lumma | hxxps://cdn[.]discordapp[.]com/attachments/1087849368675176460/1088103716277723146/Setup[.]rar

Analysis

max time kernel
284s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1087849368675176460/1088103716277723146/Setup.rar

Score

10^/10

lumma discovery persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\WinRAR\WhatsNew.txt

Ransom Note

WinRAR - What's new in the latest version Version 6.21 1. Both file and folder modification timestamps are restored when unpacking TAR and TAR based archives like tar.gz and tar.bz2. Previously only file modification timestamps were set for these archive formats. 2. Added decompression of .tar.zst archives with dictionary exceeding 128 MB. WinRAR 6.20 allowed such dictionary for .zst, but not for .tar.zst. 3. Switches -ed and -e+d are also supported by ZIP archives. Previously they worked only for RAR archives. 4. Bugs fixed: a) if unencrypted file was stored after encrypted in the same RAR archive and both files had been unpacked in the same extraction command, WinRAR 6.20 failed to unpack the unencrypted file; b) in some cases a wrong detailed reason of file open error could be displayed in the second line of open error message. Version 6.20 1. If "Autodetect passwords" option in "Organizer passwords" dialog is enabled and password matching a processing archive is present among saved passwords, it is applied automatically. This option is applicable only for archives in RAR 5.0 and ZIP formats, which allow to verify the password validity quickly. There is a minor chance of incorrect password detection for ZIP archives if stored passwords do not include a proper one. If encrypted ZIP archive extraction fails, you can try to disable this option, repeat extraction and enter a valid password manually. 2. If extraction command involves only a part of files in RAR archive, the additional archive analysis is performed when starting extraction. It helps to properly unpack file references even if reference source is not selected. It works for most of RAR archives except for volumes on multiple removable media and archives containing a very large number of references. Also in some cases such analysis may help to optimize the amount of processing data when extracting individual files from semi-solid archives created with -s<N> and -se switches. 3. "Save original archive name and time" option on "Options" page of archiving dialog allows to save the original archive name and creation time. If archive includes such saved name and time, they are displayed on "Info" page of "Show information" command and can be restored on "Options" page of same command. Restoring involves renaming an archive to original name and setting the saved time as the archive creation and modification time. Switch -ams or just -am together with archive modification commands can be used to save the archive name and time in the command line mode. These saved parameters are displayed in header of "l" and "v" commands output and can be restored with -amr switch combined with "ch" command, such as "rar ch -amr arc.rar". If -amr is specified, "ch" ignores other archive modification switches. 4. Faster RAR5 compression of poorly compressible data on modern CPUs with 8 or more execution threads. This applies to all methods except "Fastest", which performance remains the same. 5. "Repair" command efficiency is improved for shuffled data blocks in recovery record protected RAR5 archives. 6. If file size has grown after archiving when creating non-solid RAR volumes, such file is stored without compression regardless of volume number, provided that file isn't split between volumes. Previously it worked only for files in the first volume. 7. Added decompression of .zipx archives containing file references, provided that both reference source and target are selected and reference source precedes the target inside of archive. Typically, if .zipx archive includes file references, it is necessary to unpack the entire archive to extract references successfully. 8. Added decompression of .zst long range mode archives with dictionary exceeding 128 MB. Previously it was possible to decompress them only if dictionary was 128 MB or less. 9. If "Turn PC off", "Hibernate", "Sleep" or "Restart PC" archiving options are enabled in WinRAR, a prompt to confirm or cancel such power management action is displayed directly before starting it. If no selection was made by user for 30 seconds, the proposed action is confirmed and started automatically. This prompt is also displayed for -ioff switch in WinRAR command line, but not in console RAR command line. 10. Context menu in WinRAR file list provides "Open in internal viewer" command for archive files. It can be helpful if you wish to view the archive raw data in internal viewer. For example, to read an email archive with UUE attachments included. Usual "View" command always displays the archive contents. If file is recognized as UUE archive, "View" would show UUE attachments. 11. Recovery record size is displayed on "Archive" page of file properties invoked from Explorer context menu for archives in RAR5 format. Previously there was only "Present" instead of exact size for RAR5 archives. 12. When archiving from stdin with -si switch, RAR displays the current amount of read bytes as the progress indicator. 13. If wrong password is specified when adding files to encrypted solid RAR5 archive, a password will be requested again. Previous versions cancelled archiving in this case. 14. If both options "Test archived files" and "Clear attribute "Archive" after compressing" or their command line -t -ac equivalents are enabled when archiving, "Archive" attribute will be cleared only if test was completed successfully. Previously it was cleared even when test reported errors. 15. NoDrives value containing the bit mask to hide drives can be now read from "HKEY_CURRENT_USER\Software\WinRAR\Policy" Registry key, which allows to include it to winrar.ini if necessary. Its "Software\Microsoft\Windows\CurrentVersion\Policies" locations in HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE are also supported. Previously only "Software\Microsoft\Windows\CurrentVersion\Policies" in HKEY_CURRENT_USER was recognized. 16. Bugs fixed: a) archive modification commands could fail for some ZIP archives with file comments; b) fixed a memory leak when reading contents of .tar.bz2 archives; c) if source and resulting archive format is the same, the archive conversion command didn't set the original archive time to a newly created archive even if "Original archive time" option was selected in archiving parameters; d) if "Merge volumes contents" option in "Settings/File list" was turned on, the folder packed size in WinRAR file list could be less than expected when browsing a multivolume archive contents. It didn't include the packed size of file parts continuing from previous volume into calculation; e) even if "Set file security" extraction option was turned off by default, extraction commands in Explorer context menu still attempted to restore NTFS file security data; f) WinRAR could read data beyond the end of buffer and crash when unpacking files from specially crafted ZIP archive. We are thankful to Bakker working with Trend Micro Zero Day Initiative for letting us know about this bug. Version 6.11 1. Added support for Gz archives with large archive comments. Previously the extraction command failed to unpack gz archives if comment size exceeded 16 KB. 2. Archive comments in gz archives are displayed in the comment window and recognized by "Show information" command. Large comments are shown partially. Previous versions didn't display Gzip comments. 3. Reserved device names followed by file extension, such as aux.txt, are extracted as is in Windows 11 even without "Allow potentially incompatible names" option or -oni command line switch. Unlike previous Windows versions, Windows 11 treats such names as usual files. Device names without extension, such as aux, still require these options to be unpacked as is regardless of Windows version. 4. Switch -mes can be also used to suppress the password prompt and abort when adding files to encrypted solid archive. 5. Additional measures to prevent extracting insecure links are implemented. 6. Bugs fixed: a) if password exceeding 127 characters was entered when unpacking an encrypted archive with console RAR, text after 127th character could be erroneously recognized as user's input by different prompts issued later; b) wrong archived file time could be displayed in overwrite prompt when extracting a file from ZIP archive. It happened if such archive included extended file times and was created in another time zone. It didn't affect the actual file time, which was set properly upon extraction. Version 6.10 1. WinRAR can unpack contents of .zst and .zipx archives utilizing Zstandard algorithm. 2. Added support of Windows 11 Explorer context menus. Beginning from Windows 11, an application can add only a single top level command or submenu to Explorer context menu. If "Cascaded context menus" in "Integration settings" dialog is on, this single item is a submenu storing all necessary WinRAR commands. If this option is off, only one extraction command for archives and one archiving command for usual files are available. You can select these commands with "Context menu items..." button in "Integration settings" dialog. 3. "Legacy context menus" option in "Settings/Integration" dialog can be used in Windows 11 if WinRAR commands are missing in "Show more options" Windows legacy context menu or in context menus of third party file managers. If WinRAR commands are already present here, keep "Legacy context menus" option turned off to prevent duplicating them. This option is not available in Windows 10 and older. 4. Windows XP is not supported anymore. Minimum required operating system version is Windows Vista. 5. "Close" item is added to "When done" list on "Advanced" page of archiving dialog. It closes WinRAR window, when archiving is done. 6. "When done" list is added to "Options" page of extraction dialog. It allows to select an action like turning a computer off or closing WinRAR after completing extraction. 7. Switch -si can be used when extracting or testing to read archive data from stdin, such as: type docs.rar | rar x -si -o+ -pmypwd dummy docs\ Even though the archive name is ignored with this switch, an arbitrary dummy archive name has to specified in the command line. Operations requiring backward seeks are unavailable in this mode. It includes displaying archive comments, testing the recovery record, utilizing the quick open information, processing multivolume archives. Prompts requiring user interaction are not allowed. Use -o[+|-|r], -p<pwd> or -mes switches to suppress such prompts. 8. New -ep4<path> switch excludes the path prefix when archiving or extracting if this path is found in the beginning of archived name. Path is compared with names already prepared to store in archive, without drive letters and leading path separators. For example: rar a -ep4texts\books archive c:\texts\books\technical removes "text\books" from archived names, so they start from 'technical'. 9. New -mes switch skips encrypted files when extracting or testing. It replaces the former -p- switch. 10. New -op<path> switch sets the destination folder for 'x' and 'e' extraction commands. Unlike <path_to_extract\> command line parameter, this switch also accepts paths without trailing path separator character. 11. If 'p' command is used to print a file to stdout, informational messages are suppressed automatically to prevent them mixing with file data. 12. "Generate archive name by mask" option and switch -ag treat only first two 'M' characters after 'H' as minutes. Previously any amount of such characters was considered as minutes. It makes possible to place the time field before the date, like -agHHMM-DDMMYY. Previous versions considered all 'M' in this string as minutes. 13. Maximum allowed size of RAR5 recovery record is increased to 1000% of protected data size. Maximum number of RAR5 recovery volumes can be 10 times larger than protected RAR volumes. Previous WinRAR versions are not able to use the recovery record to repair broken archives if recovery record size exceeds 99%. Similarly, previous versions cannot use recovery volumes if their number is equal or larger than number of RAR volumes. 14. Warning is issued if entered password exceeds the allowed limit of 127 characters and is truncated. Previously such passwords had been truncated silently. 15. If archive includes reserved device names, the underscore character is inserted in the beginning of such names when extracting. For example, aux.txt is converted to _aux.txt. It is done to prevent compatibility problems with software unable to process such names. You can use "Allow potentially incompatible names" option in "Advanced" part of extraction dialog or command line -oni switch to avoid this conversion. 16. WinRAR attempts to reset the file cache before testing an archive. It helps to verify actual data written to disk instead of reading a cached copy. 17. Multiple -v<size> switches specifying different sizes for different volumes are now allowed also for ZIP archives: WinRAR a -v100k -v200k -v300k arcname.zip Previously multiple -v<size> switches were supported only for RAR archives. 18. Switches -sl<size> and -sm<size> can be used in WinRAR.exe command line mode when extracting archives in any supported formats, provided that such archive includes unpacked file sizes. Previously these switches could filter files by size only in RAR and ZIP archives. 19. Newer folder selection dialog is invoked when pressing "Browse" button in WinRAR "Settings/Paths" page, "Repair" and "Convert" commands, also as in few other similar places. Previously a simpler XP style folder selection dialog was opened. 20. When restoring from tray after completing an operation, WinRAR window is positioned under other opened windows, to not interfere with current user activities. 21. "650 MB CD" is removed and "2 GB volumes" is added to the list of predefined volume sizes in "Define volume sizes" dialog invoked from WinRAR "Settings/Compression". 22. "Rename" command selects the file name part up to the final dot. Previously it selected the entire name. 23. If SFX archive size exceeds 4 GB, an error message is issued during compression, immediately after exceeding this threshold. Previously this error was reported only after completing compression. Executables of such size cannot be started by Windows. 24. Command line -en switch is not supported anymore. It created RAR4 archives without the end of archive record. End of archive record permits to gr

