e06ecabc302b098f3336fb21d126a1b69d44114f454ea9e1ba43ef599f3e53f9

Analysis

max time kernel
454s
max time network
459s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
24/11/2023, 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

generator.exe
Size

70.9MB
MD5

680ec4f15e74372f4814288d994cd602
SHA1

33265e490b30eef8dc2e5740a2867e2b708974d8
SHA256

e06ecabc302b098f3336fb21d126a1b69d44114f454ea9e1ba43ef599f3e53f9
SHA512

ed12d9b018a5d679065abe59676a71fb9d566504b4b05cb5fda08a822cf0074b8ad29f9e656abc8c5e0613febf5320a5101d99df00baea6f3bb109cc78a80326
SSDEEP

1572864:B4/4rzOchP1vtuL6AEyqYMSvEDtqJQZbXj9hCbB9MvNgqgB7:WkqcdiLZ7Do4JijEcNgqS7

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GalaxySwapperV2.exe	GalaxySwapperV2.exe

Executes dropped EXE 11 IoCs

pid	Process
4900	GalaxySwapperV2.exe
2592	GalaxySwapperV2.exe
4076	GalaxySwapperV2.exe
7824	generator.exe
2672	GalaxySwapperV2.exe
9052	GalaxySwapperV2.exe
8768	GalaxySwapperV2.exe
7068	generator.exe
8028	GalaxySwapperV2.exe
1704	GalaxySwapperV2.exe
7324	GalaxySwapperV2.exe

Loads dropped DLL 33 IoCs

pid	Process
2060	generator.exe
2060	generator.exe
2060	generator.exe
4900	GalaxySwapperV2.exe
4900	GalaxySwapperV2.exe
4900	GalaxySwapperV2.exe
2592	GalaxySwapperV2.exe
2592	GalaxySwapperV2.exe
2592	GalaxySwapperV2.exe
2592	GalaxySwapperV2.exe
4076	GalaxySwapperV2.exe
7824	generator.exe
7824	generator.exe
7824	generator.exe
2672	GalaxySwapperV2.exe
2672	GalaxySwapperV2.exe
2672	GalaxySwapperV2.exe
9052	GalaxySwapperV2.exe
9052	GalaxySwapperV2.exe
9052	GalaxySwapperV2.exe
9052	GalaxySwapperV2.exe
8768	GalaxySwapperV2.exe
7068	generator.exe
7068	generator.exe
7068	generator.exe
8028	GalaxySwapperV2.exe
8028	GalaxySwapperV2.exe
8028	GalaxySwapperV2.exe
1704	GalaxySwapperV2.exe
1704	GalaxySwapperV2.exe
1704	GalaxySwapperV2.exe
1704	GalaxySwapperV2.exe
7324	GalaxySwapperV2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupEPvbmn = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\WindowsDriverSetup.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 12 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
85	ipinfo.io
29	ipinfo.io
31	ipinfo.io
38	ipinfo.io
84	ipinfo.io
69	ipinfo.io
82	ipinfo.io
86	ipinfo.io
32	ipinfo.io
64	ipinfo.io
66	ipinfo.io
67	ipinfo.io

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Collects information from the system 1 TTPs 3 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
5708	WMIC.exe
7232	WMIC.exe
6504	WMIC.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5888	schtasks.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
6036	WMIC.exe
7444	WMIC.exe
7604	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
7264	tasklist.exe
6856	tasklist.exe
6732	tasklist.exe
6108	tasklist.exe
6752	tasklist.exe
6640	tasklist.exe
7028	tasklist.exe
3036	tasklist.exe
392	tasklist.exe
6520	tasklist.exe
5308	tasklist.exe
7572	tasklist.exe
6320	tasklist.exe
2848	tasklist.exe
6772	tasklist.exe
6592	tasklist.exe
4456	tasklist.exe
6092	tasklist.exe
5856	tasklist.exe
6624	tasklist.exe
2848	tasklist.exe
8460	tasklist.exe
6688	tasklist.exe
6560	tasklist.exe
6540	tasklist.exe
6104	tasklist.exe
8440	tasklist.exe
6708	tasklist.exe
6856	tasklist.exe
7784	tasklist.exe
7296	tasklist.exe
7596	tasklist.exe
7336	tasklist.exe
6260	tasklist.exe
8020	tasklist.exe
6624	tasklist.exe
6832	tasklist.exe
6868	tasklist.exe
6972	tasklist.exe
6840	tasklist.exe
4328	tasklist.exe
6516	tasklist.exe
8304	tasklist.exe
7620	tasklist.exe
5840	tasklist.exe
6980	tasklist.exe
6988	tasklist.exe
6664	tasklist.exe
6484	tasklist.exe
6948	tasklist.exe
6284	tasklist.exe
8516	tasklist.exe
9084	tasklist.exe
5340	tasklist.exe
5936	tasklist.exe
6824	tasklist.exe
6548	tasklist.exe
6888	tasklist.exe
6104	tasklist.exe
4588	tasklist.exe
3032	tasklist.exe
8544	tasklist.exe
6576	tasklist.exe
7036	tasklist.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\generator.exe:Zone.Identifier	firefox.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4900	GalaxySwapperV2.exe
4900	GalaxySwapperV2.exe
4900	GalaxySwapperV2.exe
4900	GalaxySwapperV2.exe
4076	GalaxySwapperV2.exe
4076	GalaxySwapperV2.exe
6132	powershell.exe
6132	powershell.exe
6132	powershell.exe
6132	powershell.exe
5480	cmd.exe
5480	cmd.exe
5480	cmd.exe
5480	cmd.exe
5700	powershell.exe
5700	powershell.exe
5700	powershell.exe
5700	powershell.exe
2672	GalaxySwapperV2.exe
2672	GalaxySwapperV2.exe
2672	GalaxySwapperV2.exe
2672	GalaxySwapperV2.exe
8768	GalaxySwapperV2.exe
8768	GalaxySwapperV2.exe
7508	powershell.exe
7508	powershell.exe
7508	powershell.exe
7508	powershell.exe
236	powershell.exe
236	powershell.exe
236	powershell.exe
236	powershell.exe
8028	GalaxySwapperV2.exe
8028	GalaxySwapperV2.exe
8028	GalaxySwapperV2.exe
8028	GalaxySwapperV2.exe
7324	GalaxySwapperV2.exe
7324	GalaxySwapperV2.exe
5440	powershell.exe
5440	powershell.exe
5440	powershell.exe
5440	powershell.exe
6980	powershell.exe
6980	powershell.exe
6980	powershell.exe
6980	powershell.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2060	generator.exe
Token: SeDebugPrivilege	192	firefox.exe
Token: SeDebugPrivilege	192	firefox.exe
Token: SeDebugPrivilege	4328	cmd.exe
Token: SeShutdownPrivilege	4900	GalaxySwapperV2.exe
Token: SeCreatePagefilePrivilege	4900	GalaxySwapperV2.exe
Token: SeShutdownPrivilege	4900	GalaxySwapperV2.exe
Token: SeCreatePagefilePrivilege	4900	GalaxySwapperV2.exe
Token: SeIncreaseQuotaPrivilege	5248	WMIC.exe
Token: SeSecurityPrivilege	5248	WMIC.exe
Token: SeTakeOwnershipPrivilege	5248	WMIC.exe
Token: SeLoadDriverPrivilege	5248	WMIC.exe
Token: SeSystemProfilePrivilege	5248	WMIC.exe
Token: SeSystemtimePrivilege	5248	WMIC.exe
Token: SeProfSingleProcessPrivilege	5248	WMIC.exe
Token: SeIncBasePriorityPrivilege	5248	WMIC.exe
Token: SeCreatePagefilePrivilege	5248	WMIC.exe
Token: SeBackupPrivilege	5248	WMIC.exe
Token: SeRestorePrivilege	5248	WMIC.exe
Token: SeShutdownPrivilege	5248	WMIC.exe
Token: SeDebugPrivilege	5248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5248	WMIC.exe
Token: SeRemoteShutdownPrivilege	5248	WMIC.exe
Token: SeUndockPrivilege	5248	WMIC.exe
Token: SeManageVolumePrivilege	5248	WMIC.exe
Token: 33	5248	WMIC.exe
Token: 34	5248	WMIC.exe
Token: 35	5248	WMIC.exe
Token: 36	5248	WMIC.exe
Token: SeShutdownPrivilege	4900	GalaxySwapperV2.exe
Token: SeCreatePagefilePrivilege	4900	GalaxySwapperV2.exe
Token: SeIncreaseQuotaPrivilege	5248	WMIC.exe
Token: SeSecurityPrivilege	5248	WMIC.exe
Token: SeTakeOwnershipPrivilege	5248	WMIC.exe
Token: SeLoadDriverPrivilege	5248	WMIC.exe
Token: SeSystemProfilePrivilege	5248	WMIC.exe
Token: SeSystemtimePrivilege	5248	WMIC.exe
Token: SeProfSingleProcessPrivilege	5248	WMIC.exe
Token: SeIncBasePriorityPrivilege	5248	WMIC.exe
Token: SeCreatePagefilePrivilege	5248	WMIC.exe
Token: SeBackupPrivilege	5248	WMIC.exe
Token: SeRestorePrivilege	5248	WMIC.exe
Token: SeShutdownPrivilege	5248	WMIC.exe
Token: SeDebugPrivilege	5248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5248	WMIC.exe
Token: SeRemoteShutdownPrivilege	5248	WMIC.exe
Token: SeUndockPrivilege	5248	WMIC.exe
Token: SeManageVolumePrivilege	5248	WMIC.exe
Token: 33	5248	WMIC.exe
Token: 34	5248	WMIC.exe
Token: 35	5248	WMIC.exe
Token: 36	5248	WMIC.exe
Token: SeDebugPrivilege	5388	tasklist.exe
Token: SeShutdownPrivilege	4900	GalaxySwapperV2.exe
Token: SeCreatePagefilePrivilege	4900	GalaxySwapperV2.exe
Token: SeIncreaseQuotaPrivilege	5708	WMIC.exe
Token: SeSecurityPrivilege	5708	WMIC.exe
Token: SeTakeOwnershipPrivilege	5708	WMIC.exe
Token: SeLoadDriverPrivilege	5708	WMIC.exe
Token: SeSystemProfilePrivilege	5708	WMIC.exe
Token: SeSystemtimePrivilege	5708	WMIC.exe
Token: SeProfSingleProcessPrivilege	5708	WMIC.exe
Token: SeIncBasePriorityPrivilege	5708	WMIC.exe
Token: SeCreatePagefilePrivilege	5708	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
192	firefox.exe
192	firefox.exe
192	firefox.exe
192	firefox.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
192	firefox.exe
192	firefox.exe
192	firefox.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe
5672	taskmgr.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
192	firefox.exe
192	firefox.exe
192	firefox.exe
192	firefox.exe
192	firefox.exe
192	firefox.exe
192	firefox.exe
192	firefox.exe
192	firefox.exe
192	firefox.exe
192	firefox.exe
192	firefox.exe
192	firefox.exe
192	firefox.exe
192	firefox.exe
192	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 192	1428	firefox.exe	77
PID 1428 wrote to memory of 192	1428	firefox.exe	77
PID 1428 wrote to memory of 192	1428	firefox.exe	77
PID 1428 wrote to memory of 192	1428	firefox.exe	77
PID 1428 wrote to memory of 192	1428	firefox.exe	77
PID 1428 wrote to memory of 192	1428	firefox.exe	77
PID 1428 wrote to memory of 192	1428	firefox.exe	77
PID 1428 wrote to memory of 192	1428	firefox.exe	77
PID 1428 wrote to memory of 192	1428	firefox.exe	77
PID 1428 wrote to memory of 192	1428	firefox.exe	77
PID 1428 wrote to memory of 192	1428	firefox.exe	77
PID 192 wrote to memory of 1524	192	firefox.exe	78
PID 192 wrote to memory of 1524	192	firefox.exe	78
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 192 wrote to memory of 3436	192	firefox.exe	79
PID 2060 wrote to memory of 4900	2060	generator.exe	74
PID 2060 wrote to memory of 4900	2060	generator.exe	74
PID 192 wrote to memory of 2644	192	firefox.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
6064	attrib.exe

