observer | 13dcfc1aa528addb278f703cd8fc7b0aaf8cbeb8242bdd0a070401099de854f2

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

99.7MB
MD5

3d54a88bea517fb58ecb46f3d7f94777
SHA1

b51360050b9785d01484d3d7b5c9796f98a8a0d1
SHA256

13dcfc1aa528addb278f703cd8fc7b0aaf8cbeb8242bdd0a070401099de854f2
SHA512

92c68b0b329b80ef892ffa838dd94e6c9d10e48e0e6f8840b9933b777bfa50cf5ed1c0ddea2c74a3c27d05310087a33ebfcaa6d8df71e8cdce46eab703d4299a
SSDEEP

3145728:qbzHAlMRvSvTXKX5U1LAcHbBlpmDHxc20Z/s:iTAmcLXKsxr2R4Z0

Score

10^/10

observer stealer

Malware Config

Extracted

Family

observer

http://5.42.66.25:3000

Signatures

Observer
Observer is an infostealer written in C++.
stealer observer
Downloads MZ/PE file

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	file_k36p3c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	file_wuuu1p.exe

Executes dropped EXE 15 IoCs

pid	Process
1456	Launcher.exe
1804	Launcher.exe
4852	Launcher.exe
4344	Launcher.exe
3276	Launcher.exe
4988	Launcher.exe
4476	Launcher.exe
5088	Launcher.exe
1908	Launcher.exe
3508	Launcher.exe
632	file_k36p3c.exe
1996	Awareness.pif
5664	Launcher.exe
6036	file_wuuu1p.exe
5364	Awareness.pif

Loads dropped DLL 35 IoCs

pid	Process
1456	Launcher.exe
1456	Launcher.exe
1456	Launcher.exe
1804	Launcher.exe
4852	Launcher.exe
4344	Launcher.exe
4344	Launcher.exe
4344	Launcher.exe
4344	Launcher.exe
4344	Launcher.exe
3276	Launcher.exe
4344	Launcher.exe
3276	Launcher.exe
3276	Launcher.exe
4988	Launcher.exe
4988	Launcher.exe
4988	Launcher.exe
4344	Launcher.exe
4476	Launcher.exe
4476	Launcher.exe
4476	Launcher.exe
4476	Launcher.exe
5088	Launcher.exe
5088	Launcher.exe
5088	Launcher.exe
1908	Launcher.exe
3508	Launcher.exe
3508	Launcher.exe
1908	Launcher.exe
3508	Launcher.exe
1908	Launcher.exe
5664	Launcher.exe
5664	Launcher.exe
5664	Launcher.exe
5664	Launcher.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	Launcher.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	Launcher.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\nw1456_1227146480\package-lock.json	Launcher.exe
File created	C:\Program Files\nw1456_1227146480\package.json	Launcher.exe
File created	C:\Program Files\nw1456_1227146480\nw\index.html	Launcher.exe
File created	C:\Program Files\nw1456_1227146480\nw\index.js	Launcher.exe
File created	C:\Program Files\nw1456_1227146480\node_modules\.package-lock.json	Launcher.exe
File created	C:\Program Files\nw1456_1227146480\nw\background.png	Launcher.exe
File created	C:\Program Files\nw1456_1227146480\nw\fav.png	Launcher.exe
File created	C:\Program Files\nw1456_1227146480\nw\icon.icns	Launcher.exe
File created	C:\Program Files\nw1456_1227146480\nw\icon.ico	Launcher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
860	1996	WerFault.exe	116
4388	1996	WerFault.exe	116

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
4028	tasklist.exe
3660	tasklist.exe
5488	tasklist.exe
5508	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Launcher.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133528541276132754"	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	Launcher.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	mspaint.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1500	PING.EXE
5312	PING.EXE

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
1804	Launcher.exe
1804	Launcher.exe
1804	Launcher.exe
1804	Launcher.exe
1456	Launcher.exe
1456	Launcher.exe
1996	Awareness.pif
1996	Awareness.pif
1996	Awareness.pif
1996	Awareness.pif
1996	Awareness.pif
1996	Awareness.pif
1996	Awareness.pif
1996	Awareness.pif
1996	Awareness.pif
1996	Awareness.pif
1996	Awareness.pif
1996	Awareness.pif
5196	msedge.exe
5196	msedge.exe
5664	Launcher.exe
5664	Launcher.exe
5664	Launcher.exe
5664	Launcher.exe
5364	Awareness.pif
5364	Awareness.pif
5364	Awareness.pif
5364	Awareness.pif
5364	Awareness.pif
5364	Awareness.pif
5364	Awareness.pif
5364	Awareness.pif
5364	Awareness.pif
5364	Awareness.pif
5364	Awareness.pif
5364	Awareness.pif
5404	mspaint.exe
5404	mspaint.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe
Token: SeShutdownPrivilege	1456	Launcher.exe
Token: SeCreatePagefilePrivilege	1456	Launcher.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1456	Launcher.exe
1456	Launcher.exe
1996	Awareness.pif
1996	Awareness.pif
1996	Awareness.pif
5364	Awareness.pif
5364	Awareness.pif
5364	Awareness.pif

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1996	Awareness.pif
1996	Awareness.pif
1996	Awareness.pif
5364	Awareness.pif
5364	Awareness.pif
5364	Awareness.pif

