5f4b9ae4506d950030be7c04bbc0cc038b63b862401c34d5130ddaddd66976bf

Analysis

max time kernel
150s
max time network
153s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10/08/2024, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FantasyLauncher.exe
Size

91.0MB
MD5

7e156534ade1b1180667624e19af2b26
SHA1

ab3a33e969759932bae66680274fc9f2e36d087c
SHA256

ce22a4a12abf7caad89fa8dbe07e0f1b997f481b726fc90d88910752ad1d1048
SHA512

e0d29582789b921e5cd10e2d0ec511133e1cd8681d76e0c532f8dff6fb596f508431c4348aecf453c337719de7b1b559558f67ccbf3868b3b950a386d78a601f
SSDEEP

1572864:OfhipuuP5JnMWLQIXi+14uQJUa2MtZ4H0VVf1yNQlcfFuCyzYLS9ymyYK:OJnuPnnMlEV5v21UNQlcfF/Q9yt

Score

9^/10

credential_access discovery execution spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2872	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	MysticLauncher.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startApp.vbs	MysticLauncher.exe

Executes dropped EXE 5 IoCs

pid	Process
1932	MysticLauncher.exe
2480	MysticLauncher.exe
3748	MysticLauncher.exe
3088	y8u18.exe
4168	MysticLauncher.exe

Loads dropped DLL 19 IoCs

pid	Process
4880	FantasyLauncher.exe
4880	FantasyLauncher.exe
4880	FantasyLauncher.exe
4880	FantasyLauncher.exe
4880	FantasyLauncher.exe
4880	FantasyLauncher.exe
4880	FantasyLauncher.exe
1932	MysticLauncher.exe
1932	MysticLauncher.exe
2480	MysticLauncher.exe
2480	MysticLauncher.exe
2480	MysticLauncher.exe
2480	MysticLauncher.exe
2480	MysticLauncher.exe
3748	MysticLauncher.exe
1932	MysticLauncher.exe
1932	MysticLauncher.exe
4168	MysticLauncher.exe
4168	MysticLauncher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs

pid	Process
1360	cmd.exe

Enumerates processes with tasklist 1 TTPs 8 IoCs

discovery

Process Discovery

T1057

pid	Process
2320	tasklist.exe
4720	tasklist.exe
4844	tasklist.exe
4736	tasklist.exe
1504	tasklist.exe
2668	tasklist.exe
1752	tasklist.exe
528	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FantasyLauncher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4880	FantasyLauncher.exe
4880	FantasyLauncher.exe
4844	tasklist.exe
4844	tasklist.exe
2388	powershell.exe
2388	powershell.exe
2388	powershell.exe
2872	powershell.exe
2872	powershell.exe
2872	powershell.exe
4168	MysticLauncher.exe
4168	MysticLauncher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4844	tasklist.exe
Token: SeSecurityPrivilege	4880	FantasyLauncher.exe
Token: SeDebugPrivilege	4736	tasklist.exe
Token: SeDebugPrivilege	1504	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3984	WMIC.exe
Token: SeSecurityPrivilege	3984	WMIC.exe
Token: SeTakeOwnershipPrivilege	3984	WMIC.exe
Token: SeLoadDriverPrivilege	3984	WMIC.exe
Token: SeSystemProfilePrivilege	3984	WMIC.exe
Token: SeSystemtimePrivilege	3984	WMIC.exe
Token: SeProfSingleProcessPrivilege	3984	WMIC.exe
Token: SeIncBasePriorityPrivilege	3984	WMIC.exe
Token: SeCreatePagefilePrivilege	3984	WMIC.exe
Token: SeBackupPrivilege	3984	WMIC.exe
Token: SeRestorePrivilege	3984	WMIC.exe
Token: SeShutdownPrivilege	3984	WMIC.exe
Token: SeDebugPrivilege	3984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3984	WMIC.exe
Token: SeRemoteShutdownPrivilege	3984	WMIC.exe
Token: SeUndockPrivilege	3984	WMIC.exe
Token: SeManageVolumePrivilege	3984	WMIC.exe
Token: 33	3984	WMIC.exe
Token: 34	3984	WMIC.exe
Token: 35	3984	WMIC.exe
Token: 36	3984	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3984	WMIC.exe
Token: SeSecurityPrivilege	3984	WMIC.exe
Token: SeTakeOwnershipPrivilege	3984	WMIC.exe
Token: SeLoadDriverPrivilege	3984	WMIC.exe
Token: SeSystemProfilePrivilege	3984	WMIC.exe
Token: SeSystemtimePrivilege	3984	WMIC.exe
Token: SeProfSingleProcessPrivilege	3984	WMIC.exe
Token: SeIncBasePriorityPrivilege	3984	WMIC.exe
Token: SeCreatePagefilePrivilege	3984	WMIC.exe
Token: SeBackupPrivilege	3984	WMIC.exe
Token: SeRestorePrivilege	3984	WMIC.exe
Token: SeShutdownPrivilege	3984	WMIC.exe
Token: SeDebugPrivilege	3984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3984	WMIC.exe
Token: SeRemoteShutdownPrivilege	3984	WMIC.exe
Token: SeUndockPrivilege	3984	WMIC.exe
Token: SeManageVolumePrivilege	3984	WMIC.exe
Token: 33	3984	WMIC.exe
Token: 34	3984	WMIC.exe
Token: 35	3984	WMIC.exe
Token: 36	3984	WMIC.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2668	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3724	WMIC.exe
Token: SeSecurityPrivilege	3724	WMIC.exe
Token: SeTakeOwnershipPrivilege	3724	WMIC.exe
Token: SeLoadDriverPrivilege	3724	WMIC.exe
Token: SeSystemProfilePrivilege	3724	WMIC.exe
Token: SeSystemtimePrivilege	3724	WMIC.exe
Token: SeProfSingleProcessPrivilege	3724	WMIC.exe
Token: SeIncBasePriorityPrivilege	3724	WMIC.exe
Token: SeCreatePagefilePrivilege	3724	WMIC.exe
Token: SeBackupPrivilege	3724	WMIC.exe
Token: SeRestorePrivilege	3724	WMIC.exe
Token: SeShutdownPrivilege	3724	WMIC.exe
Token: SeDebugPrivilege	3724	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3724	WMIC.exe
Token: SeRemoteShutdownPrivilege	3724	WMIC.exe
Token: SeUndockPrivilege	3724	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 2480	4880	FantasyLauncher.exe	73
PID 4880 wrote to memory of 2480	4880	FantasyLauncher.exe	73
PID 4880 wrote to memory of 2480	4880	FantasyLauncher.exe	73
PID 2480 wrote to memory of 4844	2480	cmd.exe	75
PID 2480 wrote to memory of 4844	2480	cmd.exe	75
PID 2480 wrote to memory of 4844	2480	cmd.exe	75
PID 2480 wrote to memory of 4356	2480	cmd.exe	76
PID 2480 wrote to memory of 4356	2480	cmd.exe	76
PID 2480 wrote to memory of 4356	2480	cmd.exe	76
PID 1932 wrote to memory of 3384	1932	MysticLauncher.exe	81
PID 1932 wrote to memory of 3384	1932	MysticLauncher.exe	81
PID 3384 wrote to memory of 4736	3384	cmd.exe	83
PID 3384 wrote to memory of 4736	3384	cmd.exe	83
PID 1932 wrote to memory of 2360	1932	MysticLauncher.exe	84
PID 1932 wrote to memory of 2360	1932	MysticLauncher.exe	84
PID 1932 wrote to memory of 2116	1932	MysticLauncher.exe	85
PID 1932 wrote to memory of 2116	1932	MysticLauncher.exe	85
PID 2116 wrote to memory of 1504	2116	cmd.exe	88
PID 2116 wrote to memory of 1504	2116	cmd.exe	88
PID 2360 wrote to memory of 3984	2360	cmd.exe	89
PID 2360 wrote to memory of 3984	2360	cmd.exe	89
PID 1932 wrote to memory of 2112	1932	MysticLauncher.exe	90
PID 1932 wrote to memory of 2112	1932	MysticLauncher.exe	90
PID 1932 wrote to memory of 1360	1932	MysticLauncher.exe	91
PID 1932 wrote to memory of 1360	1932	MysticLauncher.exe	91
PID 1360 wrote to memory of 2388	1360	cmd.exe	94
PID 1360 wrote to memory of 2388	1360	cmd.exe	94
PID 2112 wrote to memory of 2668	2112	cmd.exe	95
PID 2112 wrote to memory of 2668	2112	cmd.exe	95
PID 1932 wrote to memory of 4744	1932	MysticLauncher.exe	96
PID 1932 wrote to memory of 4744	1932	MysticLauncher.exe	96
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 2480	1932	MysticLauncher.exe	98
PID 1932 wrote to memory of 3748	1932	MysticLauncher.exe	99
PID 1932 wrote to memory of 3748	1932	MysticLauncher.exe	99
PID 4744 wrote to memory of 3724	4744	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\FantasyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\FantasyLauncher.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq MysticLauncher.exe" | %SYSTEMROOT%\System32\find.exe "MysticLauncher.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq MysticLauncher.exe"
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- - C:\Windows\SysWOW64\find.exe
    C:\Windows\System32\find.exe "MysticLauncher.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4356