URLs

https

http

http://weirdsgn.com

http://icondesignlab.com

https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar

https://technet.microsoft.com/en-us/library/security/ms14-064.aspx

http://rarlab.com/vuln_sfx_html2.htm

https://blake2.net

Extracted

Path

C:\Program Files\WinRAR\Rar.txt

Ransom Note

User's Manual ~~~~~~~~~~~~~ RAR 6.21 console version ~~~~~~~~~~~~~~~~~~~~~~~~ =-=-=-=-=-=-=-=-=-=-=-=-=-=- Welcome to the RAR Archiver! -=-=-=-=-=-=-=-=-=-=-=-=-=-= Introduction ~~~~~~~~~~~~ RAR is a console application allowing to manage archive files in command line mode. RAR provides compression, encryption, data recovery and many other functions described in this manual. RAR supports only RAR format archives, which have .rar file name extension by default. ZIP and other formats are not supported. Even if you specify .zip extension when creating an archive, it will still be in RAR format. Windows users may install WinRAR, which supports more archive types including RAR and ZIP formats. WinRAR provides both graphical user interface and command line mode. While console RAR and GUI WinRAR have the similar command line syntax, some differences exist. So it is recommended to use this rar.txt manual for console RAR (rar.exe in case of Windows version) and winrar.chm WinRAR help file for GUI WinRAR (winrar.exe). Configuration file ~~~~~~~~~~~~~~~~~~ RAR and UnRAR for Unix read configuration information from .rarrc file in a user's home directory (stored in HOME environment variable) or in /etc directory. RAR and UnRAR for Windows read configuration information from rar.ini file, placed in the same directory as the rar.exe file. This file can contain the following string: switches=<any RAR switches separated by spaces> For example: switches=-m5 -s It is also possible to specify separate switch sets for individual RAR commands using the following syntax: switches_<command>=<any RAR switches separated by spaces> For example: switches_a=-m5 -s switches_x=-o+ Environment variable ~~~~~~~~~~~~~~~~~~~~ Default parameters may be added to the RAR command line by establishing an environment variable "RAR". For instance, in Unix following lines may be added to your profile: RAR='-s -md1024' export RAR RAR will use this string as default parameters in the command line and will create "solid" archives with 1024 MB sliding dictionary size. RAR handles options with priority as following: command line switches highest priority switches in the RAR variable lower priority switches saved in configuration file lowest priority Log file ~~~~~~~~ If switch -ilog is specified in the command line or configuration file, RAR will write informational messages about errors encountered while processing archives into a log file. Read the switch -ilog description for more details. The file order list for solid archiving - rarfiles.lst ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ rarfiles.lst contains a user-defined file list, which tells RAR the order in which to add files to a solid archive. It may contain file names, wildcards and special entry - $default. The default entry defines the place in order list for files not matched with other entries in this file. The comment character is ';'. In Windows this file should be placed in the same directory as RAR or in %APPDATA%\WinRAR directory, in Unix - to the user's home directory or in /etc. Tips to provide improved compression and speed of operation: - similar files should be grouped together in the archive; - frequently accessed files should be placed at the beginning. Normally masks placed nearer to the top of list have a higher priority, but there is an exception from this rule. If rarfiles.lst contains such two masks that all files matched by one mask are also matched by another, that mask which matches a smaller subset of file names will have higher priority regardless of its position in the list. For example, if you have *.cpp and f*.cpp masks, f*.cpp has a higher priority, so the position of 'filename.cpp' will be chosen according to 'f*.cpp', not '*.cpp'. RAR command line syntax ~~~~~~~~~~~~~~~~~~~~~~~ Syntax RAR <command> [ -<switches> ] <archive> [ <@listfiles...> ] [ <files...> ] [ <path_to_extract\> ] Description Command is a single character or string specifying an action to be performed by RAR. Switches are designed to modify the way RAR performs such action. Other parameters are archive name and files to be archived or extracted. Listfiles are plain text files containing names of files to process. File names must start at the first column. It is possible to put comments to the listfile after // characters. For example, you can create backup.lst containing the following strings: c:\work\doc\*.txt //backup text documents c:\work\image\*.bmp //backup pictures c:\work\misc and then run: rar a backup @backup.lst If you wish to read file names from stdin (standard input), specify the empty listfile name (just @). By default, console RAR uses the single byte encoding in list files, but it can be redefined with -sc<charset>l switch. You can specify both usual file names and list files in the same command line. If neither files nor listfiles are specified, then *.* is implied and RAR will process all files. path_to_extract includes the destination directory name followed by a path separator character. For example, it can be c:\dest\ in Windows or data/ in Unix. It specifies the directory to place extracted files in 'x' and 'e' commands. This directory is created by RAR if it does not exist yet. Alternatively it can be set with -op<path> switch. Many RAR commands, such as extraction, test or list, allow to use wildcards in archive name. If no extension is specified in archive mask, RAR assumes .rar, so * means all archives with .rar extension. If you need to process all archives without extension, use *. mask. *.* mask selects all files. Wildcards in archive name are not allowed when archiving and deleting. In Unix you need to enclose RAR command line parameters containing wildcards in single or double quotes to prevent their expansion by Unix shell. For example, this command will extract *.asm files from all *.rar archives in current directory: rar e '*.rar' '*.asm' Command could be any of the following: a Add files to archive. Examples: 1) add all *.hlp files from the current directory to the archive help.rar: rar a help *.hlp 2) archive all files from the current directory and subdirectories to 362000 bytes size solid, self-extracting volumes and add the recovery record to each volume: rar a -r -v362 -s -sfx -rr save Because no file names are specified, all files (*) are assumed. 3) as a special exception, if directory name is specified as an argument and if directory name does not include file masks and trailing path separator, the entire contents of the directory and all subdirectories will be added to the archive even if switch -r is not specified. The following command will add all files from the directory Bitmaps and its subdirectories to the RAR archive Pictures.rar: rar a Pictures.rar Bitmaps 4) if directory name includes the trailing path separator, normal rules apply and you need to specify switch -r to process its subdirectories. The following command will add all files from directory Bitmaps, but not from its subdirectories, because switch -r is not specified: rar a Pictures.rar Bitmaps\* c Add archive comment. Comments are displayed while the archive is being processed. Comment length is limited to 256 KB. Examples: rar c distrib.rar Also comments may be added from a file using -z[file] switch. The following command adds a comment from info.txt file: rar c -zinfo.txt dummy ch Change archive parameters. This command can be used with most of archive modification switches to modify archive parameters. It is especially convenient for switches like -cl, -cu, -tl, which do not have a dedicated command. It is not able to recompress, encrypt or decrypt archive data and it cannot merge or create volumes. If no switches are specified, 'ch' command just copies the archive data without modification. If used with -amr switch to restore the saved archive name and time, other archive modification switches are ignored. Example: Set archive time to latest file: rar ch -tl files.rar cw Write archive comment to specified file. Format of output file depends on -sc switch. If output file name is not specified, comment data will be sent to stdout. Examples: 1) rar cw arc comment.txt 2) rar cw -scuc arc unicode.txt 3) rar cw arc d Delete files from archive. If this command removes all files from archive, the empty archive is removed. e Extract files without archived paths. Extract files excluding their path component, so all files are created in the same destination directory. Use 'x' command if you wish to extract full pathnames. Example: rar e -or html.rar *.css css\ extract all *.css files from html.rar archive to 'css' directory excluding archived paths. Rename extracted files automatically in case several files have the same name. f Freshen files in archive. Updates archived files older than files to add. This command will not add new files to the archive. i[i|c|h|t]=<string> Find string in archives. Supports following optional parameters: i - case insensitive search (default); c - case sensitive search; h - hexadecimal search; t - use ANSI, UTF-8, UTF-16 and OEM (Windows only) character tables; If no parameters are specified, it is possible to use the simplified command syntax i<string> instead of i=<string> It is allowed to specify 't' modifier with other parameters, for example, ict=string performs case sensitive search using all mentioned above character tables. Examples: 1) rar "ic=first level" -r c:\*.rar *.txt Perform case sensitive search of "first level" string in *.txt files in *.rar archives on the disk c: 2) rar ih=f0e0aeaeab2d83e3a9 -r e:\texts\*.rar Search for hex string f0 e0 ae ae ab 2d 83 e3 a9 in rar archives in e:\texts directory. k Lock archive. RAR cannot modify locked archives, so locking important archives prevents their accidental modification by RAR. Such protection might be especially useful in case of RAR commands processing archives in groups. This command is not intended or able to prevent modification by other tools or willful third party. It implements a safety measure only for accidental data change by RAR. Example: rar k final.rar l[t[a],b] List archive contents [technical [all], bare]. 'l' command lists archived file attributes, size, date, time and name, one file per line. If file is encrypted, line starts from '*' character. 'lt' displays the detailed file information in multiline mode. This information includes file checksum value, host OS, compression options and other parameters. 'lta' provide the detailed information not only for files, but also for service headers like NTFS streams or file security data. 'lb' lists bare file names with path, one per line, without any additional information. You can use -v switch to list contents of all volumes in volume set: rar l -v vol.part1.rar Commands 'lt', 'lta' and 'lb' are equal to 'vt', 'vta' and 'vb' correspondingly. m[f] Move to archive [files only]. Moving files and directories results in the files and directories being erased upon successful completion of the packing operation. Directories will not be removed if 'f' modifier is used and/or '-ed' switch is applied. p Print file to stdout. Send unpacked file data to stdout. Informational messages are suppressed with this command, so they are not mixed with file data. r Repair archive. Archive repairing is performed in two stages. First, the damaged archive is searched for a recovery record (see 'rr' command). If archive contains the previously added recovery record and if damaged data area is continuous and smaller than error correction code size in recovery record, chance of successful archive reconstruction is high. When this stage has been completed, a new archive is created, named as fixed.arcname.rar, where 'arcname' is the original (damaged) archive name. If broken archive does not contain a recovery record or if archive is not completely recovered due to major damage, second stage is performed. During this stage only the archive structure is reconstructed and it is impossible to recover files which fail checksum validation, it is still possible, however, to recover undamaged files, which were inaccessible due to the broken archive structure. Mostly this is useful for non-solid archives. This stage is never efficient for archives with encrypted file headers, which can be repaired only if recovery record is present. When the second stage is completed, the reconstructed archive is saved as rebuilt.arcname.rar, where 'arcname' is the original archive name. By default, repaired archives are created in the current directory, but you can append an optional destpath\ parameter to specify another destination directory. Example: rar r buggy.rar c:\fixed\ repair buggy.rar and place the result to 'c:\fixed' directory. rc Reconstruct missing and damaged volumes using recovery volumes (.rev files). You need to specify any existing .rar or .rev volume as the archive name. Example: rar rc backup.part03.rar Read 'rv' command description for information about recovery volumes. rn Rename archived files. The command syntax is: rar rn <arcname> <srcname1> <destname1> ... <srcnameN> <destnameN> For example, the following command: rar rn data.rar readme.txt readme.bak info.txt info.bak will rename readme.txt to readme.bak and info.txt to info.bak in the

Emails

[email protected]

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winrar-x64-621.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	winrar-x64-621.exe

Drops startup file 4 IoCs

Processes:

Cursed.exeCursed.exeCursed.exeCursed.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe	Cursed.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe	Cursed.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe	Cursed.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe	Cursed.exe

Executes dropped EXE 18 IoCs

Processes:

winrar-x64-621.exeuninstall.exeWinRAR.exeSetup.exeSetup.exeCursed.exeCursed.exeCursed.exeCursed.exeCursed.exeCursed.exeCursed.exeCursed.exeCursed.exeCursed.exeCursed.exeCursed.exeCursed.exe

pid	process
1592	winrar-x64-621.exe
1416	uninstall.exe
3504	WinRAR.exe
3884	Setup.exe
3968	Setup.exe
1088	Cursed.exe
1324	Cursed.exe
2828	Cursed.exe
3796	Cursed.exe
1776	Cursed.exe
1040	Cursed.exe
3844	Cursed.exe
3948	Cursed.exe
4328	Cursed.exe
1952	Cursed.exe
2968	Cursed.exe
2760	Cursed.exe
2252	Cursed.exe

Loads dropped DLL 51 IoCs

Processes:

Setup.exeSetup.exeCursed.exeCursed.exeCursed.exeCursed.exeCursed.exeCursed.exeCursed.exeCursed.exeCursed.exeCursed.exeCursed.exeCursed.exeCursed.exe

pid	process
3220
3220
3884	Setup.exe
3884	Setup.exe
3968	Setup.exe
3968	Setup.exe
3884	Setup.exe
1088	Cursed.exe
1088	Cursed.exe
1088	Cursed.exe
1324	Cursed.exe
1324	Cursed.exe
1324	Cursed.exe
1324	Cursed.exe
1324	Cursed.exe
1324	Cursed.exe
2828	Cursed.exe
3968	Setup.exe
3968	Setup.exe
3796	Cursed.exe
3796	Cursed.exe
1776	Cursed.exe
1776	Cursed.exe
3796	Cursed.exe
1040	Cursed.exe
1040	Cursed.exe
1040	Cursed.exe
1040	Cursed.exe
1040	Cursed.exe
1040	Cursed.exe
3844	Cursed.exe
1776	Cursed.exe
3948	Cursed.exe
3948	Cursed.exe
3948	Cursed.exe
3948	Cursed.exe
3948	Cursed.exe
3948	Cursed.exe
4328	Cursed.exe
1952	Cursed.exe
1952	Cursed.exe
1952	Cursed.exe
2968	Cursed.exe
2968	Cursed.exe
2968	Cursed.exe
2968	Cursed.exe
2968	Cursed.exe
2968	Cursed.exe
2760	Cursed.exe
2252	Cursed.exe
2252	Cursed.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

uninstall.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

uninstall.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 60 IoCs

Processes:

winrar-x64-621.exeuninstall.exe

description	ioc	process
File opened for modification	C:\Program Files\WinRAR\Resources.pri	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\Resources.pri	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_240613546	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-621.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 8 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

3280 tasklist.exe
2040 tasklist.exe
1520 tasklist.exe
3800 tasklist.exe
2280 tasklist.exe
1276 tasklist.exe
1904 tasklist.exe
5024 tasklist.exe

pid	process
3280	tasklist.exe
2040	tasklist.exe
1520	tasklist.exe
3800	tasklist.exe
2280	tasklist.exe
1276	tasklist.exe
1904	tasklist.exe
5024	tasklist.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4460 taskkill.exe

pid	process
4460	taskkill.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 575ec7859e45d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{B60F0783-FD64-443F-8251-A027DC0E849F}"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{29943314-D0A0-11ED-B7D7-62080863D4B5} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133248358259983900"	chrome.exe

Modifies registry class 64 IoCs

Processes:

uninstall.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r05\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r16\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r10\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r11\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r14	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.z	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r04	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r10	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r18\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r23\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r29	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r09	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r09\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.001\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tzst	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r17\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.001	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r12	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r08	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r21	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r02	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r08\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