C:\Users\Admin\AppData\Local\Temp\generator.exe
"C:\Users\Admin\AppData\Local\Temp\generator.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe
  C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4876
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:4328
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        
        PID:6656
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5840
- - C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe
    "C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1400 --field-trial-handle=1532,16596169723037212594,13540394723683290629,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2592
- - C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe
    "C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1832 --field-trial-handle=1532,16596169723037212594,13540394723683290629,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4900 get ExecutablePath"
    3⤵
    PID:5212
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where processid=4900 get ExecutablePath
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "net session"
    3⤵
    PID:5328
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
    3⤵
    PID:5576
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:5804
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic OS get caption, osarchitecture
      4⤵
      PID:5796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
    3⤵
    PID:5892
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:5940
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get name
      4⤵
      PID:5928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:6092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6132
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:6832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
    3⤵
    PID:5996
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:6688
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"
    3⤵
    PID:5568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    3⤵
    PID:5560
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupEPvbmn /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\WindowsDriverSetup.exe /f
      4⤵
      Adds Run key to start application
      PID:5616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"
    3⤵
    PID:5552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"
    3⤵
    PID:5540
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where processid=4900 get ExecutablePath
      4⤵
      PID:5856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    PID:5452
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:6616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4900 get ExecutablePath"
    3⤵
    PID:5540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\WindowsDriverSetup.exe\"""
    3⤵
    PID:5764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupEPvbmn /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\WindowsDriverSetup.exe\" /F /rl highest"
    3⤵
    PID:5648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
    3⤵
    PID:5812
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
      4⤵
      PID:6632
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:6516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\bAR3SJw2YRcO.vbs"
    3⤵
    PID:5664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5508
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:6600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6128
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:208
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupEPvbmn /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\WindowsDriverSetup.exe /f"
    3⤵
    PID:5560

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3628

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="192.0.2055188450\1796415203" -parentBuildID 20221007134813 -prefsHandle 1708 -prefMapHandle 1692 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {30480184-446f-47d9-907f-db9437dd4139} 192 "\\.\pipe\gecko-crash-server-pipe.192" 1808 181999cfd58 gpu
    3⤵
    PID:1524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="192.1.1979932049\432104108" -parentBuildID 20221007134813 -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 21017 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2978f19-b118-43d2-b438-d4d4b3c33eda} 192 "\\.\pipe\gecko-crash-server-pipe.192" 2200 1818e5e2458 socket
    3⤵
    PID:3436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="192.2.663904917\93924776" -childID 1 -isForBrowser -prefsHandle 2896 -prefMapHandle 2932 -prefsLen 21055 -prefMapSize 232675 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bc377ba-0a3d-469d-81af-87bce415202e} 192 "\\.\pipe\gecko-crash-server-pipe.192" 2616 1819d7a9358 tab
    3⤵
    PID:2644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="192.3.600090592\261952307" -childID 2 -isForBrowser -prefsHandle 3284 -prefMapHandle 3300 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f274c0d8-4fb7-422b-b576-e3062323111b} 192 "\\.\pipe\gecko-crash-server-pipe.192" 3704 1818e568a58 tab
    3⤵
    PID:3264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="192.4.851299220\577424539" -childID 3 -isForBrowser -prefsHandle 4300 -prefMapHandle 4296 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31013156-c885-4047-840b-d22c01e8d3de} 192 "\\.\pipe\gecko-crash-server-pipe.192" 3320 1819f65d358 tab
    3⤵
    PID:4856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="192.7.311764587\228586654" -childID 6 -isForBrowser -prefsHandle 5148 -prefMapHandle 5152 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2ecd6ac-013c-4fc1-a167-24f4e880f0e0} 192 "\\.\pipe\gecko-crash-server-pipe.192" 5136 1819fb7cf58 tab
    3⤵
    PID:2316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="192.6.324323946\1560924511" -childID 5 -isForBrowser -prefsHandle 4936 -prefMapHandle 4940 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb21534f-5a23-4204-99a2-1a7acb48c232} 192 "\\.\pipe\gecko-crash-server-pipe.192" 4976 1819fb7b158 tab
    3⤵
    PID:3904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="192.5.1422868659\1159211743" -childID 4 -isForBrowser -prefsHandle 4808 -prefMapHandle 4800 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc042ce0-5a5a-4a75-8df0-ece792159569} 192 "\\.\pipe\gecko-crash-server-pipe.192" 4816 1819fb7ba58 tab
    3⤵
    PID:2556
- - C:\Users\Admin\Downloads\generator.exe
    "C:\Users\Admin\Downloads\generator.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:7824
  - - C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe
      C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:2672
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:9192
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:9128
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        
        PID:7756
    - - C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1644,17176681890360992853,13028107401305033946,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:9052
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2672 get ExecutablePath"
        5⤵
        
        PID:8824
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where processid=2672 get ExecutablePath
        6⤵
        
        PID:8668
    - - C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1544 --field-trial-handle=1644,17176681890360992853,13028107401305033946,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:8768
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "net session"
        5⤵
        
        PID:8508
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
        5⤵
        
        PID:7972
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
        5⤵
        
        PID:6692
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        5⤵
        
        PID:5784
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
        5⤵
        
        PID:684
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"
        5⤵
        
        PID:3876
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
        5⤵
        
        PID:2360
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"
        5⤵
        
        PID:292
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"
        5⤵
        
        PID:7680
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
        5⤵
        
        PID:2380
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:8516
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:2880
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3956
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2672 get ExecutablePath"
        5⤵
        
        PID:4940
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
        5⤵
        
        PID:6796
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\A7VlGlL35xgF.vbs"
        5⤵
        
        PID:6968
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:7276
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:7364
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:5668
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:6068
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:6620
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:7112
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:7176
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:7124
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:5932
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:5952
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:6528
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:6344
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:5468
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:5892
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:1300
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:6960
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:7700
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:6604
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:6272
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:5788
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:8280
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:6800
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:7080
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:7072
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:5256
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:1412
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:6372
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:8252
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:8224
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:8208
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:7472
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:2056
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:4944
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:8188
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:8168
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:8084
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:8076
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:8096
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:8028
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:8012
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:7980
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:7948
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:7940
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:5200
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:648
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:5196
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:7480

C:\Windows\system32\net.exe
net session
1⤵
PID:5416
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 session
  2⤵
  PID:5500

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5388

C:\Windows\system32\more.com
more +1
1⤵
PID:5732

C:\Windows\system32\more.com
more +1
1⤵
PID:6048

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
1⤵
- Detects videocard installed
PID:6036

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
1⤵
PID:5724

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
1⤵
PID:5716

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get size
1⤵
- Collects information from the system
- Suspicious use of AdjustPrivilegeToken
PID:5708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
1⤵
PID:5480
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  PID:6672

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:5840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\WindowsDriverSetup.exe\""
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5700
- C:\Windows\system32\attrib.exe
  "C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\WindowsDriverSetup.exe
  2⤵
  - Views/modifies file attributes
  PID:6064

C:\Windows\system32\schtasks.exe
schtasks /create /sc onlogon /tn WindowsDriverSetupEPvbmn /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\WindowsDriverSetup.exe\" /F /rl highest
1⤵
- Creates scheduled task(s)
PID:5888

C:\Windows\system32\cmd.exe
cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupEPvbmn /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\WindowsDriverSetup.exe\" /F /rl highest
1⤵
PID:5680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5892
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  PID:5264

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6576

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6772

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6884

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7048

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7088

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:5936

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7028

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7020

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7012

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7004

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6996

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6980

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6988

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6972

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6964

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6956

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6948
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  PID:8732