C:\Users\Admin\AppData\Local\Programs\MysticLauncher\MysticLauncher.exe
"C:\Users\Admin\AppData\Local\Programs\MysticLauncher\MysticLauncher.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,57,127,181,52,40,252,34,72,131,44,63,89,128,239,70,113,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,11,255,216,153,250,77,82,111,126,95,98,94,219,115,174,189,160,139,237,110,251,196,56,179,203,228,197,181,15,120,67,20,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,30,133,100,191,15,223,21,248,203,88,227,180,113,230,106,207,51,98,112,135,217,240,250,205,108,213,119,246,2,158,201,93,48,0,0,0,178,101,198,205,60,104,197,46,221,160,198,102,133,127,127,90,15,146,64,171,161,165,85,208,32,230,17,132,195,114,136,96,252,86,8,99,164,60,179,237,198,141,203,205,95,178,246,118,64,0,0,0,48,174,109,113,48,104,148,66,11,129,145,197,20,137,225,112,70,116,236,62,53,35,210,159,99,40,19,59,102,209,13,191,44,242,249,158,237,154,21,93,58,208,230,170,117,133,63,219,175,75,182,195,205,244,44,132,173,14,239,143,205,34,169,63), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,57,127,181,52,40,252,34,72,131,44,63,89,128,239,70,113,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,11,255,216,153,250,77,82,111,126,95,98,94,219,115,174,189,160,139,237,110,251,196,56,179,203,228,197,181,15,120,67,20,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,30,133,100,191,15,223,21,248,203,88,227,180,113,230,106,207,51,98,112,135,217,240,250,205,108,213,119,246,2,158,201,93,48,0,0,0,178,101,198,205,60,104,197,46,221,160,198,102,133,127,127,90,15,146,64,171,161,165,85,208,32,230,17,132,195,114,136,96,252,86,8,99,164,60,179,237,198,141,203,205,95,178,246,118,64,0,0,0,48,174,109,113,48,104,148,66,11,129,145,197,20,137,225,112,70,116,236,62,53,35,210,159,99,40,19,59,102,209,13,191,44,242,249,158,237,154,21,93,58,208,230,170,117,133,63,219,175,75,182,195,205,244,44,132,173,14,239,143,205,34,169,63), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3724
- C:\Users\Admin\AppData\Local\Programs\MysticLauncher\MysticLauncher.exe
  "C:\Users\Admin\AppData\Local\Programs\MysticLauncher\MysticLauncher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\MysticLauncher" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1688 --field-trial-handle=1692,i,5363340089703888497,1051542051087253766,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2480
- C:\Users\Admin\AppData\Local\Programs\MysticLauncher\MysticLauncher.exe
  "C:\Users\Admin\AppData\Local\Programs\MysticLauncher\MysticLauncher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\MysticLauncher" --mojo-platform-channel-handle=2272 --field-trial-handle=1692,i,5363340089703888497,1051542051087253766,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "hostname"
  2⤵
  PID:3888
- - C:\Windows\system32\HOSTNAME.EXE
    hostname
    3⤵
    PID:2744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3256
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "where /r . cookies.sqlite"
  2⤵
  PID:3056
- - C:\Windows\system32\where.exe
    where /r . cookies.sqlite
    3⤵
    PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3328
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3920
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -WindowStyle Hidden -Command "& {Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\y8u18.exe' -ArgumentList 'bJ13VTU9nV' -WindowStyle Hidden}""
  2⤵
  PID:3316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "& {Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\y8u18.exe' -ArgumentList 'bJ13VTU9nV' -WindowStyle Hidden}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\y8u18.exe
      "C:\Users\Admin\AppData\Local\Temp\y8u18.exe" bJ13VTU9nV
      4⤵
      Executes dropped EXE
      PID:3088
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        5⤵
        