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5404	mspaint.exe
5056	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1456	2336	Setup.exe	85
PID 2336 wrote to memory of 1456	2336	Setup.exe	85
PID 1456 wrote to memory of 1804	1456	Launcher.exe	87
PID 1456 wrote to memory of 1804	1456	Launcher.exe	87
PID 1804 wrote to memory of 4852	1804	Launcher.exe	89
PID 1804 wrote to memory of 4852	1804	Launcher.exe	89
PID 1456 wrote to memory of 4344	1456	Launcher.exe	93
PID 1456 wrote to memory of 4344	1456	Launcher.exe	93
PID 1456 wrote to memory of 3276	1456	Launcher.exe	90
PID 1456 wrote to memory of 3276	1456	Launcher.exe	90
PID 1456 wrote to memory of 4988	1456	Launcher.exe	92
PID 1456 wrote to memory of 4988	1456	Launcher.exe	92
PID 1456 wrote to memory of 4476	1456	Launcher.exe	94
PID 1456 wrote to memory of 4476	1456	Launcher.exe	94
PID 1456 wrote to memory of 5088	1456	Launcher.exe	97
PID 1456 wrote to memory of 5088	1456	Launcher.exe	97
PID 1456 wrote to memory of 1908	1456	Launcher.exe	104
PID 1456 wrote to memory of 1908	1456	Launcher.exe	104
PID 1456 wrote to memory of 3508	1456	Launcher.exe	103
PID 1456 wrote to memory of 3508	1456	Launcher.exe	103
PID 4476 wrote to memory of 4260	4476	Launcher.exe	107
PID 4476 wrote to memory of 4260	4476	Launcher.exe	107
PID 4260 wrote to memory of 632	4260	cmd.exe	108
PID 4260 wrote to memory of 632	4260	cmd.exe	108
PID 4260 wrote to memory of 632	4260	cmd.exe	108
PID 632 wrote to memory of 3852	632	file_k36p3c.exe	109
PID 632 wrote to memory of 3852	632	file_k36p3c.exe	109
PID 632 wrote to memory of 3852	632	file_k36p3c.exe	109
PID 3852 wrote to memory of 4028	3852	cmd.exe	112
PID 3852 wrote to memory of 4028	3852	cmd.exe	112
PID 3852 wrote to memory of 4028	3852	cmd.exe	112
PID 3852 wrote to memory of 1468	3852	cmd.exe	111
PID 3852 wrote to memory of 1468	3852	cmd.exe	111
PID 3852 wrote to memory of 1468	3852	cmd.exe	111
PID 3852 wrote to memory of 3660	3852	cmd.exe	114
PID 3852 wrote to memory of 3660	3852	cmd.exe	114
PID 3852 wrote to memory of 3660	3852	cmd.exe	114
PID 3852 wrote to memory of 4832	3852	cmd.exe	113
PID 3852 wrote to memory of 4832	3852	cmd.exe	113
PID 3852 wrote to memory of 4832	3852	cmd.exe	113
PID 3852 wrote to memory of 4668	3852	cmd.exe	119
PID 3852 wrote to memory of 4668	3852	cmd.exe	119
PID 3852 wrote to memory of 4668	3852	cmd.exe	119
PID 3852 wrote to memory of 2080	3852	cmd.exe	115
PID 3852 wrote to memory of 2080	3852	cmd.exe	115
PID 3852 wrote to memory of 2080	3852	cmd.exe	115
PID 3852 wrote to memory of 2480	3852	cmd.exe	118
PID 3852 wrote to memory of 2480	3852	cmd.exe	118
PID 3852 wrote to memory of 2480	3852	cmd.exe	118
PID 3852 wrote to memory of 1996	3852	cmd.exe	116
PID 3852 wrote to memory of 1996	3852	cmd.exe	116
PID 3852 wrote to memory of 1996	3852	cmd.exe	116
PID 3852 wrote to memory of 1500	3852	cmd.exe	117
PID 3852 wrote to memory of 1500	3852	cmd.exe	117
PID 3852 wrote to memory of 1500	3852	cmd.exe	117
PID 4080 wrote to memory of 2316	4080	msedge.exe	137
PID 4080 wrote to memory of 2316	4080	msedge.exe	137
PID 4080 wrote to memory of 5188	4080	msedge.exe	138
PID 4080 wrote to memory of 5188	4080	msedge.exe	138
PID 4080 wrote to memory of 5188	4080	msedge.exe	138
PID 4080 wrote to memory of 5188	4080	msedge.exe	138
PID 4080 wrote to memory of 5188	4080	msedge.exe	138
PID 4080 wrote to memory of 5188	4080	msedge.exe	138
PID 4080 wrote to memory of 5188	4080	msedge.exe	138

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe" /fj230ur90f90329039039093/Launcher.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe
    C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Launcher\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Launcher\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Launcher\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Launcher\User Data" --annotation=plat=Win64 --annotation=prod=Launcher --annotation=ver=1.9.0 --initial-client-data=0x290,0x294,0x298,0x28c,0x29c,0x7ffdc195b960,0x7ffdc195b970,0x7ffdc195b980
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe
      C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Launcher\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Launcher\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Launcher --annotation=ver=1.9.0 --initial-client-data=0x1b0,0x1b4,0x1b8,0x134,0x1bc,0x7ff62baada20,0x7ff62baada30,0x7ff62baada40
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4852
- - C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Launcher\User Data" --nwapp-path="C:\Program Files\nw1456_1227146480" --no-appcompat-clear --start-stack-profiler --mojo-platform-channel-handle=2000 --field-trial-handle=1944,i,17707848363302753603,3720210682540908009,262144 --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3276
- - C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Launcher\User Data" --nwapp-path="C:\Program Files\nw1456_1227146480" --no-appcompat-clear --mojo-platform-channel-handle=2272 --field-trial-handle=1944,i,17707848363302753603,3720210682540908009,262144 --variations-seed-version /prefetch:8
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4988
- - C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe" --type=gpu-process --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Launcher\User Data" --nwapp-path="C:\Program Files\nw1456_1227146480" --no-appcompat-clear --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1940 --field-trial-handle=1944,i,17707848363302753603,3720210682540908009,262144 --variations-seed-version /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4344
- - C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Launcher\User Data" --nwapp-path="C:\Program Files\nw1456_1227146480" --nwjs --extension-process --no-appcompat-clear --first-renderer-process --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\gen" --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1944,i,17707848363302753603,3720210682540908009,262144 --variations-seed-version /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\file_k36p3c.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4260
    - - C:\Users\Admin\AppData\Local\Temp\file_k36p3c.exe
        
        C:\Users\Admin\AppData\Local\Temp\file_k36p3c.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:632
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        7⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:4028
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        7⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Compound + Injection + Emotions + Worm + Participants + Richmond 1790\Awareness.pif
        7⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1790\Awareness.pif
        
        1790\Awareness.pif 1790\Q
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1476
        8⤵
        Program crash
        
        PID:860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1504
        8⤵
        Program crash
        
        PID:4388
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 localhost
        7⤵
        Runs ping.exe
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Subsequent + Controversy 1790\Q
        7⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 1790
        7⤵
        
        PID:4668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\file_wuuu1p.exe"
      4⤵
      PID:5988
    - - C:\Users\Admin\AppData\Local\Temp\file_wuuu1p.exe
        