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6872
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  PID:8440

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6864

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6856

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6848

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6840

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6824

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6816

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6808

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6752

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6740

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6732

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6724

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6680

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6664

C:\Windows\system32\cscript.exe
cscript C:\Users\Admin\AppData\Roaming\bAR3SJw2YRcO.vbs
1⤵
PID:6648

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6640

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6624

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6608

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6600

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6592

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6584

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6568

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6560

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6548
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  PID:5340

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5212

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
1⤵
PID:8316

C:\Windows\system32\net.exe
net session
1⤵
PID:8320

C:\Windows\system32\more.com
more +1
1⤵
PID:7968

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
1⤵
PID:7404

C:\Windows\system32\more.com
more +1
1⤵
PID:3628

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
1⤵
PID:8132

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get size
1⤵
- Collects information from the system
PID:7232

C:\Windows\system32\more.com
more +1
1⤵
PID:1044

C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
1⤵
PID:2240

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
1⤵
PID:5732

C:\Windows\system32\more.com
more +1
1⤵
PID:6412

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
1⤵
- Detects videocard installed
PID:7444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:7508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:236

C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=2672 get ExecutablePath
1⤵
PID:5720

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3036

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4348

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4456

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6484

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6092

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6840

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6104

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6856

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6112

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6832

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6848

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:5916

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6680

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6720

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7084

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:5856

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6432

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6116

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6732

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4328

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:392

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:5164

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6664

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6584

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6108

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7572

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6888

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6320
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1300

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
1⤵
PID:5660

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:5472

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7544

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6868

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6260

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6152

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7768

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7264

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7620

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6288

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6520

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6284

C:\Windows\system32\cscript.exe
cscript C:\Users\Admin\AppData\Roaming\A7VlGlL35xgF.vbs
1⤵
PID:7788

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7784

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6472

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4656

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:2416

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4588

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:2848

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:2768

C:\Users\Admin\Downloads\generator.exe
"C:\Users\Admin\Downloads\generator.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7068
- C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe
  C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:8028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6320
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:6104
- - C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe
    "C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1396 --field-trial-handle=1640,8440606472425008549,18388701526454461209,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=8028 get ExecutablePath"
    3⤵
    PID:424
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where processid=8028 get ExecutablePath
      4⤵
      PID:8136
- - C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe
    "C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1820 --field-trial-handle=1640,8440606472425008549,18388701526454461209,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:7324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "net session"
    3⤵
    PID:7320
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      PID:5664
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:4900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5780
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
    3⤵
    PID:3656
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:1296
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic OS get caption, osarchitecture
      4⤵
      PID:5712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"
    3⤵
    PID:7308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    3⤵
    PID:4984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"
    3⤵
    PID:7592
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:7360
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:7384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"
    3⤵
    PID:6652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
    3⤵
    PID:6900
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:3152
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get name
      4⤵
      PID:2948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
    3⤵
    PID:2152
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:5768
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:7604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    PID:8884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3876
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:1032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=8028 get ExecutablePath"
    3⤵
    PID:1044
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where processid=8028 get ExecutablePath
      4⤵
      PID:8556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
    3⤵
    PID:6176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\x7gZhTAuYXfV.vbs"
    3⤵
    PID:9024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:9188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:8628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:9048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:8560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:7540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:8572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:7736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:8564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:8432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:9128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:7920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:8796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:7272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:8512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:9060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:8372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:8364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:7552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:8520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:9100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:208

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:8224

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get size
1⤵
- Collects information from the system
PID:6504

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
1⤵
PID:4816

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:8668

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:9196

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7212

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3032

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:5308

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8148

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8516

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:352

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6624

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:5320

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7596

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8544

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:2848

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6584

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:9084

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:9096

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:9080

C:\Windows\system32\cscript.exe
cscript C:\Users\Admin\AppData\Roaming\x7gZhTAuYXfV.vbs
1⤵
PID:6012

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6788

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6760

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:5740

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:5456

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6336

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8180

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:2720

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
1⤵
PID:7180

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8304

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8504

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8460

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6640

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:5184

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8020

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7336

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6708

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8396

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3844

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:9168

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:9180

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7232

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6752

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6688

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:5488

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5d574dc518025fad52b7886c1bff0e13

SHA1
68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7

SHA256
755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2

SHA512
21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d5ef5389fb559eb00fc66f22055dcd0f

SHA1
9da109ab49581dc86bf91aee1426c00f5ff7035a

SHA256
2f8f3ce237bc4b3a8c58c6a3491e8e1ba2448c16efd396a4472087d4d3c50bc4

SHA512
2dd104d36875f523b8a950aacfd98ec646e7faa17aea98ab3a7462367e567f0147eb1fd2dd1b7a240ae3eab9b6992058249d2b9a0611b873ca05743c0e87a63c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a02470f00d12cd219c02a58c3f275cd8

SHA1
970228f2b7f21852f37d08a3c1eb511f7f6d5cf1

SHA256
987f9c24a201adeecc740148c4df4cbf4771baaa60da1395edf5ba2b388fd3f4

SHA512
7f262a52ff231f2db1ad82b02e5800975854ae348c1b2eef2ec3e31ae872602f631530330fa198b11738765546259c65775300d7d7ab12445d3edbe8a5b6aab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0528f23afe134ca08c1c6d518ed23aa7

SHA1
3f4868ce73065308847a6242bbc163b056ecd6bc

SHA256
b67952e651492994b69c90068bd200e18754e666d176f3f1ec630b5f9c7678b0

SHA512
f4c2f21b7c3ab7b7df7f08123a4c19cae02d3254dc7433ac796c84980330ef90cbd1f7c72fefeb801507872deaa15bcd3a62d40ead06b67d49b0018e80fda57d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\d25hmlvg.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
57c2dcee2dd11f041779fb778ba64388

SHA1
0ee1e2e32dbf9e3f94febdfc4833fd0e7bb0de6b

SHA256
f863a6435489a79cbe440d64df1edaabffce4528b008955784218d96a232de66

SHA512
46a3eaeae30a2ed4a1c4be68cb7015fb1a819e7d1ddb96ccb4860f6c9ff613d319f5348ee0e5a165b8e7f2d90d5ab858700f1cda6ac4be66b678aa81a9619933

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\d25hmlvg.default-release\cache2\entries\577A586685F8D27BD5B926CE96132B84424D8EA4

Filesize
13KB

MD5
8c96f934e6d80a5d73681cc3146cc1cc

SHA1
0813aacfe1122bedf5e880125f7fd73e3d8a152d

SHA256
e59566ff208e8bc8555c67849e035c59ea07ffd5245e9fc83fa8b8b29076ee98

SHA512
1f9b86e3089515418bc21b70cf1b8e09f4c2f6ce61f1b11f8e568bf14eea52304ef706a90461d2dda922d918042564910b4bb1fda29fe91c8b991f349dce9b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\1792a572-f0a2-44c8-8b07-010057e553cb.tmp.node

Filesize
643KB

MD5
fdcf16a643c857e1e3e364e7f7b72292

SHA1
f62e8f3f728632ab2c22f9d7adac2d6d51eb2d88

SHA256
a8f468c7bf099e3db657e45e186ed747b3b5272f703af4efa6435a9e33081230

SHA512
2c56fd0a7c283d9627ec085abc2dfdccaea0da593d84d4b453d7bc0f37b249482895163ad3d0e53d5fc53770ded1eb9d49f1984a1d8f98082464816ca5a53ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\D3DCompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\D3DCompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe

Filesize
139.5MB

MD5
971dadb0c7a7ee5d95ee2dc2165b2a0b

SHA1
1b59162875fa6db95cc5c55236745965cf0827cd

SHA256
ae17a87bc3c29707efe2daa77f2e944b7e91685910bc40ab0abc0cb9f0e876a2

SHA512
a02819719f624a2d3ed2a0a69a9634ae220794c8e0606caa3c85fec8eade1261a3d3dba960e8c69b354b53695dc11695787a1c318ae4583bb3d559b5b1b11067

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe

Filesize
139.5MB

MD5
971dadb0c7a7ee5d95ee2dc2165b2a0b

SHA1
1b59162875fa6db95cc5c55236745965cf0827cd

SHA256
ae17a87bc3c29707efe2daa77f2e944b7e91685910bc40ab0abc0cb9f0e876a2

SHA512
a02819719f624a2d3ed2a0a69a9634ae220794c8e0606caa3c85fec8eade1261a3d3dba960e8c69b354b53695dc11695787a1c318ae4583bb3d559b5b1b11067

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe

Filesize
139.5MB

MD5
971dadb0c7a7ee5d95ee2dc2165b2a0b

SHA1
1b59162875fa6db95cc5c55236745965cf0827cd

SHA256
ae17a87bc3c29707efe2daa77f2e944b7e91685910bc40ab0abc0cb9f0e876a2

SHA512
a02819719f624a2d3ed2a0a69a9634ae220794c8e0606caa3c85fec8eade1261a3d3dba960e8c69b354b53695dc11695787a1c318ae4583bb3d559b5b1b11067

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe

Filesize
139.5MB

MD5
971dadb0c7a7ee5d95ee2dc2165b2a0b

SHA1
1b59162875fa6db95cc5c55236745965cf0827cd

SHA256
ae17a87bc3c29707efe2daa77f2e944b7e91685910bc40ab0abc0cb9f0e876a2

SHA512
a02819719f624a2d3ed2a0a69a9634ae220794c8e0606caa3c85fec8eade1261a3d3dba960e8c69b354b53695dc11695787a1c318ae4583bb3d559b5b1b11067

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe

Filesize
139.5MB

MD5
971dadb0c7a7ee5d95ee2dc2165b2a0b

SHA1
1b59162875fa6db95cc5c55236745965cf0827cd

SHA256
ae17a87bc3c29707efe2daa77f2e944b7e91685910bc40ab0abc0cb9f0e876a2

SHA512
a02819719f624a2d3ed2a0a69a9634ae220794c8e0606caa3c85fec8eade1261a3d3dba960e8c69b354b53695dc11695787a1c318ae4583bb3d559b5b1b11067