        PID:2336
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4720
- C:\Users\Admin\AppData\Local\Programs\MysticLauncher\MysticLauncher.exe
  "C:\Users\Admin\AppData\Local\Programs\MysticLauncher\MysticLauncher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\MysticLauncher" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2388 --field-trial-handle=1692,i,5363340089703888497,1051542051087253766,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\6u3dx4j1r0t.node

Filesize
275KB

MD5
b0de8894ef937d27715e81eedb6177b9

SHA1
7a3cce84c94c2a7cfc9b260d219d3738f0f93a99

SHA256
89cbacbc842eb08645bf0b2ea5a03f0a0504a213aa123242343e5588e2f0149c

SHA512
9166ddf27a1094817aba685c66bd2fc60d57c4d0961d96931a4e56bac34de339334532196253b676276241d88214e2927b1fc174acaf33296cf8f84e1455b055

Download Submit
C:\Users\Admin\8ig71mp9ky7.node

Filesize
137KB

MD5
04bfbfec8db966420fe4c7b85ebb506a

SHA1
939bb742a354a92e1dcd3661a62d69e48030a335

SHA256
da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

SHA512
4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\passwords.db

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
4acb11a02dea75974e27e38df2d43aed

SHA1
5759f53869dfe7bc5ea5b708e226358c97e0ba8f

SHA256
8763bcf011bd567bfdf7d08bad7391dc8f521e5073fa76bb0304dee2d72a2594

SHA512
dba6fe9d59b8bd7f1ae5f38fbcd2819215f63a79b614b3d3abf10c5fe4ab8433046fc0fd9ec853088be649de6cc0cc1e065704727c504057dd826322ec3710f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
89468a2ea7fbb4a520bb0cfe1f7a70ff

SHA1
9674fcdb82d20544912864889917379de3c43613

SHA256
c0d99bed0262551c33a2d3bc388e868aca2a963e752d9645013ec1e50e8dc760

SHA512
a451076a609e70b3c192a700c2cd7ecad232da19d88d73fba168a94a788084a8c1344d5a70a12d9eeabf065f80e86fac63cd2b8cd0ee84651fd6bb5ca79ee7a3

Download Submit
C:\Users\Admin\AppData\Local\Programs\MysticLauncher\chrome_100_percent.pak

Filesize
132KB

MD5
e4cbb48c438622a4298c7bdd75cc04f6

SHA1
6f756d31ef95fd745ba0e9c22aadb506f3a78471

SHA256
24d92bbeb63d06b01010fe230c1e3a31e667a159be7e570a8efe68f83ed9ad40

SHA512
8d3ea1b5ca74c20a336eaa29630fd76ecd32f5a56bb66e8cef2bce0fa19024ea917562fd31365081f7027dde9c8464742b833d08c8f41fdddc5bd1a74b9bc766

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autofills.txt

Filesize
85B

MD5
08dc8720082b2ede1ec6e33339f189c1

SHA1
e1b7e75d052d2ad60f42d400e968a5e9aa91481d

SHA256
1de83568c3158f5b5e9ae372d31453115a5c166eb83692a6c94ea6c7e1e0387c

SHA512
e9ed7977ac62e2ae15151e376d6ced8fd44a74cc62499bf61bf094f9862f99c1b8e1128b9a7d4971a6a726e27c559c99a155878297703f5161d9997a0ff0e6d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Passwords.txt

Filesize
14B

MD5
b4b41665eb819824e886204a28cc610b

SHA1
e778edb6f635f665c0b512748b8fec6a2a23a88b

SHA256
635f814c1f34ee53ee62b67f989fec91eb0e08f63769ab4bd22cf4206a2cfff6

SHA512
37648652b1df14aa427382a4dac70d58a107d3dd77bd1977afc3acce8c56b7b6531b67d33f4b61b9fb8fbb9230ab0dfd461db07c1cc11a2923604e910a743d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_my3ehjex.rr1.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\LICENSE.electron.txt

Filesize
1KB

MD5
4d42118d35941e0f664dddbd83f633c5

SHA1
2b21ec5f20fe961d15f2b58efb1368e66d202e5c

SHA256
5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d

SHA512
3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\LICENSES.chromium.html

Filesize
8.4MB

MD5
e400cd908b8fb7c13985e2f5cc7a7044

SHA1
bbafebdf5b067a7d7da130025851eaa52ec3c9d7

SHA256
ee3b1ab8794c749673ce9bd2dd302f12d69f0a1a4adfe40a64247746cc311829

SHA512
e7ca440f0e042d7fcfa99367426bf19899a2b227c6d7b6e2c25d4f1a40113250f21ebeaaf91067d8569dfbad1415d4fe3e5626d7254722f2778497fcb22e5d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\chrome_200_percent.pak

Filesize
191KB

MD5
99b95d59d6817b46e9572e3354c97317

SHA1
6809db4ca8e10edd316261a3490d5fc657372c12

SHA256
55d873a9f3ac69bbf6eb6940443df8331ebd7aa57138681d615f3b89902447e7

SHA512
3071cfeb74d5058c4b7c01bfe3c6717d9bb426f3354c4d8a35bd3e16e15cde2f2c48238cb6382b0703b1cc257d87fcecfb84fbf4f597f58e64463ceede4366dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\d3dcompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\ffmpeg.dll