        C:\Users\Admin\AppData\Local\Temp\file_wuuu1p.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6036
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
        6⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:5488
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        7⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:5508
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        7⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 2101
        7⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Compound + Injection + Emotions + Worm + Participants + Richmond 2101\Awareness.pif
        7⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Subsequent + Controversy 2101\Q
        7⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\2101\Awareness.pif
        
        2101\Awareness.pif 2101\Q
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5364
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 localhost
        7⤵
        Runs ping.exe
        
        PID:5312
- - C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Launcher\User Data" --nwapp-path="C:\Program Files\nw1456_1227146480" --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=1944,i,17707848363302753603,3720210682540908009,262144 --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5088
- - C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Launcher\User Data" --nwapp-path="C:\Program Files\nw1456_1227146480" --no-appcompat-clear --mojo-platform-channel-handle=4800 --field-trial-handle=1944,i,17707848363302753603,3720210682540908009,262144 --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3508
- - C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Launcher\User Data" --nwapp-path="C:\Program Files\nw1456_1227146480" --no-appcompat-clear --mojo-platform-channel-handle=4184 --field-trial-handle=1944,i,17707848363302753603,3720210682540908009,262144 --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1908
- - C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Launcher\User Data" --nwapp-path="C:\Program Files\nw1456_1227146480" --no-appcompat-clear --start-stack-profiler --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=408 --field-trial-handle=1944,i,17707848363302753603,3720210682540908009,262144 --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1996 -ip 1996
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1996 -ip 1996
1⤵
PID:4012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultbd4b7c9dhac45h43c7hb004h2860f75f092d
1⤵
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffdaf1c46f8,0x7ffdaf1c4708,0x7ffdaf1c4718
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,14676628938047806841,9182845910934685634,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,14676628938047806841,9182845910934685634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,14676628938047806841,9182845910934685634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:5244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5504

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\InvokePublish.jfif" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:5500

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nw1456_1227146480\nw\fav.png

Filesize
248KB

MD5
3faf439a6cd9d9a9fa9f8aeb85cd0f05

SHA1
2af297f14c4a0d9ade6663d6eecb8fa051ea85f8

SHA256
a04a437646dc6d3ca3f6563384c0ed1a14364ce502df8fe75d6200cb53d229e0

SHA512
2b9bacb4039f967871af6fe772245e1f83f584ef17e49345eb4f000d49a4ba8c9ee3d154e61713687861775ab5e5496959b58b606edad4e489d2444c487db971

Download Submit
C:\Program Files\nw1456_1227146480\package.json

Filesize
554B

MD5
fef3c629b4988e5756d334f251e96748

SHA1
02ec04f252e2a00de7f991c212847b533a1c1165

SHA256
b94cbaf6c5e5c6f2222852305bca0013619f49ec1cee54e5cf4f84266d1eb13e

SHA512
8f488a4a40c1ee7103c30ba1c1b17fb43d7fdd01dc98f81008d16cc2ffb8fa419985d212d4a00e50e4d470d27c1438af3861c70b23ac4f191a7ffd2b96d2245a

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Crashpad\settings.dat

Filesize
40B

MD5
27b3a29d84770e686b3b64bd82cb9da6

SHA1
d541459bcc77fa094140bbdc65ac7ea0a562015e

SHA256
dbd367eda0bf3e2a929c7df22ffbbb611ffbd204442fadb40bed23c465bb3d25

SHA512
206faf3501c87bbbce497ca075400febbcc5e9038a2fd348efb79e06970c78e9011498ef307a4425e82b6ef5a97b1bf8b02bfd98e114db764794c0af5672ce2a

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\55753d18-b3cf-430f-987b-8dd3fe46003b.tmp

Filesize
148KB

MD5
728fe78292f104659fea5fc90570cc75

SHA1
11b623f76f31ec773b79cdb74869acb08c4052cb

SHA256
d98e226bea7a9c56bfdfab3c484a8e6a0fb173519c43216d3a1115415b166d20

SHA512
91e81b91b29d613fdde24b010b1724be74f3bae1d2fb4faa2c015178248ed6a0405e2b222f4a557a6b895663c159f0bf0dc6d64d21259299e36f53d95d7067aa

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Network\Network Persistent State

Filesize
883B

MD5
cafd6da2da1ca77d6911c37332684def

SHA1
6d96c5bcc2d79cb189dc20f6eb9def21631a1aea

SHA256
156413482ae45ce1845d8c6bf986d8fd080f035423c4f7db70d5ba7098de995c

SHA512
66ee70d30f64ed60d08ab67fe89e478adb5d56b43c6360758a4cb7de1bfe94f41f018d91508dc6fc894404ebf9d95b30b9ae633e26b220192c1ebb23190728ba

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Network\Network Persistent State~RFe587961.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Network\TransportSecurity

Filesize
355B

MD5
264db70a4a4eb74544c2df59b0da0976

SHA1
d6d666590b905c869f26566b7583f5485b7c4879

SHA256
01fdf53feb4666a4784faeccb000c793a51272c4bbb53169e7924719733c102a

SHA512
51d7e4b0a27a1b8ccc7fe810edcec572a4e59c2cef099787f19b732cd8782aa6740df8203b4c37642a74696d2c866fdf32bab665bae6a48dbd18172d6a21b05b

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Network\TransportSecurity~RFe58847d.TMP

Filesize
355B

MD5
bdf54d84acd24beaf941bd63c7e209b1

SHA1
aaf8f7fb05d0e73241339255083858e1635d34c7

SHA256
76b8964434519428460c716a4369283ecd09c39aa84c83573236423d716b5a9d

SHA512
78268a2efd64bcbe2823af7b6fb5849d22d1937e4e28fc0e8e14604bcbadd17bbf6dbc9cfa36468d67415ffb00338afe65b9922ab89e091d68cd162f2ff97bd5

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Preferences

Filesize
5KB

MD5
ec55946d08620536a7a4a1a580cb77d5

SHA1
59088ccc447b193d63b346ce4745ec429db95870

SHA256
e4839717bc2cdc8ca6583a7789b8bb779c62e1ecfaafa4ac8b6ec5130a5a1f39

SHA512
3b822081cd45df966cd80c09ffcf6efacacecf3dad23b9f8fe60ef0ae4fd04dd1bf5a86f714aa6aee8d6e06ea7765ab95005cc2ca1868fa1211030189b6c4167

