25a5e4a928d149ae91d2511d8169

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\UA Cyber SHIELD.exe

Filesize
15.6MB

MD5
789e9087540782fbf5b9715f74498dc4

SHA1
f896c592d49ed664adbbcbdba050c0223d7d39e7

SHA256
d1f4d02903cbd180bcff1343b2a5d624be43b2585af7451999db9fbb020bac52

SHA512
ae8bf95d29e4841bf848c155569b3cf67d49bb6c1017fad80db0b88645f8e676f6e2b1b2a55e98857f5bbb9f46ec9c3f92600750dece648b4254f7d295ce83bf

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\chrome_100_percent.pak

Filesize
138KB

MD5
9c1b859b611600201ccf898f1eff2476

SHA1
87d5d9a5fcc2496b48bb084fdf04331823dd1699

SHA256
53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b

SHA512
1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\chrome_200_percent.pak

Filesize
202KB

MD5
b51a78961b1dbb156343e6e024093d41

SHA1
51298bfe945a9645311169fc5bb64a2a1f20bc38

SHA256
4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9

SHA512
23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\d3dcompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\ffmpeg.dll

Filesize
2.6MB

MD5
08e9070f59ca6ba9edf7a22c33ac79f4

SHA1
34ab94d3c929edec56a1f0b3bf772d07e1082f9a

SHA256
8e3e6d74bcaae9bdef2fc25361f07b542ae311a96c121ce7820d618fab949b1f

SHA512
c8693d56699edcdf44aee62dbbfd43267df844f875ff14b337b568d41dc53aad2ef7891cb9df4f94508cea72965d73ee31afb7c631d14aa06f3f677e0ee3c57c

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\ffmpeg.dll

Filesize
2.6MB

MD5
08e9070f59ca6ba9edf7a22c33ac79f4

SHA1
34ab94d3c929edec56a1f0b3bf772d07e1082f9a

SHA256
8e3e6d74bcaae9bdef2fc25361f07b542ae311a96c121ce7820d618fab949b1f

SHA512
c8693d56699edcdf44aee62dbbfd43267df844f875ff14b337b568d41dc53aad2ef7891cb9df4f94508cea72965d73ee31afb7c631d14aa06f3f677e0ee3c57c

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\ffmpeg.dll

Filesize
2.6MB

MD5
08e9070f59ca6ba9edf7a22c33ac79f4

SHA1
34ab94d3c929edec56a1f0b3bf772d07e1082f9a

SHA256
8e3e6d74bcaae9bdef2fc25361f07b542ae311a96c121ce7820d618fab949b1f

SHA512
c8693d56699edcdf44aee62dbbfd43267df844f875ff14b337b568d41dc53aad2ef7891cb9df4f94508cea72965d73ee31afb7c631d14aa06f3f677e0ee3c57c

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\ffmpeg.dll

Filesize
2.6MB

MD5
08e9070f59ca6ba9edf7a22c33ac79f4

SHA1
34ab94d3c929edec56a1f0b3bf772d07e1082f9a

SHA256
8e3e6d74bcaae9bdef2fc25361f07b542ae311a96c121ce7820d618fab949b1f

SHA512
c8693d56699edcdf44aee62dbbfd43267df844f875ff14b337b568d41dc53aad2ef7891cb9df4f94508cea72965d73ee31afb7c631d14aa06f3f677e0ee3c57c

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\ffmpeg.dll

Filesize
2.6MB

MD5
08e9070f59ca6ba9edf7a22c33ac79f4

SHA1
34ab94d3c929edec56a1f0b3bf772d07e1082f9a

SHA256
8e3e6d74bcaae9bdef2fc25361f07b542ae311a96c121ce7820d618fab949b1f

SHA512
c8693d56699edcdf44aee62dbbfd43267df844f875ff14b337b568d41dc53aad2ef7891cb9df4f94508cea72965d73ee31afb7c631d14aa06f3f677e0ee3c57c

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\icudtl.dat

Filesize
9.8MB

MD5
599c39d9adb88686c4585b15fb745c0e

SHA1
2215eb6299aa18e87db21f686b08695a5199f4e2

SHA256
c5f82843420fa9d144e006b48d59ba7ef95f7e6cb1ea95b27fcdd2c97f850859

SHA512
16194186a8407b29f799d4b02f5674e4fbd5d91163fad9f8dce6ceedd865b754a681aa960d0f3f1b62cb21d5443879f1b8e9b691c19c5802d5bdfe4ed645b8bc

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\libEGL.dll

Filesize
437KB

MD5
b729e51875a36553db9afa9500828a64

SHA1
7d0d833fe1ec8b5d3acd0a13c946a9bf156cf89b

SHA256
3096f43775b041718da22d480cb70db2149061967d0a5778ac5bb8e99cb3026f

SHA512
bcb220d63ca3f96d892b7eb488b16989d5a49488875e289adafe031a1b88803e824f76998cf32762d269260cf89e39ff23fd966010e73b1d6614b9c9d7a075d6

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\libGLESv2.dll

Filesize
6.7MB

MD5
8b6b5dfdbb3076baf1079640fcd8d21c

SHA1
1e7a176868b403de782e0405d19b60709d695272

SHA256
987ed1566d557d968b19480146abd09fced7ff50fa0ca3e123dd59c14202fac4

SHA512
bdffeabacf1979fc06816351cee6e121c7bc78d6894ee8a3a015e8fa91a08464fda03e1681c9d69f8edfd64624c672739f8fdf55bbe16f384c7246fb7e22223e