640 NOTEPAD.EXE

pid	process
640	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

chrome.exeCursed.exechrome.exeCursed.exeCursed.exeCursed.exeCursed.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exemsedge.exepowershell.exemsedge.exe

pid	process
2992	chrome.exe
2992	chrome.exe
1088	Cursed.exe
1088	Cursed.exe
1088	Cursed.exe
1088	Cursed.exe
1088	Cursed.exe
1088	Cursed.exe
2724	chrome.exe
2724	chrome.exe
3796	Cursed.exe
3796	Cursed.exe
3796	Cursed.exe
3796	Cursed.exe
3796	Cursed.exe
3796	Cursed.exe
1776	Cursed.exe
1776	Cursed.exe
1776	Cursed.exe
1776	Cursed.exe
1776	Cursed.exe
1776	Cursed.exe
1952	Cursed.exe
1952	Cursed.exe
1952	Cursed.exe
1952	Cursed.exe
1952	Cursed.exe
1952	Cursed.exe
2252	Cursed.exe
2252	Cursed.exe
1984	powershell.exe
1984	powershell.exe
1984	powershell.exe
396	powershell.exe
396	powershell.exe
396	powershell.exe
1736	powershell.exe
1736	powershell.exe
1736	powershell.exe
4552	powershell.exe
4552	powershell.exe
4552	powershell.exe
3192	powershell.exe
3192	powershell.exe
3192	powershell.exe
3020	msedge.exe
3020	msedge.exe
2724	powershell.exe
2724	powershell.exe
2724	powershell.exe
1768	msedge.exe
1768	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

4680 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exemsedge.exe

pid process

2992 chrome.exe
2992 chrome.exe
2992 chrome.exe
2992 chrome.exe
2992 chrome.exe
1768 msedge.exe
1768 msedge.exe

pid	process
4680	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe

Suspicious use of FindShellTrayWindow 46 IoCs

Processes:

iexplore.exechrome.exeWinRAR.exemsedge.exe

pid	process
4732	iexplore.exe
4732	iexplore.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
3504	WinRAR.exe
3504	WinRAR.exe
3504	WinRAR.exe
3504	WinRAR.exe
3504	WinRAR.exe
1768	msedge.exe
1768	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe

Suspicious use of SetWindowsHookEx 41 IoCs

Processes:

iexplore.exeIEXPLORE.EXEwinrar-x64-621.exeOpenWith.exe

pid	process
4732	iexplore.exe
4732	iexplore.exe
4688	IEXPLORE.EXE
4688	IEXPLORE.EXE
1592	winrar-x64-621.exe
1592	winrar-x64-621.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe
4680	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exechrome.exe

description	pid	process	target process
PID 4732 wrote to memory of 4688	4732	iexplore.exe	IEXPLORE.EXE
PID 4732 wrote to memory of 4688	4732	iexplore.exe	IEXPLORE.EXE
PID 4732 wrote to memory of 4688	4732	iexplore.exe	IEXPLORE.EXE
PID 2992 wrote to memory of 60	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 60	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4580	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 3872	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 3872	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4256	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4256	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4256	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4256	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4256	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4256	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4256	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4256	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4256	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4256	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4256	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4256	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4256	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4256	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4256	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4256	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4256	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4256	2992	chrome.exe	chrome.exe
PID 2992 wrote to memory of 4256	2992	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://cdn.discordapp.com/attachments/1087849368675176460/1088103716277723146/Setup.rar
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4732

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4732 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb11c9758,0x7ffcb11c9768,0x7ffcb11c9778
2⤵
PID:60

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1812,i,6943341920188335595,16252467225538414349,131072 /prefetch:2
2⤵
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1812,i,6943341920188335595,16252467225538414349,131072 /prefetch:8
2⤵
PID:3872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1812,i,6943341920188335595,16252467225538414349,131072 /prefetch:8
2⤵
PID:4256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1812,i,6943341920188335595,16252467225538414349,131072 /prefetch:1
2⤵
PID:4084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3308 --field-trial-handle=1812,i,6943341920188335595,16252467225538414349,131072 /prefetch:1
2⤵
PID:2140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4520 --field-trial-handle=1812,i,6943341920188335595,16252467225538414349,131072 /prefetch:1
2⤵
PID:2460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4700 --field-trial-handle=1812,i,6943341920188335595,16252467225538414349,131072 /prefetch:8
2⤵
PID:3768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4736 --field-trial-handle=1812,i,6943341920188335595,16252467225538414349,131072 /prefetch:8
2⤵
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4840 --field-trial-handle=1812,i,6943341920188335595,16252467225538414349,131072 /prefetch:1
2⤵
PID:4612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3396 --field-trial-handle=1812,i,6943341920188335595,16252467225538414349,131072 /prefetch:1
2⤵
PID:1524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5384 --field-trial-handle=1812,i,6943341920188335595,16252467225538414349,131072 /prefetch:8
2⤵
PID:1340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1812,i,6943341920188335595,16252467225538414349,131072 /prefetch:8
2⤵
PID:1448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 --field-trial-handle=1812,i,6943341920188335595,16252467225538414349,131072 /prefetch:8
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3444 --field-trial-handle=1812,i,6943341920188335595,16252467225538414349,131072 /prefetch:8
2⤵
PID:892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4504 --field-trial-handle=1812,i,6943341920188335595,16252467225538414349,131072 /prefetch:8
2⤵
PID:1308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2916 --field-trial-handle=1812,i,6943341920188335595,16252467225538414349,131072 /prefetch:8
2⤵
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5384 --field-trial-handle=1812,i,6943341920188335595,16252467225538414349,131072 /prefetch:8
2⤵
PID:4644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5684 --field-trial-handle=1812,i,6943341920188335595,16252467225538414349,131072 /prefetch:8
2⤵
PID:1712

C:\Users\Admin\Downloads\winrar-x64-621.exe
"C:\Users\Admin\Downloads\winrar-x64-621.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Program Files\WinRAR\uninstall.exe
"C:\Program Files\WinRAR\uninstall.exe" /setup
3⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
PID:1416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3272 --field-trial-handle=1812,i,6943341920188335595,16252467225538414349,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2724

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1264

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ver -imon1 -- "C:\Users\Admin\Downloads\Setup.rar" C:\Users\Admin\Downloads\Setup\
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:3504

C:\Users\Admin\Downloads\Setup\Setup.exe
"C:\Users\Admin\Downloads\Setup\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3884

C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
3⤵
PID:2472

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"
3⤵
PID:1776

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM chrome.exe /F
4⤵
- Kills process with taskkill
PID:4460

C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe
"C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1864 --field-trial-handle=2032,i,13647242352122673380,1541460702268537804,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1324

C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe
"C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx" --mojo-platform-channel-handle=2316 --field-trial-handle=2032,i,13647242352122673380,1541460702268537804,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
3⤵
PID:4644

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:3800

C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe
"C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1896 --field-trial-handle=2032,i,13647242352122673380,1541460702268537804,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
3⤵
PID:980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
3⤵
PID:2820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
3⤵
PID:1228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
3⤵
PID:4952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
3⤵
PID:2392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
3⤵
PID:1228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
3⤵
PID:5496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:5548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
3⤵
PID:5720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:5772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
3⤵
PID:5948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:5988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
3⤵
PID:1648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:5580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
3⤵
PID:5828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:5840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
3⤵
PID:4560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:5180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
3⤵
PID:5344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:5396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
3⤵
PID:3924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
3⤵
PID:6000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:6096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
3⤵
PID:5612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:2160

C:\Users\Admin\Downloads\Setup\Setup.exe
"C:\Users\Admin\Downloads\Setup\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3968

C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
3⤵
PID:664

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:2280

C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe
"C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=2004,i,7413140679836253057,8432199003050783857,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040

C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe
"C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx" --mojo-platform-channel-handle=2296 --field-trial-handle=2004,i,7413140679836253057,8432199003050783857,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
3⤵
PID:4568

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:1904

C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe
"C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1436

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:1276

C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe
"C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 --field-trial-handle=2036,i,13272748382070144996,17570965652012947203,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3948

C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe
"C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx" --mojo-platform-channel-handle=2328 --field-trial-handle=2036,i,13272748382070144996,17570965652012947203,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3504

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:5024

C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe
"C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3912

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:3280

C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe
"C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1960 --field-trial-handle=2100,i,2164036265796160166,17995484671068194500,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968

C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe
"C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx" --mojo-platform-channel-handle=2304 --field-trial-handle=2100,i,2164036265796160166,17995484671068194500,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4532

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:2040

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4680

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\chrome_100_percent.pak
2⤵
- Opens file in notepad (likely ransom note)
PID:640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\LICENSES.chromium.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:1768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcc84046f8,0x7ffcc8404708,0x7ffcc8404718
2⤵
PID:1708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,18276868863785083822,8488531749891851870,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
2⤵
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,18276868863785083822,8488531749891851870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,18276868863785083822,8488531749891851870,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
2⤵
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,18276868863785083822,8488531749891851870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
2⤵
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,18276868863785083822,8488531749891851870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
2⤵
PID:2240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Rar.txt

Filesize
109KB

MD5
e51d9ff73c65b76ccd7cd09aeea99c3c

SHA1
d4789310e9b7a4628154f21af9803e88e89e9b1b

SHA256
7456f489100ec876062d68d152081167ac00d45194b17af4a8dd53680acfc9bd

SHA512
57ab82d4a95d3b5d181c0ec1a1a1de56a4d6c83af5644032ff3af71e9bd8e13051ae274609bda8b336d70a99f2fba17331773694d7e98d4a7635f7b59651b77c

Download Submit
C:\Program Files\WinRAR\RarExt.dll

Filesize
659KB

MD5
4f190f63e84c68d504ae198d25bf2b09

SHA1
56a26791df3d241ce96e1bb7dd527f6fecc6e231

SHA256
3a5d6267a16c3cf5a20c556a7ddbfc80c64fcd2700a8bfd901e328b3945d6a1a

SHA512
521ada80acc35d41ac82ce41bcb84496a3c95cb4db34830787c13cdcb369c59830c2f7ff291f21b7f204d764f3812b68e77fd3ab52dfe0d148c01580db564291

Download Submit
C:\Program Files\WinRAR\RarExt.dll

Filesize
659KB

MD5
4f190f63e84c68d504ae198d25bf2b09

SHA1
56a26791df3d241ce96e1bb7dd527f6fecc6e231

SHA256
3a5d6267a16c3cf5a20c556a7ddbfc80c64fcd2700a8bfd901e328b3945d6a1a

SHA512
521ada80acc35d41ac82ce41bcb84496a3c95cb4db34830787c13cdcb369c59830c2f7ff291f21b7f204d764f3812b68e77fd3ab52dfe0d148c01580db564291

Download Submit
C:\Program Files\WinRAR\Uninstall.exe

Filesize
437KB

MD5
cac9723066062383778f37e9d64fd94e

SHA1
1cd78fc041d733f7eacdd447371c9dec25c7ef2c

SHA256
e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad

SHA512
2b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59

Download Submit
C:\Program Files\WinRAR\Uninstall.exe

Filesize
437KB

MD5
cac9723066062383778f37e9d64fd94e

SHA1
1cd78fc041d733f7eacdd447371c9dec25c7ef2c

SHA256
e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad

SHA512
2b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt

Filesize
103KB

MD5
4c88a040b31c4d144b44b0dc68fb2cc8

SHA1
bf473f5a5d3d8be6e5870a398212450580f8b37b

SHA256
6f1a005a0e5c765fcc68fe15f7ccd18667a6e583980e001ba7181aaaeed442b8

SHA512
e7f224a21d7c111b83775c778e6d9fa447e53809e0efd4f3ba99c7d6206036aa3dde9484248b244fb26789467559a40516c8e163d379e84dcf31ac84b4c5d2a8

Download Submit
C:\Program Files\WinRAR\WinRAR.chm

Filesize
317KB

MD5
381eae01a2241b8a4738b3c64649fbc0

SHA1
cc5944fde68ed622ebee2da9412534e5a44a7c9a

SHA256
ad58f39f5d429b5a3726c4a8ee5ccada86d24273eebf2f6072ad1fb61ea82d6e

SHA512
f7a8903ea38f2b62d6fa2cc755e0d972a14d00a2e1047e6e983902eff1d3a6bca98327c2b8ed47e46435d1156816e4b0d494726fce87b6cbe7722f5249889b88

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
2.4MB

MD5
46d15a70619d5e68415c8f22d5c81555

SHA1
12ec96e89b0fd38c469546042e30452b070e337f

SHA256
2e503ad5a9c800f2dac2fed2b3e8698d96d25b219ed86ed1a54896232cbe4781

SHA512
09446dc9d0c768844213f7f71ba65ee4e86b61d7a61610b63892d1b142952bdd346d14d27d878c026362e012e22fcb49c6746912d5e02db6b40223cafa6d01fb

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
2.4MB

MD5
46d15a70619d5e68415c8f22d5c81555

SHA1
12ec96e89b0fd38c469546042e30452b070e337f

SHA256
2e503ad5a9c800f2dac2fed2b3e8698d96d25b219ed86ed1a54896232cbe4781

SHA512
09446dc9d0c768844213f7f71ba65ee4e86b61d7a61610b63892d1b142952bdd346d14d27d878c026362e012e22fcb49c6746912d5e02db6b40223cafa6d01fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
b98a5ca58f4dc8699b24bb4677f4b2e9

SHA1
e55bebbdee410b2603a411c843e41b5f243366e8

SHA256
818a7c37551051ab256e07e4f8b3161d2302c2b8313272c5c43964cae997e334

SHA512
28af0670aa995ce5523819ee65b6a218e1907f6ab4780dffee8018dc0737034174eba325ada4d0a41bf940c9745abbbcb14861b995bde9f1a6f8d2603b4c78f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
1KB

MD5
207b0b79967cfed17182575553ab7199

SHA1
a13af32f140dd619d3c807abd89103c16ccfda1b

SHA256
dd6722784dca57dc058ff6f64eb0c2aa72c3760796673883df95f7cabadeab22

SHA512
81982b7fbd49f5b03f83201b4130f5fb2bec25cd14ce770269fc81ed09053634447a19d243c58c696252c55041f0e0b17eeee4fc7578d95a1db5e85228218f05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data.bby

