98faaafd3b450d836415eff09da56591fe31c54b4a668498416537262f2cd4c6

Resubmissions

08/03/2024, 09:25

240308-ldsftacd9x 8

08/03/2024, 09:09

240308-k4tacsbc94 7

Analysis

max time kernel
1807s
max time network
1160s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
08/03/2024, 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

81.7MB
MD5

d4f685deb88b48dc0e55703f7ab56d82
SHA1

4db0f7c4a2c299eeeecb258c14d13c8c0714206a
SHA256

98faaafd3b450d836415eff09da56591fe31c54b4a668498416537262f2cd4c6
SHA512

e5794ca50a3336f4a0cd0f135fd78900dc6104c5e83791e15bc4887bd3b3ae3f6eb991fcb1261fcb6a15a539724f2b6b7ec4a8535a3a885be721a27413de8b36
SSDEEP

1572864:V/WHHr9qNUFkOVYIIu+eTt1Thl1RJzve1FizRreIQeLcsbI+No77:V/8L9qKiOYu+yzThlFzW1FizAIBQcNM7

Score

8^/10

spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
17	2408	Process not Found
18	2408	Process not Found

Executes dropped EXE 4 IoCs

pid	Process
3948	Launcher.exe
1808	Launcher.exe
1972	Launcher.exe
2876	Launcher.exe

Loads dropped DLL 14 IoCs

pid	Process
2192	Launcher.exe
2192	Launcher.exe
2192	Launcher.exe
3948	Launcher.exe
3948	Launcher.exe
3948	Launcher.exe
1808	Launcher.exe
1972	Launcher.exe
1808	Launcher.exe
1808	Launcher.exe
1808	Launcher.exe
1808	Launcher.exe
2876	Launcher.exe
2876	Launcher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
36	raw.githubusercontent.com
47	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ipinfo.io
30	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Launcher.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
11204	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
8348	tasklist.exe
8184	tasklist.exe
7916	tasklist.exe
7748	tasklist.exe
7604	tasklist.exe
7564	tasklist.exe
7620	tasklist.exe
8340	tasklist.exe
7756	tasklist.exe
7740	tasklist.exe
7652	tasklist.exe
7544	tasklist.exe
8224	tasklist.exe
8432	tasklist.exe
8116	tasklist.exe
8092	tasklist.exe
8084	tasklist.exe
8032	tasklist.exe
7792	tasklist.exe
7784	tasklist.exe
1356	tasklist.exe
7924	tasklist.exe
7964	tasklist.exe
7636	tasklist.exe
6512	tasklist.exe
6436	tasklist.exe
7956	tasklist.exe
7932	tasklist.exe
7800	tasklist.exe
7580	tasklist.exe
8308	tasklist.exe
8000	tasklist.exe
8008	tasklist.exe
7876	tasklist.exe
7644	tasklist.exe
7816	tasklist.exe
8356	tasklist.exe
8124	tasklist.exe
8332	tasklist.exe
8168	tasklist.exe
7892	tasklist.exe
7884	tasklist.exe
7868	tasklist.exe
700	tasklist.exe
7732	tasklist.exe
7708	tasklist.exe
7572	tasklist.exe
7596	tasklist.exe
8176	tasklist.exe
7972	tasklist.exe
7900	tasklist.exe
7764	tasklist.exe
8392	tasklist.exe
8108	tasklist.exe
8316	tasklist.exe
8152	tasklist.exe
8052	tasklist.exe
7832	tasklist.exe
6812	tasklist.exe
8380	tasklist.exe
8100	tasklist.exe
8076	tasklist.exe
8068	tasklist.exe
8060	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3948	Launcher.exe
3948	Launcher.exe
3948	Launcher.exe
3948	Launcher.exe
3948	Launcher.exe
3948	Launcher.exe
10328	powershell.exe
10328	powershell.exe
10328	powershell.exe
8796	powershell.exe
8796	powershell.exe
8796	powershell.exe
7564	powershell.exe
7564	powershell.exe
7888	powershell.exe
7888	powershell.exe
7564	powershell.exe
6848	powershell.exe
6848	powershell.exe
7888	powershell.exe
6848	powershell.exe
2876	Launcher.exe
2876	Launcher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2192	Launcher.exe
Token: SeDebugPrivilege	1356	tasklist.exe
Token: SeShutdownPrivilege	3948	Launcher.exe
Token: SeCreatePagefilePrivilege	3948	Launcher.exe
Token: SeShutdownPrivilege	3948	Launcher.exe
Token: SeCreatePagefilePrivilege	3948	Launcher.exe
Token: SeShutdownPrivilege	3948	Launcher.exe
Token: SeCreatePagefilePrivilege	3948	Launcher.exe
Token: SeShutdownPrivilege	3948	Launcher.exe
Token: SeCreatePagefilePrivilege	3948	Launcher.exe
Token: SeIncreaseQuotaPrivilege	3296	WMIC.exe
Token: SeSecurityPrivilege	3296	WMIC.exe
Token: SeTakeOwnershipPrivilege	3296	WMIC.exe
Token: SeLoadDriverPrivilege	3296	WMIC.exe
Token: SeSystemProfilePrivilege	3296	WMIC.exe
Token: SeSystemtimePrivilege	3296	WMIC.exe
Token: SeProfSingleProcessPrivilege	3296	WMIC.exe
Token: SeIncBasePriorityPrivilege	3296	WMIC.exe
Token: SeCreatePagefilePrivilege	3296	WMIC.exe
Token: SeBackupPrivilege	3296	WMIC.exe
Token: SeRestorePrivilege	3296	WMIC.exe
Token: SeShutdownPrivilege	3296	WMIC.exe
Token: SeDebugPrivilege	3296	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3296	WMIC.exe
Token: SeRemoteShutdownPrivilege	3296	WMIC.exe
Token: SeUndockPrivilege	3296	WMIC.exe
Token: SeManageVolumePrivilege	3296	WMIC.exe
Token: 33	3296	WMIC.exe
Token: 34	3296	WMIC.exe
Token: 35	3296	WMIC.exe
Token: 36	3296	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3296	WMIC.exe
Token: SeSecurityPrivilege	3296	WMIC.exe
Token: SeTakeOwnershipPrivilege	3296	WMIC.exe
Token: SeLoadDriverPrivilege	3296	WMIC.exe
Token: SeSystemProfilePrivilege	3296	WMIC.exe
Token: SeSystemtimePrivilege	3296	WMIC.exe
Token: SeProfSingleProcessPrivilege	3296	WMIC.exe
Token: SeIncBasePriorityPrivilege	3296	WMIC.exe
Token: SeCreatePagefilePrivilege	3296	WMIC.exe
Token: SeBackupPrivilege	3296	WMIC.exe
Token: SeRestorePrivilege	3296	WMIC.exe
Token: SeShutdownPrivilege	3296	WMIC.exe
Token: SeDebugPrivilege	3296	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3296	WMIC.exe
Token: SeRemoteShutdownPrivilege	3296	WMIC.exe
Token: SeUndockPrivilege	3296	WMIC.exe
Token: SeManageVolumePrivilege	3296	WMIC.exe
Token: 33	3296	WMIC.exe
Token: 34	3296	WMIC.exe
Token: 35	3296	WMIC.exe
Token: 36	3296	WMIC.exe
Token: SeShutdownPrivilege	3948	Launcher.exe
Token: SeCreatePagefilePrivilege	3948	Launcher.exe
Token: SeShutdownPrivilege	3948	Launcher.exe
Token: SeCreatePagefilePrivilege	3948	Launcher.exe
Token: SeDebugPrivilege	700	tasklist.exe
Token: SeDebugPrivilege	6812	tasklist.exe
Token: SeDebugPrivilege	6512	tasklist.exe
Token: SeDebugPrivilege	5528	tasklist.exe
Token: SeDebugPrivilege	7188	tasklist.exe
Token: SeDebugPrivilege	6436	tasklist.exe
Token: SeShutdownPrivilege	3948	Launcher.exe
Token: SeCreatePagefilePrivilege	3948	Launcher.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 3948	2192	Launcher.exe	82
PID 2192 wrote to memory of 3948	2192	Launcher.exe	82
PID 3948 wrote to memory of 3000	3948	Launcher.exe	212
PID 3948 wrote to memory of 3000	3948	Launcher.exe	212
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1808	3948	Launcher.exe	87
PID 3948 wrote to memory of 1972	3948	Launcher.exe	88
PID 3948 wrote to memory of 1972	3948	Launcher.exe	88
PID 3000 wrote to memory of 1356	3000	cmd.exe	89
PID 3000 wrote to memory of 1356	3000	cmd.exe	89
PID 3948 wrote to memory of 1388	3948	Launcher.exe	92
PID 3948 wrote to memory of 1388	3948	Launcher.exe	92
PID 1388 wrote to memory of 3296	1388	cmd.exe	94
PID 1388 wrote to memory of 3296	1388	cmd.exe	94
PID 3948 wrote to memory of 4616	3948	Launcher.exe	95
PID 3948 wrote to memory of 4616	3948	Launcher.exe	95
PID 3948 wrote to memory of 2232	3948	Launcher.exe	96
PID 3948 wrote to memory of 2232	3948	Launcher.exe	96
PID 3948 wrote to memory of 4352	3948	Launcher.exe	97
PID 3948 wrote to memory of 4352	3948	Launcher.exe	97
PID 3948 wrote to memory of 4312	3948	Launcher.exe	98
PID 3948 wrote to memory of 4312	3948	Launcher.exe	98
PID 3948 wrote to memory of 2884	3948	Launcher.exe	99
PID 3948 wrote to memory of 2884	3948	Launcher.exe	99
PID 3948 wrote to memory of 4176	3948	Launcher.exe	100
PID 3948 wrote to memory of 4176	3948	Launcher.exe	100
PID 3948 wrote to memory of 4128	3948	Launcher.exe	101
PID 3948 wrote to memory of 4128	3948	Launcher.exe	101
PID 3948 wrote to memory of 2184	3948	Launcher.exe	102
PID 3948 wrote to memory of 2184	3948	Launcher.exe	102
PID 3948 wrote to memory of 8	3948	Launcher.exe	103
PID 3948 wrote to memory of 8	3948	Launcher.exe	103
PID 3948 wrote to memory of 3776	3948	Launcher.exe	104
PID 3948 wrote to memory of 3776	3948	Launcher.exe	104
PID 3948 wrote to memory of 4620	3948	Launcher.exe	105
PID 3948 wrote to memory of 4620	3948	Launcher.exe	105