Filesize
2.7MB

MD5
ce613fb05afd722fac05a28d6e935cd4

SHA1
d96ae5969cb134a8686d8ae72be304848a4d1f0e

SHA256
742c956f892ad0833a5b8c52d19aa69940bc15bedbb42890598df61b263f6fed

SHA512
c886e1e1e24e4b3320842127a7464a1baae93b0f791c7fff06af3ae1d7c312ae490f7d5f41c6d857b1be9da39c63e468b7ac6493ba7ee9e2ebf5e6344acda7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\icudtl.dat

Filesize
10.1MB

MD5
62880b7d351a9f547b62b8da6c97ce25

SHA1
057f11003013cfb3f1c63e6bdd4f2f9949ff0104

SHA256
7c40c811d30d459dbf04a04c141b60eb4247cd58a008fb836605317df665748f

SHA512
0d6f83175a91d90f4cc3ec4d9071b7acd0cd8ebbcc592322e46fde2adb7198e035af62c45a11a622f2a908e26d4dd8b8d1af023e634a74d0824d02c791ba3c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\libEGL.dll

Filesize
469KB

MD5
874b49121773393e5ab748e52c630089

SHA1
f35c93744cd2f0c178fc250116588654772d1339

SHA256
d9773c57e821ef87891375d687c68c0be75222316a666e8c49640aad80f60959

SHA512
ac8a09d44d7242d0e897ea84fa8f3f3c1d0e203fc3c03d5e62fba75f0c5e88189037145fb3548eba54c6c657af9126da96b6fa224dcbebbaa51f84f74dfa427b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\libGLESv2.dll

Filesize
7.1MB

MD5
47fd3da85f490e65b3252c83c76e63a9

SHA1
6f799b2d5f1768682cb6d8c2407110410142444e

SHA256
49ace76d838e02994a03354e557ae65a305d9c5c8441774fa174177451e26dc9

SHA512
8df107a48ff17000ff0a59139fc545276a12355a052658d933a2681172d5bbabde48b2e17925680a80006587c318876d494096d27f0c41b281e39a5bdbd14fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\af.pak

Filesize
425KB

MD5
d16ef573959cf5cf0a6eea20136b9c0b

SHA1
e3384ae3ee92e1dae47a48e45589372e940aab33

SHA256
73a8401e6dc17c4daf86b42c65b81359348f7e6b4d62d8637138e747bb3ff0ae

SHA512
064c2912f766f10ec042adf82709ac9582cb8430e3550690fc17343c380dcbabadc0084e08aa5f3eb6faf79a652d26e1fe2606625a180b7f47808df07a566933

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\am.pak

Filesize
693KB

MD5
39a396fce4d93f744b3c786d62d2686c

SHA1
7ec8176e652b666b6ab9fffb6cb9b7dcfdd1a2a2

SHA256
0b1d326be9dabcda8e37740017383f2d8f1bec7a8fdb1f11ebe538c3632453fd

SHA512
798063b51f745fc2c9e7f852f72ce55939ed41305d070d1844c790755f7ab42a6830406ba2485237d37a0c46b804512e7dc37c65b7f03249c28741a4f706017a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\ar.pak

Filesize
758KB

MD5
14b15761cb9d4e1956812df8b42c2aea

SHA1
7c25580d892711b9eff1a3ace4e6699ea64e0706

SHA256
c8d405127b032587e6ae6426a35cb766139bae26170ca08d811354486ab667f8

SHA512
ec9a6e6e715c817726ad744fadca4d1af3015d95421774ccfe54d616225b7a17e862e086fe0aebb3a903d2ebfb27779cffcd713d3042ecdf9761c24c5a56cdcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\bg.pak

Filesize
788KB

MD5
01dfb1a7815613fa0a5411235f45b27b

SHA1
3bf1ea5597ac77b26bd30caa1efea7cb4f7a1b19

SHA256
13d08d2c4972cd18bb8ea8a57587dad29684c2336f73282dd3284b0649377cf8

SHA512
5d8a65e5a17aa163fb679e003e1837ea96e515b105c9977029a5ca4854845289de5d65c0edfd473cb74410c5cacdb5b360f25a69776705fb05f48688d92680da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\bn.pak

Filesize
1019KB

MD5
ff4f966849b4107535e41d037d9144c7

SHA1
3a973857b061914e8905bda7e8f2bdafa384588e

SHA256
2dc26dee345271f4606650912b0b7b5df68f621f2920864e0e36c1d1b22459b1

SHA512
98772f266f9553f77f91b11dc4589ec8a0930554e9e0b381bbacd8d23ce794c04f6fe821388a6e87cb14cb59c7522c18c06b1af11fc177c7e40ef71242adcba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\ca.pak

Filesize
479KB

MD5
a0b45b122241cf0c11a081eefb9cb4c6

SHA1
91fd660a4688aaa70fee42e783b8b1863b4d11d7

SHA256
7d911cda51564500dd7a6de43a1e347869427c035b15fa25cad0526be9e055b1

SHA512
abcb3bcb96934189cdfd52528cd7c65ea870c9b997bf6349599b7064fe6f4bef0d34809f0f958e4d4e46486e7c0a41f86b5ed0a132bbf20743d41f3af64788b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\cs.pak

Filesize
494KB

MD5
1101c784521a550b0561b363722086de

SHA1
838f2bfe3432b87b950a2ec5d9862d2f58fde3e5

SHA256
cc6ff937d1c9fec4634db4e2f6c0718d2606fe2d5d25addf1314e110c5b78772

SHA512
eca3ce2075d3c920116c9e34957631e0617a869467bb76b09873ae96f7803f20032a6dd0a0f785f9e59dcfce3a4ccecdab2d445a860bee20d42e140b45e74089