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe

Filesize
139.5MB

MD5
971dadb0c7a7ee5d95ee2dc2165b2a0b

SHA1
1b59162875fa6db95cc5c55236745965cf0827cd

SHA256
ae17a87bc3c29707efe2daa77f2e944b7e91685910bc40ab0abc0cb9f0e876a2

SHA512
a02819719f624a2d3ed2a0a69a9634ae220794c8e0606caa3c85fec8eade1261a3d3dba960e8c69b354b53695dc11695787a1c318ae4583bb3d559b5b1b11067

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe

Filesize
139.5MB

MD5
971dadb0c7a7ee5d95ee2dc2165b2a0b

SHA1
1b59162875fa6db95cc5c55236745965cf0827cd

SHA256
ae17a87bc3c29707efe2daa77f2e944b7e91685910bc40ab0abc0cb9f0e876a2

SHA512
a02819719f624a2d3ed2a0a69a9634ae220794c8e0606caa3c85fec8eade1261a3d3dba960e8c69b354b53695dc11695787a1c318ae4583bb3d559b5b1b11067

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\GalaxySwapperV2.exe

Filesize
139.5MB

MD5
971dadb0c7a7ee5d95ee2dc2165b2a0b

SHA1
1b59162875fa6db95cc5c55236745965cf0827cd

SHA256
ae17a87bc3c29707efe2daa77f2e944b7e91685910bc40ab0abc0cb9f0e876a2

SHA512
a02819719f624a2d3ed2a0a69a9634ae220794c8e0606caa3c85fec8eade1261a3d3dba960e8c69b354b53695dc11695787a1c318ae4583bb3d559b5b1b11067

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\chrome_100_percent.pak

Filesize
138KB

MD5
9c1b859b611600201ccf898f1eff2476

SHA1
87d5d9a5fcc2496b48bb084fdf04331823dd1699

SHA256
53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b

SHA512
1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\chrome_100_percent.pak

Filesize
138KB

MD5
9c1b859b611600201ccf898f1eff2476

SHA1
87d5d9a5fcc2496b48bb084fdf04331823dd1699

SHA256
53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b

SHA512
1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\chrome_100_percent.pak

Filesize
138KB

MD5
9c1b859b611600201ccf898f1eff2476

SHA1
87d5d9a5fcc2496b48bb084fdf04331823dd1699

SHA256
53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b

SHA512
1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\chrome_200_percent.pak

Filesize
202KB

MD5
b51a78961b1dbb156343e6e024093d41

SHA1
51298bfe945a9645311169fc5bb64a2a1f20bc38

SHA256
4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9

SHA512
23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\chrome_200_percent.pak

Filesize
202KB

MD5
b51a78961b1dbb156343e6e024093d41

SHA1
51298bfe945a9645311169fc5bb64a2a1f20bc38

SHA256
4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9

SHA512
23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\ffmpeg.dll

Filesize
2.6MB

MD5
c3842fb3087cdcdb04020ac38683c289

SHA1
329dbcd4a1c79b891b200f11eb50194b85c493bc

SHA256
e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133

SHA512
069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\ffmpeg.dll

Filesize
2.6MB

MD5
c3842fb3087cdcdb04020ac38683c289

SHA1
329dbcd4a1c79b891b200f11eb50194b85c493bc

SHA256
e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133

SHA512
069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\icudtl.dat

Filesize
9.8MB

MD5
599c39d9adb88686c4585b15fb745c0e

SHA1
2215eb6299aa18e87db21f686b08695a5199f4e2

SHA256
c5f82843420fa9d144e006b48d59ba7ef95f7e6cb1ea95b27fcdd2c97f850859

SHA512
16194186a8407b29f799d4b02f5674e4fbd5d91163fad9f8dce6ceedd865b754a681aa960d0f3f1b62cb21d5443879f1b8e9b691c19c5802d5bdfe4ed645b8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\icudtl.dat

Filesize
9.8MB

MD5
599c39d9adb88686c4585b15fb745c0e

SHA1
2215eb6299aa18e87db21f686b08695a5199f4e2

SHA256
c5f82843420fa9d144e006b48d59ba7ef95f7e6cb1ea95b27fcdd2c97f850859

SHA512
16194186a8407b29f799d4b02f5674e4fbd5d91163fad9f8dce6ceedd865b754a681aa960d0f3f1b62cb21d5443879f1b8e9b691c19c5802d5bdfe4ed645b8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\libegl.dll

Filesize
437KB

MD5
8352fd22f09b873193cabc2932be92f0

SHA1
5bd2b58854b279f1733c5f54ea2669ee8a888d9e

SHA256
14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c

SHA512
7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\libegl.dll

Filesize
437KB

MD5
8352fd22f09b873193cabc2932be92f0

SHA1
5bd2b58854b279f1733c5f54ea2669ee8a888d9e

SHA256
14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c

SHA512
7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\libglesv2.dll

Filesize
6.7MB

MD5
b6a433dc7b4030fb17bd1683a9606b6e

SHA1
0602c50532e3f13facc67bd95a048c470e88afcc

SHA256
f7ae57a1d7d3e284714ca354f5292aa9b75086489cbfba8b1f54548445b6b3e9

SHA512
b9ba2e20ec878e3acae93d8254e69374e391fd4a3d5c1833282c43896d123baa874f1088839f3bbcf05539eda0e2aeaef28d7742ab8e20ec788382501e2152b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\libglesv2.dll

Filesize
6.7MB

MD5
b6a433dc7b4030fb17bd1683a9606b6e

SHA1
0602c50532e3f13facc67bd95a048c470e88afcc

SHA256
f7ae57a1d7d3e284714ca354f5292aa9b75086489cbfba8b1f54548445b6b3e9

SHA512
b9ba2e20ec878e3acae93d8254e69374e391fd4a3d5c1833282c43896d123baa874f1088839f3bbcf05539eda0e2aeaef28d7742ab8e20ec788382501e2152b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\locales\en-US.pak

Filesize
100KB

MD5
0bb857860d8c9ab6d617cea5a5bd4d00

SHA1
351b744d95846bff2ce5f542fec2e87439aa0f8b

SHA256
5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816

SHA512
33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\locales\en-US.pak

Filesize
100KB

MD5
0bb857860d8c9ab6d617cea5a5bd4d00

SHA1
351b744d95846bff2ce5f542fec2e87439aa0f8b

SHA256
5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816

SHA512
33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\resources.pak

Filesize
4.8MB

MD5
bdfa339e708ea0f23ed3620adc4a2d64

SHA1
82a95b7b022836b6e888f53e69386570c05a1af2

SHA256
b66ae9eda4543685974d35d051d967538bc57d55c2577629007c534ff330e1e4

SHA512
ba87c70e1b6446e0a7b62da33d72a36ff92ee54fda64343262bc26afa8166174e76d058ec6d707cdebf2611858b3b4b7e21798febec53da02febd81ade4ce8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\resources.pak

Filesize
4.8MB

MD5
bdfa339e708ea0f23ed3620adc4a2d64

SHA1
82a95b7b022836b6e888f53e69386570c05a1af2

SHA256
b66ae9eda4543685974d35d051d967538bc57d55c2577629007c534ff330e1e4

SHA512
ba87c70e1b6446e0a7b62da33d72a36ff92ee54fda64343262bc26afa8166174e76d058ec6d707cdebf2611858b3b4b7e21798febec53da02febd81ade4ce8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\resources\app.asar

Filesize
103.5MB

MD5
e1f62ba688f5d617e68cd1ae967315fe

SHA1
73feb620ccb03b2512fc33887da48795e278140d

SHA256
35c4bc0277b610d0262d4ab80ae7406d6ad3b6533b95468e766f754425bd523a

SHA512
0b99e21bb6bad3da2b0092eb651dfde3db8da8c9d076fbc0a8953c5942613bdef7a33a330597e62d44f5a295de8e728b3e4e4f3ee2fdf0a20cf64520aba1b0ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\resources\app.asar

Filesize
103.5MB

MD5
e1f62ba688f5d617e68cd1ae967315fe

SHA1
73feb620ccb03b2512fc33887da48795e278140d

SHA256
35c4bc0277b610d0262d4ab80ae7406d6ad3b6533b95468e766f754425bd523a

SHA512
0b99e21bb6bad3da2b0092eb651dfde3db8da8c9d076fbc0a8953c5942613bdef7a33a330597e62d44f5a295de8e728b3e4e4f3ee2fdf0a20cf64520aba1b0ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\v8_context_snapshot.bin

Filesize
656KB

MD5
47014c0f81bad6d216c617c9c63bf040

SHA1
7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf

SHA256
e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178

SHA512
052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\v8_context_snapshot.bin

Filesize
656KB

MD5
47014c0f81bad6d216c617c9c63bf040

SHA1
7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf

SHA256
e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178

SHA512
052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4lmv1bja.z10.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4adb359-83ea-425f-b899-ec9e3714a6ea.tmp.node

Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr458.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr458.tmp\app-64.7z

Filesize
70.5MB

MD5
eb72abf8a439a5c0595340f88e1bece9

SHA1
78635f4b540b5d1627c50480840a5d7811d585ba

SHA256
c8d8d4c354c0d50253c9da8053bd4fa18416bcebfc4d88258b6acc646b97ec67

SHA512
4ada71ea160106ab37e16fe98cab29dcf0c44bd4bfac8d94349fb6c23b4dd80c407cb75380302c2fd8322f4441379efd3f18318309af1d6ae92404b6bda9a80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr458.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\GalaxySwapperV2.exe