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
3e396dc41efcfe6035a641ffec4aa04d

SHA1
e0f859c6e8d2f329612881f348ea8ec6a1ad4133

SHA256
ebcac053dc1349696f9e190ad01130c2c780c11a3c56a77ebb16b35d2d19f5ca

SHA512
309e09b927b483cdcf9fd9e1fb78f50a341861b26a9e2b04a22dbc9c4f4dbbb68a038ac01034fb512ed34ec1e4ecf5016875a4649ce6b58892e6ed48a6b0b46a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies.bby

Filesize
20KB

MD5
3e396dc41efcfe6035a641ffec4aa04d

SHA1
e0f859c6e8d2f329612881f348ea8ec6a1ad4133

SHA256
ebcac053dc1349696f9e190ad01130c2c780c11a3c56a77ebb16b35d2d19f5ca

SHA512
309e09b927b483cdcf9fd9e1fb78f50a341861b26a9e2b04a22dbc9c4f4dbbb68a038ac01034fb512ed34ec1e4ecf5016875a4649ce6b58892e6ed48a6b0b46a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
238d7d94bcd1ab51afa32e3b3c90ac2e

SHA1
64aa0b3ebd3740966a08994c287f5efd54627783

SHA256
2f792356fed1aba8115ee382de87de3193c41c6878b866d856776ee0668d8e6f

SHA512
fa178e42022791512c4078f9967a7659ea4f43572e20140cbe9ba3e12de860ddbab545147ad3246dc217d280e73d9f40522bc3ee2c0454c80e13410543f87f05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
872B

MD5
4b7f49d0dcf156ffa25c17980e770191

SHA1
f0db5ed862f4d2812bc374c2603129f4b9915349

SHA256
266a3830f9169b027d4fb2c52d2f5440269d16aa15c278047e00e51e374d878b

SHA512
01cb1031e300cc2795681de28b3fb234524ddf2f2c0c0b8527e0026eec5881780210927b80185293d6801c49d109f6726de07adbb49f14ba8849d814485107f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
872B

MD5
f2d3d144fa7ae8958f7777c4ab843403

SHA1
41b30304af2ab430175775a4badb6c708379af57

SHA256
6187ebc0bbb78c79ca490183d1eb59821e22bf3461b3d830d022d291333f0b17

SHA512
feef9baac58fc4f22ff5e8cc3e618bb071a5b2124133b459107e8ee395e07de061a3cc36fe9d506438ba834aac6d7944f589cae43b15d002d5fa433c06e93408

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b1eec9deafe5528da08975d6d02a19ac

SHA1
05634d26664259c17955259310591c574666a247

SHA256
6652916a1606c82b85cd2c3bb3d8ce4304f3f08f10f8691a250626c907a417e4

SHA512
d431367db2de09709983619cd23fb39d2c13a4b02de174c533d6f7a6b5f16ba8d6871c5b10936263895d43ce9e5151dae89fac8c3c76b890d78096048f6dc604

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
639666ca048628bdbd0264cf090064c7

SHA1
bddd1c97be5d0cafb3451ef55708c28e4c9dbe3e

SHA256
9b5a9501b0eb9e7ce2efc5122217fa309332ef4f49ebc113bbdefbc7d07bf8cd

SHA512
19a11ae6039edb2ef1d77c941d2d054580263bcfb6890c582beaa661389faf25d262d1e72b25a246b247df80c8f5c8cbae3c1980063ff4a5b11e1688028c2711

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
07961430bf23f3762b38ac187e2bc207

SHA1
896eb74425e30559963946b97912c3e80bea4a28

SHA256
b7dc8e690ca18d5a49ecd72265d545c2c2968f24bcddbdef3c151564582ec23a

SHA512
90c466e92d8afa462e4eeb7408b5f918f0eabcc568341c2f388651ea5564c1f2589d0d178a6b1b0f4a270092be870ab18fabf9daceee766c3ddbccc3b870dd19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c27c4914022eee1f8b23e2b7fff325bd

SHA1
a95f22b68d453e2d9dca3e6871bb8493444463d2

SHA256
7c244240caa432844ef5cdb50fb923bd92f271e5327606d987ebe8a71a351a4d

SHA512
15c629f4661761127d614214190bea251d5d910d70f25479bbacb2edebc5dcbc6ab1616cc3584c6a2026c2f5893cd831b823314ee0ff38b017c4823d79072bbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
92KB

MD5
a549f705eefaaf19b2800e2ebbe44c0e

SHA1
bf35c23ae4c5d1e267e819958b7018498b3f12d0

SHA256
e09a36dd558c264f03c87bbd49a39e0f8b6f015e67f23d435cb282aa1472422a

SHA512
ef3b8717e5be8e9204046f8ded5cd62695bef4afa004aeca54395b4670f9edd7f5ece824604b8519438f26f2ce8c92cf4b6a5c4f8c0d56811424cf46bda96890

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data.bby

Filesize
92KB

MD5
a549f705eefaaf19b2800e2ebbe44c0e

SHA1
bf35c23ae4c5d1e267e819958b7018498b3f12d0

SHA256
e09a36dd558c264f03c87bbd49a39e0f8b6f015e67f23d435cb282aa1472422a

SHA512
ef3b8717e5be8e9204046f8ded5cd62695bef4afa004aeca54395b4670f9edd7f5ece824604b8519438f26f2ce8c92cf4b6a5c4f8c0d56811424cf46bda96890

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
8b22d577dfbce8af6cbfe72e8c7034b2

SHA1
c9b5c70d0945e43757f7d349ef0a106aecf72a43

SHA256
3de22df49ff1453fc2729ee68f08fe7da5f668d2b8e03a879e611a1a01b9e0e2

SHA512
ba8db3c745918d01b83567fc1e2db2ab39593c5e376032d4918f8391019573760f3ec23a277a8021dc152ea2e99e48c260a86052fca65dbb1c8409d59f2aac12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
8b22d577dfbce8af6cbfe72e8c7034b2

SHA1
c9b5c70d0945e43757f7d349ef0a106aecf72a43

SHA256
3de22df49ff1453fc2729ee68f08fe7da5f668d2b8e03a879e611a1a01b9e0e2

SHA512
ba8db3c745918d01b83567fc1e2db2ab39593c5e376032d4918f8391019573760f3ec23a277a8021dc152ea2e99e48c260a86052fca65dbb1c8409d59f2aac12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aaeb1f5e097ab38083674077b84b8ed6

SHA1
7d9191cb2277c30f1147c9d29d75fc8e6aa0a4f2

SHA256
1654b27bfaeee49bfe56e0c4c0303418f4887f3ea1933f03cafce10352321aef

SHA512
130f1b62134626959f69b13e33c42c3182e343d7f0a5b6291f7bb0c2f64b60885f5e6331e1866a4944e9b7b2e49fe798e073316fde23927ede2c348ba0e56eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1db53baf44edd6b1bc2b7576e2f01e12

SHA1
e35739fa87978775dcb3d8df5c8d2063631fa8df

SHA256
0d73ba3eea4c552ce3ffa767e4cd5fff4e459e543756987ab5d55f1e6d963f48

SHA512
84f544858803ac14bac962d2df1dbc7ed6e1134ecf16d242d7ee7316648b56b5bc095241363837bf0bf0afd16ca7deebe7afb7d40057604acbf09821fd5a9912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
42f45fe60d4fc7b74fca481a35dfb6dc

SHA1
cc94dbd2fc84990d3ca849deedbe78d37331c735

SHA256
0ff81bfe8be0518d8f0d6ac60e1782d0c04745701c9ec549404fddf3e0604f8f

SHA512
c8855091db9b73ca924a8d3c8c84edba9bc5cc4766816872561d7f2b0d09874636247db6f82815f3d8dfd7a2202e8d664f7b8668925af166cb3e4b01163a2bf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data.bby

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
f6d8c99fdf1614adc8d008d782ac1935

SHA1
ed25094c686161938a962616eaeb4b678ca23720

SHA256
43e8a9eb0342b110c94abb3c712f2481e42f1241f8c6a6feb5493c8ac7d3eba7

SHA512
1f151b5ae8e5f05b88b8ffc2d150c20930a1885f330c81d28ec0072a71c1fb574540bccd7c882bbee6b5710a56d63b2f499c5602bd4a9a0616279ae21d1bd110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
f3ce2bbbc2c57c1d318577306c0e519b

SHA1
c18e206ef1eb5a67163b951f2b17c4fd831cfa99

SHA256
aa3a6020a67ccc93e3d9f8738355aca4661500de6ea6152e5c68b7de6a5d1cfa

SHA512
337d28712fb045ab086713ce0b621b698058fc3e622b7747e7b277a190763afb6f322bb636941eeadd136273dd9c6ba6c1cf6f6fc74f41a55abd58c51387c6dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a748cfece6eaebb31d809df7e74f1565

SHA1
0ad631b2a85d561ef7db113c8edde4c4d380cd2c

SHA256
b6d0861040ef327768498d6dbed02982c595c505f19c27ab8d5afcccd775f0f4

SHA512
9bba1c8e8a9b20dd0b38b566158936e394fb51146b2c56218f97be853e3a07fa9dbd6044962441d373d47d35faa9bc5c4b2c3ab96c1353735ad21ba03640cf43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
47e94a96372e6f095b8a3fd7edc48ec0

SHA1
377b68f34e5964ca8be1b1b0c1507dd7f0e5f005

SHA256
15c77bafd922bd085317fd544d0fa129e3b8c814e3ba0d48936366004427732e

SHA512
5bd63de2e831805b723d7ddf1343c3b721ef5b757d9ab01bf8554ef8e29ac2cc09fa104fc85d530f27d66b67280774b3ebbef6729ea3ab61ce8028ab4ba5bdad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data.bby

Filesize
112KB

MD5
780853cddeaee8de70f28a4b255a600b

SHA1
ad7a5da33f7ad12946153c497e990720b09005ed

SHA256
1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

SHA512
e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
aafdc18f60ecf9d488f6470a53886c1d

SHA1
061223b82bc289ed07854c2ec93c159642262928

SHA256
a5411f6b8496a2c82fff5646d67c186b079804a0ac6c7aca8379cba2116e8482

SHA512
14eef3a3dbf77f7e8055f086e759cff84028ba8fdf29ce29e9e75478656b6e425cf1b3ddc4ce955c466d82edfcb3183c8b9b6c102269da8ac84ce57664ffe99e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\Setup[1].rar

Filesize
56.5MB

MD5
6305b5402391d1088f8086d21a24c241

SHA1
3eeac2dee953119bbe45eecd07c97833e97c9346

SHA256
90b0950960b30715a9f9c78ff507858c14655f55bd33ce76ff4e63d0a1eabb43

SHA512
3a40cbb093847f5372af9484bb8e9d74309e00ab556d1ad27df88da5d8482f34ffab1a12b25bc7a3b073dfe41c0fdd8fcb4251486b0ab211fb28402043aadc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\06ff9b6c-5566-4da0-b3c8-927a793b2b39.tmp.node

Filesize
500KB

MD5
e1442f26c6b952a40b5fedded24bfbce

SHA1
f87aa6ab732893b3167b075872ccfded928e3903

SHA256
8001a2ecdd6c6b2fce7ac7971b2b0582400d96f713fa02efe8c3543de484f3cd

SHA512
e60d1cf9bc4bd73afb5921f44d49561d9c6611855cdb2f74a8083ee6b5125c8d0456f5636389e7659149c61254c975883b4915c442af85c30bb1b66014a1c15c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2739e1b0-c2fb-41c1-a5de-53de99a211aa.tmp.node

Filesize
2.1MB

MD5
3bc107cac5de2a16c41af09753c17d8a

SHA1
3fc350965383a1850263322b163ea9e7db84aa18

SHA256
2fedc6242d32e83c3959ac2bc6d2d69f2ffbbf537fd9354a5fed31bf3ae75546

SHA512
a688118157fdcf0177b6667217c64c3dccad99c9a909d0aba3ef39861f773b96e30769c34af5a3853333f4c30fb3b1658b713e345677a0b7c46cf835a51a5d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe

Filesize
124.3MB

MD5
c13d0c0e58eaa915bc7128395e4a3710

SHA1
2e783ae8969fc2b005a6c53b05a592f675bea501

SHA256
31fe90af4a89357a0ceb1be02ecc047c761752df1c7f9d8cd9b8552e4321cfd5

SHA512
a5e31669705be689457d6645cfe85f34063186773f077c5507e279358a33f82ed40336167c01daad63e07175abe0356857712a92f47f0029a6eb6331a3536f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe

Filesize
124.3MB

MD5
c13d0c0e58eaa915bc7128395e4a3710

SHA1
2e783ae8969fc2b005a6c53b05a592f675bea501

SHA256
31fe90af4a89357a0ceb1be02ecc047c761752df1c7f9d8cd9b8552e4321cfd5

SHA512
a5e31669705be689457d6645cfe85f34063186773f077c5507e279358a33f82ed40336167c01daad63e07175abe0356857712a92f47f0029a6eb6331a3536f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\Cursed.exe

Filesize
124.3MB

MD5
c13d0c0e58eaa915bc7128395e4a3710

SHA1
2e783ae8969fc2b005a6c53b05a592f675bea501

SHA256
31fe90af4a89357a0ceb1be02ecc047c761752df1c7f9d8cd9b8552e4321cfd5

SHA512
a5e31669705be689457d6645cfe85f34063186773f077c5507e279358a33f82ed40336167c01daad63e07175abe0356857712a92f47f0029a6eb6331a3536f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\D3DCompiler_47.dll