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\Launcher.exe
  C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\Launcher.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1356
- - C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1688 --field-trial-handle=1692,i,2521303045727992820,2822618149580938132,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1808
- - C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=2256 --field-trial-handle=1692,i,2521303045727992820,2822618149580938132,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2192 get ExecutablePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where processid=2192 get ExecutablePath
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4616
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2232
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4352
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4312
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2884
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4176
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4128
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2184
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:8
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:6812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3776
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4620
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3772
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4788
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4068
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:924
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:816
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1764
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4280
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:6436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2856
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3128
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:872
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4724
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2820
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3988
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4772
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2756
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4856
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4420
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2460
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4884
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:572
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3096
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4416
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3236
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4492
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3780
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3052
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1092
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:6512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2288
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1548
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2420
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3976
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1344
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1424
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2344
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1040
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:452
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2844
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3476
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2804
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2876
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2220
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4136
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2340
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5060
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4140
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:904
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2248
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1748
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1192
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2728
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1300
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2628
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3584
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1820
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1528
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2408
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4092
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2160
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4504
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3000
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4600
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2356
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:436
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3164
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5128
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5156
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5180
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5200
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5220
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5248
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5264
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5284
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5308
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5320
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5332
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5344
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5384
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5400
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5416
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5424
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5432
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "net session"
    3⤵
    PID:5452
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      PID:8364
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:5476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\resources\app.asar.unpacked\bind\main.exe"
    3⤵
    PID:5476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    3⤵
    PID:5504
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
    3⤵
    PID:5516
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic OS get caption, osarchitecture
      4⤵
      PID:8252
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:8420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
    3⤵
    PID:11052
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get name
      4⤵
      PID:11092
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:11100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
    3⤵
    PID:11156
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:11204
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:11216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:11260
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:10328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
    3⤵
    PID:10864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:8796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:11092
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8364
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:11068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2192 get ExecutablePath"
    3⤵
    PID:5392
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where processid=2192 get ExecutablePath
      4⤵
      PID:5660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
    3⤵
    PID:6012
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
      4⤵
      PID:5804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
    3⤵
    PID:6088
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
      4⤵
      PID:5952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
    3⤵
    PID:3968
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
      4⤵
      PID:6128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
    3⤵
    PID:6176
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
      4⤵
      PID:6252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
    3⤵
    PID:11232
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
      4⤵
      PID:6304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
    3⤵
    PID:6224
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
      4⤵
      PID:6588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
    3⤵
    PID:6324
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
      4⤵
      PID:6700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
    3⤵
    PID:6568
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
      4⤵
      PID:6776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
    3⤵
    PID:6784
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
      4⤵
      PID:6992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
    3⤵
    PID:7300
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
      4⤵
      PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
    3⤵
    PID:7024
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
      4⤵
      PID:3788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
    3⤵
    PID:7060
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
      4⤵
      PID:5924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
    3⤵
    PID:7032
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
      4⤵
      PID:7152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""
    3⤵
    PID:6984
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"
      4⤵
      PID:7076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
    3⤵
    PID:7448
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
      4⤵
      PID:7248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
    3⤵
    PID:7356
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
      4⤵
      PID:7396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
    3⤵
    PID:7416
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
      4⤵
      PID:7504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
    3⤵
    PID:10384
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
      4⤵
      PID:8140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
    3⤵
    PID:8304
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
      4⤵
      PID:8288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
    3⤵
    PID:8452
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
      4⤵
      PID:8476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}""
    3⤵
    PID:8536
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}"
      4⤵
      PID:8948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
    3⤵
    PID:8644
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
      4⤵
      PID:8660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}""
    3⤵
    PID:8560
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}"
      4⤵
      PID:8564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
    3⤵
    PID:8680
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
      4⤵
      PID:8804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}""
    3⤵
    PID:8832
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}"
      4⤵
      PID:9008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
    3⤵
    PID:6940
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
      4⤵
      PID:9068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
    3⤵
    PID:9104
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
      4⤵
      PID:9128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
    3⤵
    PID:9140
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
      4⤵
      PID:9224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
    3⤵
    PID:3028
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
      4⤵
      PID:11160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
    3⤵
    PID:2624
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
      4⤵
      PID:1684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}""
    3⤵
    PID:5012
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}"
      4⤵
      PID:8828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""
    3⤵
    PID:1028
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"
      4⤵
      PID:6492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
    3⤵
    PID:9360
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
      4⤵
      PID:11104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
    3⤵
    PID:8392
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
      4⤵
      PID:7696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
    3⤵
    PID:872
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
      4⤵
      PID:10468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}""
    3⤵
    PID:8156
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}"
      4⤵
      PID:5896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}""
    3⤵
    PID:2260
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7716
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}"
      4⤵
      PID:9628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
    3⤵
    PID:7924
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8380
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
      4⤵
      PID:7116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
    3⤵
    PID:7540
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
      4⤵
      PID:1752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}""
    3⤵
    PID:3288
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8252
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}"
      4⤵
      PID:9408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}""
    3⤵
    PID:3096
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}"
      4⤵
      PID:10788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\A4xakIAWm5mv_tezmp.ps1""
    3⤵
    PID:10180
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\A4xakIAWm5mv_tezmp.ps1"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:7888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""
    3⤵
    PID:5676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "function Get-AntiVirusProduct {
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:7564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
    3⤵
    PID:10044
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:3776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:4796
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
      4⤵
      PID:10952
- - C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\Launcher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2600 --field-trial-handle=1692,i,2521303045727992820,2822618149580938132,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6e5843696d70df783161968b9f9e1759

SHA1
6e7ab4a749b553ff66e8914563ca9f98cabe3ecd

SHA256
51f80b81fae4ad9aa2b195b561274799f4bab0b9c12b0b86748044f12bbab719

SHA512
5b44b40619c0467fc41009a5ca7638ae3ab948757c4707b8439c7485635d9cfb120406d76e330b0993f17f63739a7d8d40e3ae71574a89428501ab63a44e9093

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\Launcher.exe

Filesize
1.1MB

MD5
9306f9358074537a4c9330f597fe9bf0

SHA1
4836f2185983747adb89dac049ffbf08832bd843

SHA256
ad8063fba0665face210edee6f769fd9b6793e6be99fae845f97115c71619eb1

SHA512
2bb0afa9dc3da27bab0fde6b065ffb177cf2ad14b9871c320bc66048f25a2b28539cfed819362019ac82f12c5571a87bff206aa5b8c9cd987844f37021134bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\Launcher.exe

