553cfd502f672ddc071b7988611248a36ff1d0827973ba2ace2b1ff8bbecacf4

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

antagonist.exe
Size

52.9MB
MD5

86e4875abacc9b6d270c35d9b0a61c3e
SHA1

03d35145c6d108e9c710d3c79d01661cdc688892
SHA256

3efcb5efc2792f1b3b9111da25336f9a81b02e7b7e31e03b6f2186380c1b98ff
SHA512

cf179c6ec1c8791750733012b3d8fc5a6b5ef381f03fedf2599bea593e98b8f93a69087f729cede719e81126a3557be6440c74f1fc0df54d4193798f3260b015
SSDEEP

1572864:91rFCjZ4mexgwwO2VFOWUrFNM435VF2+WoSL:9ZF2ZaxgwwPV0WgFNhpVF2+Wt

Score

8^/10

defense_evasion execution persistence spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2128	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation	antagonist.exe

Executes dropped EXE 4 IoCs

pid	Process
592	antagonist.exe
1716	antagonist.exe
1960	antagonist.exe
2576	antagonist.exe

Loads dropped DLL 18 IoCs

pid	Process
2788	antagonist.exe
2788	antagonist.exe
2788	antagonist.exe
2788	antagonist.exe
592	antagonist.exe
592	antagonist.exe
592	antagonist.exe
1716	antagonist.exe
1716	antagonist.exe
1716	antagonist.exe
1716	antagonist.exe
592	antagonist.exe
1960	antagonist.exe
592	antagonist.exe
2576	antagonist.exe
2576	antagonist.exe
2576	antagonist.exe
2576	antagonist.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\MfCeyYAROrWKujt.ps1\""	powershell.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
2020	cmd.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	api.ipify.org
7	ipapi.co
8	api.ipify.org
9	ipapi.co

An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs

pid	Process
1420	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1936	tasklist.exe
2000	tasklist.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2128	powershell.exe
1756	powershell.exe
1960	antagonist.exe
592	antagonist.exe
592	antagonist.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2788	antagonist.exe
Token: SeDebugPrivilege	1936	tasklist.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2000	tasklist.exe
Token: SeDebugPrivilege	1756	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 592	2788	antagonist.exe	28
PID 2788 wrote to memory of 592	2788	antagonist.exe	28
PID 2788 wrote to memory of 592	2788	antagonist.exe	28
PID 2788 wrote to memory of 592	2788	antagonist.exe	28
PID 592 wrote to memory of 2020	592	antagonist.exe	29
PID 592 wrote to memory of 2020	592	antagonist.exe	29
PID 592 wrote to memory of 2020	592	antagonist.exe	29
PID 592 wrote to memory of 1996	592	antagonist.exe	30
PID 592 wrote to memory of 1996	592	antagonist.exe	30
PID 592 wrote to memory of 1996	592	antagonist.exe	30
PID 2020 wrote to memory of 2128	2020	cmd.exe	34
PID 2020 wrote to memory of 2128	2020	cmd.exe	34
PID 2020 wrote to memory of 2128	2020	cmd.exe	34
PID 1996 wrote to memory of 1936	1996	cmd.exe	33
PID 1996 wrote to memory of 1936	1996	cmd.exe	33
PID 1996 wrote to memory of 1936	1996	cmd.exe	33
PID 592 wrote to memory of 572	592	antagonist.exe	36
PID 592 wrote to memory of 572	592	antagonist.exe	36
PID 592 wrote to memory of 572	592	antagonist.exe	36
PID 592 wrote to memory of 1420	592	antagonist.exe	37
PID 592 wrote to memory of 1420	592	antagonist.exe	37
PID 592 wrote to memory of 1420	592	antagonist.exe	37
PID 572 wrote to memory of 2000	572	cmd.exe	40
PID 572 wrote to memory of 2000	572	cmd.exe	40
PID 572 wrote to memory of 2000	572	cmd.exe	40
PID 1420 wrote to memory of 1756	1420	cmd.exe	41
PID 1420 wrote to memory of 1756	1420	cmd.exe	41
PID 1420 wrote to memory of 1756	1420	cmd.exe	41
PID 2128 wrote to memory of 2848	2128	powershell.exe	42
PID 2128 wrote to memory of 2848	2128	powershell.exe	42
PID 2128 wrote to memory of 2848	2128	powershell.exe	42
PID 2848 wrote to memory of 3056	2848	csc.exe	43
PID 2848 wrote to memory of 3056	2848	csc.exe	43
PID 2848 wrote to memory of 3056	2848	csc.exe	43
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44
PID 592 wrote to memory of 1716	592	antagonist.exe	44