Filesize
3.9MB

MD5
ab3be0c427c6e405fad496db1545bd61

SHA1
76012f31db8618624bc8b563698b2669365e49cb

SHA256
827d12e4ed62520b663078bbf26f95dfd106526e66048cf75b5c9612b2fb7ce6

SHA512
d1dc2ec77c770c5da99e688d799f88b1e585f8dcf63e6876e237fe7fce6e23b528e6a5ef94ffc68283c60ae4e465ff19d3fd6f2fae5de4504b5479d68cbc4dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\chrome_100_percent.pak

Filesize
125KB

MD5
0cf9de69dcfd8227665e08c644b9499c

SHA1
a27941acce0101627304e06533ba24f13e650e43

SHA256
d2c299095dbbd3a3cb2b4639e5b3bd389c691397ffd1a681e586f2cfe0e2ab88

SHA512
bb5d340009cef2bcb604ef38fdd7171fed0423c2dc6a01e590f8d15c4f6bc860606547550218db41fba554609e8395c9e3c3508dfa2d8b202e5059e7646bdcef

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\chrome_100_percent.pak

Filesize
125KB

MD5
0cf9de69dcfd8227665e08c644b9499c

SHA1
a27941acce0101627304e06533ba24f13e650e43

SHA256
d2c299095dbbd3a3cb2b4639e5b3bd389c691397ffd1a681e586f2cfe0e2ab88

SHA512
bb5d340009cef2bcb604ef38fdd7171fed0423c2dc6a01e590f8d15c4f6bc860606547550218db41fba554609e8395c9e3c3508dfa2d8b202e5059e7646bdcef

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\chrome_200_percent.pak

Filesize
174KB

MD5
d88936315a5bd83c1550e5b8093eb1e6

SHA1
6445d97ceb89635f6459bc2fb237324d66e6a4ee

SHA256
f49abd81e93a05c1e53c1201a5d3a12f2724f52b6971806c8306b512bf66aa25

SHA512
75142f03df6187fb75f887e4c8b9d5162902ba6aac86351186c85e5f0a2d3825ca312a36cf9f4bd656cdfc23a20cd38d4580ca1b41560d23ebaa0d41e4cf1dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\chrome_200_percent.pak

Filesize
174KB

MD5
d88936315a5bd83c1550e5b8093eb1e6

SHA1
6445d97ceb89635f6459bc2fb237324d66e6a4ee

SHA256
f49abd81e93a05c1e53c1201a5d3a12f2724f52b6971806c8306b512bf66aa25

SHA512
75142f03df6187fb75f887e4c8b9d5162902ba6aac86351186c85e5f0a2d3825ca312a36cf9f4bd656cdfc23a20cd38d4580ca1b41560d23ebaa0d41e4cf1dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\d3dcompiler_47.dll

Filesize
3.9MB

MD5
ab3be0c427c6e405fad496db1545bd61

SHA1
76012f31db8618624bc8b563698b2669365e49cb

SHA256
827d12e4ed62520b663078bbf26f95dfd106526e66048cf75b5c9612b2fb7ce6

SHA512
d1dc2ec77c770c5da99e688d799f88b1e585f8dcf63e6876e237fe7fce6e23b528e6a5ef94ffc68283c60ae4e465ff19d3fd6f2fae5de4504b5479d68cbc4dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\ffmpeg.dll

Filesize
2.5MB

MD5
6fa845139be73ae78dc4c939cafb761d

SHA1
26d427a3b35a09d78667d20de2a64e03bd22cb23

SHA256
d46473cb06cb8c8ba66659cdea497727c2880e8eeb73cb5ee4255b7fb671d043

SHA512
decc0fc52227165651dfedb56b877ace262823a211c21358f8ce7026c81e758ab131c7b9c56e09d07654d0973872ddd8b8c0db221ba4b6d81160ab24f66a0624

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\ffmpeg.dll

Filesize
2.5MB

MD5
6fa845139be73ae78dc4c939cafb761d

SHA1
26d427a3b35a09d78667d20de2a64e03bd22cb23

SHA256
d46473cb06cb8c8ba66659cdea497727c2880e8eeb73cb5ee4255b7fb671d043

SHA512
decc0fc52227165651dfedb56b877ace262823a211c21358f8ce7026c81e758ab131c7b9c56e09d07654d0973872ddd8b8c0db221ba4b6d81160ab24f66a0624

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\ffmpeg.dll

Filesize
2.5MB

MD5
6fa845139be73ae78dc4c939cafb761d

SHA1
26d427a3b35a09d78667d20de2a64e03bd22cb23

SHA256
d46473cb06cb8c8ba66659cdea497727c2880e8eeb73cb5ee4255b7fb671d043

SHA512
decc0fc52227165651dfedb56b877ace262823a211c21358f8ce7026c81e758ab131c7b9c56e09d07654d0973872ddd8b8c0db221ba4b6d81160ab24f66a0624

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\icudtl.dat

Filesize
9.9MB

MD5
c6ae43f9d596f3dd0d86fb3e62a5b5de

SHA1
198b3b4abc0f128398d25c66455c531a7af34a6d

SHA256
00f755664926fda5fda14b87af41097f6ea4b20154f90be65d73717580db26ee

SHA512
3c43e2dcdf037726a94319a147a8bc41a4c0fd66e6b18b3c7c95449912bf875382dde5ec0525dcad6a52e8820b0859caf8fa73cb287283334ec8d06eb3227ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\libEGL.dll

Filesize
364KB

MD5
596c3217f870d63a9feb190305b45790

SHA1
a65bdf045c38e2580f724e1cc4e460c46a0ea9fc

SHA256
1679ccf85c0fab467a3d12dc63248eb4d34e7345d6e6399740ffc7f78e4e927b

SHA512
1aae19270de9cc0768543ae0f691da4ea6c7d350d54f8accc02f5eb94e03f6b1671f8aa31f9370b9758827ad42870c9e264c3fea65e2074717ab24f9c0872d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\libGLESv2.dll

Filesize
6.1MB

MD5
1baf13b30d409e0df85ac538d8883e3f

SHA1
e61c3231a330e806edebd04520b827b43820a268

SHA256
4a51e8a30804dd766dd01da3d574caeca459542f9aed255eca2bcc8e2ed9b893

SHA512
67fe5baa4948cacb2925710f68de3f7a226a9c26150d84b1a78d9d8d6aa097ae3055a557c4354eb545a314d9112702dec60c20fde2de5a4a025dce74f54e0bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\libegl.dll

Filesize
364KB

MD5
596c3217f870d63a9feb190305b45790

SHA1
a65bdf045c38e2580f724e1cc4e460c46a0ea9fc

SHA256
1679ccf85c0fab467a3d12dc63248eb4d34e7345d6e6399740ffc7f78e4e927b

SHA512
1aae19270de9cc0768543ae0f691da4ea6c7d350d54f8accc02f5eb94e03f6b1671f8aa31f9370b9758827ad42870c9e264c3fea65e2074717ab24f9c0872d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\libglesv2.dll

Filesize
6.1MB

MD5
1baf13b30d409e0df85ac538d8883e3f

SHA1
e61c3231a330e806edebd04520b827b43820a268

SHA256
4a51e8a30804dd766dd01da3d574caeca459542f9aed255eca2bcc8e2ed9b893

SHA512
67fe5baa4948cacb2925710f68de3f7a226a9c26150d84b1a78d9d8d6aa097ae3055a557c4354eb545a314d9112702dec60c20fde2de5a4a025dce74f54e0bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\locales\en-US.pak

Filesize
115KB

MD5
f982582f05ea5adf95d9258aa99c2aa5

SHA1
2f3168b09d812c6b9b6defc54390b7a833009abf

SHA256
4221cf9bae4ebea0edc1b0872c24ec708492d4fe13f051d1f806a77fe84ca94d

SHA512
75636f4d6aa1bcf0a573a061a55077106fbde059e293d095557cddfe73522aa5f55fe55a48158bf2cfc74e9edb74cae776369a8ac9123dc6f1f6afa805d0cc78

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\resources.pak

Filesize
4.9MB

MD5
c7b17b0c9e6e6aad4ffd1d61c9200123

SHA1
63a46fc028304de3920252c0dab5aa0a8095ed7d

SHA256
574c67ecd1d07f863343c2ea2854b2d9b2def23f04ba97b67938e72c67799f66

SHA512
96d72485598a6f104e148a8384739939bf4b65054ddde015dd075d357bcc156130690e70f5f50ec915c22df3d0383b0f2fbac73f5de629d5ff8dab5a7533d12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\resources\app.asar

Filesize
39.5MB

MD5
17c8a4e00b7d7db879f3599a7a9fa29b

SHA1
1b8824d579c58963a9d9aee043ff1b9c1c8066ae

SHA256
c6305fc95f9f5e39d67519d96ab272df468d9362de0145b5caf42a4a8581b1a0

SHA512
ca2c987aa421a6046b7660759e1a98b78bb64c9267d9a69241b3c01e941a48a0f0cd0e2d2baf60229378d8648c35364afc45f715ded80d86aa484a9ed1fd1a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NLCYtILPnJGv6F5rChl0lFetUG\v8_context_snapshot.bin

Filesize
596KB

MD5
5d9b4473dd8705940bbb4a4036e395d0

SHA1
af35aa3374200dd2b9102f6767e53413e4e09e20

SHA256
ca2245da2a4aa7e4c9dcbf810c90048f73a9a96f6432f7895f3e6fe0c21e48f1

SHA512
bcc78b845a2aac96e46162c6a81dd1a914a6e8ed6d9753f648ae125958042a76ab49f1fefc8615891a1e007f0d0b63980517953ee088e29d46ba9d258f130192

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0tgx3hhl.yrw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7121156-abe3-4b15-9cd3-4a9b13463980.tmp.node

Filesize
500KB

MD5
e1442f26c6b952a40b5fedded24bfbce

SHA1
f87aa6ab732893b3167b075872ccfded928e3903

SHA256
8001a2ecdd6c6b2fce7ac7971b2b0582400d96f713fa02efe8c3543de484f3cd

SHA512
e60d1cf9bc4bd73afb5921f44d49561d9c6611855cdb2f74a8083ee6b5125c8d0456f5636389e7659149c61254c975883b4915c442af85c30bb1b66014a1c15c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fef9da25-3d79-42b6-bc8c-f889b2996298.tmp.node

Filesize
2.1MB

MD5
3bc107cac5de2a16c41af09753c17d8a

SHA1
3fc350965383a1850263322b163ea9e7db84aa18

SHA256
2fedc6242d32e83c3959ac2bc6d2d69f2ffbbf537fd9354a5fed31bf3ae75546

SHA512
a688118157fdcf0177b6667217c64c3dccad99c9a909d0aba3ef39861f773b96e30769c34af5a3853333f4c30fb3b1658b713e345677a0b7c46cf835a51a5d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\Cursed.exe

Filesize
124.3MB

MD5
c13d0c0e58eaa915bc7128395e4a3710

SHA1
2e783ae8969fc2b005a6c53b05a592f675bea501

SHA256
31fe90af4a89357a0ceb1be02ecc047c761752df1c7f9d8cd9b8552e4321cfd5

SHA512
a5e31669705be689457d6645cfe85f34063186773f077c5507e279358a33f82ed40336167c01daad63e07175abe0356857712a92f47f0029a6eb6331a3536f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\LICENSE.electron.txt

Filesize
1KB

MD5
4d42118d35941e0f664dddbd83f633c5

SHA1
2b21ec5f20fe961d15f2b58efb1368e66d202e5c

SHA256
5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d

SHA512
3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\LICENSES.chromium.html

Filesize
5.1MB

MD5
f0882b4f2a11c1f0c524388c3307aad7

SHA1
c8952b4076167de1374d0c1f62b1fde8fe69f4ae

SHA256
1b8b8e268755376e95aaddd0a6881f6f4a4b96787af1b2db158e51958410da5f

SHA512
1e5cd07637e213d3f77f8a6204b5bb9a6e16c343790dda4ed677b081e8600de912165bb3436dacf56ea2e5145e888f5964deda4ee4b7dd3516ae2cab42e2fa0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\chrome_100_percent.pak

Filesize
125KB

MD5
0cf9de69dcfd8227665e08c644b9499c

SHA1
a27941acce0101627304e06533ba24f13e650e43

SHA256
d2c299095dbbd3a3cb2b4639e5b3bd389c691397ffd1a681e586f2cfe0e2ab88

SHA512
bb5d340009cef2bcb604ef38fdd7171fed0423c2dc6a01e590f8d15c4f6bc860606547550218db41fba554609e8395c9e3c3508dfa2d8b202e5059e7646bdcef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\chrome_200_percent.pak

Filesize
174KB

MD5
d88936315a5bd83c1550e5b8093eb1e6

SHA1
6445d97ceb89635f6459bc2fb237324d66e6a4ee

SHA256
f49abd81e93a05c1e53c1201a5d3a12f2724f52b6971806c8306b512bf66aa25

SHA512
75142f03df6187fb75f887e4c8b9d5162902ba6aac86351186c85e5f0a2d3825ca312a36cf9f4bd656cdfc23a20cd38d4580ca1b41560d23ebaa0d41e4cf1dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\d3dcompiler_47.dll

Filesize
3.9MB

MD5
ab3be0c427c6e405fad496db1545bd61

SHA1
76012f31db8618624bc8b563698b2669365e49cb

SHA256
827d12e4ed62520b663078bbf26f95dfd106526e66048cf75b5c9612b2fb7ce6

SHA512
d1dc2ec77c770c5da99e688d799f88b1e585f8dcf63e6876e237fe7fce6e23b528e6a5ef94ffc68283c60ae4e465ff19d3fd6f2fae5de4504b5479d68cbc4dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\ffmpeg.dll