Filesize
139.5MB

MD5
971dadb0c7a7ee5d95ee2dc2165b2a0b

SHA1
1b59162875fa6db95cc5c55236745965cf0827cd

SHA256
ae17a87bc3c29707efe2daa77f2e944b7e91685910bc40ab0abc0cb9f0e876a2

SHA512
a02819719f624a2d3ed2a0a69a9634ae220794c8e0606caa3c85fec8eade1261a3d3dba960e8c69b354b53695dc11695787a1c318ae4583bb3d559b5b1b11067

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\LICENSE.electron.txt

Filesize
1KB

MD5
4d42118d35941e0f664dddbd83f633c5

SHA1
2b21ec5f20fe961d15f2b58efb1368e66d202e5c

SHA256
5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d

SHA512
3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\LICENSES.chromium.html

Filesize
5.2MB

MD5
df37c89638c65db9a4518b88e79350be

SHA1
6b9ba9fba54fb3aa1b938de218f549078924ac50

SHA256
dbd18fe7c6e72eeb81680fabef9b6c0262d1d2d1aa679b3b221d9d9ced509463

SHA512
93dd6df08fc0bfaf3e6a690943c090aefe66c5e9995392bebd510c5b6260533b1522dc529b8328dfe862192e1357e9e98d1cdd95117c08c76be3ab565c6eea67

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\chrome_200_percent.pak

Filesize
202KB

MD5
b51a78961b1dbb156343e6e024093d41

SHA1
51298bfe945a9645311169fc5bb64a2a1f20bc38

SHA256
4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9

SHA512
23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\d3dcompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\ffmpeg.dll

Filesize
2.6MB

MD5
c3842fb3087cdcdb04020ac38683c289

SHA1
329dbcd4a1c79b891b200f11eb50194b85c493bc

SHA256
e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133

SHA512
069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\icudtl.dat

Filesize
9.8MB

MD5
599c39d9adb88686c4585b15fb745c0e

SHA1
2215eb6299aa18e87db21f686b08695a5199f4e2

SHA256
c5f82843420fa9d144e006b48d59ba7ef95f7e6cb1ea95b27fcdd2c97f850859

SHA512
16194186a8407b29f799d4b02f5674e4fbd5d91163fad9f8dce6ceedd865b754a681aa960d0f3f1b62cb21d5443879f1b8e9b691c19c5802d5bdfe4ed645b8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\libEGL.dll

Filesize
437KB

MD5
8352fd22f09b873193cabc2932be92f0

SHA1
5bd2b58854b279f1733c5f54ea2669ee8a888d9e

SHA256
14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c

SHA512
7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\libGLESv2.dll

Filesize
6.7MB

MD5
b6a433dc7b4030fb17bd1683a9606b6e

SHA1
0602c50532e3f13facc67bd95a048c470e88afcc

SHA256
f7ae57a1d7d3e284714ca354f5292aa9b75086489cbfba8b1f54548445b6b3e9

SHA512
b9ba2e20ec878e3acae93d8254e69374e391fd4a3d5c1833282c43896d123baa874f1088839f3bbcf05539eda0e2aeaef28d7742ab8e20ec788382501e2152b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\am.pak

Filesize
175KB

MD5
e18a450ef034b42599341c3d09f280f1

SHA1
2001c8a85904962ac3a96938eccc69ad2c110fdf

SHA256
7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da

SHA512
ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\ar.pak

Filesize
181KB

MD5
6f3e791b4d35ee7d9515614d128752cf

SHA1
181ec3a84fb3e89336d77f24f562a2cbe07619d8

SHA256
e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60

SHA512
3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\bg.pak

Filesize
196KB

MD5
5ba0c7200362c9ed55610cc8b66ef53c

SHA1
d45239c2f1b00885407771a41a7776fc1fe8fa3b

SHA256
2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7

SHA512
6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\bn.pak

Filesize
253KB

MD5
47c95e191e760dee3ef43345577e2379

SHA1
609634315270a91d4ec631642b18bd0036367aad

SHA256
ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7

SHA512
46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\ca.pak

Filesize
122KB

MD5
423651c45566cd90ea5edd8631e823b8

SHA1
13bed4173a08bcbfefba034aada3d838eece6d16

SHA256
7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414

SHA512
e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\cs.pak

Filesize
125KB

MD5
3cfd9dc564cfcc33cc5524711365c376

SHA1
2e5016d2643017f37658262122974429f18625a2

SHA256
8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee

SHA512
6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\da.pak

Filesize
114KB

MD5
55a8f5883805a65c854d25edb3959209

SHA1
d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268

SHA256
e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb

SHA512
4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\de.pak

Filesize
123KB

MD5
b73344e5a72fca6f956dbab984c123ba

SHA1
0561073aa40a63a9ce9930dd18b18e12ff139b2b

SHA256
6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b

SHA512
e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\el.pak

Filesize
216KB

MD5
38440b98bfdf5ed496da0f49d59534c0

SHA1
1498d9207ecaf4923a47271e24c68a817041c82e

SHA256
b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f

SHA512
95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\en-GB.pak

Filesize
99KB

MD5
52e2826fb5814776d47a7fcaf55cb675

SHA1
51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b

SHA256
83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454

SHA512
69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\en-US.pak

Filesize
100KB

MD5
0bb857860d8c9ab6d617cea5a5bd4d00

SHA1
351b744d95846bff2ce5f542fec2e87439aa0f8b

SHA256
5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816

SHA512
33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\es-419.pak

Filesize
120KB

MD5
b261b1efe945365588befdf68879040f

SHA1
616f44a5f73f0449b483f36ccf831db6474a10d2

SHA256
1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4

SHA512
9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\es.pak

Filesize
122KB

MD5
f83d8f7f6108786c02c2edbf3d85f147

SHA1
57781d9d9eb7c90cdc71f78e25d0763045b6d29a

SHA256
5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d

SHA512
12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\et.pak

Filesize
110KB

MD5
c76db3385190c6840315c4497e40258a

SHA1
34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46

SHA256
e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f

SHA512
90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\fa.pak

Filesize
173KB

MD5
6458a239e994d8d18315deccd35389ed

SHA1
75c985f43503a6c44645786d46639a6b555ae163

SHA256
300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34

SHA512
3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\fi.pak

Filesize
112KB

MD5
cc592d91ce8eabaa75249cb78b889376

SHA1
f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac

SHA256
b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20

SHA512
58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\fil.pak

Filesize
126KB

MD5
40bddaf97f64dfea9ebafc7f82166f80

SHA1
90d1fde3c0b27d2184f0353991259c2a92c7820c

SHA256
39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2

SHA512
d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\fr.pak

Filesize
131KB

MD5
c3095ce1e88b0976ba7bef183d047347

SHA1
b14cfbf6e46ac1f189595fc09660178525301138

SHA256
66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272

SHA512
29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\gu.pak

Filesize
245KB

MD5
63a7fdc4eadf8ef1c35c72468a0ce33f

SHA1
e8d064f0e9c8a6a8c6ccb036711e292d011d9466

SHA256
e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c

SHA512
0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\he.pak

Filesize
151KB

MD5
6a02a37e1ca3215fa9ee0e1b0fbcf5e7

SHA1
89a8a126c0bbf536ac58e29fc50e045fb1b88220

SHA256
f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986

SHA512
6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\hi.pak

Filesize
253KB

MD5
590e9e73df9cbd83cd87b9c03848fec9

SHA1
da125e60a5a2c51a2d6219d3f81688bd22237b59

SHA256
089b9dd31090a987515809a68d26f6eeb64cd9283934e3dcc48b151eec7d3ad9

SHA512
fd0e5d0f2063e12b711275f390428b88f98ffaf6043cdb14b13674ac1e4aa9f70ae820ae960132d7155daf9b1308238775c4702694ab53068cdc709c50f9186a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\hr.pak

Filesize
119KB

MD5
6f92235e6ba003af925a2d6584afd27d

SHA1
3ceba61e9c2975466b6244188f5ea72aaf042fc7

SHA256
479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840

SHA512
82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\hu.pak

Filesize
129KB

MD5
71d42cb22d2d7a8b26c4514ab12df3aa

SHA1
cd0307503a7906f1742d1e98fc816959319c2171

SHA256
b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6

SHA512
29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\id.pak

Filesize
108KB

MD5
e40cb2f3b4db379e4d187aeef0dfd300

SHA1
537b1ebc615c980c89bbe2b9e91a11199fa7d6a6

SHA256
3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5

SHA512
b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\it.pak

Filesize
123KB

MD5
5aa225aad4f9fe6d05ec24905a827d88

SHA1
f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22

SHA256
96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab

SHA512
3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\ja.pak

Filesize
143KB

MD5
833e8c4aa70351b6be7bd403e4e9a0a7

SHA1
46ccdbdea35deec8ef13a5fc833776875fad187b

SHA256
74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0

SHA512
e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\kn.pak

Filesize
277KB

MD5
5115cde84b4c674db412619b65433004

SHA1
164f33e7e2e9f685a579da492a6fc8806beb6cbf

SHA256
891e092c6895e23be986c3e6d39dcea9b6b75f1448239c13fd406680e50407a7

SHA512
090a247898cb533325d2b289a6cbd8db2a755ef0abab49d82f333e57b290c50b5996b81f15d8adc30160b216eebed3a1476aec1627195e52189557c1d48b0216

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\ko.pak

Filesize
120KB

MD5
d6e2c18c9eabba59b50d147d942125ea

SHA1
0918879203c2050b4f9f449f5616e430897ba0b9

SHA256
f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76

SHA512
f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\lt.pak

Filesize
131KB

MD5
2d4fca437a7548893dc4b51fa5b33c33

SHA1
c1493013d7d981ea9223716e415380992de65c2f

SHA256
776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769

SHA512
b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\lv.pak

Filesize
130KB

MD5
264c6e20b3088ceb4dae5773cef0cb55

SHA1
fb6ff83ff14df008092bc3ee73bda7491e8e090e

SHA256
a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda

SHA512
01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\ml.pak

Filesize
292KB

MD5
04b2540c25990a5e0a9b227dcce6ae0d

SHA1
4f8ccd154f54dfb083d4d1a3ed0994842c8ab13e

SHA256
556165b8b54c6e21bc66d12b3f5be393136714467c427f7114f314d18ad3c661

SHA512
4cab47e42e8f5d4a83851871f97f3e1360c993ba530dbb4b4b736350779784bd83189e1195d3480ce87298bb8f9b7f249fefa7764d850e5b0002895609626785