C:\Users\Admin\AppData\Local\Temp\antagonist.exe
"C:\Users\Admin\AppData\Local\Temp\antagonist.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\2iNSmXIeLk86GKE0EBlvCFwO3go\antagonist.exe
  C:\Users\Admin\AppData\Local\Temp\2iNSmXIeLk86GKE0EBlvCFwO3go\antagonist.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
    3⤵
    - Hide Artifacts: Hidden Window
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3-z0yudr.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AEF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3AEE.tmp"
        6⤵
        
        PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,111,179,208,135,196,238,156,75,178,37,80,253,131,160,57,5,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,252,109,145,134,41,133,56,51,58,221,29,105,60,238,113,44,142,142,122,69,85,113,46,9,53,29,188,131,62,208,21,67,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,47,253,228,82,188,176,121,88,241,115,215,240,198,113,37,68,78,255,115,195,141,131,184,168,214,248,112,34,156,125,188,187,48,0,0,0,224,174,198,10,41,135,219,192,150,251,94,114,162,24,36,21,34,245,154,124,244,200,219,202,38,205,50,184,157,89,115,169,40,205,255,140,126,26,112,40,10,243,244,42,96,181,103,224,64,0,0,0,229,173,83,186,146,84,102,199,203,141,75,36,246,164,121,196,224,54,235,191,43,160,215,105,165,249,142,154,224,244,82,229,78,200,54,99,114,8,100,114,28,170,0,59,62,225,141,137,217,236,97,103,96,234,8,16,151,14,212,76,12,124,8,36), $null, 'CurrentUser')"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,111,179,208,135,196,238,156,75,178,37,80,253,131,160,57,5,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,252,109,145,134,41,133,56,51,58,221,29,105,60,238,113,44,142,142,122,69,85,113,46,9,53,29,188,131,62,208,21,67,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,47,253,228,82,188,176,121,88,241,115,215,240,198,113,37,68,78,255,115,195,141,131,184,168,214,248,112,34,156,125,188,187,48,0,0,0,224,174,198,10,41,135,219,192,150,251,94,114,162,24,36,21,34,245,154,124,244,200,219,202,38,205,50,184,157,89,115,169,40,205,255,140,126,26,112,40,10,243,244,42,96,181,103,224,64,0,0,0,229,173,83,186,146,84,102,199,203,141,75,36,246,164,121,196,224,54,235,191,43,160,215,105,165,249,142,154,224,244,82,229,78,200,54,99,114,8,100,114,28,170,0,59,62,225,141,137,217,236,97,103,96,234,8,16,151,14,212,76,12,124,8,36), $null, 'CurrentUser')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1756
- - C:\Users\Admin\AppData\Local\Temp\2iNSmXIeLk86GKE0EBlvCFwO3go\antagonist.exe
    "C:\Users\Admin\AppData\Local\Temp\2iNSmXIeLk86GKE0EBlvCFwO3go\antagonist.exe" --type=gpu-process --field-trial-handle=1168,11608870359578157650,10984296089340397699,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1176 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1716
- - C:\Users\Admin\AppData\Local\Temp\2iNSmXIeLk86GKE0EBlvCFwO3go\antagonist.exe
    "C:\Users\Admin\AppData\Local\Temp\2iNSmXIeLk86GKE0EBlvCFwO3go\antagonist.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1168,11608870359578157650,10984296089340397699,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1528 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1960
- - C:\Users\Admin\AppData\Local\Temp\2iNSmXIeLk86GKE0EBlvCFwO3go\antagonist.exe
    "C:\Users\Admin\AppData\Local\Temp\2iNSmXIeLk86GKE0EBlvCFwO3go\antagonist.exe" --type=gpu-process --field-trial-handle=1168,11608870359578157650,10984296089340397699,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1280 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\edge\Updater\Get-Clipboard.ps1