Filesize
2.5MB

MD5
6fa845139be73ae78dc4c939cafb761d

SHA1
26d427a3b35a09d78667d20de2a64e03bd22cb23

SHA256
d46473cb06cb8c8ba66659cdea497727c2880e8eeb73cb5ee4255b7fb671d043

SHA512
decc0fc52227165651dfedb56b877ace262823a211c21358f8ce7026c81e758ab131c7b9c56e09d07654d0973872ddd8b8c0db221ba4b6d81160ab24f66a0624

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\icudtl.dat

Filesize
9.9MB

MD5
c6ae43f9d596f3dd0d86fb3e62a5b5de

SHA1
198b3b4abc0f128398d25c66455c531a7af34a6d

SHA256
00f755664926fda5fda14b87af41097f6ea4b20154f90be65d73717580db26ee

SHA512
3c43e2dcdf037726a94319a147a8bc41a4c0fd66e6b18b3c7c95449912bf875382dde5ec0525dcad6a52e8820b0859caf8fa73cb287283334ec8d06eb3227ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\libEGL.dll

Filesize
364KB

MD5
596c3217f870d63a9feb190305b45790

SHA1
a65bdf045c38e2580f724e1cc4e460c46a0ea9fc

SHA256
1679ccf85c0fab467a3d12dc63248eb4d34e7345d6e6399740ffc7f78e4e927b

SHA512
1aae19270de9cc0768543ae0f691da4ea6c7d350d54f8accc02f5eb94e03f6b1671f8aa31f9370b9758827ad42870c9e264c3fea65e2074717ab24f9c0872d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\libGLESv2.dll

Filesize
6.1MB

MD5
1baf13b30d409e0df85ac538d8883e3f

SHA1
e61c3231a330e806edebd04520b827b43820a268

SHA256
4a51e8a30804dd766dd01da3d574caeca459542f9aed255eca2bcc8e2ed9b893

SHA512
67fe5baa4948cacb2925710f68de3f7a226a9c26150d84b1a78d9d8d6aa097ae3055a557c4354eb545a314d9112702dec60c20fde2de5a4a025dce74f54e0bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\af.pak

Filesize
125KB

MD5
46f982ccd1b8a98de5f4f9f1e8f19fe5

SHA1
13165653f2336037d4fb42a05a90251d2a4bc5cf

SHA256
9e0aeb9d58fecc27d43e39c8c433c444b2ce773cc5d510fc676e0ebbcab4bddf

SHA512
2c40e344194df1ca2d2e88dba0cb6c7ef308dd9c83e10bbc45286b5e3bc1d98a424a60ec28b2700606916105968984809321505765078d7caddbb1c4d3f519de

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\am.pak

Filesize
202KB

MD5
15b05881e1927eda0e41b86698ce12da

SHA1
d629f23b8a11700b410d25f3dc439c8c353b0953

SHA256
4c0129e1023e6e6cb5b71fadd59026d326fec3393463530c2f30fff8aacaaedd

SHA512
6f921563d6887d0b712966bf3f8dea044d1115dd0a5d46eeee5595966dd88e49d5dfbec74ee1de19a330bc9f1a11ef3c7c93d6c5e69f1ee7d1d86085b7a2bd7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\ar.pak

Filesize
207KB

MD5
1b55e90455877384795185791bc692c2

SHA1
3d7c04fc31c26b3ab34bd2d8f4dcfbf4d242bc46

SHA256
ac44c459f86c577f1f510c0b78a8317127522f0d2f80734b6c9ab338d637d4df

SHA512
bc3dc023c9af551279a4d22583aedf79e63ada46c79ea54b7da18c12b9acd726e4f534e26789d2583036c382bf6a8862335ca72fc8b510ed065bf895b8d7c3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\bg.pak

Filesize
226KB

MD5
470dde3136a8da5752fcde269d4b6b43

SHA1
85196012cc0df090650244f7b55e51728c68806b

SHA256
cd6701f8b682b6d677ae2010abfb4bfd19555bb42847e2ffddc54e203d50b373

SHA512
b39397c8a3a081e61dd52ebbc0a4cc2ac33f9427c1ea9215995cd8915d705f30d2d3290742155890a61fc3819b6076c1ae41d278171517622ad35fc6f430702a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\bn.pak

Filesize
291KB

MD5
be160a93d35402ed4f4404f2b1d05d95

SHA1
52db7af673b6e5318e6663751938dbbce4f6280e

SHA256
a40148129ff88aff0ea269ef3ca4fb369e772257655d27dfa29f078270486287

SHA512
c2d2c4a2e24fdeeb22dadfa63ee8338efe8a5f08e17c3eb0e9a946098c57ba675c8ca5c73c04424e8307d9be60f9263553e8268f4815c73d081205fe8a92c8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\ca.pak

Filesize
140KB

MD5
8fc109e240399b85168725bf46d0e512

SHA1
c42c1fc06b2c0e90d393a8ae9cebcdd0030642e5

SHA256
799ac8c1fa9cdd6a0c2e95057c3fc6b54112fe2aebbb1a159d9dac9d1583ca62

SHA512
84a51f291d75b2d60849edbc1958a50cfe2ac288ce716bf4827038b47bd855a65d04ebcef6f92d78e31a27daa63f07772149798740652078e27ec68930ec07dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\cs.pak

Filesize
143KB

MD5
df23addc3559428776232b1769bf505e

SHA1
04c45a59b1c7dce4cfabbac1982a0c701f93eed0

SHA256
c06ac5459d735f7ac7ed352d9f100c17749fa2a277af69c25e7afe0b6954d3c0

SHA512
fceca397dfc8a3a696a1ba302214ab4c9be910e0d94c5f8824b712ec08ff9491c994f0e6cfa9e8f5516d98c2c539fa141571640b490c8dd28b3a334b0449bdd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\da.pak

Filesize
130KB

MD5
875c8eaa5f2a5da2d36783024bff40c7

SHA1
d0cba9cfbb669bbb8117eee8eccf654d37c3d099

SHA256
6ee55e456d12246a4ea677c30be952adfb3ab57aca428516e35056e41e7828b5

SHA512
6e17692f6064df4089096aa2726eb609422b077e0feb01baaa53c2938d3526256c28fb79ef112164727202cdd902aae288e35cf894c5ef25fecd7a6efa51a7e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\de.pak

Filesize
139KB

MD5
5e7ea3ab0717b7fc84ef76915c3bfb21

SHA1
549cb0f459f47fc93b2e8c7eb423fd318c4a9982

SHA256
6272ed3d0487149874c9400b6f377fec3c5f0a7675be19f8610a8a1acb751403

SHA512
976fb09b4a82665fbf439fa55b67e59aeaa993344df3f0d1926a82fb64d295bbe6fd77bb65e9f2267d98408e01166dd0c55c8ec7263ed74b3855f65dffc026ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\el.pak

Filesize
249KB

MD5
7dca85c1719f09ec9b823d3dd33f855e

SHA1
4812cb8d5d5081fcc79dbde686964d364bc1627e

SHA256
82b3fbbdc73f76eaea8595f8587651e12a5f5f73f27badbc7283af9b7072818c

SHA512
8cb43c80654120c59da83efb5b939f762df4d55f4e33a407d1be08e885f3a19527ed0078ab512077604eb73c9c744c86ec1a3373b95d7598bf3835ad9f929d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\en-GB.pak

Filesize
115KB

MD5
db946e28e8cd67fc45a317a2d22943d3

SHA1
0e096f66915f75d06f2ec20eae20f78ad6b235e7

SHA256
7eb6af7620593bdd33cf4a6238e03afbf179097173cbfffdada5b3e25b8f0bbe

SHA512
b893650000f463c1f3807f1feae3e51664e42ec10c1a5af7c08970163d5188f1f9ffcc5e82fe2209c78d8b4fc2feba050abec4c44d1eb122cd42fcc14a8b1c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\en-US.pak

Filesize
115KB

MD5
f982582f05ea5adf95d9258aa99c2aa5

SHA1
2f3168b09d812c6b9b6defc54390b7a833009abf

SHA256
4221cf9bae4ebea0edc1b0872c24ec708492d4fe13f051d1f806a77fe84ca94d

SHA512
75636f4d6aa1bcf0a573a061a55077106fbde059e293d095557cddfe73522aa5f55fe55a48158bf2cfc74e9edb74cae776369a8ac9123dc6f1f6afa805d0cc78

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\es-419.pak

Filesize
139KB

MD5
d25865c02378b768ef5072eccd8b3bf0

SHA1
548dbe6e90ece914d4b79c88b26285efc97ed70c

SHA256
e49a13bee7544583d88301349821d21af779ec2ebfca39ee6a129897b20dbbd0

SHA512
817a5ed547ef5cca026b1140870754ce25064fca0a9936b4ac58d3b1e654bb49b3ffa8186750b01640ac7d308bf7de2eadc0f34b7df3879c112e517d2faabc94

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\es.pak

Filesize
140KB

MD5
b1c6b6b7a04c5fb7747c962e3886b560

SHA1
70553b72b9c382c0b25fa10fe2c967efbcfcb125

SHA256
e4db8f397cd85fc5575670b3cacfc0c69e4bf07ef54a210e7ae852d2916f1736

SHA512
7fcd9ae80791de19df8644424ffdf1feb299f18a38a5d5bc546e8fd3d20d3ced6f565981c3c03026bc5400fe0806dfa3af3064e7a70e18061f5d5fe6d6bde8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\et.pak

Filesize
126KB

MD5
339133a26a28ae136171145ba38d9075

SHA1
60c40c6c52effb96a3eb85d30fadc4e0a65518a6

SHA256
f2f66a74b2606565365319511d3c40b6accdde43a0af976f8b6ac12e2d92ec9f

SHA512
d7dd2a1c51a7144f1fe25336460d62622c2503aa64658063edcb95f50d97d65d538ce4e8ae986af25f6f7882f6f6578bfb367c201e22da2abdd149c0bb4194c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\fa.pak

Filesize
199KB

MD5
a67bfd62dcf0ab4edd5df98a5bb26a72

SHA1
5def04429a9d7b3a2d6cac61829f803a8aa9ef3b

SHA256
890ca9da16efc1efcc97ee406f9efa6a8d288f19a2192f89204bdc467e2868d3

SHA512
3419c6bed5fc96e82f9b1f688609b2d2190003b527d95699e071576c25730934fbed3437fdde870fc836bdc5e690362cae1e612b7ff779c22b853baf3cfcaabf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\fi.pak

Filesize
129KB

MD5
aceed6757e21991632b063a7fe99c63c

SHA1
491b4aa5eaeb93e662f720c721736e892b9117e5

SHA256
370164e61142d8609d176ec0cc650540c526156009070563f456bcdb104e9c0f

SHA512
664c369e74930a61a8c9ccee37321c6610ffdeba8e4e8a5d4f9444d530097b0f4556e7b369dfd55323fe7df70b517c84ae9d62a89c1984a8cf56bae92d3e0455

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\fil.pak

Filesize
144KB

MD5
cb9fb6bc0e1ec2cb3a0c1f9c2dfbc856

SHA1
c3b5900a38354ea00b63622bb9044ffb4788723b

SHA256
945c0160938c3bcecda6659a411b33cd55dfac18814bed88575bfd100c53d42e

SHA512
6ed77d0fbbb1186ccb7493708f55f8a2c3005a1f1da759c16289713a853bcad4a2cc4846874d67f722f461b1950a763508a91a7970bc0eb5da686206aaa8489b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\fr.pak

Filesize
149KB

MD5
bc286000070c9a918a8e674f19a74e12

SHA1
41221bb668e41c13fbf5f110e7f2c6d900cdffd1

SHA256
d641d9d73262ca65a613ee0395204435d6830316dd551f8992407ae77ead4b64

SHA512
553dc84ffd09dd969802fc339ab20f6af3c36442c1ea23e4199519f2c5fb50be79874ae455ce5ff44511a3adcedae7f3030d13e0ecf2b456233d5f4ff186a5dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\gu.pak

Filesize
282KB

MD5
af5cc703c77e1a4b27233deb73c6ace8

SHA1
ea92dce379ec9405fd84274566d363ce302d7f1d

SHA256
cd761009ecbd4736b24383f020da05d2e6b9396c67a7ec1f4ac1966943cf9eab

SHA512
dd379cbab7a6fdce05b0ff34d339c2f3320f83f76d8e1fb7ebf20edcfebe541ae454490eeb83d8edc069aaf3db52d6b7de6d701672a13e75dfe59840e8f2c5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\he.pak

Filesize
174KB

MD5
b2f893d17e118cd03055b55b0923206b

SHA1
99b6358438a3eaffae38dcf6a215d8c5f9bfdc26

SHA256
f6d1e2a269783f27b85c2db2ce9286f581ec2e16586ecac476ab5735cd8ae12f

SHA512
34fa1c4bce2f9e2c5c7b494a829f5b492b40e8f4f0bc586f564755de703b5765d81795c67e19a27d2f21d297ce3b7e5058a126118afe6911cc429fc58d67f13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\hi.pak

Filesize
292KB

MD5
9697c9ecfa893db09d046e4feb8f1260

SHA1
db08fecfc31d278b3f74c85f98c34dc78b75f4fd

SHA256
de4b369e012831a5ced3ae02e34fd34374348b016274c99911a294de3f9bee5b

SHA512
ec9b87003853640c5f3c477f389dbd16bf1d75269c3fbd8620db43942ba7e323a3198fbbb16d27c10bbae40fd047cfdad170659b9ef26488928a24ee535885d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\hr.pak