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Preferences

Filesize
5KB

MD5
152b6a872bca765f63b3559024d2ae84

SHA1
0372f9cedb141745baf385c8f91fe7a40dfed2d8

SHA256
5312c1da7f31bf926408e12af69655170bb5d420d7d62014c47bb6dc63165349

SHA512
3ac7a01bcbe8521d794eb492d26c1cc97c316534a5cfbd88ec747991d415923883c44559bd20c35dba635fdd0868b7b47ac927cc649f5c19b4cd44affd539706

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Preferences

Filesize
5KB

MD5
2ee21696792484c67a2b6b452854575f

SHA1
84be242d1a4eba2aa280de69d130174803613d81

SHA256
987436498fca003ea8264445e2d57b29fe84b4ad2c3273cc647c27789dc76741

SHA512
529a74f7f351e770cd85475b6f84021bda79062b43f15288092ea436c9ef1c00a7beb51707695e64cef5e1d9c926afaa2c052a97edd40e2b6fe4232efbc1fea1

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Preferences

Filesize
5KB

MD5
3b95675a66151f8bfd5f695da1d483bb

SHA1
c0ca49ccb876913329bedbde8e441f3c84be669a

SHA256
7154e40b58e84f0e30c3faa824f352796fd031e918651890d2da0e5a827c8f8c

SHA512
37f5d92e15d192993de4f37c20dc53d7a0386f45c2da2ddfed50174b98043f8d2c42d0ec0f3d004e8c787a3bd04b7c7e488b6f83ac2bf516303dfad303362e4c

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Preferences

Filesize
5KB

MD5
4a166f2474981d4067015bb91036668b

SHA1
3a13272a3aea972e2d2799676685e19157e1cfce

SHA256
1cdef53c52223b858427bdf77060af3f49ee9d9e3503fb18aebfa68b57b59918

SHA512
cf3ff82ef5bec16be95c3b25c1db44572f3064f6f06255ec251f2b8f20ce579cdc75199733bfe7550e18c55ba85ce35e3b20421b971cc449ee6c1785642cb27c

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Preferences

Filesize
5KB

MD5
b7a9488a332d27712058f5790450788d

SHA1
1a2d7505fdea33b2ac9892147dc6d8cc1e1b6318

SHA256
ca89a14830eeb9d2eb2188e3ad57fab4d0c78da9dddda4aa9359f3e4c84eb09f

SHA512
d1c038a237106df9f9ec821310739b94c10a8dc9d07151fbfbb61328607d9eac90d3a2db445fa4879b1b7d53ed3346cffb086146bfd475b48e0da2c06aa6aa4d

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Preferences

Filesize
5KB

MD5
f657d55a95243d8f6203d26573cb6b90

SHA1
7102798bc60251186d83d6c9e364d2e8ee7aefb7

SHA256
0762a1d285f283b5afb0d080ceb0340cccc7114f794240c01cee36516df205f8

SHA512
f31d0072d36a626e5584a8442f3e4c5dc400aec1d1c6d91c6869709ea4765aad24e58ad7443a13866a2b86b47413032d2f7907fa83b67908e167f8553f482582

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Preferences

Filesize
4KB

MD5
0f7e1535a7cdd573bb9537cf5fe3a52d

SHA1
46c845262716d2861bbd91ea10131a44e1b0a10d

SHA256
90a56c8dc2a6fbeb4cb5c7c69de85bbb98c23053cc7383bdf938cbd6d6df7572

SHA512
ff8b661fa8ab0c138cfb210fcd509afce75fb0475b6626386c98cee1c07f9f1d36c38bfbc508ccf0713b026c5bae8528afae61a20fd647fb7d1b32ef71121785

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Preferences

Filesize
4KB

MD5
89d245a8124074c60b8d11e430527664

SHA1
14b48420a0f1f99d762931fb1e9e01bdbb3a3764

SHA256
1150675d82a9724a9303e653a9cf222c18ad6288d66912081be3068d7b822508

SHA512
d128aa76e24eab818bc66d0b5a2d7017aefb3a330685ed6045a8028a16d0eda68eb14d0d2fa52797204d209bc5c1aaa5e865e74d625aa2ea8f5642d9a08ec1dd

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Preferences

Filesize
5KB

MD5
2cbbb706a539a0d4d7280136d1d5d443

SHA1
c5c16faac80bc939a31e186fdcc455ed7986f4da

SHA256
4fef6c088fbcae9fcca7724ff6b586da62b429d8a3c4272483ac3e74e4fe3e6b

SHA512
e0459290a3bb7e7c425c97bcb0bcdc69b7b31ffb61aa8a5d138822007bf13eaa0458e7214591a6573d8b917fc322eea75ca0464973ca072c6dcc1744b12218cc

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Preferences

Filesize
4KB

MD5
4ba95a22e504fbef4d638cbbbbbafd3b

SHA1
399543f34867253da911134d873af4057872e810

SHA256
c49b5f96a8585b64dff38a95841c0470937fc25e63fc258b08971c474d801b1e

SHA512
c4c951884aaf20403c1a09a8c70e6ae9c43f6884ff91ed20f90668149557ce21f86309daf4a74760d23026ef6ac4b5c8eb621d03e0a87a4bd7d7608f1468bf22

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Preferences

Filesize
4KB

MD5
5a60eacc40b50cc510e2c8ef17d2b502

SHA1
722409a639b094e59dfe07c35ca0be4573ae2a8f

SHA256
a3ff2fe972ad434d078b03fc3a444f7dd888a1bbb370841216598e71ddd0428b

SHA512
26b79af70b75d82cfabbf3a38a440212fdd3f74abbf9f08bb4f58e474431e2e1fec6fdbc30378188b188e7df1779fe5a918aa97703584d9f7b5f7564ae4dd706

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Preferences~RFe57b0f1.TMP

Filesize
4KB

MD5
1d3366a6c7e79be0462fe1ebe4c650c3

SHA1
df063a470f931fb7fbf3bfa22549ef58b2141d89

SHA256
8120f60f5e255297dc5fa44ff024f26040a628faea9c39775d4ee8ae8369f97e

SHA512
bdd2a824e80c14d1023535877b79f1a517f1894e02c60e985307ded960d4818feba5df12abf0a352a56b75ec5a93591c8f7071564bb56dcdd7873aa9fbece8c4