Filesize
3KB

MD5
52cc110bb3777aa6bba7900630d4eb49

SHA1
3663dc658fd13d407e49781d1a5c2aa203c252fc

SHA256
892a9edb03db3fd88fecc1e1a2f56a7339f16f6734e8d77e6538ea2c8c9026d6

SHA512
89b80d2783e902d68ffd08b6f3fb1848ae6e6c4bf2d7a1e4afdac970b2ee6ffcc58116cdd6234e3d6278eb9413d36aafe62b5beca24a0846575d12af0c5112ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\2iNSmXIeLk86GKE0EBlvCFwO3go\D3DCompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2iNSmXIeLk86GKE0EBlvCFwO3go\chrome_100_percent.pak

Filesize
121KB

MD5
06baf0ad34e0231bd76651203dba8326

SHA1
a5f99ecdcc06dec9d7f9ce0a8c66e46969117391

SHA256
5ae14147992a92548bcad76867dd88cdfcdb69d951c8720920cce6fb135e3189

SHA512
aff6616e56781ebb925a0ca146245ad3b2827250b32261c0c7c0d5b10b20a343a17fc3761c95d93104163e77b2eae3f1f9cbd3cb2b377f49b42bea39bdd09b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\2iNSmXIeLk86GKE0EBlvCFwO3go\chrome_200_percent.pak

Filesize
181KB

MD5
57c27201e7cd33471da7ec205fe9973c

SHA1
a8e7bce09c4cbdae2797611b2be8aeb5491036f9

SHA256
dd8146b2ee289e4d54a4a0f1fd3b2f61b979c6a2baaba96a406d96c3f4fdb33b

SHA512
57258aa169bec66abf0f45a3e026bb68751fb970b74bd0cb465607fa3b2a89967e832d92d8f675f0449bb6662fcb7786d05f0597124cc8e18bb99a47245779b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2iNSmXIeLk86GKE0EBlvCFwO3go\ffmpeg.dll

Filesize
2.7MB

MD5
eabfc10d56cb44a86493cb2f8ca7aab2

SHA1
09d7e87f43527333cd021329d6c2f4e8bd8ddab5

SHA256
42a2a996ac433ac33a22776b8418a82753557093d90147b7951138b5c83924b6

SHA512
ee31e3539fba9e5969a9f38c428f586de2dd7630cb5d8c5e3c2c934b5881f8176b8ab6ef6397c1ce4fa6ccf3ee9615225c7afa0e0b28c6fc23974e8b96625dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\2iNSmXIeLk86GKE0EBlvCFwO3go\icudtl.dat

Filesize
10.0MB

MD5
ad2988770b8cb3281a28783ad833a201

SHA1
94b7586ee187d9b58405485f4c551b55615f11b5

SHA256
df876c7af43ed93eec6aea4d2d55c805009c219653cdeb368f1d048f4922b108

SHA512
f27e542a9c6c60fa28c5b7cc2818079341ef93aef3bbcadecad2dc11aff5b1592b19c7ebfa543ea42a3cbfec26a668641b255545fb0912056e25e852c2dedd01

Download Submit
C:\Users\Admin\AppData\Local\Temp\2iNSmXIeLk86GKE0EBlvCFwO3go\libglesv2.dll

Filesize
7.3MB

MD5
bc45db0195aa369cc3c572e4e9eefc7e

SHA1
b880ca4933656be52f027028af5ef8a3b7e07e97

SHA256
a81729fd6ee2d64dfc47501a1d53794cdeee5c1daa3751f7554aea2503686d10

SHA512
dd8c39947e7d767fbdccf90c5b3eaedf3937b43c55200d2199107333b63ac09e5356c286618874fac841e1357dd927e0c70b5066c1feeedd8cc6c0fba605ee5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2iNSmXIeLk86GKE0EBlvCFwO3go\locales\en-US.pak

Filesize
83KB

MD5
bd8f7b719110342b7cefb16ddd05ec55

SHA1
82a79aeaa1dd4b1464b67053ba1766a4498c13e7

SHA256
d1d3f892be16329c79f9a8ee8c5fa1c9fb46d17edfeb56a3d9407f9d7587a0de

SHA512
7cd1493e59e87c70927e66769eb200f79a57e1eb1223af4eb4064088571893d3e32cbc4b5ece568fd308992aad65684aa280dc9834f2b5d327bdee514b046e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2iNSmXIeLk86GKE0EBlvCFwO3go\resources.pak