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\da.pak

Filesize
446KB

MD5
5b033c206820ace5eb4c6f82aed34a5d

SHA1
28017cfc13259273022059f02564ffc99dcd75a4

SHA256
1a51de04cb205c708520f1b013447f1a89f0b1330dbce6d1e71cf355319d1108

SHA512
e423069f7a895179ea17be5774284e9e2e27f02c40bac7d7211cab77348800622796f04c3e6618905364e189ca5ec772ed7dbd285872777d163d3ebec08a64d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\de.pak

Filesize
477KB

MD5
7ccdc41a3dbdf89058d71629225664ae

SHA1
e15c35b18685d9573349ff4247733b5f5ada8717

SHA256
163ea4c2cf67edd0526a8e18d3810872e92a1d4e17b5cf4f04107fda5967b0c9

SHA512
13b20b0db02a0a7480c56c79304ef594353507e1a30da0130b73aa8e9ec7636f306315a6f40729b10dc725f936642d2e2b282ed3040a079a6f25a7f9f7f1ae28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\el.pak

Filesize
865KB

MD5
2b391b2b35f7e096f696faf5dc093366

SHA1
1409134a46fcb84457a0e332edde98f7666246bd

SHA256
f1fe39af50f4bfe9edcea3af6c132e87d464d7277fb491ed95d7189b3157d20d

SHA512
aa640ca41dc9d4f60392b61bbead215345abd32369b0de90ed1d7ca2ff7a838d04689d538789a1adc0324fe4539c34db26b6c245155e51fb0308af13b60bfdae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\en-GB.pak

Filesize
389KB

MD5
745918a5a74c7b6f4818a8bb8813f456

SHA1
031f50286d003844425ddac557e13e2ea4554bc2

SHA256
91bdbf5f1f6bcbcaf16e47865f72ec97d72c74174fb929f089d14c00989f91f4

SHA512
5a1eb0231352705bab527ab27543612d75cb00c522620828ce2a0fdb0b47be9daa2dd7a192f8b4bf299007c5af1d9515f900b9586ba44dd2bd9f4cd4436aa681

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\en-US.pak

Filesize
391KB

MD5
c9c2abcb04e1ad5f1a20244da8d595a8

SHA1
89ca81da21900074a5ccdcdc852768277b2b620b

SHA256
0364c73f320e441b03cb2afcaaca3ffbfac51a3559dcd0ff99a1accf82c7f762

SHA512
96bbf21174f56a111a2fc6ec024ab2f143945306797e77d773367a7fad42b7828ebb7b08d0dab76858d9fa340bf3205be403bc53df9e5e4e390058c94a751ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\es-419.pak

Filesize
473KB

MD5
c8f488b85c17431360e531aa507be979

SHA1
bea5d66bdcc05869a0389e051a9217fd49e48fcd

SHA256
536339d99dee6e8c01f018d4700ddd92ce063f765766a48073aeb256669680c1

SHA512
1d7f9f84a8d7c055bf705c71efaea817f1b9dedd5ba314fec6ce5324f578d3130b5541bb52fa55db9f6e46efa8e152d50199a61c7e2466844a4414df65d61c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\es.pak

Filesize
473KB

MD5
29cbdcc2168f1bb29532122c39e67a1a

SHA1
f086c79d60daf2b0a7df91916387efa461795dcb

SHA256
232f41ab5996c917687276e82c177de208b36e77aa834bb5d94d6a331f4180fe

SHA512
b603edf2a18f5893ab482b0c34e4126f824fbdd1b669927d7bc30d68e2e5bdf78d7d4b2aabdbe257987e8e19f440d9396a3683340b94c3fd844c70e34e93d8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\et.pak

Filesize
428KB

MD5
5b169234895d929930140b4869a0b81a

SHA1
f58ba50d1e19ce191a0f8117f3e70f7f3dcb7362

SHA256
c465da80b14981bdbc687b7c37bf70d2bd4b8e03293c04ae5410f84c91ef980e

SHA512
c4297e272b5c04a0ee0956b873d5246591bee98c3b340e72202f3448381c691096a5bc540fdbcf61fb40d6a69270afa7198c1f0ccf3b2e84cabc906e23eb022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\fa.pak

Filesize
703KB

MD5
f7da0d07b54698bf8a213d0ccf1942c0

SHA1
d64fff18274ebe71a4aaa4754f9bb99d616fa000

SHA256
33bdd6eb52f648d475306f35b6103500b864672cbf39cc0fbd8c4ac84c997dec

SHA512
ce7a7b3df4c814a26e3fd9fddafc01ac1a4b2a87ef2d2893db5d0edf8e5b8bfe34afb6e91ff94306248361d57c6b3bd63d116635fb756aab74c4aed38f31c88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\fi.pak

Filesize
438KB

MD5
1cbfa553a5b1de642ea4c248dfe1edba

SHA1
5de05b3c11fdd59ff5064a153a6dcbda33350971

SHA256
8f3e8ec0fbb471b45db65a77dc1013e3363f387d3d0c6a458c90f371907d0085

SHA512
ea3b99be7da893be8c3b228d1d3d7b644a1f5425b5380dc3e0ae0ba1bd29cf39dabe73819bcc4fa67f10a488f018e9fa2328995cb78f40ae8fdb66aa514188aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\fil.pak

Filesize
495KB

MD5
8ce446cac9221f07f912be59534d86ec

SHA1
15cd1b902b26abbe665fed518575748483a9c3e4

SHA256
b6ce37b1aeb4ca17a7f78ebc8f97c2807f588dfc4ad3e0639005c626b5c9b939

SHA512
20be2b5c7e8fca897109b1dc8219931eaaa1c8296b1d26dcc7f9058168fef371d7955fb0f6c5693399b83fa81d27369efac8c3742059eea2333bd66d20b8d0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\fr.pak

Filesize
513KB

MD5
a1de4ad3d9b7aa8f122ba00cb983e49c

SHA1
323d6e1b4ed75f9406bb8488d7ffc7e12fa96886

SHA256
a69f52162f6081a06f835ede10818218df6e211f00d0ef24561e6221f4696e61

SHA512
542f0818ea4517fdea929f3d4938f7de75e2a5e6d872607e548f87de7e9cd0737fab3f5e82ab7895f44e809279d81c490999ed055acbddafe84f85e60ce2e23b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\gu.pak