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\mr.pak

Filesize
240KB

MD5
f22c99fe6a838e333e8ee06a4d01296b

SHA1
c3542ea8dd45a2b387dd02fa5687948f135e10f2

SHA256
b03a3042f907aed13253ae8083d08f5fad59ff438d024b097276856e72526911

SHA512
882022c2cb985d85f96d52c9bcfeeb089d6ff30e66187ccf424ef622092b9d359a51bdef1fb6ac3b9d3409aa79d37ca737ba7f3ed8b9cdaabfe04d90a7c8bc15

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\ms.pak

Filesize
111KB

MD5
6cfadaa784e687e6dadbcd80e631bc9b

SHA1
481acb75f525055bf4e45ecabe0eadcb9c492106

SHA256
fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71

SHA512
0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\nb.pak

Filesize
110KB

MD5
b61e42f66d581b6a8929cdf5fb10662e

SHA1
6f06fa9ee092fbcb61bbd668734fb3b92cfb549a

SHA256
1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e

SHA512
79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\nl.pak

Filesize
114KB

MD5
cf6b1cbfd669e9461553974ba37a475e

SHA1
b33867e9bc7fd88ca98a76dc4bd756bcf18887aa

SHA256
9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864

SHA512
e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\pl.pak

Filesize
125KB

MD5
644c0ace25d6e532b56510a736c6bc2c

SHA1
1bd0fec952107b493da04c46423da634ff3e1504

SHA256
2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7

SHA512
9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\pt-BR.pak

Filesize
119KB

MD5
88ad860c73676ffb4025b5c691f29942

SHA1
3c5e5b999ea7153ccdd1b4cc7b6162de3456b558

SHA256
25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e

SHA512
41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\pt-PT.pak

Filesize
123KB

MD5
ecd84b296d3bb312ee18e21017311986

SHA1
f5625523f85c10723750834a54ff59a2dd886fb3

SHA256
fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94

SHA512
e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\ro.pak

Filesize
122KB

MD5
24b01a438a3ab9699d4ca97c081b5e82

SHA1
0d0b082544d23425a74199fb0a6c11192f0bdf7d

SHA256
38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca

SHA512
43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\ru.pak

Filesize
195KB

MD5
75457b95d2bb03891232dae7db886387

SHA1
e5a7569df7f91533703626d167ecc8cddbd27205

SHA256
e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6

SHA512
9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\sk.pak

Filesize
127KB

MD5
b35daa0bd9627ca88b413a5af7c6b4a4

SHA1
d5efdcbc7ca17de29f3075f6434f31ab2e895826

SHA256
f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177

SHA512
48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\sl.pak

Filesize
121KB

MD5
e015b6f5042be2dc96a4e23dcf035502

SHA1
7946509eed8db1e4c1f3da99ffe7155c86fdb4d6

SHA256
99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4

SHA512
b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\sr.pak

Filesize
185KB

MD5
af7083f2a4bd95dcbe792efade352662

SHA1
dc69aa831836016f6e66c6079931503d534a7862

SHA256
e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd

SHA512
342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\sv.pak

Filesize
111KB

MD5
41e76f7775fc9a2d6e3c02c46e9b32f6

SHA1
088c15c74a68bee69682bf89c31055332b68c84a

SHA256
2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13

SHA512
6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\sw.pak

Filesize
114KB

MD5
99e385ebc1ef8d3daddb3a171fa79edf

SHA1
3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1

SHA256
8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01

SHA512
797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\ta.pak

Filesize
290KB

MD5
31dada843d0b4f9a66b184cb6d7b8b92

SHA1
0320b31981043c6e4c17470bf2ff4c7488553511

SHA256
457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b

SHA512
c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\te.pak

Filesize
270KB

MD5
793a87d41cde6e6d1bb086284f69733b

SHA1
d887e3842b664f55b7308427aa6f5bf0b352d879

SHA256
5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255

SHA512
7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\th.pak

Filesize
227KB

MD5
43edd25f67ce6e6cea5373009ff0a1f8

SHA1
ed72ca6620cf23837e1334be50ccf616806bc5a2

SHA256
287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0

SHA512
7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\tr.pak

Filesize
117KB

MD5
40491896ad21543f339467186c5efb40

SHA1
695dde7cc35056dcbf0a533aff8299d4c6b61bd8

SHA256
43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa

SHA512
18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\uk.pak

Filesize
198KB

MD5
d791b1ecf2931b2fb0c31aac170c7cdc

SHA1
02be115a9ff94fe5250651b6de4323eafc44fce1

SHA256
ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22

SHA512
3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\vi.pak

Filesize
140KB

MD5
69c8796439192577f48bd249175aaf37

SHA1
97c52088ca69dada593db0e42b2135d264646454

SHA256
d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2

SHA512
65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\zh-CN.pak

Filesize
101KB

MD5
098d656a4f4bd8240bed10e7678186c7

SHA1
0c19ab62b4262f1b51558e8aaa79e7741f73393a

SHA256
a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7

SHA512
084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\locales\zh-TW.pak

Filesize
101KB

MD5
c2c35fcedc3708b5bcadf36587393002

SHA1
31d72402cbd44ceb921cedd806259c2cd14e411f

SHA256
cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac

SHA512
9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\resources.pak

Filesize
4.8MB

MD5
bdfa339e708ea0f23ed3620adc4a2d64

SHA1
82a95b7b022836b6e888f53e69386570c05a1af2

SHA256
b66ae9eda4543685974d35d051d967538bc57d55c2577629007c534ff330e1e4

SHA512
ba87c70e1b6446e0a7b62da33d72a36ff92ee54fda64343262bc26afa8166174e76d058ec6d707cdebf2611858b3b4b7e21798febec53da02febd81ade4ce8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\resources\app.asar

Filesize
103.5MB

MD5
e1f62ba688f5d617e68cd1ae967315fe

SHA1
73feb620ccb03b2512fc33887da48795e278140d

SHA256
35c4bc0277b610d0262d4ab80ae7406d6ad3b6533b95468e766f754425bd523a

SHA512
0b99e21bb6bad3da2b0092eb651dfde3db8da8c9d076fbc0a8953c5942613bdef7a33a330597e62d44f5a295de8e728b3e4e4f3ee2fdf0a20cf64520aba1b0ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

Filesize
296KB

MD5
c20c205c6f8d70a5e1351a4041a3ec9f

SHA1
e1b2a763dd6c42439656e4e55aba0f3610ff3784

SHA256
bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc

SHA512
dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

Filesize
394B

MD5
067e233b0609d56ff4756bedd8c0efe0

SHA1
96419d05adc4b6674948b4ac14f8ab5bb3ce4380

SHA256
6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74

SHA512
94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

Filesize
24KB

MD5
471b15abc9f2e98fb7ed7361d3f045eb

SHA1
95b5798d80a9410872f6ed485ae2b43ca3745540

SHA256
7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004

SHA512
5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

Filesize
161KB

MD5
16a12bdc986207390dd79d658a6b2263

SHA1
b4b41f62cbc1e1ede786c6e30e11df8e61750bad

SHA256
50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac

SHA512
d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\resources\elevate.exe

Filesize
105KB

MD5
792b92c8ad13c46f27c7ced0810694df

SHA1
d8d449b92de20a57df722df46435ba4553ecc802

SHA256
9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

SHA512
6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\snapshot_blob.bin

Filesize
342KB

MD5
c9ab741bbef53fa0e84952b8891a5f5a

SHA1
e2dcb8d034e07243537c86371de0c52bce62cee1

SHA256
4d82fe1e642fe3ca7ad1a173f806088c0652ecfe9f0f6f6e246066e15a3431d4

SHA512
177b98a3090ecfe4b4598dfcd7e8b3ca49efafba4dbd8d6c6d0def462de47c3fabfde831725622783ddc177de982de6115178d9bd9830d918bb544a5a4c27fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\swiftshader\libEGL.dll

Filesize
450KB

MD5
19dc9ee70e7765bb63a66b6826e8ecb7

SHA1
1a12f983f8b35cc2955d30657971f113c47dc164

SHA256
83d5719abee35e051d984510e1d5d9317a109031698814742b59bdbbe7d4e30f

SHA512
1fda2bcc4b2e70987ca6011ab2534007ae4f752016d29a588aaae839bb25c35e03773f220b6a8e926cf2643997e7d4c0f28743304269b2c55642ce12934def68

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\swiftshader\libGLESv2.dll

Filesize
3.0MB

MD5
c0b36d56d83e601bf246f7709a8c5f9d

SHA1
b025a6070f7d61c7d1827856d2d4043834fd23f2

SHA256
45bb5e1f8dd87129ac0a75c78f8f29d06e3ac182a00fc5199b692068f1e05a53

SHA512
e429ae63bd8a7d5a936a638783511693e8fbbc91d97779b3d4dd3f0880f1c8a820106bfb57cf7ee6b3639f19165de87bbe127aadd81218689fc6c8fada2106d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\v8_context_snapshot.bin

Filesize
656KB

MD5
47014c0f81bad6d216c617c9c63bf040

SHA1
7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf

SHA256
e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178

SHA512
052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\vk_swiftshader.dll

Filesize
4.4MB

MD5
de2d91476e625278c30a5f69a1892e05

SHA1
4d707f6a801611fb437f5c1cba31b0909bf41506

SHA256
02c7f0b926c64f5a19a9aacd5f94ee00be4d576486592e18acc80c0a027b05ba

SHA512
d027407539346e5aedd527f5f71de45bace6295e96a7fbefbf273c930d64a791e488e4bdf6ef8db61fc19c80cac52a6e398c2973499c6fedb1e422c3ba71f532