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Sync Data\LevelDB\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Local State

Filesize
2KB

MD5
ea630df692f6676f0876a0fc92f55fe2

SHA1
1cc0c1315b2fe4d255675531032e77ad6eb1590b

SHA256
f2e247f99a53b537e395ad740094dae79eaee7d23dbf6cd4a89e4f6d4eb2b6fd

SHA512
3161c6eef90d424a03d58f9209516b2a1d015bf6c84ac994a87c81afd5d68642b67c6b097adc0a203568524fc777082beadadb34b6436bf01609c1bc3eea7881

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Local State~RFe5785ca.TMP

Filesize
867B

MD5
5eaab213a76ae732452f01e9c334e609

SHA1
e5f1db0d13d4514f75d19c4ec76bd94c5e3ed734

SHA256
567f168a16541aedb1c906d599dc1ab70c6faa6d77174c0ee366c7de23cb8f05

SHA512
a94a9dec361a8230550692aa7763deb822cf036bcc9772c9ec8547f47378e810acefe19db74bdee31fc654f4a890cb2a05f2d7da0f2ddcdfc6f1b0d8dd6cdec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e71d66ce903fcba6050e4b99b624fa7

SHA1
139d274762405b422eab698da8cc85f405922de5

SHA256
53b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3

SHA512
17e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a7e24b2f789010566a012e20015f4dab

SHA1
762dc0384c8d45d9ad96405ade40f6f5b1478036

SHA256
b23d1d39b87c8c637abe6d7fc5a5c9bf248ac03768a0f4995afac4030ab188a5

SHA512
3b0c38d457e150ad99a8eb9d825e75865680c1268451a664150d6bf8f8b2f869ec3b4a20bb9d27657900832824ee8c1c1fc6b22510d7a2ec235d8668953131bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
78aa825825eb01897cd69b28ea7dd292

SHA1
a5102886b8ec9bd0856a401ca31f54e86a63fc63

SHA256
3b2309c7e84ca2cbb7365b0dc427e2b0b579187ab69561afa1cebad5bf891eee

SHA512
2b2afef68cc24d6b91179103346e6f0465b57dd0832230c14509b45213ba467813db158cfa41f59b632c336a4dc47e9cde092eb47d612a8ff0d4f7d24bd2a73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Compound

Filesize
277KB

MD5
2ec41cd75e4e41ee8c1b1e0b9d31c7e4

SHA1
1ae820229667223c05471140f04486174f818306

SHA256
703e01cdb77a38db64afbcc43b8567a808dd0e5702eab102e16364437ceb2420

SHA512
46ea1d8606dedad2acd591c7591956925065952465423f1f77431e5b55de2955fe5db8ab8a46d92ef5ca0458e09a0dfa99461d6c849c0818f28d3863b358649d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Subsequent

Filesize
426KB

MD5
c42dc09d03678e36fcd19b13b8f8e502

SHA1
be31c2f6e43f87a56eeea107ca20822f5d2b6c52

SHA256
4e84c8cea810d1466db293cb934b60e10067d34c851a2eff44894c60681810f0

SHA512
fd5028a518bbdfaddf75e6d2ce10956bd573535ab3f4f17aad11062711b10259c1983a2627ce283c49ee768148e993f4f0453304f8b0b2461e9c0c5b6ac29ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\D3DCompiler_47.dll

Filesize
2.8MB

MD5
c58eff24437d08a6175ab2b07f43d799

SHA1
d53aa188f56ded042d42333235b94d8083acddb2

SHA256
fc334bde0876835175c096937be25a71aa2b8b98ab3abb71cdbaf1a874a9893f

SHA512
8c992316e84a5c5cff36dc410f40889ecd7be20db824cb0dc53401e02a729a1407ecc4425d243f5262be327a6958912cd270a5b2753d3db24c2c599dee78b342

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe

Filesize
2.5MB

MD5
2784b288057106a5e08f16377339d4ad

SHA1
62a5705f96a2665519a7940fb309745b791e98b6

SHA256
6f7833e864e20b2fa1ef454fc60590b7f246fe4a81f22c35dee247c7d8df03e6

SHA512
663e06957d3de5dcdad6559391d733c350efffdb85363ec00943bf0ff07fef61fde164b71c4f9bd5f2e8d0570f85a1734c03c53e9ad85f4b55ac7628b5664331

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe

Filesize
768KB

MD5
9533c12c8511065c80bc0fe0ea7c7ebe

SHA1
980f8681b5c527734889f522d03dc049c6db5f3a

SHA256
4a04582fcabfd6b7f01d5bbd1d55a4b08b694f355038007238a00c1587f439b0

SHA512
f66c9ccab8ed38f7045372ed1e045b72783f6d045a89291eb0cf5762e5533f3176be4b2e970f11d24ac6d10711ebf65b6f212f7f22724a7466ff5f3f277190eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe

Filesize
2.3MB

MD5
57d1139802cbdf905104e7b4f61ae504

SHA1
b01ffc019c78d0b108104f239b2bb60388d9515f

SHA256
aefabcf95ea350d53a181e2424d2f06f8a7080a4d4534695334e8b4accf959bc

SHA512
038562303522d8a6eee5b6f460fe4ccf6f9f721d05a0b976fcc7bbc31c0ffedadff430d763f023984c9213caa9181a3c4a8062b6924daf8b87a70f6a1efdfce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe

Filesize
2.3MB

MD5
2f6ba819df0ceebdd5f7945559f5cb26

SHA1
3ee043ea2fb21a140a06ab9dd812f4dc59bd4f1c

SHA256
d12f9435a570da446649ad1c582b88302bd3086d0a0152e479e7801c4e0ca7ee

SHA512
baacffa6202cdcbe08e51d36ffbc39491ef24ff0746792d6d6c052fa8cad14a7cb4dc349705e9a9b2a2460d2a87a4ad66f96918610c5327e02cb6d045a996e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe

Filesize
2.1MB

MD5
6bfd05330a48cc23885ba47c8766973f

SHA1
61cd6ae93b6da8f04b16184f2dae8d9b9d307a66

SHA256
b71eb6aa3564b92c8e4163d7384cb47ed99ea9d3409fa08494eb9619638a704a

SHA512
79fef9a0961c2b0f313c73255c531cdc4d54cf8b3426c59ab5f9655743f5e2db10ca44b752848ab3c84a1424f5fb2954f00411e8ef4d5f9a8256fe51c2f83f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\d3dcompiler_47.dll

Filesize
3.7MB

MD5
9264548ecf9f42e07f1a163a4336c526

SHA1
26969a030c4f947db9438e3a8d11b8045edb9b72

SHA256
b4b6a90f3823c31f2e5acc641284d11ccd50dc6ea05c8954ad21239a13e5290e

SHA512
63b54177a08bfc551857a6818870e9fe11fce3f218a4cdf8bf07e67266bef8089af38bc83a5f4a45a2de1a5f8217069ae3be4d5639b1e6430ee2047ed947c7a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\ffmpeg.dll

Filesize
1.3MB

MD5
b6c5a9ce27da31ea0be1c4fff9914321

SHA1
af864d04dca4fcc2036d76ddb0dfc621550d44c6

SHA256
0c117aa2e2e9f36a0673e46d1bcd1fee2baa119ede83a14c1be5c1c524f0f410

SHA512
d4dc34255d07d78a0cd188b5bdda773eb1e590872e4e4ebc4c6319c3937b881f3cbb4f432a6ea7d6115c85b064f1102a9e3c4c0a82f5b31e79aceda218dc79ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\ffmpeg.dll

Filesize
128KB

MD5
4d1b92a3e41a5a9e4edbbd9c2d21c0be

SHA1
d66a16b82f90c1ecbd2afba49fce1ceee5d95064

SHA256
778fca5c8f83c74544aac0abcf4140e74df657bb59115a8d42aadfead7d031f5

SHA512
8dbf21faf595858d949b7c4cf224a4945b019bebf8b7110470de8e6037f6db9718124ffd031a844fa84a9cfe57eb500fc1add7511c150eafdb8a6169371fc04f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\ffmpeg.dll

Filesize
1.9MB

MD5
8fb19b8e58a567a27619a91b99ad8bca

SHA1
9f24a832705ea853b4c0cfe9f2100f42aacbd0bd

SHA256
424a34741ce0e5104df6d33ea16633c018af5f3a7396734218d1a6eb4f70b1c4

SHA512
b0415aa5728d39efb01d3e0cb082bbd4f42ff1284447ad89f85604e7ebc6da2bf479af7d326282920c543f351e856c5e3b1a97e2fe6c3bcf198e619165f3be5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\icudtl.dat

Filesize
2.6MB

MD5
7775cbd853ec478fd53587b3fc13b1d9

SHA1
d18b8a783b9996328c6698aaecb656b4640cde5e

SHA256
5378b19d0824f00d7af0b329001020290bbdc7fa9097667607e8aab5353e19bc

SHA512
b67cc4d843cb0e4e23f58946c4ccd91826e99f1cf00f9cb6123e575c0bbb07bb95993ba2b8b52ebd4140334bb8eb7513fde6b7ee7b25b65d412ed5d48b9521b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\libEGL.dll

Filesize
444KB

MD5
8aa1a64d7094509196fcb4a72d608213

SHA1
e7ab1c7ca53581578ae56dc0211773ac780a4f91

SHA256
15e7eafcfe14bd255c21360de3d019cfa5852bd059c36779c351c0592dc841f6

SHA512
a915759817f6a84dd061f45415e6fa9b00d7060095360257763342d59252525de4c04956e2e15e23fc3465074d1e719a0d988f6798aa38ba3471b8e38aa70200

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\libGLESv2.dll

Filesize
2.9MB

MD5
856b51f2406d210b3052c7d884a722f5

SHA1
3bd12acbcf87b61d92726c3911c533105aeeb253

SHA256
bc11f72048760b4a9a84aa0c54a9ba2df11624ad12db9e02365c9c7d8327c7cf

SHA512
29df7c343f066ac18b6d7c5f48f24a5f467ae121da2703869b470b0a4b69bee5599c642961fe577a9cdf71b844bff431fd8510fa94e0d23b195157fdf9022fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\libglesv2.dll

Filesize
2.8MB

MD5
c589ef05b2b61708884a5126042a9502

SHA1
e87e66db90f1b7ce82edfd5592136bc56947b824

SHA256
5c6b9bda34e00aed1dcdbc912dd4f0fc1a4b9eb02dbbffe569a661d01efe1d8f

SHA512
cfa2aaca478d63985ccca264bfa0ac4274591c070fbd746f6182459c430b7f90ba2b238a112f4a9e6b99e3503761d3d0764669fbe66c5a22803088fd321ae7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\locales\ar-XB.pak.info

Filesize
1015KB

MD5
edaef65b3082ac1502e46a7efe9a7260

SHA1
80fd9d68b4a0af62ef7f53d58ee9fb3ef1ef32c4

SHA256
7f8d7ac684642fb44625b0e32c0d8d20df0f661db616b157be04dfec918416eb

SHA512
3564bd96293d4a07c15d2ddd50abb531aea0a62cd4e0a8e70b60c7ef015b6e11f8221f353b668b0670938299770cf3607303075fc5f34bb73f9abbd48f666726

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\locales\en-US.pak

Filesize
448KB

MD5
09a27daab8ed231994af216a98a73b85

SHA1
c2211a4cdc878c7685f30454bf9742b68025d22a

SHA256
b8a8ee9f3dd6946649beb4f3ff96889bc010aec561678903316cfb26d7819479

SHA512
40016c3fe93989936cd63ed1e20da403f9b19f712efc31b65d485f06daa7df41ba86da76ca0ea04db2932cb4ef928ff2ab70aedc839a8ce472b83a92ac298e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\node.dll

Filesize
1.8MB

MD5
26274988d01acde87a44ed61b34bdf34

SHA1
b9c965ef356815cb4e3bb418282654d708bc4d07

SHA256
fe8fdb104a5900595fdfa3b8aa78e0023dd53793e46027412e6c9fe08d19bb36

SHA512
851f78a8afa1e51df358b7fbdd4a59b64da570085fdd7ebb79f66afc3a7dae70265698a468181afd3ce1f9551e0996a2d67563353e7dc82770032b8bcb55a814

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\node.dll

Filesize
1.5MB

MD5
d7bbf3e8c4d223234cf054ba61838865

SHA1
f83dab14eae23d110239dff48fc1d3f7b7133d92

SHA256
13808f699605798f185af99c12c3063ce67c9ebb7e5084b38c2b0a2564a76a6e

SHA512
79a57b9445276866d60a72afa8a53ca83f8853cf1f777e8e815d2ac32432f9ced802a34bac012e7274586f62dc4fa5eb95c8cbdd0ddcde409611e9e9e30b5ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw.dll

Filesize
18.6MB

MD5
d0ef893b7be31e2d1b968f10ab53694e

SHA1
7474bc830902a49261e6834a9dd7ba2a184efafa

SHA256
9c567187c0b411e84544a53fca8ebc65228dd035adec1b98f1354fbd26ced65f

SHA512
05df94c79eea3a45f99eee211b665cd7f416712b403a81b8769b93166c12d2f3fae537131124b613eed627d3e6a17a64f17b693ce688ab7e5bed2dbda7d473c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw.dll

Filesize
1.4MB

MD5
73d66ba39324838ea477ed9256dcc5fb

SHA1
f2420ae5901225244e3cd192df86e7ae612a310e

SHA256
5ff1f0ae1095870fac15412d652526cdd9f54eb43bad7f792be173d9bc7ea69f

SHA512
1efe786c62909413b3bd99b785a2d180af2f16b6a11bcf8803837a8c86723236e18c9a9149292b25baf48b0e8f0aa2ddf872a1f06c7c6d7fdd008d2e51451b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw.dll

Filesize
2.9MB

MD5
1479aac901ce96b67111a18a1b5163b1

SHA1
31abc6df3b946410fc6c006a831b213bdc65839c

SHA256
50d839ccdb1003b64b5d3f1ee44477eaabab469097c4707347afe6c4952fdc93

SHA512
42e75cb4e962a6cc26d0ddec9c92a668e161bd3b349d0aa3f3cb11e257d262aec6f7107cced6c6d280353ef17c3dfac7c468bbfa563f468f42be49c0b13f5b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw.dll

Filesize
1.8MB

MD5
9bc58e48c6f9e8a60478d3f39d489905

SHA1
f329a19c5618e8004005514bb62589d8b0096abe

SHA256
14f5227a5223aef7ee7bd58b70a406a9280b4fd4b5e24fcde43c70320f84e199

SHA512
655404f1aab3c8eee4ee28d1da413b958e180eb3be33dacd1e041a9c7c19271ad313777df15af064b4973ce01e48a4694aa961ac73cbaeb33784ecdd679d15b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw.dll

Filesize
2.2MB

MD5
8455adc7e6ebcf935e92ec6f95fc0be3

SHA1
0d86ba9fe23b0c3f9f738c091473b2aa39463cf5

SHA256
4090894840201612ef9806f0b579c875eb8d9fd8e8f61e5a8002cb11bc8cad11

SHA512
97652d2654e9f2547707e1c1f7825f544ee0a295b6143042082af83f226e344f84eaf9a30d07c7359a910d775c8868b367f140ddb2eff3f1150f5597a22ce5a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw.dll

Filesize
2.0MB

MD5
d2479327e0b78e576f430955604f227a

SHA1
a9c4dfcd3504a02af5ed550a749e4cad1692321d

SHA256
d0447e78eee79be1fc2c599b0399af15a609d04b96c9ebdfe0c0c80ac72e783b

SHA512
d332e4eeaf87ad895cdf9204c6864acac20c91d57947e94006418f488a84ae3f058793983d18bdf9c10c554dab60977026102ecd8ee69002cb4de8682d80f870

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw.dll

Filesize
9.5MB

MD5
763e5cb0e71411dcea9ebf3dbb7a9ca2

SHA1
0538bedfadadae7f916e5574736572da24142443

SHA256
fbed220d96f13adbb5e56a419de6edaada6afb5a39b9daa8b6c8371b11d99afc

SHA512
a2e8378aeefc4ba920429eb578b42babe458dd6fa2fd75314571c9e86a2456abcf48644fdecedc008da05690637c1c13520cb5f6d8fc85299ece44ccc8f63c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw.dll

Filesize
3.6MB

MD5
060edefaf5ca99f0e402c5b86f8b3ce5

SHA1
63bb4d5935e268049e6060e0167a7b8a673b635d

SHA256
71fef3cf64c2389de0e476114f0fa564a9b0c0a80c513f11ca99872f57396707

SHA512
fc4ffb3edf46a2dc927957e0e0e613392acd5cd1a0195de610b2961368186f1f40e2f1d09a63df35610fe9639e3ae3e71ade70e0fab45b08b816069cd0137f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw.dll

Filesize
4.1MB

MD5
f3572ab94cf3f2d8b8cbf750679e5360

SHA1
db9a3506246c5324ada0c39d44812c1088ed5b89

SHA256
014c17b4bb6606bbe8a2b849a09228b2598c542b1c7e06ff651e54bdf7d8c81c

SHA512
f5faf2374333eb01eeb07c9c40b531435bcf7e188db8fbf322fafed02a288ab4bc027c25a592eb1b0f02484137b88430e8c9bdc4cadcad6700df7a5f295deef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw_100_percent.pak

Filesize
718KB

MD5
2f1c41cd4f8d630e965c83608aeb8dd1

SHA1
877ee7e4190967d69c6ebf9c6a52327ec10dffae

SHA256
a476dbd7731b7db5a771445cb9cd8a838dc706d8986f9e1da3d81fac59cbeb1d

SHA512
1780bbeece915ff4d959b13dce849ad608301eab7b299bc8fad9251c2ca392b6833ceece30256ed607b4b5e12dbb7b5e0d247b711901c628b180497eed872239

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw_200_percent.pak

Filesize
1.0MB

MD5
700774b8661621c44437ddbc8cb2ec04

SHA1
47bf0f010008b30c19039fe6e360c6866dae7c4d

SHA256
b5e62133ffb3827d75d74d5e23326c9827ea931b693a5e09554809eb4240d63a

SHA512
a7c80a80931bf4cf1ff02ad1a6b6e662171fe3add5d6a120e66d92e242757ef18aa30238d0e821ef9dd89f3aac8024eaeac8a79731a33d214dfade0a79740ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw_elf.dll