Filesize
4.8MB

MD5
d13873f6fb051266deb3599b14535806

SHA1
143782c0ce5a5773ae0aae7a22377c8a6d18a5b2

SHA256
7b953443e3cd54a0a4775528b52fbfe5ebecbc2c71731600ed0999d227969506

SHA512
1ab38fcb70d1958c74da2493459532b52a04b884009509a1ac8dd39f6e9e670658a52f4d19ef57f1bc71dccfdd6ceedbc18034bbcad0b500d75a97c74aac6939

Download Submit
C:\Users\Admin\AppData\Local\Temp\2iNSmXIeLk86GKE0EBlvCFwO3go\resources\app.asar

Filesize
12.4MB

MD5
4a5dc054962240efc3669951c6a3a058

SHA1
af025c91626b0973878a2f186bbe5f3f95bd3897

SHA256
9a15dc860ebcefdeca3f67715551b380245eee5465c9b7715abade378069ac7d

SHA512
685a646a296e1b9eab0eac37b3facbd8dd844ff379015ae2e48b797de815c68063183b0c7d43c9d412aa1fdbd0120c14354bc95d48a7af899bfe1f02b5e0616d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2iNSmXIeLk86GKE0EBlvCFwO3go\swiftshader\libegl.dll

Filesize
460KB

MD5
acd46d81bb4f34912c255a8d01953635

SHA1
25969cc9e588e174b854566778f283f067c3c0c6

SHA256
bd1bc00a5c29726fb39645041fc6c8295256d90c7f739ebeaa8b6c382a4db189

SHA512
83692654ada422391b428953b2cec67048a171bbef4c59158f34607a762feac8a233b52ceaa528306cf103d9830ee38897afa996389e086d3778f290555a059b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2iNSmXIeLk86GKE0EBlvCFwO3go\swiftshader\libglesv2.dll

Filesize
3.1MB

MD5
8090f82a02c6850cc7bd2b481a7533e0

SHA1
54a0b66d76c1b60e45e83ba4627299d0b2aae84a

SHA256
e9473ba82f6d8742ab74e67484886291aa69037db72e0ae256b19581de0b772e

SHA512
b2e3c57926860a7954ca6e426f5f2fa080cf6ccb5c4edd77f59744f240f597aa9613f46294e8b344db76b46fe78777b5016828b8ab2fc274ca107f3af7abd878

Download Submit
C:\Users\Admin\AppData\Local\Temp\2iNSmXIeLk86GKE0EBlvCFwO3go\v8_context_snapshot.bin

Filesize
168KB

MD5
c2208c06c8ff81bca3c092cc42b8df1b

SHA1
f7b9faa9ba0e72d062f68642a02cc8f3fed49910

SHA256
4a67de195878d290f49b503b83e415917b8bbcbd9936b07a5d33b48e9bc6e0a3

SHA512
6c3c370dd086a976c44d4059a315bd3bcbb50961aa34734e65a40d861cffca9090d47cec74575afe23952e394e4845bda2d8798eebe01fb54a7a6288bce238f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3-z0yudr.dll

Filesize
3KB

MD5
3234716a466f749fd8be0c945e45697a

SHA1
3c6a800a140c81c059e1877ceb4e83cd1eac90f0

SHA256
5f21b7354fc4ccce540b2983cdd40c3e50089a02e1ec08a7f760c104c83f71c6

SHA512
eeeef90d662858a9700dfe3d17612deb4610a5921feea6eb285b3dd21752dfd68c94a7d81216a84a237596d49907629eadd9957619739c86e161c8c3c752df5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3-z0yudr.pdb

Filesize
11KB

MD5
948a2994b568d86caee33b18f4d0dfa4

SHA1
a269067a8fc69277902770f223f5788eb3cb104e

SHA256
55db8021911116cac6c318febc6bdd05e91f02cf79f5440b5d19ab6c4f602518

SHA512
82bfc7d8452ff5e1241d53ecd33156bc2b5fce6bdc7988b0040dc2dbcd8124559db8048536845441d8ecec76bb4d29392ddd9e7f68b67a21ea6f2c76502dd89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3AEF.tmp