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\libegl.dll

Filesize
437KB

MD5
b729e51875a36553db9afa9500828a64

SHA1
7d0d833fe1ec8b5d3acd0a13c946a9bf156cf89b

SHA256
3096f43775b041718da22d480cb70db2149061967d0a5778ac5bb8e99cb3026f

SHA512
bcb220d63ca3f96d892b7eb488b16989d5a49488875e289adafe031a1b88803e824f76998cf32762d269260cf89e39ff23fd966010e73b1d6614b9c9d7a075d6

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\libglesv2.dll

Filesize
6.7MB

MD5
8b6b5dfdbb3076baf1079640fcd8d21c

SHA1
1e7a176868b403de782e0405d19b60709d695272

SHA256
987ed1566d557d968b19480146abd09fced7ff50fa0ca3e123dd59c14202fac4

SHA512
bdffeabacf1979fc06816351cee6e121c7bc78d6894ee8a3a015e8fa91a08464fda03e1681c9d69f8edfd64624c672739f8fdf55bbe16f384c7246fb7e22223e

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\locales\en-US.pak

Filesize
100KB

MD5
0bb857860d8c9ab6d617cea5a5bd4d00

SHA1
351b744d95846bff2ce5f542fec2e87439aa0f8b

SHA256
5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816

SHA512
33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\resources.pak

Filesize
4.8MB

MD5
d1eabfe170135e6a704a9f09a9f04985

SHA1
6c5287378ff373fe27ddb8cf6bf641c1c862af3b

SHA256
91efacf94428e702772779e5ebc122b25a1d12c64a3ed20bc0b5b396503ba308

SHA512
fa3fec856da70a2bdf6a211a4bf1d6d0114f925842d9d185570defe25f8f33216823e2473efefa5982859ffd783fced912b086300b298201abaa12711fe0f782

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\resources\app-update.yml

Filesize
103B

MD5
4da3d57483025aae83861c78e38219e1

SHA1
93cc2e23f79e23b3906b7542a105457202c31616

SHA256
db5162220111412e3164f5216c3401fa5246cd4ca661f901a57c2b000656eedf

SHA512
35bfccdaa69acf2c5d0ce35ff71e97be7cdeb5568485a412f3409ad4046b52e183afbf26d3dedad1f7913af71201fc634c0e6d2bccc174de6559bec6785ec157

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\resources\app.asar

Filesize
28.6MB

MD5
2d817980683a5d2dc1dd0566e2e78435

SHA1
ffafe3bcb74cf348f4dcd6a5e6e4c8a438e5d54a

SHA256
1e41db5cd2b59cd1a83e76c697824b47ddefd0c4302fc5d4003bf2448507d4f1

SHA512
e7784484b252c4c7cfc6ce1b5b6ef2548ccd2c95032264bd80493b46c4576ccd5eced7ef4921ac2a5409ea46b89b18929a062ca9850c2700ae9843e51dc887b3

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\v8_context_snapshot.bin

Filesize
656KB

MD5
38923110390a201fdf5ec4cb7d5c0bbc

SHA1
9194f10cc8b0018af007959059a4ed3bf15f3168

SHA256
d761262b5d774e62cab86eef34f9d2f58c23f36e4d7a9fd49c50dcb573f4a274

SHA512
2dc6d70e663c32d3efc4f297022721d0f24f014fccf2ca4ffb6ff3a7355ec2fdce458bd45989b453501bfd8380d89b558bc1f35ff578dc15dc4b1468cb1a5ac7

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\vk_swiftshader.dll

Filesize
4.4MB

MD5
41e3c1567c9b1001e37472d84ab61763

SHA1
4ca2b7e92605e61c17453c0799854b3a573afbe4

SHA256
1d50eeda54e777b95c20763e09dc83c9e7712e9992e7b0cbbe9fa386e51bf724

SHA512
1b903baaa92d46bc90b16b7252e14ea97fddf028d308a375b1b6a3fc021fc679b240857567a33f5ff1ec57df2df70c39d39e304718c5792b3c0a19ddd33994be

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\vk_swiftshader.dll

Filesize
4.4MB

MD5
41e3c1567c9b1001e37472d84ab61763

SHA1
4ca2b7e92605e61c17453c0799854b3a573afbe4

SHA256
1d50eeda54e777b95c20763e09dc83c9e7712e9992e7b0cbbe9fa386e51bf724

SHA512
1b903baaa92d46bc90b16b7252e14ea97fddf028d308a375b1b6a3fc021fc679b240857567a33f5ff1ec57df2df70c39d39e304718c5792b3c0a19ddd33994be

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\vulkan-1.dll

Filesize
819KB

MD5
0b358fcfd361a70be7c71d3ca622005e

SHA1
6816e46184152cfbb1631ce97d590f134eeef678

SHA256
e8a4c2daa590a5672ae5e9dbc21d02e644b18392144f59c1af5c9dadba3d20c1

SHA512
225e8ba8e6391c19468a1f8da27a49d115f7ae762fe46b693bf5166a471593d2fec1d54185583c45d2bc8102911f707b874b7336d1dfcc0abd4b0f522870cdc1

Download Submit
C:\Users\Admin\AppData\Local\Programs\shield\vulkan-1.dll

Filesize
819KB

MD5
0b358fcfd361a70be7c71d3ca622005e

SHA1
6816e46184152cfbb1631ce97d590f134eeef678

SHA256
e8a4c2daa590a5672ae5e9dbc21d02e644b18392144f59c1af5c9dadba3d20c1

SHA512
225e8ba8e6391c19468a1f8da27a49d115f7ae762fe46b693bf5166a471593d2fec1d54185583c45d2bc8102911f707b874b7336d1dfcc0abd4b0f522870cdc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfEF76.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfEF76.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfEF76.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfEF76.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfEF76.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfEF76.tmp\nsExec.dll

Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfEF76.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit