observer | 13dcfc1aa528addb278f703cd8fc7b0aaf8cbeb8242bdd0a070401099de854f2

Analysis

max time kernel
102s
max time network
103s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
19/02/2024, 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

99.7MB
MD5

3d54a88bea517fb58ecb46f3d7f94777
SHA1

b51360050b9785d01484d3d7b5c9796f98a8a0d1
SHA256

13dcfc1aa528addb278f703cd8fc7b0aaf8cbeb8242bdd0a070401099de854f2
SHA512

92c68b0b329b80ef892ffa838dd94e6c9d10e48e0e6f8840b9933b777bfa50cf5ed1c0ddea2c74a3c27d05310087a33ebfcaa6d8df71e8cdce46eab703d4299a
SSDEEP

3145728:qbzHAlMRvSvTXKX5U1LAcHbBlpmDHxc20Z/s:iTAmcLXKsxr2R4Z0

Score

10^/10

observer stealer

Malware Config

Extracted

Family

observer

http://5.42.66.25:3000

Signatures

Observer
Observer is an infostealer written in C++.
stealer observer
Downloads MZ/PE file

Executes dropped EXE 11 IoCs

pid	Process
4432	Launcher.exe
3288	Launcher.exe
4604	Launcher.exe
248	Launcher.exe
132	Launcher.exe
5040	Launcher.exe
1456	Launcher.exe
4108	file_2fp2wc.exe
2376	Awareness.pif
3512	Launcher.exe
2172	Launcher.exe

Loads dropped DLL 30 IoCs

pid	Process
4432	Launcher.exe
4432	Launcher.exe
4432	Launcher.exe
3288	Launcher.exe
4604	Launcher.exe
4604	Launcher.exe
4604	Launcher.exe
248	Launcher.exe
248	Launcher.exe
132	Launcher.exe
248	Launcher.exe
132	Launcher.exe
132	Launcher.exe
4604	Launcher.exe
4604	Launcher.exe
4604	Launcher.exe
4604	Launcher.exe
5040	Launcher.exe
5040	Launcher.exe
5040	Launcher.exe
5040	Launcher.exe
1456	Launcher.exe
1456	Launcher.exe
1456	Launcher.exe
3512	Launcher.exe
2172	Launcher.exe
2172	Launcher.exe
2172	Launcher.exe
3512	Launcher.exe
3512	Launcher.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\nw4432_99398605\nw\background.png	Launcher.exe
File created	C:\Windows\SystemTemp\nw4432_99398605\nw\fav.png	Launcher.exe
File created	C:\Windows\SystemTemp\nw4432_99398605\nw\index.js	Launcher.exe
File opened for modification	C:\Windows\SystemTemp	Launcher.exe
File created	C:\Windows\SystemTemp\nw4432_99398605\package-lock.json	Launcher.exe
File created	C:\Windows\SystemTemp\nw4432_99398605\package.json	Launcher.exe
File created	C:\Windows\SystemTemp\nw4432_99398605\node_modules\.package-lock.json	Launcher.exe
File created	C:\Windows\SystemTemp\nw4432_99398605\nw\icon.icns	Launcher.exe
File created	C:\Windows\SystemTemp\nw4432_99398605\nw\icon.ico	Launcher.exe
File created	C:\Windows\SystemTemp\nw4432_99398605\nw\index.html	Launcher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4016	2376	WerFault.exe	107
4948	2376	WerFault.exe	107

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1760	tasklist.exe
3312	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Launcher.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\NGC	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	Launcher.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3728	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3288	Launcher.exe
3288	Launcher.exe
3288	Launcher.exe
3288	Launcher.exe
4432	Launcher.exe
4432	Launcher.exe
2376	Awareness.pif
2376	Awareness.pif
2376	Awareness.pif
2376	Awareness.pif
2376	Awareness.pif
2376	Awareness.pif
2376	Awareness.pif
2376	Awareness.pif
2376	Awareness.pif
2376	Awareness.pif
2376	Awareness.pif
2376	Awareness.pif

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeDebugPrivilege	1760	tasklist.exe
Token: SeDebugPrivilege	3312	tasklist.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe
Token: SeShutdownPrivilege	4432	Launcher.exe
Token: SeCreatePagefilePrivilege	4432	Launcher.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4432	Launcher.exe
4432	Launcher.exe
2376	Awareness.pif
2376	Awareness.pif
2376	Awareness.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2376	Awareness.pif
2376	Awareness.pif
2376	Awareness.pif

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 4432	2780	Setup.exe	80
PID 2780 wrote to memory of 4432	2780	Setup.exe	80
PID 4432 wrote to memory of 3288	4432	Launcher.exe	83
PID 4432 wrote to memory of 3288	4432	Launcher.exe	83
PID 4432 wrote to memory of 4604	4432	Launcher.exe	86
PID 4432 wrote to memory of 4604	4432	Launcher.exe	86
PID 4432 wrote to memory of 248	4432	Launcher.exe	85
PID 4432 wrote to memory of 248	4432	Launcher.exe	85
PID 4432 wrote to memory of 132	4432	Launcher.exe	84
PID 4432 wrote to memory of 132	4432	Launcher.exe	84
PID 4432 wrote to memory of 5040	4432	Launcher.exe	87
PID 4432 wrote to memory of 5040	4432	Launcher.exe	87
PID 4432 wrote to memory of 1456	4432	Launcher.exe	91
PID 4432 wrote to memory of 1456	4432	Launcher.exe	91
PID 5040 wrote to memory of 2992	5040	Launcher.exe	96
PID 5040 wrote to memory of 2992	5040	Launcher.exe	96
PID 2992 wrote to memory of 4108	2992	cmd.exe	97
PID 2992 wrote to memory of 4108	2992	cmd.exe	97
PID 2992 wrote to memory of 4108	2992	cmd.exe	97
PID 4108 wrote to memory of 1708	4108	file_2fp2wc.exe	98
PID 4108 wrote to memory of 1708	4108	file_2fp2wc.exe	98
PID 4108 wrote to memory of 1708	4108	file_2fp2wc.exe	98
PID 1708 wrote to memory of 1760	1708	cmd.exe	101
PID 1708 wrote to memory of 1760	1708	cmd.exe	101
PID 1708 wrote to memory of 1760	1708	cmd.exe	101
PID 1708 wrote to memory of 800	1708	cmd.exe	100
PID 1708 wrote to memory of 800	1708	cmd.exe	100
PID 1708 wrote to memory of 800	1708	cmd.exe	100
PID 1708 wrote to memory of 3312	1708	cmd.exe	102
PID 1708 wrote to memory of 3312	1708	cmd.exe	102
PID 1708 wrote to memory of 3312	1708	cmd.exe	102
PID 1708 wrote to memory of 2104	1708	cmd.exe	103
PID 1708 wrote to memory of 2104	1708	cmd.exe	103
PID 1708 wrote to memory of 2104	1708	cmd.exe	103
PID 1708 wrote to memory of 3596	1708	cmd.exe	104
PID 1708 wrote to memory of 3596	1708	cmd.exe	104
PID 1708 wrote to memory of 3596	1708	cmd.exe	104
PID 1708 wrote to memory of 4972	1708	cmd.exe	105
PID 1708 wrote to memory of 4972	1708	cmd.exe	105
PID 1708 wrote to memory of 4972	1708	cmd.exe	105
PID 1708 wrote to memory of 1424	1708	cmd.exe	106
PID 1708 wrote to memory of 1424	1708	cmd.exe	106
PID 1708 wrote to memory of 1424	1708	cmd.exe	106
PID 1708 wrote to memory of 2376	1708	cmd.exe	107
PID 1708 wrote to memory of 2376	1708	cmd.exe	107
PID 1708 wrote to memory of 2376	1708	cmd.exe	107
PID 1708 wrote to memory of 3728	1708	cmd.exe	108
PID 1708 wrote to memory of 3728	1708	cmd.exe	108
PID 1708 wrote to memory of 3728	1708	cmd.exe	108
PID 4432 wrote to memory of 3512	4432	Launcher.exe	109
PID 4432 wrote to memory of 3512	4432	Launcher.exe	109
PID 4432 wrote to memory of 2172	4432	Launcher.exe	110
PID 4432 wrote to memory of 2172	4432	Launcher.exe	110

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe" /fj230ur90f90329039039093/Launcher.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe
    C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Launcher\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Launcher\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Launcher\User Data" --annotation=plat=Win64 --annotation=prod=Launcher --annotation=ver=1.9.0 --initial-client-data=0x250,0x254,0x258,0x24c,0x25c,0x7ffa4d1eb960,0x7ffa4d1eb970,0x7ffa4d1eb980
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:3288
- - C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Launcher\User Data" --nwapp-path="C:\Windows\SystemTemp\nw4432_99398605" --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=1808,i,3376575089359785408,4908927709898847941,262144 --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:132
- - C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Launcher\User Data" --nwapp-path="C:\Windows\SystemTemp\nw4432_99398605" --no-appcompat-clear --start-stack-profiler --mojo-platform-channel-handle=1956 --field-trial-handle=1808,i,3376575089359785408,4908927709898847941,262144 --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:248
- - C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe" --type=gpu-process --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Launcher\User Data" --nwapp-path="C:\Windows\SystemTemp\nw4432_99398605" --no-appcompat-clear --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1804 --field-trial-handle=1808,i,3376575089359785408,4908927709898847941,262144 --variations-seed-version /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4604
- - C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Launcher\User Data" --nwapp-path="C:\Windows\SystemTemp\nw4432_99398605" --nwjs --extension-process --no-appcompat-clear --first-renderer-process --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\gen" --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1808,i,3376575089359785408,4908927709898847941,262144 --variations-seed-version /prefetch:1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\file_2fp2wc.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Users\Admin\AppData\Local\Temp\file_2fp2wc.exe
        
        C:\Users\Admin\AppData\Local\Temp\file_2fp2wc.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4108
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        7⤵
        
        PID:800
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3312
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        7⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 4083
        7⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Compound + Injection + Emotions + Worm + Participants + Richmond 4083\Awareness.pif
        7⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Subsequent + Controversy 4083\Q
        7⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\4083\Awareness.pif
        
        4083\Awareness.pif 4083\Q
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1592
        8⤵
        Program crash
        
        PID:4016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1600
        8⤵
        Program crash
        
        PID:4948
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 localhost
        7⤵
        Runs ping.exe
        
        PID:3728
- - C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Launcher\User Data" --nwapp-path="C:\Windows\SystemTemp\nw4432_99398605" --no-appcompat-clear --mojo-platform-channel-handle=3916 --field-trial-handle=1808,i,3376575089359785408,4908927709898847941,262144 --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1456
- - C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Launcher\User Data" --nwapp-path="C:\Windows\SystemTemp\nw4432_99398605" --no-appcompat-clear --mojo-platform-channel-handle=4404 --field-trial-handle=1808,i,3376575089359785408,4908927709898847941,262144 --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3512
- - C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Launcher\User Data" --nwapp-path="C:\Windows\SystemTemp\nw4432_99398605" --no-appcompat-clear --mojo-platform-channel-handle=4448 --field-trial-handle=1808,i,3376575089359785408,4908927709898847941,262144 --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2376 -ip 2376
1⤵
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2376 -ip 2376
1⤵
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Launcher\User Data\Crashpad\metadata

Filesize
114B

MD5
09573e2704f3a67ca97575c6ed65fede

SHA1
b5b461c1340aba6e2ebb329d56b5034c0d71aaa6

SHA256
e6457fcc35dbba54c9247830c8ae8bf1b1cfd2737e834663d8b72ff1a496f500

SHA512
220d71bf5ce663c54ca5934d773823d9ac4a0bd723b3b604d3ca24ae394e7dfe636ed02ccaac267e0f49d3b1d8c4616a0f6bee266177f36b2b9434c979326e19

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Crashpad\reports\4f93b5ae-ec8c-4440-9994-675bc8709e0f.dmp

Filesize
1.9MB

MD5
af24e985772a4a87e9c4f176a919015b

SHA1
7c07cf42132960972e306f2ff56c60d5f5ac3530

SHA256
11161990ad81207330308ccc228b93d44105d4a06f9839ca27ccbf30f660ce88

SHA512
9389896b4d771e3d570ad6771c8994005e3bfaff7997ae38c58f8d5ad7727fe1763432450e628acea0134577df344d55f8f088fa3a87275932a8d026d74fbb37

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Crashpad\settings.dat

Filesize
40B

MD5
9bf56e8a809dfbb75fe05eddcdbb9f6c

SHA1
d0a47949a78c26625eb1f892fe94fffa405a6675

SHA256
9d4ccdfe285876e1ffacb1b366e3f62b0bb829ab47728c576c0d7db20e742db3

SHA512
58c819855bb43686fbba208f4fe600064d02ac717510d192bc92dc07e0326f3419f11366d58fad6d6d36f9af9cd9aed9f2c20e9b2e498e8e6a480d78601ff16b

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\987ac0e8-ce90-4e78-9082-6be381cebbe8.tmp

Filesize
148KB

MD5
728fe78292f104659fea5fc90570cc75

SHA1
11b623f76f31ec773b79cdb74869acb08c4052cb

SHA256
d98e226bea7a9c56bfdfab3c484a8e6a0fb173519c43216d3a1115415b166d20

SHA512
91e81b91b29d613fdde24b010b1724be74f3bae1d2fb4faa2c015178248ed6a0405e2b222f4a557a6b895663c159f0bf0dc6d64d21259299e36f53d95d7067aa

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Network\Network Persistent State

Filesize
883B

MD5
caef9730661753618c77f3efc1ba4586

SHA1
0fce1ae06c359af5139f90d9b51efebd0a1e79c1

SHA256
0b6d82e8c9da7a178eb887c616f437ac1a11a526574cb3912ec5c67ccb3f0729

SHA512
021f169da8e8b4f71721cf6a81ea3630d5052568c138f63f0b0d9fe99f0bb79931797aa7037c0d38ea5a1d37ca2729e0782b53a4cec7ed45d8285ea632e52204

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Network\Network Persistent State~RFe58bd8e.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Network\TransportSecurity

Filesize
355B

MD5
0a526bcaf9d28e7012a669cffef6fac6

SHA1
17381fe4aa4f3d31255bcb153271853f0c8115f2

SHA256
a238b0697f4ac373d7700d44190ed608935c33137d216b7cbf5268cb2c238b89

SHA512
a083869fa6a31a78755ff853f0976c5facd77a9529eb33f6f5ed6f0e246998cd661404dad0e134a81c0f102908c0c44dcba1816503bc44b70e6bcb886cc3a1f0

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Network\TransportSecurity~RFe58bf44.TMP

Filesize
355B

MD5
1ec70518cbc4233873d78214515a1f6c

SHA1
95ab7aee5c6e598fb3ac6bca86f2b700e22bee6f

SHA256
7dbb2c37803806fe3c82b5b5a5988443580a10ac798780329edee72f62d85a5a

SHA512
c87c53451bfc216c54e05c41a63ee74a6d7718b61d7a5eb625b27a7deadee3f194613b8b7ff5023a1cc8e05bcc88793d77989df91e367e754f7d5b8ed55a58d4

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Preferences

Filesize
4KB

MD5
3652ac3c7c093466799c8a697be30f30

SHA1
ca6d42178f07f4a0cca5100948cd9043941fc9d4

SHA256
b2c8e9ceb29e1c57cea9b0590ee9358248caf33280b3eccadc11f3a3b90e1bcc

SHA512
d8107b0755f256f6b174be8441f72a20700e0fbc7fb5a946bf307cc584d9b5b36183c611390a5b07da7dfa369f55b4aee1b52897484b7cdea8f704708d62a182

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Preferences

Filesize
4KB

MD5
ff24e8e850de70528f8745ef9d3dfeab

SHA1
66709544d0d75e70e661d2e65a4794d5d49342bf

SHA256
9aa825b9cb5f8e17be6eb0c653a86cf57a54d4b2b7029cce56b8a4eef3ea63de

SHA512
8953fa7edf20cf843de8651ab212381dc04055b2323419e8d4f8033e798fa1661682d1cf4d6efb4f8a6843775a8453a1d935bd84bec838435c8ab057a059afc4

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Preferences

Filesize
5KB

MD5
d0897b6735c1e6e62219110ca2906464

SHA1
836e93ed91fe13d28132bb3e7ab4861d11535e74

SHA256
0ddd181fc075b5b0d4e1ba8d5bd27bf8fe2782274242e976d22a5f56bee74eda

SHA512
9fa8a2f1dacb82c8c98b8fcd36f6480c7be382868d6841c6e8dab2595a2eba70527b51fe48dc94b4be4653cd171ab375110309afdae9889348b99a3fdba12b90

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Preferences

Filesize
5KB

MD5
b70167d7b6766360c753980f514eeb41

SHA1
07e9ee051fb886d7f8c0e6c56289a2b4c642035f

SHA256
a71c3097907d73e590a9e129bd14ce2510ad528dd512b6157c59733b3a0b4793

SHA512
33d5d71595196e10b8e026a54c40e1c6e2f4cced010b98c337a855a7ae4cfd726ce4e7db86941a1a4cc024dd80fb2586612adb0a67e0bb8a4b46f65ed14c21b0

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Preferences

Filesize
4KB

MD5
fd7a433b48b344db46d413faecf9fdb8

SHA1
ec1ea1878f5feb77f77ec05ea0ac3914cc9abde5

SHA256
cfd85ba3b8e8db4feeba0742ec575b52ac2d8d1b57101a8f2b07ba12c72fce5b

SHA512
626bcff607925c1c2721b10324f1c9de256687f8079373b7873166920fd75f7db4ad66049cecd1ea778caadd100c467ff2d7a78492da88e2387b1dc4390a5b50

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Preferences

Filesize
4KB

MD5
386640138c035646eb729d8f0c5095c6

SHA1
c2b91844482d229d5e2547d5382c414184f2f277

SHA256
8f3cf97395da7f3d39857628bb3cb39c1d90de60bec9c4446159157ff1b89a97

SHA512
980813e82357237be40880196babf04d614e674b784a4e54106b2db3581251fc8427eb6f28caf71b12ee5776a89264540d4f7053e2f56cdffc9a54aef46328fa

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Preferences~RFe57e8aa.TMP

Filesize
4KB

MD5
ff461bb01dee73fcbe4d0e7a08404c8e

SHA1
8915637479f962d34b95096c26fd1f599087ed0f

SHA256
182b2eff2677acb6aadbe07a70a872519a2df87bc432fa92d1b4720fe5b9bb42

SHA512
cb74cfaaf918bc6a98131895b8276601f3e42609dc75094a3ed66f72eae86dcebb9a531ecacea31ce593b52fa86c92060f1fcb65fc1c271321b76818dfde670f

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Site Characteristics Database\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\Site Characteristics Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Default\e52feae6-84e1-4c31-b7d1-4de7ea341725.tmp

Filesize
5KB

MD5
6e7199189a525b8942f25b3f952e640c

SHA1
c7026b9f3f30ea475885c38c5575cd58ac3648a0

SHA256
4ca5076ad67603f1c63828319c0591fa3cfd7c9441628c54fcad47f0e5742014

SHA512
c3d40a9efae8e525bf5d1644931e0548c60817463726f8f17c88fc7cd5f5c5b50b78cf6c216cd3cba5ca425af9b3939577bad3ef3d34c1a5a80087e1c568ffa6

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Local State

Filesize
2KB

MD5
6a614b9db4161691a3af0bd171f18eb7

SHA1
e1892298bfd8ed0082bc770d799a61150d791fc7

SHA256
038b6483e4c4b18170c8a9dae4bb6babaa282ce7a7690d3421e15a54075b1f46

SHA512
8f92330c16d8f31d919a6e76fc9a48ef509cbbfe880dba3fe064ead477943b43a9d05ec6d42651604f27615ed0f3e1ee156f688af58685af5d6a3f17aee08c25

Download Submit
C:\Users\Admin\AppData\Local\Launcher\User Data\Local State~RFe57c0b0.TMP

Filesize
868B

MD5
5b10702002d09042dfc6c8d88abaf606

SHA1
2281106d113d47e9bf48231874d3c444b66442ac

SHA256
e63ab047c0ad45183921f9bc93bf03c7493a78d7f2a161b8f05f09a1f997bdab

SHA512
8323690fd3ba5ec09b2ca30ec88b4392ac893f92e66cbeb87f4af9ed1cf67b0dfc2dc36625811f017ebddf0df4215398bdfaf3fd3fdb635e7c8915c0f45bfdb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\4083\Awareness.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bathrooms

Filesize
11KB

MD5
b1ef379960b1cc12b80454174ef222b3

SHA1
e85d00b4822433613e0d1523abc1edc4220421fe

SHA256
cc9605d93f0b3536ea951b84f3fbe3d0196f361de2276038165ceb2200c92c7b

SHA512
7a62f6413986032298a8baaed564becbadd24ed70949d64ef3411fbec488b82820c04d7c250165ea57371784168710403f94940acae8a97ff10ace57c27ec2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Compound

Filesize
277KB

MD5
2ec41cd75e4e41ee8c1b1e0b9d31c7e4

SHA1
1ae820229667223c05471140f04486174f818306

SHA256
703e01cdb77a38db64afbcc43b8567a808dd0e5702eab102e16364437ceb2420

SHA512
46ea1d8606dedad2acd591c7591956925065952465423f1f77431e5b55de2955fe5db8ab8a46d92ef5ca0458e09a0dfa99461d6c849c0818f28d3863b358649d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Controversy

Filesize
432KB

MD5
646bb04049cee0a56192d2837d687ccd

SHA1
01579c8a98bdb098719e3398d3f234920b402d71

SHA256
808a6e79cff289bff2698b185e747ccd5d6c373b1c9fdf8128a9443ac90217ae

SHA512
f7dfeda6a5abffde61898fc12596f41a3de5d12a0c9498d0b7a1d0c374ce4527691968aa6d67c91b3d706d57e96c45b96f400ad26d1120886f374fcbb7893ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Emotions

Filesize
222KB

MD5
041ce253674ba21b9d38fc9fde7f054a

SHA1
7a59249c38c6a5bfe7766d2b5ac226a9cfd408d1

SHA256
a2d9ac3903c9299a993206ec17f7ec8e06bee2293239e8a8b517eef561de2d3d

SHA512
48ed73cb5f6872980018050a07741e08cf3abb3b7a1365eac635906b832c9963330d7523e21ac6a0f5c40485daea78df206d04a4c51c5ff9aec424f56edcd2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Injection

Filesize
117KB

MD5
246eaad20996e50d7ef60b9200bd9651

SHA1
65d11b058e25e584ce67489c1ccfd85d09f15d0c

SHA256
851183e54980e91bdc772a752f738547841b22629afc14d05da9c954f320127a

SHA512
a0c24a4792afbc20f9b166e7a8764016409acd474091a0978d4b2dfd061ca142103549d19459f23d1dbdb0e624395c1258b8a609c6c283992ff625891e83eefd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Participants

Filesize
167KB

MD5
f8f388e977f31c5fe1748541b54920ae

SHA1
e7136e52621f93ffb84325b57e98985ebc6512c1

SHA256
a8fd7c611b67f141db0423e5069f0e6fa5e8b4d441f920ceb0378692a2528754

SHA512
98d423d056f2bf9e63651d0106a6bf96af135c8f190e34222ba72786b5f2bab5ad8ffe82df47e34ba446fca03d3db3f7bc3b033774b79edffe6262f813b84e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Richmond

Filesize
21KB

MD5
1ca5141d992262432ba4fff828d7d092

SHA1
5e9aec92c0e85c0b7f576bf18adba9e3c3e93897

SHA256
9f7a626c7d33e97f707c415aeeb3f8f3697edd0988fee6b3be07e9a02b74ba75

SHA512
198e63037f7906681467daed4cffc6b07885ade1d80b5855746fe02c2d86689e1c6dbae6432784d67fe092e041e4943de846e0aa791bdc5c5a5e08da06af0242

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Subsequent

Filesize
426KB

MD5
c42dc09d03678e36fcd19b13b8f8e502

SHA1
be31c2f6e43f87a56eeea107ca20822f5d2b6c52

SHA256
4e84c8cea810d1466db293cb934b60e10067d34c851a2eff44894c60681810f0

SHA512
fd5028a518bbdfaddf75e6d2ce10956bd573535ab3f4f17aad11062711b10259c1983a2627ce283c49ee768148e993f4f0453304f8b0b2461e9c0c5b6ac29ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Worm

Filesize
120KB

MD5
8b9a2094874a50a5d6611512322a41df

SHA1
649b2fc4751a857ac795637890c3ffd1a1f6c069

SHA256
5dbffacd5038833530ba781b5b1a020e504257ae796793b3b47c516549a9be0f

SHA512
f5a4e4460e1881e8a6e6db0e21d59efc4e635e2ba6c8620856d27e7b940f1f7784846e3fa7a8e5468506a7db6397ec411325bd60ea8c9f833bbcccc1a523491d

Download Submit
C:\Users\Admin\AppData\Local\Temp\file_2fp2wc.exe

Filesize
1.0MB

MD5
13125bd66d02c013b3eda2c69aff4ef3

SHA1
3b70cc23e7877fea920e0260ef6fd9b56076930c

SHA256
8299e1c15b75e38fbd3aca4b5e64ee8994d48458023764c9f899604f8a11cdab

SHA512
e6931d70ef77f638fe15e463e9a77f246913501faf1dc10ea09d57558d19c65191c7025dda80d45e947e45eb01ef4807fe7ab0ad7f84f26b55eb717e2b4c1280

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\D3DCompiler_47.dll

Filesize
2.8MB

MD5
8dede65bbe78848e923e0c274788b589

SHA1
07b148d6888ce83b66534d61dfb80edc819c22b1

SHA256
58eee8e6255a1af8abed54e8f35044d171f53e6e1acb169651ef20e995d75812

SHA512
837da24efd9ee18c3086c27e1ef240e115085f170609bf328a97ce1a9b0d7188de967c0e604e97cf30a4087565e5511a1a02cad33130ac91f612230a41c1d67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe

Filesize
2.5MB

MD5
2784b288057106a5e08f16377339d4ad

SHA1
62a5705f96a2665519a7940fb309745b791e98b6

SHA256
6f7833e864e20b2fa1ef454fc60590b7f246fe4a81f22c35dee247c7d8df03e6

SHA512
663e06957d3de5dcdad6559391d733c350efffdb85363ec00943bf0ff07fef61fde164b71c4f9bd5f2e8d0570f85a1734c03c53e9ad85f4b55ac7628b5664331

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe

Filesize
896KB

MD5
4240476a39fc71d47815c6898273ea38

SHA1
445b535e8fc8184826e79b1bdc2b2c627db788cc

SHA256
692c87706b95368ddf09df0d8f4a08e9f802fed13213fa2f0bb95f7ff374de26

SHA512
5485cb8ac80f0e74e34b93fefafc159724b8bfc8b5328d98491374a54728299a4df6ad9063cb445fdae680618747fe2770a51c4047797dc597e7f3c2d4fb2a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe

Filesize
1024KB

MD5
ed86c98c4eaae88ea666d5702623d8a2

SHA1
f16aa1280b600439653678eefaac6e8439c284ea

SHA256
7c47aefa8992a2c3ee730467f317214c69be95c14b6cec1ca7ab5da5ae3fea6e

SHA512
61d729878b7f65584fa64a68510e0a29ec5efbb5a80fa50e55e2deca5d5f52c4dca58410edac8d2938ffc0ab080038adfc517fec4d244932f35bd027efd4d57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe

Filesize
960KB

MD5
10ac0768a970f43e9069dcb75d08a881

SHA1
edde2822624093c2ac1e7d8cbd3cb2eee039f229

SHA256
ec654430c2d52812207eec024bdd7c97f07a404bdbbfcc899ef8014668a7875d

SHA512
f968e3c5b68c947ba630fb60ff7d8e81710efea02c3c2d0e7b9ae95a6711a20f2a4c0e97fb269e72b212285abc565af7093a3c0973a07896dafb6f0aaacaf768

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\Launcher.exe

Filesize
2.1MB

MD5
a5d9fb1d58b83e52b2ba53182411a033

SHA1
7cda53405d9f689900423a00f06f6eb88482751f

SHA256
071811e738648a561ae179166283bd0b28e4180cab5b81eeaff2d3820bc3ad2c

SHA512
207764005eac21605481a8cc0cb46fc43938ab959439e61c50b9743413ac028be106219acc6225a52ba2b9beb7e7a9ed83de8f73a0f36bb2f40398bf78bbafed

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\d3dcompiler_47.dll

Filesize
2.6MB

MD5
bb79c327a703e9611a4d80631d3d23e9

SHA1
2843f793f2b5c809dff438333811e10e1f96a358

SHA256
c489555fd75da5aa2c7bf4731cfc59d7933bc98f8e59f82563a5351916bd0d10

SHA512
7aa7cffb861bacbf99f9f0ecf873c0c054a78c5f33043bacbcb660f31b10a9d53baf0d27f94a4e539b4b216657d4c937890c542f49ec751865ee75645a291817

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\ffmpeg.dll

Filesize
1.9MB

MD5
8fb19b8e58a567a27619a91b99ad8bca

SHA1
9f24a832705ea853b4c0cfe9f2100f42aacbd0bd

SHA256
424a34741ce0e5104df6d33ea16633c018af5f3a7396734218d1a6eb4f70b1c4

SHA512
b0415aa5728d39efb01d3e0cb082bbd4f42ff1284447ad89f85604e7ebc6da2bf479af7d326282920c543f351e856c5e3b1a97e2fe6c3bcf198e619165f3be5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\ffmpeg.dll

Filesize
1.2MB

MD5
f251fc45d9c63395571d9874801fe7ef

SHA1
ee4c9be2831698e05a8fd0dabefc1320a6c2567c

SHA256
47cfb8f45a8afe399ce444dc1bb6e73c68daf866db7950a81be38d5a769a3152

SHA512
96335a6fb3dbee5251fd20c58d258479e9443e770dc76d06e75b3d1048efcd1a0f68e279a4b5449aa5c3ce2bcfbefbe19d6694ae4ab6cd087430742515d8b95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\ffmpeg.dll

Filesize
896KB

MD5
0dec8614c226a55c9bf444f1bd1b0b7a

SHA1
bc8151ffba717a73887a6bd8515d65a8506bde87

SHA256
41bdf5730afaf28256dea9fec9bc1a39b23680bba1104686090f457c08f18cd4

SHA512
818d97a4c027c8ab971f5004405cfe49a3ac73c4eebbc7f3cd2acdb04f756147ff83e57844688e21562441885dfe454465717ca1eb9fefe3a7bdd6bf97edf9c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\ffmpeg.dll

Filesize
832KB

MD5
1412f7e96dc289df1e5d5ccbe3767036

SHA1
e60e4442c066c1b23b0c8f6a6d0d67d32597b55b

SHA256
1d02cb2e86b4cbb48c90f0ebecb51a7249096685c9bf1f3a0aab7af7b02f33c2

SHA512
fae74aca2053de0eeb6d27b664152603a531ec416107134411dce310fc5e9973628a3d57a12ad39fad1cac6bfffae52da8569d0164e36a2711a77002a4de2322

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\icudtl.dat

Filesize
768KB

MD5
8f1114b03f55f8a3c87467759745535a

SHA1
1a398f15e0be73777444aed77a248f24ed4e43b7

SHA256
b274d09035498d79403f2d2951c96d224a943ea2345dbe132d5a6fec4a1d4446

SHA512
603b6b2b18a68e46567264ba7ead666a804b16f47b0dd706d79b3f07fc485a0fde0db90a25264d8222dad73809ecdca1824ee95cf806b46f3c3cada960699cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\libEGL.dll

Filesize
444KB

MD5
8aa1a64d7094509196fcb4a72d608213

SHA1
e7ab1c7ca53581578ae56dc0211773ac780a4f91

SHA256
15e7eafcfe14bd255c21360de3d019cfa5852bd059c36779c351c0592dc841f6

SHA512
a915759817f6a84dd061f45415e6fa9b00d7060095360257763342d59252525de4c04956e2e15e23fc3465074d1e719a0d988f6798aa38ba3471b8e38aa70200

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\libGLESv2.dll

Filesize
2.4MB

MD5
e394e97cdcdde64e4bbf2fb66d51fb34

SHA1
d718863e99f652df7aecb28306606fcdbe6922cd

SHA256
4d794ef1fe87171aca3d551b889f111bf818d96df48791d5d152e6e6167594e3

SHA512
1c39d4bb42255a98a68dce646da84d0e7e5e13d0110a478c17dacb9f6ea1047d20145047d1a8705deeeab53d128ec7109a7ae8a1b5d9c30633fe1c38d3930b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\libglesv2.dll

Filesize
2.5MB

MD5
9380973bda1167ce838feea0fa4208fa

SHA1
3b63cc78ba0ac85d1ec3531c46e890679925459b

SHA256
329c6d67d8543173cbbe4fc889bca80f9b9727c5d49b717d5abd9a388cfd96cf

SHA512
edecaddc1cb5a16b1b1ee24a10d4002985050487249b41c9bd27b48181ac100ffe8833230e4c9705a8caf9958acca9559cb5ae9a1711331d0be919f4408b5b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\locales\ar-XB.pak.info

Filesize
1015KB

MD5
edaef65b3082ac1502e46a7efe9a7260

SHA1
80fd9d68b4a0af62ef7f53d58ee9fb3ef1ef32c4

SHA256
7f8d7ac684642fb44625b0e32c0d8d20df0f661db616b157be04dfec918416eb

SHA512
3564bd96293d4a07c15d2ddd50abb531aea0a62cd4e0a8e70b60c7ef015b6e11f8221f353b668b0670938299770cf3607303075fc5f34bb73f9abbd48f666726

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\locales\en-US.pak

Filesize
448KB

MD5
09a27daab8ed231994af216a98a73b85

SHA1
c2211a4cdc878c7685f30454bf9742b68025d22a

SHA256
b8a8ee9f3dd6946649beb4f3ff96889bc010aec561678903316cfb26d7819479

SHA512
40016c3fe93989936cd63ed1e20da403f9b19f712efc31b65d485f06daa7df41ba86da76ca0ea04db2932cb4ef928ff2ab70aedc839a8ce472b83a92ac298e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\node.dll

Filesize
448KB

MD5
016d7f172bc0a14826df0291d3e69756

SHA1
08cdf0d0ec71b4509f58643eb818aca0da2500fa

SHA256
055b90aef1ecbb1859c9d06a26544e907e7a9413b69091583a5555cbdd84326f

SHA512
39de4195797068befbf81133ef94625e9e5cd7b466f192107f7b8abdee8619cd8b5096dbfff72e774960f706771c901dbd9b88eeb31a8a0b4322f6965f22cd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw.dll

Filesize
36.0MB

MD5
32461c9112d7fae550f076a11c271163

SHA1
3c64a3beac2d454c50fb285fc197a3c43cc41459

SHA256
28bcbcb151af9e928feb2db6e9dc8f9298092f92313f659400dd90137514d1e5

SHA512
ef7e0b2e0f08e057243037fdd427051ab97724df1173cd6c55d7c61265e24310100298515bc4d97196511e69446ec891ed69fd4138ff50642f7b0c54cd77d746

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw.dll

Filesize
15.0MB

MD5
f7336187ef649948f192dab72cd280ca

SHA1
6a2722b9912ef94fd12aa28923622e89d88b5fc4

SHA256
ef8b58f8119170f3ff70ab196e3472c97081496acd4cb27e9c9251de197561ff

SHA512
5f624503a43636a25b82871a4a6559301fd3ead0c7e8d4ad27a017da46455118ed2ac7c385d08f7e05f8d6ae9387a7954c723035ab64827031716f7b1172baef

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw.dll

Filesize
832KB

MD5
8cf147626b37324250759fa010e6fba5

SHA1
2a90af65e738179dfd4b3d0b7ef539c6457ca3b3

SHA256
32c4afbc98a81c0d19592cab5d89109aa1de5401c7ec4814394c909e3a88e544

SHA512
41032d50c316c0ea59eae04b5eefa5d0041bbbd6d2c294e52b3add6d2d2d9c7b52dfc0a3bb9d199451f499bdeb5450e18f782ff957c79dd3d50433015f2fbd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw.dll

Filesize
3.1MB

MD5
715b9cabdabac04d77bdeb43aefcc862

SHA1
3e55d7baf7a06a601fb53d6e4644155b0fb33588

SHA256
dce696489626cab89357ed4db9cfbbf75fe455a3dd4079c0c51b78b57c15a4a4

SHA512
df59873c654c9f0bc3241af2747bc6a06c024e18d88e072e1b03602e19bfcaaf1072bc40cacc9380b0d1c53a5a6631caa5a31bec258c08d9251deccc73e40f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw.dll

Filesize
2.9MB

MD5
5d1b66fa5a91622eec424cd524948ae7

SHA1
40aaf8a920078667f3cd71134ae5d193863efe87

SHA256
4fa5e47b276e8984f8ef28cb363875efce9acc64fe4fd513be5a83969c9d32d9

SHA512
33a38d6fde7ea2ee28286e4b00086ce87492b414cfd60ccf6d3bebd9315f0206ee488fb865cc9c26c61c6de188e440f84a5585b0e9ae50c89849aa4bf80aa718

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw.dll

Filesize
2.0MB

MD5
51d4ab9a4bdf0cba22ba5873c4f8be6e

SHA1
7f770d7602621fbdb52ab0b7fe3e8806cd54ab1d

SHA256
26ace3b3c84709982d5e8730d08daa0d5524ab73a070fdd4e6c01c631306bb58

SHA512
e122bd9cd16d651ca28daa050438b427ec8652862c5a3373e1412df4f91b371162fd2f0b42e71cbb049dd9691e9967ce860b00705c8f60f7768f17eb08d31d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw.dll

Filesize
6.0MB

MD5
0738f9746969b0811b135a6af13fcaf0

SHA1
6287ba7930d38ed7a5ca0d49f9594cffaa669d5c

SHA256
05df42947fdae3f02268d7336ed3876248e8ee45eadd5b70bc75530b786ff8ae

SHA512
f16bd8902eed6850907431a20fd512b0c9ad5c464b9e5d4377c1d2006d2459927d3b4e7209388c78fb732975691883da3acf4e9f66fd02f21b23527e89ae6ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw_100_percent.pak

Filesize
718KB

MD5
2f1c41cd4f8d630e965c83608aeb8dd1

SHA1
877ee7e4190967d69c6ebf9c6a52327ec10dffae

SHA256
a476dbd7731b7db5a771445cb9cd8a838dc706d8986f9e1da3d81fac59cbeb1d

SHA512
1780bbeece915ff4d959b13dce849ad608301eab7b299bc8fad9251c2ca392b6833ceece30256ed607b4b5e12dbb7b5e0d247b711901c628b180497eed872239

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw_200_percent.pak

Filesize
1.0MB

MD5
700774b8661621c44437ddbc8cb2ec04

SHA1
47bf0f010008b30c19039fe6e360c6866dae7c4d

SHA256
b5e62133ffb3827d75d74d5e23326c9827ea931b693a5e09554809eb4240d63a

SHA512
a7c80a80931bf4cf1ff02ad1a6b6e662171fe3add5d6a120e66d92e242757ef18aa30238d0e821ef9dd89f3aac8024eaeac8a79731a33d214dfade0a79740ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw_elf.dll

Filesize
1.1MB

MD5
98acbb1ba1112cfa4da907558ea7cc0e

SHA1
9e041b920a7a9e9bc0aea6fc7709deb67eecf7ef

SHA256
0c57bc73ca823aef5dbb3785cdb343dec62854f80e811df16ac71ba88a039a5f

SHA512
a4845ccf34b534d5ff336a909b66f8cd4f48c151540197ebf63242a83c02a4f5a9f992a7975de44ca0f66e810e302a37f331d4bd26afff5088f2c44df517ac86

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw_elf.dll

Filesize
832KB

MD5
645a832e59c48d36988984b4cce9b1b5

SHA1
0ae35599ce3b4794b326bead4e125f24898cd4cd

SHA256
51e4935e1a704929636911e2f8a09cb118a380edf23ac604172729e48b824739

SHA512
21ce3b9f7ec24921f1d61a9e50f019bdc312fb0232270c5e0a1a62e4a39ac7e5727bec3d5b1e8b2cdb81a6a1f6df2b6b12ab0d38c7a43c972a052d90e3ac58cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\nw_elf.dll

Filesize
960KB

MD5
7104aecb5df772d8be0889672a06d43c

SHA1
695b885a0dcedd386e991a31a86ed9283db50792

SHA256
22ad11d45092e59aaa31ed3b4f949e561973858e8e32a3a36d6820b762a4e890

SHA512
604b9ae9bdcfa2eb1c30245f652ad03d7255cc18d260be43d51639e19478438abdd2a798fc74926930a5db098c069118c2d8150308a05c9d2aa565cb9d7bcb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\resources.pak

Filesize
1.6MB

MD5
c4154d3423776121c42681a8afd785f1

SHA1
cc4116d5ce48cd406e3ed9f2235e344294525f09

SHA256
b337b8a949410b07043b61ce4f485f53e85d3378c8ae8e60a0b62258aa8ed0b5

SHA512
ffcdf796959c711e64155fcece09b86b2ee94107bb3e5f8f814a2e8fa9965dfeba1b9bb7560478ffefd640e181f3ecdd80f3e7557c2c76ca2a70b6407700b40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\v8_context_snapshot.bin

Filesize
669KB

MD5
c0e7602b0c7d5de0be5e83c20591f941

SHA1
838d2038682db7008f6a2776026cd6085db9ff3d

SHA256
345726227a3d92f5e2f87fbdea70385690b38f8d181c902254845021093c5697

SHA512
7d2ff90ebb6b051fdb050495cf5f3d353f4f14e1d5777d7d181ddb70cdd3ea4f633364fa5a0e2e2ff8c9a5a2de636160e0612a7f45fc65882114caab53ea0cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\vk_swiftshader.dll

Filesize
2.2MB

MD5
3aac0478b1bc8af2ea313886b18cbc97

SHA1
6bbbcdd1ea073aa736847e97d63d5d9e92362887

SHA256
c9b484d7560ea0631481772858eaac8aed04662e16087054417842f99e3a8f4c

SHA512
6d8976d0b97837672247255cc285cbd7fe6ba60ec92613bed28422ee8326b58d6173bc4d2dce0868bb552960b6027a5507f0b7f1d8772821d559f5355cee3da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj230ur90f90329039039093\vk_swiftshader.dll

Filesize
2.1MB

MD5
ab6cb1ca12fac32cc08c3c20271b458b

SHA1
a229a49536444ae1eb139e9ab75086f91975eddc

SHA256
1c510ac5e4ae81230c908ebba6fc16b88e344989de0f8a01d147db2dd839c05b

SHA512
888242b919f72e2a0a6b7ca0f90cda223ef89e1837e875e3d0542c580da5515ddd6c97aaaedc79ffc07654f86f11b2220ce12993566f41770a52dc1e390088f6

Download Submit
C:\Windows\SystemTemp\nw4432_99398605\nw\fav.png

Filesize
192KB

MD5
10ba6764cb44f3f683e40f60ef779ecb

SHA1
13f2fb3956670cf54d8a59f1168acb36285ca2e9

SHA256
e261a567008f265cd121ebc0845fd7dc9ae51e78928f53a099996cb169c9bba0

SHA512
4fb27411828a1a6d41e8b9e5ffd0bddd92c55a05308979ff94b6796afb9ddb895537eec7185e2fcdce1362079ea96f2590860088ec19f805efefe11a336f2d54

Download Submit
C:\Windows\SystemTemp\nw4432_99398605\package.json

Filesize
554B

MD5
fef3c629b4988e5756d334f251e96748

SHA1
02ec04f252e2a00de7f991c212847b533a1c1165

SHA256
b94cbaf6c5e5c6f2222852305bca0013619f49ec1cee54e5cf4f84266d1eb13e

SHA512
8f488a4a40c1ee7103c30ba1c1b17fb43d7fdd01dc98f81008d16cc2ffb8fa419985d212d4a00e50e4d470d27c1438af3861c70b23ac4f191a7ffd2b96d2245a

Download Submit
memory/2376-598-0x0000000000010000-0x0000000000083000-memory.dmp

Filesize
460KB

Download
memory/2376-602-0x0000000000010000-0x0000000000083000-memory.dmp

Filesize
460KB

Download
memory/2376-601-0x0000000000010000-0x0000000000083000-memory.dmp

Filesize
460KB

Download
memory/2376-600-0x0000000000010000-0x0000000000083000-memory.dmp

Filesize
460KB

Download
memory/2376-599-0x0000000000010000-0x0000000000083000-memory.dmp

Filesize
460KB

Download
memory/2376-597-0x0000000000010000-0x0000000000083000-memory.dmp

Filesize
460KB

Download
memory/2376-565-0x0000000077531000-0x0000000077653000-memory.dmp

Filesize
1.1MB

Download
memory/2376-596-0x0000000005A00000-0x0000000005A01000-memory.dmp

Filesize
4KB

Download