Filesize
1024KB

MD5
fedcd006a99ba6fc4a067e0ce953ed37

SHA1
ec0062c334fbaf9d42d265998421e3f72cae7b5a

SHA256
b9f9fd5db797ce3fb4e3a268e28fa61fc49e32f309a34756759e877ab4d767ce

SHA512
bb56004cad22ec44eef593651d8c1cbd4b9cd8bd75db851f1e3adaf9afe5666e69c46e452939e1906eb8aa79716701c41ee312bd3cbaba64b9a2ba6a9a8c7a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\Launcher.exe

Filesize
512KB

MD5
c1c54be07ca2463e1b8f4a7268cf947d

SHA1
1c1107dd3edf497c30350e3974121038cd6be4a1

SHA256
f7153780d61c08adc68c42c22bfd2d450520e77893a13728993e9c80007eb2a4

SHA512
1eaa4bfedbf1cf2a6d2a7d00f3ed6acedd201daf5fd3916f988c3ee3a67e30cd3b8a60bf839946227a4c8bc7b6d28a0ad52a01eedfcd85fda4ef531817f2c915

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\Launcher.exe

Filesize
16.5MB

MD5
74938fe16838a21cc82d4024e85d4e6d

SHA1
9dd9b06f7ebe362a0de85379f38ea453259fc0dc

SHA256
8327e0b2105e60fd458de4c805bed314fe70882d2b8c1f900141487eae87c497

SHA512
8fd463f2b98ad80da526299a64d011ec289f75b426c2f5c477106eb8042ccf6fe93a99768402f4db6b5f31930c8d5e1a06e9fc639a8a54768f4cd3a3879b4acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\chrome_100_percent.pak

Filesize
132KB

MD5
e4cbb48c438622a4298c7bdd75cc04f6

SHA1
6f756d31ef95fd745ba0e9c22aadb506f3a78471

SHA256
24d92bbeb63d06b01010fe230c1e3a31e667a159be7e570a8efe68f83ed9ad40

SHA512
8d3ea1b5ca74c20a336eaa29630fd76ecd32f5a56bb66e8cef2bce0fa19024ea917562fd31365081f7027dde9c8464742b833d08c8f41fdddc5bd1a74b9bc766

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\d3dcompiler_47.dll

Filesize
640KB

MD5
dfe55f14958f1bb1dbd2127a7aa9690b

SHA1
53e2cfc23aac968381fbf07cc5c5dd8e0a08c47e

SHA256
aea8f3f8e4ed61a4a6c5e206dc801e2a60df9e41c8b0f62deba31e22ad917cde

SHA512
8ddbf09183d370a9fbab3ed069ba20c4f5e981edf9a183affdf09f08efa53c835a0c4a56cd87639be909abd0cc1f99208cf3bba509da2036288aab4d78b0d7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\ffmpeg.dll

Filesize
832KB

MD5
935d9eeb067d64dcd7f784fe33ecdfc7

SHA1
17273e1f65d8b3aacf3ae6c0593ecbccf22c5bd6

SHA256
05357a7f8df19263f3507ea87459b9bf8a8c8d2c3ba805cfd9754741f060ebdd

SHA512
c194bd2d138ddd96c46b2d77c76d74b0a4294095e2e13cab2c4cda6d2219ed8c5cf501c65d9094d415fa7f9ee8eb1506632e884bc4587e0055caf9acbab97632

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\ffmpeg.dll

Filesize
704KB

MD5
618d7c339a165dc939978ab968e43330

SHA1
416295606145292dce5ad035be7deb58f497447c

SHA256
d10013d0c633788aed48b897b161b224aba0aad2229c06249dbc218bec2b8e2c

SHA512
6f484290eca9c5acc7b1064e8e9bd0464d50f2d5411f42593ef23637587c3d03b024a54313c3d44c26e2425bc1a266feb4e370007956e1f1b9dbc0707b16b5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\ffmpeg.dll

Filesize
1.1MB

MD5
e5e0ed01c568c8edc2ec7a0d1f9ff9b8

SHA1
9e5d2b13ae8581fb1edd00b61713a6df69ff800b

SHA256
95c6a931529521faba7903c56faec56ab9ed1e167ba27748148d23be455ed6e2

SHA512
faf8a67ef224bb7e1f1c41f22ddbdd4b13f40af703cb915702092a62affb104e9979f703ef9910d74a4dd7ca674cb040ac8d0a3eefe9b031e546e95370622061

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\ffmpeg.dll

Filesize
2.7MB

MD5
384713176a162115d30e9af7ee20a5c6

SHA1
7efd2c9adb08fd4b893cad5613891f2e96e88351

SHA256
64dbe39b8bced2d4f2ddd727e914f17a385366cac4d4e63118915b2b093d90c9

SHA512
2d25176ae9f9d35f82c713e2321e74fbe4e730437a0ae733adc49d85f41c6c47287617f497ea0b414716bd790079d1b4372bd07f51664222276879fcec15af5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\icudtl.dat

Filesize
704KB

MD5
c738885e2b41f31e55741bb1bbf6ce46

SHA1
988eef0fc22ac46c7ed2abb26c6a73474ccb6730

SHA256
fab59fe160b51dda437af47dd3bf8cb69ff5b6cd5ac446922b4d6ff3b4bb7ccb

SHA512
b477babf64c0bff530cebb7844962ba76a1d05d2cea167b98a77947c8dea9b4150e29419a2ded3641e0d4e9fe04a5953ce010d6f139c3fbc01e80b754ee52072

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\libEGL.dll

Filesize
448KB

MD5
5268c9a6badd0c9be82bc98e6d8fa1a0

SHA1
c59ceff8bd525135db2fc9d4a8471ba55f09441a

SHA256
a1036bd087ffdbe8c25c78ebdc7ea348f08c12001d95c96943e95c00de7183db

SHA512
b3318cecb5832f4725e7316c63c736fc1548561693ba37ff6a62e555596b997489fb3b7645191fa3bdc7393f5fe2f5ba53718bed6349b21efd877afc12b21928

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\libGLESv2.dll

Filesize
512KB

MD5
9234ba59ab1336d0455fece7b7f7ae33

SHA1
99ce229d72ecb870f8abece9d61456c64c4fedf4

SHA256
cbe42892b4aea30cff9735dd3fd567ccc35535d7f353390db0a9b4df28ecccb2

SHA512
b07722a69ccb6d2781b1efdcc90965d3ccc807d3afdb4455824266d856b2461f6f0c1ab18d6df67789c4491ea4794cdc7300785ee7d103c36468c0f0f6360282

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\libglesv2.dll

Filesize
640KB

MD5
92981042771202cf30b02d4e73698211

SHA1
3b5345095c9446ce13503414cea3c404f3d8bb03

SHA256
3ad1364ca89e6d0b90c9cba0f3befa47ddb008d85e65b01e4e2a48e40d11be4c

SHA512
590b5db740227a9f3be5c5f66f2c3931da5d2c4637629a8508b005a6ace9bff572fda5d6c80f7ef4e02a65b500da3f6853297f2e549c98307c9bed34614afb4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\resources.pak

Filesize
1.4MB

MD5
0e56bc7551a96f84dd7bc68b404ffbf9

SHA1
7e8b71fde2421acb17fee83bc3d0df74fbd2f510

SHA256
68a8fdb70ed935118e2f1485838e0bef2f51115898d339aa311e3408bc319f09

SHA512
6512bc866addec042d6793df96184698ae1f2d65dbe9ae52468abf177af309713d6464a97cf6a8f476fe55423d4919c2f097fe0e3440de8e6a3a0b2250075202

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\resources\app.asar

Filesize
9.5MB

MD5
d837a281c4b5369c8fe6848907f1d247

SHA1
a1eaad49e13d64b58ba991451f56cc578e2b1d57

SHA256
b2faa22bcc31a80d5dd5c9d748951811a4cb50fa9e0eda2259f8452d6e7a6e1a

SHA512
ee365a326b4582da85e277cf3c043b391dc805ffbd7422f26d0c78cc9b97d771e5e214f11d088bd85a20235b72cf1ea5e3068dc5de9cd7e47223d9f2fb4bdf54

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\vk_swiftshader.dll

Filesize
448KB

MD5
190be4eefa1e05840bb49ee32320ec72

SHA1
ccdc02af90c2c0d9c07630d6a319c9f7744e549b

SHA256
a824b35a60823b5e5c47a598f136c82665a264545ee982ad2ad69b436b0a3e2a

SHA512
20804c04bf4403c83ab7a6f5c0799adadbf0645f6a3a47d6e7767dca139f3018654e511caf46a91a251dd3d37abfc54da4b33de98a91a4d858b51b34f60213c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\vk_swiftshader.dll

Filesize
512KB

MD5
63c0d02fb1b50813745f83b5158ef835

SHA1
21747b53a438bb91a158f3227c1c551eb551c0d6

SHA256
f141b741b5ab6e8434a6bcebd41f4330874db90850f56a12f422f34040df4deb

SHA512
971af4d7beede35d77c230d3636e9d1a765c2b37da72b0525f40e5b03abcee5ee68e2229fb9e4ea0e6257cb13ed549704a53d7efc9d4c2ad812cb4b1faffb63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dNiu8JVoUWUZ7CbD8IhUkJqPNY\vk_swiftshader.dll

Filesize
4.9MB

MD5
413700033c7a02a0fb21eb0b57e3d87e

SHA1
77961132c3450418f6f8601e9210420602039cf0

SHA256
2a711ae49eea54fd2d7e213af228ffaf57f5a76d8c8d9c225f4b055198f47bc8

SHA512
9341b8395d4a689b215246171f05f5a0ef7c02b9d1716bd43ed5ed1b8047042f29be4f7a11145dae40afebcd1b28b27519dcaf113398c181082d3e4e6b45d92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\68e433f0-5209-4537-876a-f6a2a3743b62.tmp.node

Filesize
154KB

MD5
cd377b1b62e707f788b1eb4fc7eb9033

SHA1
e0156d4b0ec82ae2a0c5bcecad9e51fd4e6ed384

SHA256
b3534aa759829810c18a4c8b9c85935c909f9aa38bd994239a09919365c7ce40

SHA512
1d7b14f7a589c9b06ff25f280e7b42ddfde9e27e7331e6c758a7d220f3c90b74099d1b9e5c253086263b4cf71145b56c3adf481a11fbf0a11f93ac750a2e1241

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4xakIAWm5mv_tezmp.ps1

Filesize
728B

MD5
1d755b8a92893d5831ccf01dafd16f12

SHA1
cf3b3e66d93271a76ce69c86930849d89587e67d

SHA256
70f9f1d9035fcdf93bdd9cc167b1fbed59d35875f9dfb074ed358dfb11c064ec

SHA512
a092c1bdd54791bb3b725872e7038aebd470c2dff3925fe4898f8ccb34179787f0077dbf8c2f8baa5f3d48f0be0cd8b37078a1062858fbc9768deda49ab5aea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dopbtnen.idh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe13885d-67f2-45f1-8e42-117fd7f1d52f.tmp.node

Filesize
576KB

MD5
985711a6160ca37f2ba6a36cd8ac1803

SHA1
7422a9624d6ac7b90b5aea4bf6be96fb0598091a

SHA256
a5527feff100234ae1a80cabdc63df9123424d2b46d65392b7b0eb67771a5eb9

SHA512
3525164a6518a1b18c13c7b8a4bf9add7b553bca0abd8f9585789f86a9e9f5d94a426404700c77cd5b46deee48498b3b6daf1e674b8c1691f275a301da833387

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\LICENSE.electron.txt

Filesize
1KB

MD5
4d42118d35941e0f664dddbd83f633c5

SHA1
2b21ec5f20fe961d15f2b58efb1368e66d202e5c

SHA256
5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d

SHA512
3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\LICENSES.chromium.html

Filesize
3.7MB

MD5
deceb541b6b82d25b93fa913b4a3a8f2

SHA1
7464c1bd8934225e0e8e2905dd0cf1fbc1823b30

SHA256
01f29cacc685ced081baf68cc6732985ddb1bdaa5863ed83738f41235d8eb64b

SHA512
4aa8d7fac97a3d6e651dcfaa685271bbf081ff20d5e584a6b0b6fc0d53e9b30f11a58cf5b3b5584cc512ea05bbcd35d9288c611a14541d25d9142ed86c8d9c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\Launcher.exe

Filesize
1.5MB

MD5
9e1c56afc79c01de3e243dda8173e432

SHA1
f077b5547fb7b541d1cae5a3788d1a96773662ea

SHA256
eb53d593ad0ea864551c41b6929a13bb9b765ab6f8cf1533705dfd53a278c6f1

SHA512
2bba68684f6d8007dcda749faf36a62c4aebf6dd8932382d04ff10e3bbaef04a13381fda93b1011739c79d6406fd37ed518375cbafc2236f4f684406b61ba7d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\chrome_200_percent.pak

Filesize
191KB

MD5
99b95d59d6817b46e9572e3354c97317

SHA1
6809db4ca8e10edd316261a3490d5fc657372c12

SHA256
55d873a9f3ac69bbf6eb6940443df8331ebd7aa57138681d615f3b89902447e7

SHA512
3071cfeb74d5058c4b7c01bfe3c6717d9bb426f3354c4d8a35bd3e16e15cde2f2c48238cb6382b0703b1cc257d87fcecfb84fbf4f597f58e64463ceede4366dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\d3dcompiler_47.dll

Filesize
3.8MB

MD5
221127ab9fcacc6c0dcf68840776ed8c

SHA1
b253a2c94a02a9a10f451e66a6b8f3ff47845f40

SHA256
e340c083bb54e24bcf2f54ee9c2549e0be807152ffb475d22ab3281e0f81a4d6

SHA512
1893394eb945f946a54ddbfade43772f8eaa6da2b41904b7f330bc82ae48953be9cdaf620dff39976cf66d8996450fbf77c448b6b19a00cc3b426122e508b5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\ffmpeg.dll

Filesize
2.5MB

MD5
38658d18a1e092f9c9fd30020882c326

SHA1
a9dfbd229d79975643a131739a4f109154a14fa1

SHA256
622fefb4508d36d635d90f3605f03df8cd1a4b3227c61aa9abb51188ccb619e4

SHA512
3316490d0b4367086d19d7ae4491859f7c611297793fd1fda56f7a37b6277a27d0f70c90d836f898479d0cc1dd6e5be5dba06a34ae58ffb83d34454df1fe50bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\icudtl.dat

Filesize
2.2MB

MD5
89359b9ff5ce998276058c99ed06b6a6

SHA1
4f63b8c8098199bf95ee00c6dae49b36a67b0f9b

SHA256
e56bd6dcf365df1b9981d4f9739d2a2efebd99cf77e8915a1068eaf00837b8f9

SHA512
dd7fd64cc3d554cf375ccc52ae33d9d12cbfd9906b5167c3b01fe7716a09b4d8da00201721908bcd821288480c2fafb765771980693cf344c360211ffa33a7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\libEGL.dll

Filesize
469KB

MD5
6c5b0b0db75e8c47ab56becc18711074

SHA1
496fbf7623a6c81b5c7ffa9b24b73281261653ee

SHA256
f37e1330f5213a7171d8d227300b431dee8ba4f5809c86dd88240ce440724d0a

SHA512
cd5689cd1f72ef0e7f92515217290179885ae9a47186351347cb93354c028eba1c543920cf51c0f83ae16543c1dffd7f7cfae05d6883c1bf40924af08fed89ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\libGLESv2.dll

Filesize
2.8MB

MD5
2e7a50d9d3deb9d56ac995e379475c37

SHA1
d0afb81fa8a750cc5a9eeb4ce306d0351c847b76

SHA256
4222cc95bcd9138f046f6167a43377e51a441c07402bd427bcc7c8d4629f72a9

SHA512
c8cee95f09550da9ced56dbf93728e4be0f42c2c0a93a6b18c6972e3809d41a0c9d4fc95db0a0cfbd0acf20ba49943a85622a621f6b6a25390fb56c9c285fd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\af.pak

Filesize
425KB

MD5
d16ef573959cf5cf0a6eea20136b9c0b

SHA1
e3384ae3ee92e1dae47a48e45589372e940aab33

SHA256
73a8401e6dc17c4daf86b42c65b81359348f7e6b4d62d8637138e747bb3ff0ae

SHA512
064c2912f766f10ec042adf82709ac9582cb8430e3550690fc17343c380dcbabadc0084e08aa5f3eb6faf79a652d26e1fe2606625a180b7f47808df07a566933

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\am.pak

Filesize
693KB

MD5
39a396fce4d93f744b3c786d62d2686c

SHA1
7ec8176e652b666b6ab9fffb6cb9b7dcfdd1a2a2

SHA256
0b1d326be9dabcda8e37740017383f2d8f1bec7a8fdb1f11ebe538c3632453fd

SHA512
798063b51f745fc2c9e7f852f72ce55939ed41305d070d1844c790755f7ab42a6830406ba2485237d37a0c46b804512e7dc37c65b7f03249c28741a4f706017a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\ar.pak

Filesize
758KB

MD5
14b15761cb9d4e1956812df8b42c2aea

SHA1
7c25580d892711b9eff1a3ace4e6699ea64e0706

SHA256
c8d405127b032587e6ae6426a35cb766139bae26170ca08d811354486ab667f8

SHA512
ec9a6e6e715c817726ad744fadca4d1af3015d95421774ccfe54d616225b7a17e862e086fe0aebb3a903d2ebfb27779cffcd713d3042ecdf9761c24c5a56cdcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\bg.pak

Filesize
788KB

MD5
01dfb1a7815613fa0a5411235f45b27b

SHA1
3bf1ea5597ac77b26bd30caa1efea7cb4f7a1b19

SHA256
13d08d2c4972cd18bb8ea8a57587dad29684c2336f73282dd3284b0649377cf8

SHA512
5d8a65e5a17aa163fb679e003e1837ea96e515b105c9977029a5ca4854845289de5d65c0edfd473cb74410c5cacdb5b360f25a69776705fb05f48688d92680da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\bn.pak

Filesize
1019KB

MD5
ff4f966849b4107535e41d037d9144c7

SHA1
3a973857b061914e8905bda7e8f2bdafa384588e

SHA256
2dc26dee345271f4606650912b0b7b5df68f621f2920864e0e36c1d1b22459b1

SHA512
98772f266f9553f77f91b11dc4589ec8a0930554e9e0b381bbacd8d23ce794c04f6fe821388a6e87cb14cb59c7522c18c06b1af11fc177c7e40ef71242adcba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\ca.pak

Filesize
479KB

MD5
a0b45b122241cf0c11a081eefb9cb4c6

SHA1
91fd660a4688aaa70fee42e783b8b1863b4d11d7

SHA256
7d911cda51564500dd7a6de43a1e347869427c035b15fa25cad0526be9e055b1

SHA512
abcb3bcb96934189cdfd52528cd7c65ea870c9b997bf6349599b7064fe6f4bef0d34809f0f958e4d4e46486e7c0a41f86b5ed0a132bbf20743d41f3af64788b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\cs.pak

Filesize
494KB

MD5
1101c784521a550b0561b363722086de

SHA1
838f2bfe3432b87b950a2ec5d9862d2f58fde3e5

SHA256
cc6ff937d1c9fec4634db4e2f6c0718d2606fe2d5d25addf1314e110c5b78772

SHA512
eca3ce2075d3c920116c9e34957631e0617a869467bb76b09873ae96f7803f20032a6dd0a0f785f9e59dcfce3a4ccecdab2d445a860bee20d42e140b45e74089

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\da.pak

Filesize
446KB

MD5
5b033c206820ace5eb4c6f82aed34a5d

SHA1
28017cfc13259273022059f02564ffc99dcd75a4

SHA256
1a51de04cb205c708520f1b013447f1a89f0b1330dbce6d1e71cf355319d1108

SHA512
e423069f7a895179ea17be5774284e9e2e27f02c40bac7d7211cab77348800622796f04c3e6618905364e189ca5ec772ed7dbd285872777d163d3ebec08a64d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\de.pak

Filesize
477KB

MD5
7ccdc41a3dbdf89058d71629225664ae

SHA1
e15c35b18685d9573349ff4247733b5f5ada8717

SHA256
163ea4c2cf67edd0526a8e18d3810872e92a1d4e17b5cf4f04107fda5967b0c9

SHA512
13b20b0db02a0a7480c56c79304ef594353507e1a30da0130b73aa8e9ec7636f306315a6f40729b10dc725f936642d2e2b282ed3040a079a6f25a7f9f7f1ae28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\el.pak

Filesize
865KB

MD5
2b391b2b35f7e096f696faf5dc093366

SHA1
1409134a46fcb84457a0e332edde98f7666246bd

SHA256
f1fe39af50f4bfe9edcea3af6c132e87d464d7277fb491ed95d7189b3157d20d

SHA512
aa640ca41dc9d4f60392b61bbead215345abd32369b0de90ed1d7ca2ff7a838d04689d538789a1adc0324fe4539c34db26b6c245155e51fb0308af13b60bfdae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\en-GB.pak

Filesize
389KB

MD5
745918a5a74c7b6f4818a8bb8813f456

SHA1
031f50286d003844425ddac557e13e2ea4554bc2

SHA256
91bdbf5f1f6bcbcaf16e47865f72ec97d72c74174fb929f089d14c00989f91f4

SHA512
5a1eb0231352705bab527ab27543612d75cb00c522620828ce2a0fdb0b47be9daa2dd7a192f8b4bf299007c5af1d9515f900b9586ba44dd2bd9f4cd4436aa681

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\en-US.pak

Filesize
391KB

MD5
c9c2abcb04e1ad5f1a20244da8d595a8

SHA1
89ca81da21900074a5ccdcdc852768277b2b620b

SHA256
0364c73f320e441b03cb2afcaaca3ffbfac51a3559dcd0ff99a1accf82c7f762

SHA512
96bbf21174f56a111a2fc6ec024ab2f143945306797e77d773367a7fad42b7828ebb7b08d0dab76858d9fa340bf3205be403bc53df9e5e4e390058c94a751ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\es-419.pak

Filesize
473KB

MD5
c8f488b85c17431360e531aa507be979

SHA1
bea5d66bdcc05869a0389e051a9217fd49e48fcd

SHA256
536339d99dee6e8c01f018d4700ddd92ce063f765766a48073aeb256669680c1

SHA512
1d7f9f84a8d7c055bf705c71efaea817f1b9dedd5ba314fec6ce5324f578d3130b5541bb52fa55db9f6e46efa8e152d50199a61c7e2466844a4414df65d61c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\es.pak

Filesize
473KB

MD5
29cbdcc2168f1bb29532122c39e67a1a

SHA1
f086c79d60daf2b0a7df91916387efa461795dcb

SHA256
232f41ab5996c917687276e82c177de208b36e77aa834bb5d94d6a331f4180fe

SHA512
b603edf2a18f5893ab482b0c34e4126f824fbdd1b669927d7bc30d68e2e5bdf78d7d4b2aabdbe257987e8e19f440d9396a3683340b94c3fd844c70e34e93d8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\et.pak

Filesize
428KB

MD5
5b169234895d929930140b4869a0b81a

SHA1
f58ba50d1e19ce191a0f8117f3e70f7f3dcb7362

SHA256
c465da80b14981bdbc687b7c37bf70d2bd4b8e03293c04ae5410f84c91ef980e

SHA512
c4297e272b5c04a0ee0956b873d5246591bee98c3b340e72202f3448381c691096a5bc540fdbcf61fb40d6a69270afa7198c1f0ccf3b2e84cabc906e23eb022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\fa.pak

Filesize
703KB

MD5
f7da0d07b54698bf8a213d0ccf1942c0

SHA1
d64fff18274ebe71a4aaa4754f9bb99d616fa000

SHA256
33bdd6eb52f648d475306f35b6103500b864672cbf39cc0fbd8c4ac84c997dec

SHA512
ce7a7b3df4c814a26e3fd9fddafc01ac1a4b2a87ef2d2893db5d0edf8e5b8bfe34afb6e91ff94306248361d57c6b3bd63d116635fb756aab74c4aed38f31c88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\fi.pak

Filesize
438KB

MD5
1cbfa553a5b1de642ea4c248dfe1edba

SHA1
5de05b3c11fdd59ff5064a153a6dcbda33350971

SHA256
8f3e8ec0fbb471b45db65a77dc1013e3363f387d3d0c6a458c90f371907d0085

SHA512
ea3b99be7da893be8c3b228d1d3d7b644a1f5425b5380dc3e0ae0ba1bd29cf39dabe73819bcc4fa67f10a488f018e9fa2328995cb78f40ae8fdb66aa514188aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\fil.pak

Filesize
495KB

MD5
8ce446cac9221f07f912be59534d86ec

SHA1
15cd1b902b26abbe665fed518575748483a9c3e4

SHA256
b6ce37b1aeb4ca17a7f78ebc8f97c2807f588dfc4ad3e0639005c626b5c9b939

SHA512
20be2b5c7e8fca897109b1dc8219931eaaa1c8296b1d26dcc7f9058168fef371d7955fb0f6c5693399b83fa81d27369efac8c3742059eea2333bd66d20b8d0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\fr.pak

Filesize
513KB

MD5
a1de4ad3d9b7aa8f122ba00cb983e49c

SHA1
323d6e1b4ed75f9406bb8488d7ffc7e12fa96886

SHA256
a69f52162f6081a06f835ede10818218df6e211f00d0ef24561e6221f4696e61

SHA512
542f0818ea4517fdea929f3d4938f7de75e2a5e6d872607e548f87de7e9cd0737fab3f5e82ab7895f44e809279d81c490999ed055acbddafe84f85e60ce2e23b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\gu.pak

Filesize
996KB

MD5
02bfa1114fd5b75261c24d6c0e6441f7

SHA1
d48b80339405cb8c8ec7a19b688e8d544938c4c7

SHA256
bbb17268412fb3e13584ca4dc90a94f984177d3c97ee89af2a57324709f8ed1d

SHA512
751b91d381c882a5dc0c0ee6313cf3e7ef51b4d369330a169cf9625de99e6019233109e815fc474fae44d79235940ba2ce68af7033f4c4c994e2774bbd8105be

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\he.pak

Filesize
616KB

MD5
9fccb330d8b07ca54661407cf737d847

SHA1
2c6f52801b66aac7d08acb60d9736f9149e48ae5

SHA256
bb06d364a91b8641724254822b2eec5d0675e262a4cbf93b92494f601807dbef

SHA512
0cbf36643cc7b1d85dc7cb7825bc816a8538d0cc50b137dd27d5a9703324ae7ff271d38dc0cd6e4a99c6b391070690b90eb8ddb1cc511bc8d84d49a32d36c34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\hi.pak

Filesize
1.0MB

MD5
cd91036827739441e4cc849aa30706d6

SHA1
cc8e4c53e18db16876f855c2377f3cf0e2abf95a

SHA256
0936587aa072339f8dc347506e5553159319a686010ca1912bed1d830e107c6e

SHA512
553773bdc11be94f495b88e0587d572455ef68c182d51c9e1ae0e3aa23744f836996a446ed136afc562eb9a110e435b494d5955d2792a364a619111e7b3550e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\hr.pak

Filesize
477KB

MD5
ef62a50cc098afcf3fab69c7502219e9

SHA1
db474cf332c90de660fc575ef897d5389b65784c

SHA256
07effa557c8bc822626c05a4d299296f88d3da0654248c326d796f7c2de3ec64

SHA512
7ae6f40c7bf404532df0bc2ffa449e0d99debc2b9816450ed0d015b1634dd96cd5650ab6af5a6d44d52d0e3c9c81836ee350210c4f8a13be6cc0cb796a630350

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\hu.pak

Filesize
513KB

MD5
51b14b96d1b9fa99ed849347a8954133

SHA1
5259b749576a9612e429a665dfc8bf47651c39ea

SHA256
70d4a0724a2e0e80ec047e7683eec7715c0fb5f88795cc97a63e4c2ee2237800

SHA512
b68d4bc792f29df210602a557d0b3333a95e30cd03a0a4cb5f537c9c51da9937119391f2a359c03fb874c1f540c23f44bef121e45f048f32b1db06d67a0bad1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\id.pak

Filesize
421KB

MD5
3b5e08406059d1a76566e9a5d4c9b15a

SHA1
6bf45f2647e959ec1b545763180e8f29961ab3e1

SHA256
60409d8b785dd057e3495190b18e6d6d235d8313555341cba5f64327e3d8c3aa

SHA512
6c4150c064edf6ed0b83b216ce62134bbab12137e6b45749dad08d1d1734b3365309414900615137c6acdd12250add5c69a222daa7984a94ee850aaa55af1b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\it.pak

Filesize
466KB

MD5
4e7ab6a5d407bf4d3f96671d65e467f9

SHA1
67f43053ccd167f2ce6d945202f64df29ee1ac49

SHA256
20408c09d9447f44aa920f2529d231072db8bb9c0c8b8fafa2db733561eb6964

SHA512
bf493e1a1c0898f7a54f8a5278dc0ca345e9937efe269b1bd3a3bc90645d767070ec9c117df001f8c3b51b4a383c30f025daf79606ac1840fcc5878ad4c53624

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\ja.pak

Filesize
570KB

MD5
74e2430cf18db7ecae2a9b1feeb049b5

SHA1
362a5f3e4d8a79b9d0b041d62a8a5233e20fb208

SHA256
1a726c500b5b3efdbc7b9e6626765dcb8957005f9c072c09d1f517587d6b673a

SHA512
324d0ba770c09cccac4c59e0e0605846a4e18f32cc79f14fbd4e5b0172f439ef8dee538f686458b3a07e5e8b4528ef67aa5d339ae25f7c601c9a302caa7970f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\kn.pak

Filesize
1024KB

MD5
1f566a447fc869472b8e6db0fb57e929

SHA1
70572aceed674005279f67a7f40a2fda5b1b38bc

SHA256
7a716eb7f4db27aa29cbddae04d6dec9295f3c660ad55fa521584581b38ad280

SHA512
f6d858b715ecc1065c85fb571428771b667db22f754d8e30ce10f9640275eebcdaa3b38c30775fb9d1f207236cd4a962a89958bdff07b53b3dfa9b72b94e943e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\ko.pak

Filesize
481KB

MD5
a9b446bb79b0e5d0b4af4f7243b1f3e2

SHA1
fcf962506b32b34a6315ed61acdece33df3dbf23

SHA256
507fc8d2a468456f2842b65a111fc0c74fe1f56d5f5ac0d6e743aef186b43b2f

SHA512
e7f281206bd481427a75b581f8b2a435eb8a29bd8b5586a8db78605b1c1bbc20dc1f4b2ff92d04c62fb509dc6e1e062d1d584c195e386c5c2ffda0f764276aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\lt.pak

Filesize
519KB

MD5
49201fae17b715a15fa03c4d89dd2176

SHA1
7c559c174850de48c4a2837fe32c58f74d8150b3

SHA256
4a80792cb9a401ebfa7ec3212182b5024d651ca6a5ead8fc9809d0d3ad4803cd

SHA512
3016f721d77206e13e275e7eea1adc95d403feaccf595eacf933940485031e9aac0c29b6f47a9ff5f73b08c354b7b82c72193c83e1ff09d84cb5b9b72b708166

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\lv.pak

Filesize
516KB

MD5
335158efe454819a0dc8de0edb0f0e90

SHA1
85871f85f626db1fc597ef24c79c84115a66c17e

SHA256
113073cf60ae3d2bcf8a61df655762e34ba28e4b35b97de33c18e13f959d76ff

SHA512
f81733bca3fa65c789630b55c4f414a8541e71c4e1aba56bdb9d231ce189677b3bff4dc57c92fbe1cbc88f1f2f7fbf1a7e4319a8918c50409fcba958d743ccbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\ml.pak

Filesize
1.2MB

MD5
1030c08ffbbe7366ce5b7d55bc8ecc0f

SHA1
b45b53c1e47a0051560c607874357130c499563d

SHA256
e1f97ce3011d9231f23fe033bdbb0905c173921b18402d362bfc35224ff67db7

SHA512
3b9127a0eec02f75f79c66f5f7845b65c4ebe2e6a33989c7686815ffe0651be47d42f55c2f32a67a221495a8bebf043d853df7b244a68f89390044210e52dd3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\mr.pak

Filesize
256KB

MD5
85d53cad4fce833591b05a73baa2cc8b

SHA1
ed21e89bb83d99e97e9c7e184445306e8dda3007

SHA256
4359df2aa1b84edcbf24571563b1a57991e0dcb6e93033e89d5ee73e9f084405

SHA512
681ad34af0bd02429de09bfc679b9a1775c09524fc734d3d27de1051eecccbc7a149d40edfacc9927f30c5763940520319edd0174fa2eef45b482c1f61da807c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\ms.pak

Filesize
442KB

MD5
3d0dc94a638f98d9bf3c0f60f89a0c95

SHA1
a979b04c65832d908305fb0406cb0653271ad744

SHA256
a9f9ae23a3bc2ac919c5b46d16b7e1f3bff73698d2626260196210e101d119c2

SHA512
6d687f1eb9a7fda3791295487063393b8f0a7409b55461b185aaf106c596229de6988114230625d6504b869d25d7a624bc3b90d66a0bdf561cb05a57d5b87c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\nb.pak

Filesize
431KB

MD5
9c18dfa9e69c1d7810132800d084136c

SHA1
bbaa9576e1b012df33d79a5dc7776c00e67295e4

SHA256
4f3babcbec0d138654ec59fd8ab5fd58da2273237a587928b9687928c7ca10ff

SHA512
a82b1e340a25a3858906ded73624bd0be4b3ccd1f5728560480b4a4e3a78529f5a178d20cf7d95fd55ded7ca4fa95a5fff87d89f0520ea08b54e7b99c9057d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\nl.pak