Filesize
137KB

MD5
209efaa890532ddbb1673852e42ded7e

SHA1
8e9a3e643183d4cbdfad9fd2a116e749b5313a95

SHA256
3d01f9d2c51efa0c0d8d720dd832493b1b87d2429970396c42cee2199e7bef40

SHA512
5410b31ab46ccfd29b750f39d3796a533ec0c0a7b7b31b70977f59f348dd4190edc00c86db8d5b73df2117f27fd283de2057493c081cef69d04ad9894eb5c05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\hu.pak

Filesize
149KB

MD5
7317adfcba87621963e9cb2f44600e2f

SHA1
0398d795f9a3cde03ae85e8cd2c4723e7ef5f7e4

SHA256
6edcdaf17483c4b7b74d9c728c3f38d9e4704bfbdb618b578c7ccb6bbe6e824f

SHA512
e8ec0df2ddf67799194e8d3f722b5643553fb05026bd5f8d933d1cc18df6a641eb1b810e22114b44513b57a005d326b91a1fcf1c470a636cd42c5bc5fa0f254f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\id.pak

Filesize
124KB

MD5
f6d153fa3087dab3fcef255b5afe8538

SHA1
99f123a133d3ce1a70349a7d1948a8d57981e1c4

SHA256
fa38d911dec71800d33802441412f20133e960bb316c79161bdc7f78ea1af3d7

SHA512
c092339a2a64dd10a45b516ba19013ad096c4c43d51df33e4c779c9ede6d71bcb59c18d5ba568f4876c0b5454ccdf05a1e632be0f97db5b4eaadf263e7d1967b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\it.pak

Filesize
138KB

MD5
23d70fc1cc74275719c4f882400150e1

SHA1
e8235d0bd4dbfbd708deb80139f0acb1cc0fbdef

SHA256
75b37965b88933ba32119ebdd13cb98c54300b1e1e312080947eed6a94fc70b0

SHA512
ca9a6fc273d5b0b656e902fb87f8792de604a3b6ce598dc577d08541ce9f35256849b1503f15edbe5d1e1d5785cffc38ed12650d1d026aa23b5ce6f9c3ac4cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\ja.pak

Filesize
164KB

MD5
781fec59b38a21dc663f3a482732196b

SHA1
1b660ba0bd9aaf67c5fe49a372687facd6d264ea

SHA256
3849f8b48b034fe6319112eff77b7c9f6a8d7b20cf7bc8400528a0a8458677da

SHA512
f2c3a6d8c23f72db8e70ec8cd87793eb103b58bdd3976e99f42867c33a6688a41c79eadcdf25c6ae01fd20920affd43f228a5134af28f83ee50fe02819665e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\kn.pak

Filesize
319KB

MD5
66867a2133ef0c73f385af7d5d2eed91

SHA1
8ca6e7e6d679255c2c151d38cf70a5f25cce059f

SHA256
407599a388bc151ccd2561181ea90ff620f4cb5c767317af8ca4748927ba7f35

SHA512
482c0b75c921470866b7c6ccf09cddd59ce81507e8df7a2158d3abf08c7201ebeed67c1ecd36f5cb015a8833ae9f1917ab6118f9f0a959364de958729295f37c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\ko.pak

Filesize
138KB

MD5
27705557eb4977c33bc69f27c2ee9f96

SHA1
b0297538c4e68515b8f65d44371cb8f4cdbc489f

SHA256
de71f906636d2a8f5833a22e92b61161182c53e233b75b302dbe061ed57e9bdc

SHA512
53c8917049d72a9739bf7f2abdbde3120ed3124967cd9b1b71b172b7b36ed41a1ff970d3841c0f5eb5b53616dd9f8e03f65a79e6a6964b83da2c84174c1dd56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\lt.pak

Filesize
151KB

MD5
a3e29f4a3ca6f2058a6f464e49f914b6

SHA1
3fc632eaccf91e86b365d444e7acba6f9302aa5c

SHA256
ec70edca70373390f028aa751a74057fb1c2c583c310492723a228c863007c47

SHA512
eec22e3347affc0eb0f9452f3b9b239e8b714148a39be83ebe7979bac706a942da3a17de01e9a1b89dfec9e970692c3e9fe566750092fc139325ae25ed1c3e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\lv.pak

Filesize
149KB

MD5
28eeee40b2722e1cc42905c70367fbdb

SHA1
fd82465b1522d314b295207934a7641b3d257d66

SHA256
026e6a4ea0fd11c07375f0532a0756bffef585889a71f33243a116c462b0c684

SHA512
a99d203ce67a3e5d4f831064f83c730b045fb1eba47ca804ce6c407e04240f4c51b4114446c3494e2985a1109695533d1b1c5c7594a5555276be366c07d0b855

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\ml.pak

Filesize
337KB

MD5
a7f6cdc17eddc1550260489d478ec093

SHA1
3308eb8f7d1958fe6b9f94602599cdc56460aa89

SHA256
01a0e2f809fed45b9b67831202d297c3221077fa2dd84f3b635ab33016a07577

SHA512
42132ca4a62bd5de5928f8c313c930c1fab0ad918fe08612ccd118e421eca768956ad42f7551d6ce58d10be6c34cae7a2fef518bde9f0641c339f7af70f42688

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\mr.pak

Filesize
277KB

MD5
be22080b1e45301c313d92d825a7a9ed

SHA1
84c9370a4845ddfa1eab8ae334c1f4cc02ffaba6

SHA256
c09d274406a36f90c75a1daf018c5373d697c42bbc20771a827f62ebe08dab57

SHA512
9558690ae7ac41984553aea1e0133778301ee12e0dd6e16f5dc0380619b82a7a8d37cbe0ef59efcd53c05987ed6fdeb869dee8fe2224fda8880d473e932c2f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\ms.pak

Filesize
128KB

MD5
bff5ea1dbedfab0da766909c2b0beed3

SHA1
9ab6989c47ab4cea0d620fe70bba5c1e15a58a51

SHA256
6240e885116732ae850542cab40c80950bf83171c17a84bf02d7df9b1a2a98a4

SHA512
8bc32f7bade04932b51a2bc4e8d5d609d379a157accca63e43977a19f2604e87ba754bf545651a1237c74e05577f36d85e53d20fa1da41e7967e8ef8a657464d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\nb.pak

Filesize
126KB

MD5
2f31dbf3f36906c58b68f7f88c433257

SHA1
55552671f81a9b24ef05d16249bcf5135d5a98c9

SHA256
ca435b5ca91a253129bde2155592d9c3876005c4ca4389e4ecf97adab9a6de4a

SHA512
079ea4f01582e9ab05e2c63850b654ab84ce3b8bb72390899dfe662e2c4138b82f869829fad3ee645546dd8e27c749d2ef20a0d5bc94db174a59c6e0d43ea27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\nl.pak

Filesize
131KB

MD5
1e5b9d923d5f8cef49c913badd2784ba

SHA1
6e42a558a7207b2cee2452263eb661843fe74d0d

SHA256
7a7be29044bf2fa9459a90dcce12ed531931660ba680dec8f32ad8a3364d973e

SHA512
e4392f91392b79fa14c3545c9733deb128f399163dcbee698bf51b2218b1abab6aef45c35130545ddc86626012599e4a8bd77205baa735c957258539c9b6d484

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\pl.pak

Filesize
144KB

MD5
bc72c8e2426765839539a3b8340fe19e

SHA1
630bd0e844e673454477b819c808b7e18bebe0db

SHA256
6a97c2ce05545607a59df2f0daef5da71058dc1e1685f26263b7110edc431755

SHA512
a0f2c68ebb8e5e2ab5ad682b5ce0b1dc955aced7de32001a0decfafb924ca94ef322605ddf69ba74baf18871cfddbad97fc326c43e5b3168019e21912f7da421

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\pt-BR.pak

Filesize
137KB

MD5
54efb4172a7110a567ad87f67cfcd551

SHA1
ea8eac6f2328b8a1b27249fced7c16154060dcf3

SHA256
c17ed07165ec47de5acdfa7e4783af4b417843e5f232e9f38ce02138c8bd1742

SHA512
ae8aa02e9bcb3bfd8b39329a2c37f789484661e283dc63297e1ec2dd5d14558b349c312990048dc6a03cc7040a1c6fea2571c6102b1a61a638f9ab615f5fc938

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\pt-PT.pak

Filesize
138KB

MD5
f7a822e3dedaa3df046c3172613e275d

SHA1
14c21d2cc296197a9a618f21dc103f0d6749b77f

SHA256
e2e84e23275190865c685e0712530245e35dc63ff82c4e854068494192917f3e

SHA512
0d08fedb423e9ea4f9ca54b55fcb6a88c4f4aa7ed71897b4a7625f093e8dc05733ec52e4577709dd4e4c7be001770e1dc85c0e10e0dad883f3291c515736b7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\ro.pak

Filesize
141KB

MD5
5f6af740e111066ba5245a7fb58c3d38

SHA1
bb09d9f89ec6e1db0a45cd15f84930dc34011b16

SHA256
b9fee8754a5307751f197d1968dd02e163dba30f09a36c72f88b63b4ee5bcd26

SHA512
d2c74477bfa01e8b5b51fbb4393368dc967be362833cc2ac61fc989f41896f17b957d10c0e03b442fba1f3d6059637f355dd6e537e6e00c382eaacfc1b5d64e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\ru.pak

Filesize
225KB

MD5
822750ab24d9ef1a54f3d987eee1acb5

SHA1
dc99948cfd029cc9d98c10e487625832db8f1855

SHA256
3906f069e6e2a3a0235826e9382624e7a4cfba309f00bbd0963ff0c9f2c179fa

SHA512
b0d9521e088c80470e5d15e310bf7e3e27b16464c5349f2bd6f29a78e7fdc7da36b3b1bee68e4496585b0e2f20098fa6b0b3360c4b43f2ed9718d292755f5be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\sk.pak

Filesize
146KB

MD5
7cedcf98e68f4001cc13f2b761571681

SHA1
fba32c46564452fee5697777b6d3c60d69589528

SHA256
e6509f7a6c6b9912f2875c7efa34434ab9562df3cdcaf0546b6370d594ca46fb

SHA512
c90ca580c5da2fff68b5957940d9b2c377cb07632b1fc0c8a23fef9a076cd05da618890f197f5b2f7314583fba89be083ad180335201d28c27a7c8c21a55c72c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\sl.pak

Filesize
139KB

MD5
c08d0d08fd48822c603a27aaad4e9557

SHA1
8b7d616ef86bd955cbdf68197cdf748aaf99240a

SHA256
ef205cf8911a96d772711675e75bc8df5866ce0d9d44ebb110bc07e4f340ff65

SHA512
480a23a25860616be8844ce29042fa15cc7f360e2c53b367f6701926b9a6df72d82ad6c5dc7c0fafd537202d4ea7c44dfe24589fb4a4f52b4440629865f8c19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\sr.pak

Filesize
213KB

MD5
7cfb6dd166594df07bccb7c08774a667

SHA1
1c06a8adb81c357909ade0307a67a122c94c0cb7

SHA256
c3b5c6965affb7f30dcdb5fdb485767e83f3b5d694865a677783c64e3b84934d

SHA512
92febe5a65c90f105bd7609e2eff2626bf0e22b186d73d6c1aeb0497e49d9c34b2bb22d26e0abde4713da2c7cf51296723694ee9bc1decc5071a5225f60e650c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\sv.pak

Filesize
127KB

MD5
b4d3ab3791e862711986bb585c1676fc

SHA1
2123c8879a70728657e72415d7056aac4a1527e2

SHA256
080ce56662a0a32a4164ba88f9c5081d7c43dc1908412368a70e789e1adcbf66

SHA512
b904f1741079a8c7ed7647efe42e9d7b9be403079de7e512539b70bc653e55420a3aca4b599e8a9d440245a61f94124476b3a5afa43b39ff1aa48cb48fc5c15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\sw.pak

Filesize
133KB

MD5
a5f4010de863114025b898d78036b336

SHA1
0fa93fee8f60d1bf2fec4e01c5306404e831e94c

SHA256
8c58adbff7d672154c6f399ea29b549005460d80679e1f6cf997d95732857c30

SHA512
7f8b00ae7718f39c0ab91f3f63a3b5062d9878f224417282c3ff43ae9c88562a045c54f7c6f9f7447119a16bfd0ec40b48f762a52b64bc384ec80f53898c53c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\ta.pak

Filesize
335KB

MD5
ab1ece31afe29124d183b3826c7ef291

SHA1
e707a983f039310b867bf4b502165f1f512b9818

SHA256
5cabdecd2a89bd97782c13d9f5b24550ea00b28750cdb26a7843af7e75e34b22

SHA512
6510d54c2dd177be19ca6b250e936fe0e26036aee7bd1d48e141cffde743fe03a02be0cee22642c3e8a702b2277d7bf307bde69a863855bc65a55425a1f2f884

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\te.pak

Filesize
312KB

MD5
11c4c1ef8708db1f742333e71e312831

SHA1
ef432cf1d5df168039cb3d1b5f4d34bab76cd475

SHA256
9889b8d2e5f5fc5ed199831954af7b05028ec7a68f448b19ba74d91b97c223d6

SHA512
27c73d81271612bb2e4925d2091db9119859080484f5fa17536291c06bacdffadb1962ce56d0979d4f1f49add14990d73c5bafea45ce48141a36a2e55ade756c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\th.pak

Filesize
265KB

MD5
5abd2a1b2749449a0cbba60e32393f4f

SHA1
31097bf4728f752508482c298710cffecfb78d60

SHA256
c666359fc9fa137f6d7f868ccef01dac8701b457bb6bb51fcd581185d4bc8780

SHA512
094df53f3bac23eb384015e8f2500484556b6ebda0cb62bc12a773dd1d520d82c13cbad25eeb67fa04ceb209d80144fac70fe60eb792cfc1a0c5027513b7448f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\tr.pak