Filesize
996KB

MD5
02bfa1114fd5b75261c24d6c0e6441f7

SHA1
d48b80339405cb8c8ec7a19b688e8d544938c4c7

SHA256
bbb17268412fb3e13584ca4dc90a94f984177d3c97ee89af2a57324709f8ed1d

SHA512
751b91d381c882a5dc0c0ee6313cf3e7ef51b4d369330a169cf9625de99e6019233109e815fc474fae44d79235940ba2ce68af7033f4c4c994e2774bbd8105be

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\he.pak

Filesize
616KB

MD5
9fccb330d8b07ca54661407cf737d847

SHA1
2c6f52801b66aac7d08acb60d9736f9149e48ae5

SHA256
bb06d364a91b8641724254822b2eec5d0675e262a4cbf93b92494f601807dbef

SHA512
0cbf36643cc7b1d85dc7cb7825bc816a8538d0cc50b137dd27d5a9703324ae7ff271d38dc0cd6e4a99c6b391070690b90eb8ddb1cc511bc8d84d49a32d36c34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\hi.pak

Filesize
1.0MB

MD5
cd91036827739441e4cc849aa30706d6

SHA1
cc8e4c53e18db16876f855c2377f3cf0e2abf95a

SHA256
0936587aa072339f8dc347506e5553159319a686010ca1912bed1d830e107c6e

SHA512
553773bdc11be94f495b88e0587d572455ef68c182d51c9e1ae0e3aa23744f836996a446ed136afc562eb9a110e435b494d5955d2792a364a619111e7b3550e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\hr.pak

Filesize
477KB

MD5
ef62a50cc098afcf3fab69c7502219e9

SHA1
db474cf332c90de660fc575ef897d5389b65784c

SHA256
07effa557c8bc822626c05a4d299296f88d3da0654248c326d796f7c2de3ec64

SHA512
7ae6f40c7bf404532df0bc2ffa449e0d99debc2b9816450ed0d015b1634dd96cd5650ab6af5a6d44d52d0e3c9c81836ee350210c4f8a13be6cc0cb796a630350

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\hu.pak

Filesize
513KB

MD5
51b14b96d1b9fa99ed849347a8954133

SHA1
5259b749576a9612e429a665dfc8bf47651c39ea

SHA256
70d4a0724a2e0e80ec047e7683eec7715c0fb5f88795cc97a63e4c2ee2237800

SHA512
b68d4bc792f29df210602a557d0b3333a95e30cd03a0a4cb5f537c9c51da9937119391f2a359c03fb874c1f540c23f44bef121e45f048f32b1db06d67a0bad1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\id.pak

Filesize
421KB

MD5
3b5e08406059d1a76566e9a5d4c9b15a

SHA1
6bf45f2647e959ec1b545763180e8f29961ab3e1

SHA256
60409d8b785dd057e3495190b18e6d6d235d8313555341cba5f64327e3d8c3aa

SHA512
6c4150c064edf6ed0b83b216ce62134bbab12137e6b45749dad08d1d1734b3365309414900615137c6acdd12250add5c69a222daa7984a94ee850aaa55af1b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\it.pak

Filesize
466KB

MD5
4e7ab6a5d407bf4d3f96671d65e467f9

SHA1
67f43053ccd167f2ce6d945202f64df29ee1ac49

SHA256
20408c09d9447f44aa920f2529d231072db8bb9c0c8b8fafa2db733561eb6964

SHA512
bf493e1a1c0898f7a54f8a5278dc0ca345e9937efe269b1bd3a3bc90645d767070ec9c117df001f8c3b51b4a383c30f025daf79606ac1840fcc5878ad4c53624

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\ja.pak

Filesize
570KB

MD5
74e2430cf18db7ecae2a9b1feeb049b5

SHA1
362a5f3e4d8a79b9d0b041d62a8a5233e20fb208

SHA256
1a726c500b5b3efdbc7b9e6626765dcb8957005f9c072c09d1f517587d6b673a

SHA512
324d0ba770c09cccac4c59e0e0605846a4e18f32cc79f14fbd4e5b0172f439ef8dee538f686458b3a07e5e8b4528ef67aa5d339ae25f7c601c9a302caa7970f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\kn.pak

Filesize
1.1MB

MD5
56c5f63f439cc962b815bbc4f3f12c32

SHA1
c96248cafd869fef11bc37aefb1382d0f60a7855

SHA256
14b332541c2cce0835202372f8cc822aef30b3575b651c96219a88b8d1381648

SHA512
9210759d8e73266381fbf04280aad0bc5006f315ce3fca74fe304b3261af0ba399210f0b84620230d6aa0c667e60c0a6d9e67681fdfac401338e9331475bb7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\ko.pak

Filesize
481KB

MD5
a9b446bb79b0e5d0b4af4f7243b1f3e2

SHA1
fcf962506b32b34a6315ed61acdece33df3dbf23

SHA256
507fc8d2a468456f2842b65a111fc0c74fe1f56d5f5ac0d6e743aef186b43b2f

SHA512
e7f281206bd481427a75b581f8b2a435eb8a29bd8b5586a8db78605b1c1bbc20dc1f4b2ff92d04c62fb509dc6e1e062d1d584c195e386c5c2ffda0f764276aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\lt.pak

Filesize
519KB

MD5
49201fae17b715a15fa03c4d89dd2176

SHA1
7c559c174850de48c4a2837fe32c58f74d8150b3

SHA256
4a80792cb9a401ebfa7ec3212182b5024d651ca6a5ead8fc9809d0d3ad4803cd

SHA512
3016f721d77206e13e275e7eea1adc95d403feaccf595eacf933940485031e9aac0c29b6f47a9ff5f73b08c354b7b82c72193c83e1ff09d84cb5b9b72b708166