Filesize
1.1MB

MD5
98acbb1ba1112cfa4da907558ea7cc0e

SHA1
9e041b920a7a9e9bc0aea6fc7709deb67eecf7ef

SHA256
0c57bc73ca823aef5dbb3785cdb343dec62854f80e811df16ac71ba88a039a5f

SHA512
a4845ccf34b534d5ff336a909b66f8cd4f48c151540197ebf63242a83c02a4f5a9f992a7975de44ca0f66e810e302a37f331d4bd26afff5088f2c44df517ac86

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\resources.pak

Filesize
2.6MB

MD5
91168bb47f9914ad6fad9149f22cc233

SHA1
7c24765920921d94d695efa3e5db270076a8a415

SHA256
17c9cb1b1ff3e96a3019522167bb12cdb662c63c985644575c3f27d4f5b3b0a9

SHA512
e30d4e9231aa3dc80d9bd141bc228caad0a27caee1b26f2f7057dcf7ebd2d5370f61bc81737a490ac4a910430fb6717ffa89cabc5c5a2b2e93c485f7d7ef761f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\v8_context_snapshot.bin

Filesize
669KB

MD5
c0e7602b0c7d5de0be5e83c20591f941

SHA1
838d2038682db7008f6a2776026cd6085db9ff3d

SHA256
345726227a3d92f5e2f87fbdea70385690b38f8d181c902254845021093c5697

SHA512
7d2ff90ebb6b051fdb050495cf5f3d353f4f14e1d5777d7d181ddb70cdd3ea4f633364fa5a0e2e2ff8c9a5a2de636160e0612a7f45fc65882114caab53ea0cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\vk_swiftshader.dll

Filesize
1.9MB

MD5
938bb72d6f5dd875d93de35b185f7b42

SHA1
cca534c4af988a67cdb51261f8daf905eae9fff2

SHA256
2e89228c3b7a7510f269ac056e142ba3ce9fd5d04f6c0f7892e67d447e9a5bd3

SHA512
9f68b3a4409a59d9a52ee2803312974ba9ce9b42e818305b614f3b4878f513ce8952ba2b90f85f63d89c700916703307f304803e61de35de0fc112f40bb4f898

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\vk_swiftshader.dll

Filesize
1.6MB

MD5
4c4dc34e2f9e2b5eb91be4f3b1b482db

SHA1
f629dac3d1ae8ba95458a0c02f2b4ecbc4a7c4b6

SHA256
44086bf3768ffe3ceba6daa8a0c5ddf43fa9bd71e123817f8490e9de36c4df7e

SHA512
7aaff72f97b1f54632118df158959a0558b91a5101c53dd671085572d17bf4adfc1069b0fd80f247b9e62ae47ac4339e8fc9af179e22fb6cce7a888e4b043ac8

Download Submit
memory/1996-558-0x00000000770F1000-0x0000000077211000-memory.dmp

Filesize
1.1MB

Download
memory/1996-584-0x0000000000280000-0x00000000002F3000-memory.dmp

Filesize
460KB

Download
memory/1996-582-0x0000000000280000-0x00000000002F3000-memory.dmp

Filesize
460KB

Download
memory/1996-581-0x0000000000280000-0x00000000002F3000-memory.dmp

Filesize
460KB

Download
memory/1996-578-0x0000000001660000-0x0000000001661000-memory.dmp

Filesize
4KB

Download
memory/1996-579-0x0000000000280000-0x00000000002F3000-memory.dmp

Filesize
460KB

Download
memory/1996-580-0x0000000000280000-0x00000000002F3000-memory.dmp

Filesize
460KB

Download
memory/1996-583-0x0000000000280000-0x00000000002F3000-memory.dmp

Filesize
460KB

Download
memory/5500-801-0x0000029E7AE80000-0x0000029E7AE81000-memory.dmp

Filesize
4KB

Download
memory/5500-802-0x0000029E7AF10000-0x0000029E7AF11000-memory.dmp

Filesize
4KB

Download
memory/5500-799-0x0000029E7AE80000-0x0000029E7AE81000-memory.dmp

Filesize
4KB

Download
memory/5500-797-0x0000029E7AE00000-0x0000029E7AE01000-memory.dmp

Filesize
4KB

Download
memory/5500-790-0x0000029E721B0000-0x0000029E721C0000-memory.dmp

Filesize
64KB

Download
memory/5500-786-0x0000029E72170000-0x0000029E72180000-memory.dmp

Filesize
64KB

Download
memory/5500-803-0x0000029E7AF10000-0x0000029E7AF11000-memory.dmp

Filesize
4KB

Download
memory/5500-804-0x0000029E7AF20000-0x0000029E7AF21000-memory.dmp

Filesize
4KB

Download
memory/5500-805-0x0000029E7AF20000-0x0000029E7AF21000-memory.dmp

Filesize
4KB

Download
memory/5664-711-0x000001EBBC3F0000-0x000001EBBC3F1000-memory.dmp

Filesize
4KB

Download
memory/5664-717-0x000001EBBC3F0000-0x000001EBBC3F1000-memory.dmp

Filesize
4KB

Download
memory/5664-716-0x000001EBBC3F0000-0x000001EBBC3F1000-memory.dmp

Filesize
4KB

Download
memory/5664-715-0x000001EBBC3F0000-0x000001EBBC3F1000-memory.dmp

Filesize
4KB

Download
memory/5664-714-0x000001EBBC3F0000-0x000001EBBC3F1000-memory.dmp

Filesize
4KB

Download
memory/5664-712-0x000001EBBC3F0000-0x000001EBBC3F1000-memory.dmp

Filesize
4KB

Download
memory/5664-713-0x000001EBBC3F0000-0x000001EBBC3F1000-memory.dmp

Filesize
4KB

Download
memory/5664-707-0x000001EBBC3F0000-0x000001EBBC3F1000-memory.dmp

Filesize
4KB

Download
memory/5664-706-0x000001EBBC3F0000-0x000001EBBC3F1000-memory.dmp

Filesize
4KB

Download
memory/5664-705-0x000001EBBC3F0000-0x000001EBBC3F1000-memory.dmp

Filesize
4KB

Download