Filesize
135KB

MD5
08b737a1b8ecb81c8ef4d7b8f6b5f503

SHA1
99d2cdbb720f114051627acbb79475ccc57ce6a6

SHA256
84f08423fc516988761517511d36bf5d3428866965addbf3ef4399a80f8278e8

SHA512
142c61f08e56a084f335dcf35c543dab872dee898c719052fb8d42be2050c5fe6d9245180ff9d0d0e07cd884daaaffa6ccb5428fee91ae00413e0ea38a5e8c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\uk.pak

Filesize
227KB

MD5
8162ec467ac9a8dac71d22c630a3e6a3

SHA1
4e9e8f49cbcc5e583b8acc3a65ffd87818c96e2a

SHA256
d1e07ac8b6a6ce53f06c66241d44407f98a1940259883e143a574f28a2ac170f

SHA512
e944e3f8f3e9b2c8c6f26e1a7606e441816406afe031bac9a5716ce060a63f03e01a95cc365342518629065b07fc72cf23d65ac84f0b58ef100cf9706a239b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\ur.pak

Filesize
199KB

MD5
30ce113bc3c466751bdf8d50cc568ff8

SHA1
d0b434b8f196a320995f49845d64054dcaedb97f

SHA256
34d46d28af3012bb84767a418957f12d877789b88a13ea29b047c7926abafb41

SHA512
a8139d60e498082c122b068a478038e3d3a7d6fa71bb8cd2b1bd7976827ffc23f7117f989b18d600960b222178351f01dbfa0fcdc3e7f0917cd0d47b5902fb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\vi.pak

Filesize
161KB

MD5
247e8cfc494fd37d086db9a747991abc

SHA1
bdc53c042a1c4bc2ebed6781b1b01091c8fb7a92

SHA256
4c4e69af3d7f7012e3cb19ba386fc69edd0c87ccd9be326dd6db902401d123f3

SHA512
852ddeb1ce8dbf13280e9dfa72dd10b646f8b06caf88055aeab32009f3fdc397a05764be48a04730e16f23c931d069880574d8bf9c7f4ef151e1d47467a7d60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\zh-CN.pak

Filesize
116KB

MD5
7507e95fbb433aa97dd9c2e3c2e08d0b

SHA1
f61227f2173ceece432289b099285d4a9322e2ef

SHA256
bf3fb791392d8044c2cb3552cc974d95adbfc1548eac617c9d2a981505fb89e1

SHA512
f8f42e09eb0af51aa48325ec824814e52244201f627734e81c9e84ea319f5c2166c2450e9b89edd3ce84d3959f0c9ba445ba7a32d4164cf730f0949e11dea082

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\locales\zh-TW.pak

Filesize
115KB

MD5
96620581f25ac84ddd4b9d0cd29b0749

SHA1
6413faf7b2e31755674f27de8cdab0788488526c

SHA256
2a674d423322d1772e97a627f1e291efba5f12b7efd0f174cdc99d1b1b376988

SHA512
7fd315ca93b431c59f92d31b803571effc5d758a52fc5d2f797a306fa63ea73162ac91805a892479b6940582aadc8903bdea6bb70168d660d58525bca4202520

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\resources.pak

Filesize
4.9MB

MD5
c7b17b0c9e6e6aad4ffd1d61c9200123

SHA1
63a46fc028304de3920252c0dab5aa0a8095ed7d

SHA256
574c67ecd1d07f863343c2ea2854b2d9b2def23f04ba97b67938e72c67799f66

SHA512
96d72485598a6f104e148a8384739939bf4b65054ddde015dd075d357bcc156130690e70f5f50ec915c22df3d0383b0f2fbac73f5de629d5ff8dab5a7533d12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\resources\app.asar

Filesize
39.5MB

MD5
17c8a4e00b7d7db879f3599a7a9fa29b

SHA1
1b8824d579c58963a9d9aee043ff1b9c1c8066ae

SHA256
c6305fc95f9f5e39d67519d96ab272df468d9362de0145b5caf42a4a8581b1a0

SHA512
ca2c987aa421a6046b7660759e1a98b78bb64c9267d9a69241b3c01e941a48a0f0cd0e2d2baf60229378d8648c35364afc45f715ded80d86aa484a9ed1fd1a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\resources\elevate.exe

Filesize
105KB

MD5
792b92c8ad13c46f27c7ced0810694df

SHA1
d8d449b92de20a57df722df46435ba4553ecc802

SHA256
9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

SHA512
6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\snapshot_blob.bin

Filesize
281KB

MD5
52304e76978a13b8d7fd46771cbfea84

SHA1
a1af053116b9cd1018fa3c145785eb3c030f709f

SHA256
bb3acfe786e2efd17ad5f5957f06e4ba3d656aac65dcab1b9a2ddaae877bc824

SHA512
d1face9a819fe54500435dd55dc051337229de4f1c10713457b6a7847eb71b4713c2a50f260c35576cc41fef7606a3b6b33407962c91224c389ed0b97ed8b3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\v8_context_snapshot.bin

Filesize
596KB

MD5
5d9b4473dd8705940bbb4a4036e395d0

SHA1
af35aa3374200dd2b9102f6767e53413e4e09e20

SHA256
ca2245da2a4aa7e4c9dcbf810c90048f73a9a96f6432f7895f3e6fe0c21e48f1

SHA512
bcc78b845a2aac96e46162c6a81dd1a914a6e8ed6d9753f648ae125958042a76ab49f1fefc8615891a1e007f0d0b63980517953ee088e29d46ba9d258f130192

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\vk_swiftshader.dll

Filesize
4.0MB

MD5
f6f3a64471f6a9738456259d09e617c4

SHA1
47cf0831fa4fb561c045e38f5edb5aa45a01324a

SHA256
0e7950569c56123708e5f9b934c3d2abfe787c3e275af3fab9fb0517329783be

SHA512
7eb35f7283475471e8e8ba77fb276bb7348c4c5b2ee552edf3b23f94b3eeb92d54ed09c8930faa059733532a33861e3af5f261e36e288237b611864e7b272118

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\7z-out\vulkan-1.dll

Filesize
743KB

MD5
eafcefd44884880bb202cfac8f2576ad

SHA1
9936e5fed1328e72d34a8a6239101f1264290879

SHA256
1e7851e7828d9b99745fdb9f13793147df3248a6550ae81af99177c168aad5b2

SHA512
c7745839afbe953f030e54cec75db50ccd1277ce59c7c3cf05004b15d1476ae0ef27bb7de7be3c7beccc2946c43c422a48adba82d47dddc7fa58a9db6ed1325a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7849.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr9650.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr9650.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr9650.tmp\app-32.7z

Filesize
56.0MB

MD5
0284f5c1a2dfcb83e80678f82e50b0c5

SHA1
a79f9a739be5677ab29f34975e3b378707f422f3

SHA256
27ead2d1d28e47daca29b7ce2c7b6d41bea8931856f47da2d3641399dae4d1b1

SHA512
8efff6816169d702993098ae7be97ace872ea5e12d7b81e267dde142ad3eeae9c3c52fc6f1b2c31be12b989c0800f3a66cabc375412bbe7498c6b66dd3c5cbcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr9650.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr9650.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\Downloads\Setup.rar.3851vww.partial

Filesize
56.5MB

MD5
6305b5402391d1088f8086d21a24c241

SHA1
3eeac2dee953119bbe45eecd07c97833e97c9346

SHA256
90b0950960b30715a9f9c78ff507858c14655f55bd33ce76ff4e63d0a1eabb43

SHA512
3a40cbb093847f5372af9484bb8e9d74309e00ab556d1ad27df88da5d8482f34ffab1a12b25bc7a3b073dfe41c0fdd8fcb4251486b0ab211fb28402043aadc62

Download Submit
C:\Users\Admin\Downloads\Setup\Setup.exe

Filesize
56.5MB

MD5
e1b0653393170d747aeb19bf8272c6c2

SHA1
f9c6bdad9909324e0ed1d64f36212f011e7717e6

SHA256
4a088011e8944795b6f08e057d96fd171bc39dc39aec293c9abe88956af6688f

SHA512
09f88fc077427759272a7d5c7befdf46246ea884ad07ab7475681527fb6749f9a6224aaa55c40125646a902044a46f11f0e866e588fef7c860448bdce373fce4

Download Submit
C:\Users\Admin\Downloads\Setup\Setup.exe

Filesize
56.5MB

MD5
e1b0653393170d747aeb19bf8272c6c2

SHA1
f9c6bdad9909324e0ed1d64f36212f011e7717e6

SHA256
4a088011e8944795b6f08e057d96fd171bc39dc39aec293c9abe88956af6688f

SHA512
09f88fc077427759272a7d5c7befdf46246ea884ad07ab7475681527fb6749f9a6224aaa55c40125646a902044a46f11f0e866e588fef7c860448bdce373fce4

Download Submit
C:\Users\Admin\Downloads\Setup\Setup.exe

Filesize
56.5MB

MD5
e1b0653393170d747aeb19bf8272c6c2

SHA1
f9c6bdad9909324e0ed1d64f36212f011e7717e6

SHA256
4a088011e8944795b6f08e057d96fd171bc39dc39aec293c9abe88956af6688f

SHA512
09f88fc077427759272a7d5c7befdf46246ea884ad07ab7475681527fb6749f9a6224aaa55c40125646a902044a46f11f0e866e588fef7c860448bdce373fce4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 154249.crdownload

Filesize
3.4MB

MD5
766ac70b840c029689d3c065712cf46e

SHA1
e54f4628076d81b36de97b01c098a2e7ba123663

SHA256
06d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219

SHA512
49064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608

Download Submit
C:\Users\Admin\Downloads\winrar-x64-621.exe

Filesize
3.4MB

MD5
766ac70b840c029689d3c065712cf46e

SHA1
e54f4628076d81b36de97b01c098a2e7ba123663

SHA256
06d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219

SHA512
49064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608

Download Submit
C:\Users\Admin\Downloads\winrar-x64-621.exe

Filesize
3.4MB

MD5
766ac70b840c029689d3c065712cf46e

SHA1
e54f4628076d81b36de97b01c098a2e7ba123663

SHA256
06d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219

SHA512
49064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608

Download Submit
\??\pipe\crashpad_2992_RJROMMDQDUWCAMGH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/396-1624-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/396-1625-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/964-1983-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/964-1984-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/1736-1637-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/1736-1636-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/1984-1607-0x00000000062C0000-0x00000000062DA000-memory.dmp

Filesize
104KB

Download
memory/1984-1598-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/1984-1609-0x0000000007560000-0x0000000007B04000-memory.dmp

Filesize
5.6MB

Download
memory/1984-1608-0x0000000006310000-0x0000000006332000-memory.dmp

Filesize
136KB

Download
memory/1984-1610-0x0000000007090000-0x0000000007122000-memory.dmp

Filesize
584KB

Download
memory/1984-1606-0x0000000006340000-0x00000000063D6000-memory.dmp

Filesize
600KB

Download
memory/1984-1589-0x00000000024C0000-0x00000000024F6000-memory.dmp

Filesize
216KB

Download
memory/1984-1590-0x0000000005020000-0x0000000005648000-memory.dmp

Filesize
6.2MB

Download
memory/1984-1591-0x0000000004F10000-0x0000000004F32000-memory.dmp

Filesize
136KB

Download
memory/1984-1605-0x0000000005DB0000-0x0000000005DCE000-memory.dmp

Filesize
120KB

Download
memory/1984-1592-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/1984-1603-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/1984-1604-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/2160-1999-0x0000000004750000-0x0000000004760000-memory.dmp

Filesize
64KB

Download
memory/2160-1998-0x0000000004750000-0x0000000004760000-memory.dmp

Filesize
64KB

Download
memory/2252-1588-0x000000000E070000-0x000000000E071000-memory.dmp

Filesize
4KB

Download
memory/2252-1578-0x000000000E070000-0x000000000E071000-memory.dmp

Filesize
4KB

Download
memory/2252-1583-0x000000000E070000-0x000000000E071000-memory.dmp

Filesize
4KB

Download
memory/2252-1587-0x000000000E070000-0x000000000E071000-memory.dmp

Filesize
4KB

Download
memory/2252-1576-0x000000000E070000-0x000000000E071000-memory.dmp

Filesize
4KB

Download
memory/2252-1577-0x000000000E070000-0x000000000E071000-memory.dmp

Filesize
4KB

Download
memory/2252-1586-0x000000000E070000-0x000000000E071000-memory.dmp

Filesize
4KB

Download
memory/2252-1585-0x000000000E070000-0x000000000E071000-memory.dmp

Filesize
4KB

Download
memory/2252-1584-0x000000000E070000-0x000000000E071000-memory.dmp

Filesize
4KB

Download
memory/2252-1582-0x000000000E070000-0x000000000E071000-memory.dmp

Filesize
4KB

Download
memory/2724-1682-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/2724-1683-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/3192-1664-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/3192-1665-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/5180-1960-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/5180-1961-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/5396-1972-0x0000000004750000-0x0000000004760000-memory.dmp

Filesize
64KB

Download
memory/5548-1771-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/5580-1937-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/5580-1936-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/5772-1783-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/5772-1782-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/5840-1949-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/5840-1948-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/5988-1795-0x0000000002B00000-0x0000000002B10000-memory.dmp

Filesize
64KB

Download
memory/5988-1794-0x0000000002B00000-0x0000000002B10000-memory.dmp

Filesize
64KB

Download
memory/6096-1995-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/6096-1996-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download