Filesize
444KB

MD5
5cde06a63c9dc07fdbb0fdc94e403d00

SHA1
11be56054908f1f9cd56ab77692fe3717ee91ee8

SHA256
3b9ed5ed0dd07d8fa67412a046ab085137542c156876dbfe6f83376571af91a3

SHA512
2716496dcbf76cc2dece938103813a8dbc17d4c795b4e3459a572de4f62f9ac0e1788de3a21f5fb287ad364decbd541a5e3bddd406e130d2a9c72118ccee5390

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\pl.pak

Filesize
497KB

MD5
b44fcf9fdc4ec7bb5e72cae30aa15c01

SHA1
daaae4aa7987bcce299995feea5c54f2d77b61d4

SHA256
7f1a8392fe3aff4e6bb4bacbc1f4b395f08ecafda9f81e36b41b77fb4ab0bc76

SHA512
52b46d7affac4949fa19841d26d2f4bf877e36cbda4b75f3ff289a7abe9a80c2a014b1ae23d3079f4d31ed5fa76c320103733284a2c13d99a451810407325674

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\pt-BR.pak

Filesize
468KB

MD5
de8ff9456ba9ea999d0d1bc9b831e7ce

SHA1
1d67c6dd97fcf221c71137cc8b1946368807aba8

SHA256
b32fe8f602ec9800d59806e097e369fd065d8fbf473da40fd29289493489930c

SHA512
5a3a48ddad801382ec9065c6160698dd746aae810374c2b772d521a1764e7e0fd2c28c5dd1cdccb50834d699ee19441713fe10a91dddead46ba0cff3edbd6984

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\pt-PT.pak

Filesize
469KB

MD5
002d5b37e68a0725dd7d89fe3fc7ec48

SHA1
545de8047d3f89150516b95031965adc8f17df68

SHA256
1fadff356a7e89a8ff2af3ddf84f70fd0ce69525c7787f8adae10beed9d76d4e

SHA512
abad6cbb30a958bb84a521a66636af4221a9f63774122d3ac3b552503930ad83d343ec4c8109c8031cab17c546ef7549aa0f87746e39a80f6758fad28ecee129

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\ro.pak

Filesize
486KB

MD5
7056fc61de4a16c7f4f5bf44d2e87f8a

SHA1
99d16dcb3b1aefc472601439f630e1244b1aa277

SHA256
b7ba9435d82f6bedd7005b6e868ee86f0bb6c4d7b312fe5f5d4afbd440ad5b85

SHA512
529152da39f7ade6713206fa9f767b35b9bf03816387579522eea78ac7d0e150bad557fcdbef51e76d52e39f61a0b4e54ff6a3b592eb7e34fafdb98afe460f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\ru.pak

Filesize
797KB

MD5
91379a583d22fa9343ed466c261366ff

SHA1
61e8c39235945c4f38807b14ac74da7d3257759a

SHA256
0d4d0b8052519848abd182c44dfbf444a77a0c6994965c4a3001f0a3a4d1459e

SHA512
dde26b59a1e5f94d5b245f47399d7a9d3db8d247037331a471c39b1d7e79e236c5a0732fea4c53b843d8eaff1f54ca155a816a193b7baa870fc458a5aadf76be

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\sk.pak

Filesize
192KB

MD5
458171c9f8ca24cf1882f37cb6b493fd

SHA1
3b5be0af6b92ef04b32920670170909dd14e7b44

SHA256
786a90eb38ce1269619d7a244680de90390f7d8f629aae0a3be520bf285218a3

SHA512
480b87daed32f519e7dbd64061c05e069e17a289e6ae225e36086673d8866894c09ada7d59eb1e7375eee90799d4620a4b07a1273c61ec9cc52cf71dc83fbf5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\sl.pak

Filesize
192KB

MD5
12b2c0a8ba55ceb1f04f4baa1f397b7f

SHA1
be3f06f0cb2b84215b045d5fa5b3272360171138

SHA256
edca66de58311bb1d9a696a8c155e0e60e874edbfe814867c166f5d430a4fd5c

SHA512
88fddc5b494e5f52f4634360d4ff172497aba4db57da94af5fa5d2f2516b1e79de931f3308021c2614edeeb9e11a338fabf43d436ba5bbe888e63f8bfc972d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\sr.pak

Filesize
192KB

MD5
2a18e70e2e9025eee8b5f552bc8b1199

SHA1
48c44715cfc68987a17172722cea26493d544d57

SHA256
56d3d8539c6322ee00a5fdeb9935b68d3c787c3258a35c33733c4069474d3d6d

SHA512
1a89d345beb445616589a086dca56766c914181fddafba0c29ddbd73ef04be69f6d40ea50addf7ddcfa697ed4f39734b8d15f2cbce150ada26de66c0d2f6e2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\sv.pak

Filesize
129KB

MD5
b9e8d31072c78155534bc8007081c560

SHA1
77c8146c137e38b45e598398837ad6354798e423

SHA256
9a7510c9c846cbca120b7c169f9ec4d29addec8a0a14ffcc2b17dfc19d74d4bf

SHA512
d31ea101117abb80a7a5f9fe6a09f0b1a0b7a2d296ce8d930a71a6c437237efafd4365c6170fc14be1bf0ac94867531092044f96337a0e686ae7abc60c1a6673

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\sw.pak

Filesize
149KB

MD5
69f757c937bdd4b144ed426bdb34a10f

SHA1
0a83c2a8eb809425acb26dfae3d1a142c11f751f

SHA256
da968e8c12ec69cb4407bd2b7004ff163ae09da857c6fd8d9623629a9851913d

SHA512
5ad4ebcf2586a18c8648273ce62a6873f73dda0b94b2d760fad9959094fdc31acb6ca1e849adbf75bdd81a72a3793595468e883b0bca87f742ea21eb6486f013

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\ta.pak

Filesize
128KB

MD5
43139011dbd2ae32016cf76c728da31d

SHA1
df0c2f08833003525d1f334ff7207ee33294cee7

SHA256
6176359734acfdd36f22de510980e73d0af03f5cc27ae29e8c6ca5d73333c6bf

SHA512
edbfb2a827ad7a1ed1f6ddbbd97ae40f4359e1c6b39a30abfba673c4d9a53345adbd9e2d49fab7659f377b34071e3304ddf8db2b5da539b09a3db7c5daf0740b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\te.pak

Filesize
1.1MB

MD5
5f9b7a945638b88e75a3175a7923119d

SHA1
6af614f2cbd72da2224f48a203a6430a623fc7ed

SHA256
3b476d2ce7c72c3a10170808020dc3f1a87309f9f725b08217c4716b28d10888

SHA512
3b66c9152ec032d6f2372ae5075cbfe7d0fb398c4bf173a7f8c76d91d9eaa816e6f839b90884533b46a9224e9fb52c4d439b3d1907885b8e9f80c5c55a852b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\th.pak

Filesize
918KB

MD5
84ad3f888c0ec307bb7b8c278cd36757

SHA1
948a5f8b43d059280d5374ca6d66e8dfc6a76d49

SHA256
56665860fe6577fbe00543a47a15e10eceae83458815f2989d179e42af07f81b

SHA512
7001c0607df927145e40a605e2b97914d02712d11e09ca20339cb1aefb042a1f853fd06e78b76f6dc6f19b6df837bca12946a3470c6c064ca767af1db57042e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\tr.pak

Filesize
465KB

MD5
0aedf5c2f6f4f49074a2adea454df4c9

SHA1
a48d9d8461e61170257897766dbd6906e754a0c3

SHA256
3f4658b3811b36f5cad794e48e6507335abfe78b0bfa0c80d1ef9c5d7bb410d0

SHA512
e359e446330fc154c16e34a7335174f372bce701faf85de8a5f4b432ce3e10c69f42c93b7182deac89bb4d29750d0dd525b6dcd74a5b7bd724f544d14ba44a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\uk.pak

Filesize
798KB

MD5
64aa9344abd9a32f10d6c05a58eda4eb

SHA1
3286ee43f36e2232677b4573e8b4a3303c7df048

SHA256
ca20af5982ae706f5029467901d7d66f90b261f03c7d240d0d1ab2fca2b50a7b

SHA512
dd768b314da50b8ba5a006a4e56d70044c1af79960834722894d930f5347194ae7f9f5697bc4cd0790a79341635cb1df8c74ff45f74d1736049161af5b163efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\ur.pak

Filesize
696KB

MD5
88eef2798dee8a361c3ea9bafaa02a35

SHA1
6f8d4ce422336ca5048ef35d6ece360a9b416d8a

SHA256
91318006c880e427417a2b2fff81fd451769a5536fa16d1dc185972137bc2d6a

SHA512
db36b58186f165ff3f746ac483f75b6fed596fad9b3f335e86b374b359e563407acf58ac7cded9420e4fcb91f31eebc8a91c7777ea59bafced8cff2f1c0e9a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\vi.pak