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\7z-out\vulkan-1.dll

Filesize
819KB

MD5
b91586bd80e057a7f62bdc4422744812

SHA1
a1df644421ece2e740e5bf0ed98b4f269fd85c39

SHA256
8ba72d98e0f78b77bda7816cd7232809d287310d34e0f1d7472b9d5fda2c6d02

SHA512
94f0a8e3e75e4803891c0fcb257052dbe0e7399772fc7a46ab802629f76ee580ed30b3678fa6bc3744c12cf9f3103bbc8276e88f6711278748148e9fbeef2053

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
b9f7aa27f5f49490de21209a67496f29

SHA1
42a79e4f66582f30a577704bfa4f0f65be75576f

SHA256
5732097eda35f74dceee8e7d88fb7f91d31aa8a78d5a35c97c5231ac198003f4

SHA512
6f732630079f45836f8c5e7a3e63fdaee5bcfde31e16909ae22211b7cec79479528ed5ca91c37557751d3a77d4e149669138120c8322fc0f7b536cbce524f19f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\WindowsDriverSetup.exe

Filesize
139.5MB

MD5
971dadb0c7a7ee5d95ee2dc2165b2a0b

SHA1
1b59162875fa6db95cc5c55236745965cf0827cd

SHA256
ae17a87bc3c29707efe2daa77f2e944b7e91685910bc40ab0abc0cb9f0e876a2

SHA512
a02819719f624a2d3ed2a0a69a9634ae220794c8e0606caa3c85fec8eade1261a3d3dba960e8c69b354b53695dc11695787a1c318ae4583bb3d559b5b1b11067

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\datareporting\glean\db\data.safe.bin

Filesize
182B

MD5
7d3d11283370585b060d50a12715851a

SHA1
3a05d9b7daa2d377d95e7a5f3e8e7a8f705938e3

SHA256
86bff840e1bec67b7c91f97f4d37e3a638c5fdc7b56aae210b01745f292347b9

SHA512
a185a956e7105ad5a903d5d0e780df9421cf7b84ef1f83f7e9f3ab81bf683b440f23e55df4bbd52d60e89af467b5fc949bf1faa7810c523b98c7c2361fde010e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\prefs-1.js

Filesize
8KB

MD5
7be87048802ffdec46b6bbf3a8880023

SHA1
569eefc84c9f7bf7142a20dfc172ff02428a41bc

SHA256
d8030baefd5c08c10fa10a102184c625aaa9ee8f851a9e7f50772895033ee423

SHA512
d0a5a0a351895e3a39c6410233aa3236a140ecfa80a09b9557f262e3c5f4485ac791241e78d3094c043d14a18b33acff39d280661566e6e1bb7ad61022a4bc7a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\prefs-1.js

Filesize
6KB

MD5
08b546717def9b501218fe70b6bb8b93

SHA1
894380b54601e4257042a409584925ef94ea32b2

SHA256
eb82e3883a53fa5ae039b584488509bd1d7430f11392d910fefccbe7b937adf8

SHA512
1fff84f4777a6ad13dd6a06d3205dff0bb9681a7b71a9dcd094971000c2eb4d6e9249245a538c1cfa85aca302e23d50f5260183cf0fe1a7e0bf077f9da36d2a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\prefs-1.js

Filesize
6KB

MD5
5596d3dd8622d2d7fd2ea24a962fe864

SHA1
8772bd3007aabe7a1b874f8663a3c5fe7ad4da30

SHA256
c437aecaa3e01045910361a37fc4a4158d9db0c2da5eeb71e65e4a5d962debe1

SHA512
32a46cd2c9709b7c1d56c10ff0efe053d3253415be4ecb2646c3ca5e268d331a0276aa7215068830ab44d029285f9f72642520662d19998d375e538300189af1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
a425ab47bb8776c6ff7a6ff5177e556a

SHA1
4ed22d328c3e28e60982c9a3804082aca046a785

SHA256
67edf002a9de4cc4a715fbbf43ee6258af8ee3d8918bc4650b60e4f5b24c6b32

SHA512
bd5b2c4ddfb69eea4492aa1e3c4550dac0b4e0a6c5e8654db5bdb128a3842fc347f03c318f5caa1eb6643a00fcf1785729e8cbd16b088935bbc411dd527a9ee5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
2b1dd7c9a53a2302796a8a80af3e81a0

SHA1
e352e961df5ffa4e99fc208a9e88c1fe5db3c2a4

SHA256
795a7566edff9448271568027789b2f639189020c4180e6fca3bd3fa200bd5d8

SHA512
e4b19d995004db4f4edb871e2e77fb935a4fcd59d4710dc0fd2563222cf531d39f33b9c55b7eb8117f0c80bf277cd0c590ca4d3f6472e7f6c5f61e4a94d374cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
ab0795839498604969eaa70ca1fdd083

SHA1
e43eb56109c691c422e633f18c38ba741baba523

SHA256
f3dc31cb29a83157842f6bf831752af152d3ae2f4b2cb7d64194ba7347fa7581

SHA512
a8bf72a87d8dc39d86171b49209396ac0f94faf6e42aac6c3a77c62c5fac01b3c66dce40088061c8206f9ce8acd680a95db9ee3e8c3362a79fec4b7abb5cc59a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
7.6MB

MD5
8da201d27535b5efefa2b0925b3b6194

SHA1
7c1ce69b6d27b10606c0c6f34ac550a3d0db86d1

SHA256
5b305157f851bad595b78e5a289689b728e185af9b7c8c86842b7f587cd6fa27

SHA512
f8b5b124a86c01f444aeab1bc90d01d8e6c925539ec0e9366f82c2bdd1697a2752860ca1814efd85265a7394c8b72c7d1d66781d5ba2cf3d1edb1f60e5d43c15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
176KB

MD5
e540b4ba056dc849b62401d849c9110c

SHA1
e317f21395f50a4e8558d373fdb5cff3e7b9fb8a

SHA256
7b8f511529030bd604d3d45cff3106bd45c2deb4a2086bf21236075d2d57fb1f

SHA512
88d6adb62652482b4fb234265bc1c36338f8eebc2b864bb25b35b5928b083bfec1d6c19d79636542114ddc0e5dc0411fffb28c9a21eb1d607d999ec409ceab7a

Download Submit
C:\Users\Admin\AppData\Roaming\bAR3SJw2YRcO.vbs

Filesize
130B

MD5
8c22448ae8262c3687c230c9e6f41c75

SHA1
4e722a44743e014e153140fa69f5fdb4fe516b8e

SHA256
3362d96fb0c32f81c0aad010491991db5d6c1b4242c73ebb7234a48253f229b7

SHA512
0d071791b7fec3662979c4824acd1afb7d89d8d486287f934f0c45a6b502f49292c97922445e50eca6cbc4d7f2f7e26cc3d272a27448b025d445d0e585f9af3b

Download Submit
C:\Users\Admin\AppData\Roaming\script\Local State

Filesize
389B

MD5
230ab40092654ab9eca383c8f58713d7

SHA1
3a572fed26085e688f11bbe42e580459fa937d7f

SHA256
20a8191a415173921966460f9cad19b6e9bc43a3119c8486ea9929cd7e153dd9

SHA512
d4d1117938a5438c146a110b4854d6c56294334b0a086830d1858c3ef239f5ac81fdc1d946150fe2d343f81bd2fa01d9d47f585c21eb250c808a8b5b0671f05a

Download Submit
C:\Users\Admin\Downloads\generator.exe

Filesize
70.9MB

MD5
680ec4f15e74372f4814288d994cd602

SHA1
33265e490b30eef8dc2e5740a2867e2b708974d8

SHA256
e06ecabc302b098f3336fb21d126a1b69d44114f454ea9e1ba43ef599f3e53f9

SHA512
ed12d9b018a5d679065abe59676a71fb9d566504b4b05cb5fda08a822cf0074b8ad29f9e656abc8c5e0613febf5320a5101d99df00baea6f3bb109cc78a80326

Download Submit
C:\Users\Admin\Downloads\generator.exe

Filesize
70.9MB

MD5
680ec4f15e74372f4814288d994cd602

SHA1
33265e490b30eef8dc2e5740a2867e2b708974d8

SHA256
e06ecabc302b098f3336fb21d126a1b69d44114f454ea9e1ba43ef599f3e53f9

SHA512
ed12d9b018a5d679065abe59676a71fb9d566504b4b05cb5fda08a822cf0074b8ad29f9e656abc8c5e0613febf5320a5101d99df00baea6f3bb109cc78a80326

Download Submit
C:\Users\Admin\Downloads\generator.exe

Filesize
70.9MB

MD5
680ec4f15e74372f4814288d994cd602

SHA1
33265e490b30eef8dc2e5740a2867e2b708974d8

SHA256
e06ecabc302b098f3336fb21d126a1b69d44114f454ea9e1ba43ef599f3e53f9

SHA512
ed12d9b018a5d679065abe59676a71fb9d566504b4b05cb5fda08a822cf0074b8ad29f9e656abc8c5e0613febf5320a5101d99df00baea6f3bb109cc78a80326

Download Submit
\Users\Admin\AppData\Local\Temp\0ab2d8b3-f347-4556-9913-bd2f08f1c743.tmp.node

Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
\Users\Admin\AppData\Local\Temp\12dfe6ab-5db4-4d3a-b5be-c010ff9588bb.tmp.node

Filesize
643KB

MD5
fdcf16a643c857e1e3e364e7f7b72292

SHA1
f62e8f3f728632ab2c22f9d7adac2d6d51eb2d88

SHA256
a8f468c7bf099e3db657e45e186ed747b3b5272f703af4efa6435a9e33081230

SHA512
2c56fd0a7c283d9627ec085abc2dfdccaea0da593d84d4b453d7bc0f37b249482895163ad3d0e53d5fc53770ded1eb9d49f1984a1d8f98082464816ca5a53ffc