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\lv.pak

Filesize
516KB

MD5
335158efe454819a0dc8de0edb0f0e90

SHA1
85871f85f626db1fc597ef24c79c84115a66c17e

SHA256
113073cf60ae3d2bcf8a61df655762e34ba28e4b35b97de33c18e13f959d76ff

SHA512
f81733bca3fa65c789630b55c4f414a8541e71c4e1aba56bdb9d231ce189677b3bff4dc57c92fbe1cbc88f1f2f7fbf1a7e4319a8918c50409fcba958d743ccbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\ml.pak

Filesize
1.2MB

MD5
1030c08ffbbe7366ce5b7d55bc8ecc0f

SHA1
b45b53c1e47a0051560c607874357130c499563d

SHA256
e1f97ce3011d9231f23fe033bdbb0905c173921b18402d362bfc35224ff67db7

SHA512
3b9127a0eec02f75f79c66f5f7845b65c4ebe2e6a33989c7686815ffe0651be47d42f55c2f32a67a221495a8bebf043d853df7b244a68f89390044210e52dd3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\mr.pak

Filesize
976KB

MD5
eafb18d633064d0f02a3eff3eff9aadd

SHA1
a8846e473014be80125630f1c5b51366220ff018

SHA256
fcb7c4aeed28ae4d16fa7b82d9571165aab0fdd46eb65d3ab29007231630ccef

SHA512
d332a4b7f4cb1583a5bf5ce08fdb46661a5bccbf0a66f7f5ab6ce04367e9bc589588dcb32f443695a3ab129dc50d2962ed4c138f97858639d4ea37c117e23495

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\ms.pak

Filesize
442KB

MD5
3d0dc94a638f98d9bf3c0f60f89a0c95

SHA1
a979b04c65832d908305fb0406cb0653271ad744

SHA256
a9f9ae23a3bc2ac919c5b46d16b7e1f3bff73698d2626260196210e101d119c2

SHA512
6d687f1eb9a7fda3791295487063393b8f0a7409b55461b185aaf106c596229de6988114230625d6504b869d25d7a624bc3b90d66a0bdf561cb05a57d5b87c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\nb.pak

Filesize
431KB

MD5
9c18dfa9e69c1d7810132800d084136c

SHA1
bbaa9576e1b012df33d79a5dc7776c00e67295e4

SHA256
4f3babcbec0d138654ec59fd8ab5fd58da2273237a587928b9687928c7ca10ff

SHA512
a82b1e340a25a3858906ded73624bd0be4b3ccd1f5728560480b4a4e3a78529f5a178d20cf7d95fd55ded7ca4fa95a5fff87d89f0520ea08b54e7b99c9057d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\nl.pak

Filesize
444KB

MD5
5cde06a63c9dc07fdbb0fdc94e403d00

SHA1
11be56054908f1f9cd56ab77692fe3717ee91ee8

SHA256
3b9ed5ed0dd07d8fa67412a046ab085137542c156876dbfe6f83376571af91a3

SHA512
2716496dcbf76cc2dece938103813a8dbc17d4c795b4e3459a572de4f62f9ac0e1788de3a21f5fb287ad364decbd541a5e3bddd406e130d2a9c72118ccee5390

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\pl.pak

Filesize
497KB

MD5
b44fcf9fdc4ec7bb5e72cae30aa15c01

SHA1
daaae4aa7987bcce299995feea5c54f2d77b61d4

SHA256
7f1a8392fe3aff4e6bb4bacbc1f4b395f08ecafda9f81e36b41b77fb4ab0bc76

SHA512
52b46d7affac4949fa19841d26d2f4bf877e36cbda4b75f3ff289a7abe9a80c2a014b1ae23d3079f4d31ed5fa76c320103733284a2c13d99a451810407325674

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\pt-BR.pak

Filesize
468KB

MD5
de8ff9456ba9ea999d0d1bc9b831e7ce

SHA1
1d67c6dd97fcf221c71137cc8b1946368807aba8

SHA256
b32fe8f602ec9800d59806e097e369fd065d8fbf473da40fd29289493489930c

SHA512
5a3a48ddad801382ec9065c6160698dd746aae810374c2b772d521a1764e7e0fd2c28c5dd1cdccb50834d699ee19441713fe10a91dddead46ba0cff3edbd6984

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\pt-PT.pak

Filesize
469KB

MD5
002d5b37e68a0725dd7d89fe3fc7ec48

SHA1
545de8047d3f89150516b95031965adc8f17df68

SHA256
1fadff356a7e89a8ff2af3ddf84f70fd0ce69525c7787f8adae10beed9d76d4e

SHA512
abad6cbb30a958bb84a521a66636af4221a9f63774122d3ac3b552503930ad83d343ec4c8109c8031cab17c546ef7549aa0f87746e39a80f6758fad28ecee129

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\ro.pak

Filesize
486KB

MD5
7056fc61de4a16c7f4f5bf44d2e87f8a

SHA1
99d16dcb3b1aefc472601439f630e1244b1aa277

SHA256
b7ba9435d82f6bedd7005b6e868ee86f0bb6c4d7b312fe5f5d4afbd440ad5b85

SHA512
529152da39f7ade6713206fa9f767b35b9bf03816387579522eea78ac7d0e150bad557fcdbef51e76d52e39f61a0b4e54ff6a3b592eb7e34fafdb98afe460f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\ru.pak

Filesize
797KB

MD5
91379a583d22fa9343ed466c261366ff

SHA1
61e8c39235945c4f38807b14ac74da7d3257759a

SHA256
0d4d0b8052519848abd182c44dfbf444a77a0c6994965c4a3001f0a3a4d1459e

SHA512
dde26b59a1e5f94d5b245f47399d7a9d3db8d247037331a471c39b1d7e79e236c5a0732fea4c53b843d8eaff1f54ca155a816a193b7baa870fc458a5aadf76be

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\sk.pak

Filesize
502KB

MD5
78bc785a75ee512391a9cb462a771c09

SHA1
229d39e017174dc0a8cefcfcc72b0feca94d6208

SHA256
ec15c82956ebddb7b246c78045ad414ed34ca97d890a915070e252c8715096b0

SHA512
96556f6072e69351e1bbce06bbf896b1ad53060c7cbaf7928eebbe0f610f5e8778b2b8b97a5a268b7942a1c8d1adc6bea0403383a2a5bb99049437e95d575ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\sl.pak