Filesize
551KB

MD5
4c5c09cb7e6eb120c8019fe94e1ac716

SHA1
f018e7f095605e21db24944b828cc3580cba863f

SHA256
e7319ca18eba379772954132493bbabb448d4e97d755b85360ed337216b48800

SHA512
d171ee83cf02a8904290a74df1224556887e41333b8a01fbd95f0cacc88d230195fbfb6f99f9e02573d4864b3c95b570a77c2a0b1e19324d2599925e40684807

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\zh-CN.pak

Filesize
398KB

MD5
07b6c43d87dbf93ac8abe6837f3c2103

SHA1
79e033179b445609b3f1756c3f4184d5efacf1c2

SHA256
7f85b35938fadca91bfd8f92ca53613718e375ef010c340947dd27a4ff66594c

SHA512
38ef8f8a8a950b11c18eb7a40da721b888ef792a49e1371dc8c1eb22058a6791f95bf9b25df4ba190a7aa6cb62ce38b0bfaea83c71b62cde6980d12cf9da53f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\locales\zh-TW.pak

Filesize
394KB

MD5
960e99a171c4ed4b6d787027ba88774d

SHA1
e3869aff0c52841c9df718133e7c4be2977de7fb

SHA256
e42640f5309add2ea7fd5a4db503b93e479ef14807710a06d7e53a0f261da8e6

SHA512
4e51d787aff8f425d101882bd70e71b88b253f2ca61ed54dd7ff77c7e3a1d6570b270f4eb91f2d03869ea4537d09e141f3e32ea3a27537295ec698bf26305cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\resources.pak

Filesize
4.4MB

MD5
de6f965e77880daa5f3af405d68af132

SHA1
eff05f05777190dab7365031d0a88f931708199a

SHA256
be1cad33843a814c73436e4185927e7f287bfb32621075b697a0a992f07484b4

SHA512
f0d157781de45caa236dc2e5d9831382fe26d81bc6208d69a99de2bb3db56117015d0266d938e1c36aa380c89fdd3387cb0effdf7f3d6017b514068d07d41106

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\resources\app.asar

Filesize
4.3MB

MD5
93037444f5bfb2223b8a7951fd651702

SHA1
ba513dc11472c22699379f7af7284978a65fdaa4

SHA256
2f9909794b39dd12c5df6010a9be8769eee5784ee68f54fb7cca0466ab65e572

SHA512
1d7a2f0aaa1d79db781de176ad62efa783d5c58a1f069905dccaa3b2f1931f4c34a7c3746128de0a552117de1fc47d09bcdc3adf1ea268eabff745ad9548560e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\resources\elevate.exe

Filesize
105KB

MD5
792b92c8ad13c46f27c7ced0810694df

SHA1
d8d449b92de20a57df722df46435ba4553ecc802

SHA256
9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

SHA512
6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\snapshot_blob.bin

Filesize
262KB

MD5
40a3c2200e4126e8c47a7802532c9236

SHA1
212a4686dea5a467b7b6fa54397e42122b235f1e

SHA256
94aa518fc892ee9a0f1eb5fe35b60123ee61a5f848864b00519b96d8d5d9786d

SHA512
fa1a943822abe3737587d520654078117cae86c58fefe6dd6a09f4a08c09293e9547a0ad79c52f8638dfbb1c496df3d0e828ce414176c8fbb77113be41212866

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\v8_context_snapshot.bin

Filesize
581KB

MD5
264e3b574e4f86b1fc47b2427402e779

SHA1
4a4f9e7c3da262713e4cf7af6ac51822c56b5ef3

SHA256
ed559c6e81b6003b2057e5c1b0bdb5b28ca094b895ca86c69fe11c5c9e014f06

SHA512
144365d0fb83576aaa02ea6ecea51d7ba2cacb044eea568a08f65b98a83d3e7d7e693738e065e22f94bfd1165d0ea93a749dd1325d829257a9bb6607a9a927db

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\vk_swiftshader.dll

Filesize
4.2MB

MD5
795bf67fb83f492c0af616dbf4f120f5

SHA1
d4335b3ccb44d195b2b0d6744887b5e40ab4abcd

SHA256
be95098bf781f1abca62b45c244af3215360f381378e09379335cd41d79d5559

SHA512
9a1f831565ca53560b4b85a4209e8982d57054f20c01f36dff42a6bce9f141e6a303f4c12c064d66f3a505605dd66896970703a34b8020df76e6bd7a5336300a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\7z-out\vulkan-1.dll

Filesize
917KB

MD5
a820f574b55fc3dd5a7a5fae89e90bf9

SHA1
c0c81463a64b3f98a6a3c8810f4dbb42ae284f9f

SHA256
52ba3ca2a03fd547e0ca45d8338265f4c5898a7c0e941dc90c80e9e5e9fbcebf

SHA512
4f0f65141a8941f66c452389d75dc719a27ea213502abe05353d4d8dc1a494ae67ea38af19bef4dc4ae6c97427043c175d98af8b0247a8fc2337a9492c75ddcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD8AE.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/2876-845-0x000001A204340000-0x000001A204341000-memory.dmp

Filesize
4KB

Download
memory/2876-836-0x000001A204340000-0x000001A204341000-memory.dmp

Filesize
4KB

Download
memory/2876-842-0x000001A204340000-0x000001A204341000-memory.dmp

Filesize
4KB

Download
memory/2876-837-0x000001A204340000-0x000001A204341000-memory.dmp

Filesize
4KB

Download
memory/2876-843-0x000001A204340000-0x000001A204341000-memory.dmp

Filesize
4KB

Download
memory/2876-844-0x000001A204340000-0x000001A204341000-memory.dmp

Filesize
4KB

Download
memory/2876-838-0x000001A204340000-0x000001A204341000-memory.dmp

Filesize
4KB

Download
memory/2876-846-0x000001A204340000-0x000001A204341000-memory.dmp

Filesize
4KB

Download
memory/2876-847-0x000001A204340000-0x000001A204341000-memory.dmp

Filesize
4KB

Download
memory/2876-848-0x000001A204340000-0x000001A204341000-memory.dmp

Filesize
4KB

Download
memory/6848-816-0x00007FFF03270000-0x00007FFF03D32000-memory.dmp

Filesize
10.8MB

Download
memory/6848-818-0x000001F61A060000-0x000001F61A070000-memory.dmp

Filesize
64KB

Download
memory/6848-824-0x00007FFF03270000-0x00007FFF03D32000-memory.dmp

Filesize
10.8MB

Download
memory/7564-806-0x00000274134D0000-0x00000274134E0000-memory.dmp

Filesize
64KB

Download
memory/7564-819-0x00007FFF03270000-0x00007FFF03D32000-memory.dmp

Filesize
10.8MB

Download
memory/7564-807-0x00000274134D0000-0x00000274134E0000-memory.dmp

Filesize
64KB

Download
memory/7564-777-0x00000274134D0000-0x00000274134E0000-memory.dmp

Filesize
64KB

Download
memory/7564-755-0x00007FFF03270000-0x00007FFF03D32000-memory.dmp

Filesize
10.8MB

Download
memory/7888-830-0x00007FFF03270000-0x00007FFF03D32000-memory.dmp

Filesize
10.8MB

Download
memory/7888-797-0x000001FAEAC60000-0x000001FAEAC70000-memory.dmp

Filesize
64KB

Download
memory/7888-766-0x000001FAEAC60000-0x000001FAEAC70000-memory.dmp

Filesize
64KB

Download
memory/7888-764-0x00007FFF03270000-0x00007FFF03D32000-memory.dmp

Filesize
10.8MB

Download
memory/8796-607-0x00007FFF03270000-0x00007FFF03D32000-memory.dmp

Filesize
10.8MB

Download
memory/8796-595-0x0000026F36660000-0x0000026F36670000-memory.dmp

Filesize
64KB

Download
memory/8796-594-0x0000026F36660000-0x0000026F36670000-memory.dmp

Filesize
64KB

Download
memory/8796-593-0x00007FFF03270000-0x00007FFF03D32000-memory.dmp

Filesize
10.8MB

Download
memory/10328-590-0x00007FFF03270000-0x00007FFF03D32000-memory.dmp

Filesize
10.8MB

Download
memory/10328-586-0x000001205B570000-0x000001205B580000-memory.dmp

Filesize
64KB

Download
memory/10328-584-0x000001205B6F0000-0x000001205B712000-memory.dmp

Filesize
136KB

Download
memory/10328-585-0x00007FFF03270000-0x00007FFF03D32000-memory.dmp

Filesize
10.8MB

Download