Filesize
1KB

MD5
2dfb3d09d173e69d41e130e13a58bfd7

SHA1
bfa22184bc06c3833df2f68555310eba531c5d30

SHA256
76c0fe44930088a2e8eaca19554eff0e2672e2fc175219abc8f620480772aa29

SHA512
45d4d11f4a994a969d1e75160ea05b02edc55a363e5f2bf20ce24ca5b39f4b1865e26d71580956e933ac34226cb09c0714b721e54731b02a8b4b4989de6d70b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
41966a4e186118ffbd1b8e6e1f98998d

SHA1
89af949eb62c7be45266b30ad837aad5373d0ad3

SHA256
4e9bc228eb1d1d9da639cf0b539a2c39b45849c42863ce4159f4f2af4a9c7bb2

SHA512
0272817bda7b329711a69960e70dcdb612e4bf04504e029e60b639827c47ee72b251f4423fb0960ea05fbc3230c0dd4c7596d85aef9a1d8f952556eee00fb00a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3-z0yudr.0.cs

Filesize
426B

MD5
b462a7b0998b386a2047c941506f7c1b

SHA1
61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

SHA256
a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

SHA512
eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3-z0yudr.cmdline

Filesize
309B

MD5
8c0cfc0e946926be6c32389c40f8c8d0

SHA1
b6259ceed7c8753c2047b45b7a98f852ab278f6e

SHA256
b2762ad1a3bf5c58165ef6475745c7b49b03bd17943adb73228fd975bc495209

SHA512
5ae1cf57d894c009427b34b99e562f0d1489cf2cf61f423e0b1669d3ee2f8b9d6b805ae89f3c8465972a7b66fcfd3377be474acff048bc0d7becd6bd6009d554

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3AEE.tmp

Filesize
652B

MD5
acbf1d304dec06faa41b9b602d8682fa

SHA1
9b118e2d03310ce381f0aa456e6f348b08bbc083

SHA256
eb9918f7dffb126c7deff7e85b711f20aad7e7660a98a0ad9697428ef11a38f7

SHA512
7ea4135238252955a0d63fcfa87c8bc7d039cf733a117b6a887e2a297280f456db789bde12bea5bfdf9f27b93a8decb30cda850766ff169d935a264d71b87dbc

Download Submit
\Users\Admin\AppData\Local\Temp\2iNSmXIeLk86GKE0EBlvCFwO3go\libEGL.dll

Filesize
438KB

MD5
660a9ae1282e6205fc0a51e64470eb5b

SHA1
f91a9c9559f51a8f33a552f0145ed9e706909de8

SHA256
f2a841b6ef320f226965c7cb01fbc4709fc31425e490a3edfa20147ce3656c85

SHA512
20bed2bed042033e3d8b077f9d66bce67922aaec180cc3777f20560219226b7efc73932bb87445afda4e3877472ddcd307215d23954cd082051437e5f2224263

Download Submit
\Users\Admin\AppData\Local\Temp\42a6ba5b-ae0d-4e58-aa2f-fd6abdb4ec1f.tmp.node

Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2BD2.tmp\StdUtils.dll

Filesize
101KB

MD5
33b4e69e7835e18b9437623367dd1787

SHA1
53afa03edaf931abdc2d828e5a2c89ad573d926c

SHA256
72d38ef115e71fc73dc5978987c583fc8c6b50ff12e4a5d30649a4d164a8b6ae

SHA512
ca890e785d1a0a7e0b4a748416fba417826ae66b46e600f407d4e795b444612a8b830f579f2cf5b6e051bea800604f34f8801cc3daf05c8d29ad05bcda454a77

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2BD2.tmp\System.dll

Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2BD2.tmp\nsis7z.dll

Filesize
391KB

MD5
c6a070b3e68b292bb0efc9b26e85e9cc

SHA1
5a922b96eda6595a68fd0a9051236162ff2e2ada

SHA256
66ac8bd1f273a73e17a3f31d6add739d3cb0330a6417faeda11a9cae00b62d8b

SHA512
8eff8fc16f5bb574bd9483e3b217b67a8986e31497368c06fdaa3a1e93a40aee94a5b31729d01905157b0ae1e556a402f43cd29a4d30a0587e1ec334458a44e8

Download Submit
memory/1716-220-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1716-253-0x0000000077820000-0x0000000077821000-memory.dmp

Filesize
4KB

Download
memory/2128-204-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2128-182-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2128-181-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download