Download Submit
\Users\Admin\AppData\Local\Temp\1792a572-f0a2-44c8-8b07-010057e553cb.tmp.node

Filesize
643KB

MD5
fdcf16a643c857e1e3e364e7f7b72292

SHA1
f62e8f3f728632ab2c22f9d7adac2d6d51eb2d88

SHA256
a8f468c7bf099e3db657e45e186ed747b3b5272f703af4efa6435a9e33081230

SHA512
2c56fd0a7c283d9627ec085abc2dfdccaea0da593d84d4b453d7bc0f37b249482895163ad3d0e53d5fc53770ded1eb9d49f1984a1d8f98082464816ca5a53ffc

Download Submit
\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\d3dcompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\d3dcompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\ffmpeg.dll

Filesize
2.6MB

MD5
c3842fb3087cdcdb04020ac38683c289

SHA1
329dbcd4a1c79b891b200f11eb50194b85c493bc

SHA256
e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133

SHA512
069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

Download Submit
\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\ffmpeg.dll

Filesize
2.6MB

MD5
c3842fb3087cdcdb04020ac38683c289

SHA1
329dbcd4a1c79b891b200f11eb50194b85c493bc

SHA256
e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133

SHA512
069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

Download Submit
\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\ffmpeg.dll

Filesize
2.6MB

MD5
c3842fb3087cdcdb04020ac38683c289

SHA1
329dbcd4a1c79b891b200f11eb50194b85c493bc

SHA256
e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133

SHA512
069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

Download Submit
\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\ffmpeg.dll

Filesize
2.6MB

MD5
c3842fb3087cdcdb04020ac38683c289

SHA1
329dbcd4a1c79b891b200f11eb50194b85c493bc

SHA256
e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133

SHA512
069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

Download Submit
\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\ffmpeg.dll

Filesize
2.6MB

MD5
c3842fb3087cdcdb04020ac38683c289

SHA1
329dbcd4a1c79b891b200f11eb50194b85c493bc

SHA256
e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133

SHA512
069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

Download Submit
\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\ffmpeg.dll

Filesize
2.6MB

MD5
c3842fb3087cdcdb04020ac38683c289

SHA1
329dbcd4a1c79b891b200f11eb50194b85c493bc

SHA256
e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133

SHA512
069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

Download Submit
\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\libEGL.dll

Filesize
437KB

MD5
8352fd22f09b873193cabc2932be92f0

SHA1
5bd2b58854b279f1733c5f54ea2669ee8a888d9e

SHA256
14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c

SHA512
7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

Download Submit
\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\libEGL.dll

Filesize
437KB

MD5
8352fd22f09b873193cabc2932be92f0

SHA1
5bd2b58854b279f1733c5f54ea2669ee8a888d9e

SHA256
14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c

SHA512
7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

Download Submit
\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\libGLESv2.dll

Filesize
6.7MB

MD5
b6a433dc7b4030fb17bd1683a9606b6e

SHA1
0602c50532e3f13facc67bd95a048c470e88afcc

SHA256
f7ae57a1d7d3e284714ca354f5292aa9b75086489cbfba8b1f54548445b6b3e9

SHA512
b9ba2e20ec878e3acae93d8254e69374e391fd4a3d5c1833282c43896d123baa874f1088839f3bbcf05539eda0e2aeaef28d7742ab8e20ec788382501e2152b1

Download Submit
\Users\Admin\AppData\Local\Temp\2YcJLGWjsc30UuFXsxMKxDYc8hp\libGLESv2.dll

Filesize
6.7MB

MD5
b6a433dc7b4030fb17bd1683a9606b6e

SHA1
0602c50532e3f13facc67bd95a048c470e88afcc

SHA256
f7ae57a1d7d3e284714ca354f5292aa9b75086489cbfba8b1f54548445b6b3e9

SHA512
b9ba2e20ec878e3acae93d8254e69374e391fd4a3d5c1833282c43896d123baa874f1088839f3bbcf05539eda0e2aeaef28d7742ab8e20ec788382501e2152b1

Download Submit
\Users\Admin\AppData\Local\Temp\f4adb359-83ea-425f-b899-ec9e3714a6ea.tmp.node

Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
\Users\Admin\AppData\Local\Temp\nsr458.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nsr458.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsr458.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsyC2E3.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/236-1824-0x0000014D8D0D0000-0x0000014D8D0E0000-memory.dmp

Filesize
64KB

Download
memory/236-1845-0x00007FFB3C610000-0x00007FFB3CFFC000-memory.dmp

Filesize
9.9MB

Download
memory/236-1822-0x00007FFB3C610000-0x00007FFB3CFFC000-memory.dmp

Filesize
9.9MB

Download
memory/236-1823-0x0000014D8D0D0000-0x0000014D8D0E0000-memory.dmp

Filesize
64KB

Download
memory/236-1844-0x0000014D8D0D0000-0x0000014D8D0E0000-memory.dmp

Filesize
64KB

Download
memory/1704-2720-0x00007FFB58CB0000-0x00007FFB58CB1000-memory.dmp

Filesize
4KB

Download
memory/1704-3128-0x0000021BF5C60000-0x0000021BF7097000-memory.dmp

Filesize
20.2MB

Download
memory/2592-754-0x0000021171D50000-0x0000021173187000-memory.dmp

Filesize
20.2MB

Download
memory/2592-614-0x00007FFB58CB0000-0x00007FFB58CB1000-memory.dmp

Filesize
4KB

Download
memory/5440-2758-0x00007FFB3C430000-0x00007FFB3CE1C000-memory.dmp

Filesize
9.9MB

Download
memory/5440-2782-0x00007FFB3C430000-0x00007FFB3CE1C000-memory.dmp

Filesize
9.9MB

Download
memory/5440-2781-0x0000025F1BEE0000-0x0000025F1BEF0000-memory.dmp

Filesize
64KB

Download
memory/5440-2760-0x0000025F1BEE0000-0x0000025F1BEF0000-memory.dmp

Filesize
64KB

Download
memory/5440-2759-0x0000025F1BEE0000-0x0000025F1BEF0000-memory.dmp

Filesize
64KB

Download
memory/5480-718-0x0000024E536D0000-0x0000024E536E0000-memory.dmp

Filesize
64KB

Download
memory/5480-738-0x0000024E536D0000-0x0000024E536E0000-memory.dmp

Filesize
64KB

Download
memory/5480-739-0x00007FFB3CAB0000-0x00007FFB3D49C000-memory.dmp

Filesize
9.9MB

Download
memory/5480-717-0x0000024E536D0000-0x0000024E536E0000-memory.dmp

Filesize
64KB

Download
memory/5480-716-0x00007FFB3CAB0000-0x00007FFB3D49C000-memory.dmp

Filesize
9.9MB

Download
memory/5700-779-0x000001A56F9D0000-0x000001A56F9E0000-memory.dmp

Filesize
64KB

Download
memory/5700-780-0x00007FFB3CAB0000-0x00007FFB3D49C000-memory.dmp

Filesize
9.9MB

Download
memory/5700-763-0x000001A56F9D0000-0x000001A56F9E0000-memory.dmp

Filesize
64KB

Download
memory/5700-762-0x000001A56F9D0000-0x000001A56F9E0000-memory.dmp

Filesize
64KB

Download
memory/5700-759-0x00007FFB3CAB0000-0x00007FFB3D49C000-memory.dmp

Filesize
9.9MB

Download
memory/6132-707-0x00007FFB3CAB0000-0x00007FFB3D49C000-memory.dmp

Filesize
9.9MB

Download
memory/6132-706-0x00000234EFE30000-0x00000234EFE40000-memory.dmp

Filesize
64KB

Download
memory/6132-679-0x00007FFB3CAB0000-0x00007FFB3D49C000-memory.dmp

Filesize
9.9MB

Download
memory/6132-680-0x00000234EFE30000-0x00000234EFE40000-memory.dmp

Filesize
64KB

Download
memory/6132-682-0x00000234EFE30000-0x00000234EFE40000-memory.dmp

Filesize
64KB

Download
memory/6132-683-0x00000234EFFE0000-0x00000234F0002000-memory.dmp

Filesize
136KB

Download
memory/6132-686-0x00000234F0190000-0x00000234F0206000-memory.dmp

Filesize
472KB

Download
memory/6980-2791-0x00007FFB3C430000-0x00007FFB3CE1C000-memory.dmp

Filesize
9.9MB

Download
memory/6980-2793-0x000001FF6A640000-0x000001FF6A650000-memory.dmp

Filesize
64KB

Download
memory/6980-2792-0x000001FF6A640000-0x000001FF6A650000-memory.dmp

Filesize
64KB

Download
memory/6980-2814-0x00007FFB3C430000-0x00007FFB3CE1C000-memory.dmp

Filesize
9.9MB

Download
memory/6980-2813-0x000001FF6A640000-0x000001FF6A650000-memory.dmp

Filesize
64KB

Download
memory/7508-1810-0x000001C14BD90000-0x000001C14BDA0000-memory.dmp

Filesize
64KB

Download
memory/7508-1789-0x00007FFB3C610000-0x00007FFB3CFFC000-memory.dmp

Filesize
9.9MB

Download
memory/7508-1791-0x000001C14BD90000-0x000001C14BDA0000-memory.dmp

Filesize
64KB

Download
memory/7508-1792-0x000001C14BD90000-0x000001C14BDA0000-memory.dmp

Filesize
64KB

Download
memory/7508-1816-0x00007FFB3C610000-0x00007FFB3CFFC000-memory.dmp

Filesize
9.9MB

Download
memory/9052-1754-0x00007FFB58CB0000-0x00007FFB58CB1000-memory.dmp

Filesize
4KB

Download
memory/9052-1854-0x0000012B01EC0000-0x0000012B032F7000-memory.dmp

Filesize
20.2MB

Download