Filesize
483KB

MD5
e76e473c419c25768b08a95a2822918f

SHA1
0fa7e2fcabb03a8788f50f1d4b4eb383c833e9ba

SHA256
fcd27a9f5cb4b4be373da7076a8232006ebe020999fdf90d20745f16cd7ef223

SHA512
e39ae0acbb7d148d6ade676d92e83fa9fb433230bae4339c31693a538198bf0679adef51883b96f8dfbcc8593a982544c64a2b265897f35a693183b27070ea5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\sr.pak

Filesize
745KB

MD5
48abf758a49e2e8aab013f2bf56091c0

SHA1
ca909bc28b03bf959ac32e218a318289e0badbf0

SHA256
b4cf2d19b5e443b57ca9d1189880458a7cacfe1c8b231265557a3fb58f597617

SHA512
22d65df1cd35a8127296420a699f26edf55813fd6a970050dc9b2b051aaf7da2cf2fe6314a94977587021c02aa7d8b42541e1d08d5940fb7e1af127e87268c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\sv.pak

Filesize
433KB

MD5
06c878c1538813e5938d087770058b44

SHA1
c8ab9b516b8470bdee86483151ae76368646bffc

SHA256
90dc45426bc1302aa05261f136881ddf038272e9ac315297aa8e5dae2b31109b

SHA512
6ddf615bcf0a8c62221233687bae1eeda5cfd749aa8acc179d6650987289201b405edd453fc181a1d250eba9bbdf61ea28fb7c694539fae3d320bfdea56665cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\sw.pak

Filesize
456KB

MD5
55241312a3aaba14a6b19a9012ca25b8

SHA1
69fadf0817faec3bc6b018f0af5f63378ade0939

SHA256
722c86bd857a93ae06ca0b7cfe2cc04237a7ed5a52586cab7246336c802abe37

SHA512
612f815c25e9f593d1f1c4de8e9016dce048cfe90f21319c4cdbb5772580cb8c71229e9ddba60852cd0bec80a07a783ace24f873d90dc3323e5fdcc44905f2c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\ta.pak

Filesize
1.2MB

MD5
2c0a9cc4a7c775ff13a6888234265cab

SHA1
497bde42737667fc833bbb9d8a9edaf014d99957

SHA256
1dd55659ef21082b9d58bed50f387c0e1fc0f28d0ede52251b9ada25ed2a657f

SHA512
b862221cf17d3f2ca0495a8a3e1f630ab915fd9b2a46ac16c71deffee9a6f71264a8550233781474d60cc6001a48c7c658c77d4e0dbd5b543e768928119d2f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\te.pak

Filesize
1.1MB

MD5
5f9b7a945638b88e75a3175a7923119d

SHA1
6af614f2cbd72da2224f48a203a6430a623fc7ed

SHA256
3b476d2ce7c72c3a10170808020dc3f1a87309f9f725b08217c4716b28d10888

SHA512
3b66c9152ec032d6f2372ae5075cbfe7d0fb398c4bf173a7f8c76d91d9eaa816e6f839b90884533b46a9224e9fb52c4d439b3d1907885b8e9f80c5c55a852b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\th.pak

Filesize
918KB

MD5
84ad3f888c0ec307bb7b8c278cd36757

SHA1
948a5f8b43d059280d5374ca6d66e8dfc6a76d49

SHA256
56665860fe6577fbe00543a47a15e10eceae83458815f2989d179e42af07f81b

SHA512
7001c0607df927145e40a605e2b97914d02712d11e09ca20339cb1aefb042a1f853fd06e78b76f6dc6f19b6df837bca12946a3470c6c064ca767af1db57042e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\tr.pak

Filesize
465KB

MD5
0aedf5c2f6f4f49074a2adea454df4c9

SHA1
a48d9d8461e61170257897766dbd6906e754a0c3

SHA256
3f4658b3811b36f5cad794e48e6507335abfe78b0bfa0c80d1ef9c5d7bb410d0

SHA512
e359e446330fc154c16e34a7335174f372bce701faf85de8a5f4b432ce3e10c69f42c93b7182deac89bb4d29750d0dd525b6dcd74a5b7bd724f544d14ba44a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\uk.pak

Filesize
798KB

MD5
64aa9344abd9a32f10d6c05a58eda4eb

SHA1
3286ee43f36e2232677b4573e8b4a3303c7df048

SHA256
ca20af5982ae706f5029467901d7d66f90b261f03c7d240d0d1ab2fca2b50a7b

SHA512
dd768b314da50b8ba5a006a4e56d70044c1af79960834722894d930f5347194ae7f9f5697bc4cd0790a79341635cb1df8c74ff45f74d1736049161af5b163efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\ur.pak

Filesize
696KB

MD5
88eef2798dee8a361c3ea9bafaa02a35

SHA1
6f8d4ce422336ca5048ef35d6ece360a9b416d8a

SHA256
91318006c880e427417a2b2fff81fd451769a5536fa16d1dc185972137bc2d6a

SHA512
db36b58186f165ff3f746ac483f75b6fed596fad9b3f335e86b374b359e563407acf58ac7cded9420e4fcb91f31eebc8a91c7777ea59bafced8cff2f1c0e9a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\vi.pak

Filesize
551KB

MD5
4c5c09cb7e6eb120c8019fe94e1ac716

SHA1
f018e7f095605e21db24944b828cc3580cba863f

SHA256
e7319ca18eba379772954132493bbabb448d4e97d755b85360ed337216b48800

SHA512
d171ee83cf02a8904290a74df1224556887e41333b8a01fbd95f0cacc88d230195fbfb6f99f9e02573d4864b3c95b570a77c2a0b1e19324d2599925e40684807

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\zh-CN.pak

Filesize
398KB

MD5
07b6c43d87dbf93ac8abe6837f3c2103

SHA1
79e033179b445609b3f1756c3f4184d5efacf1c2

SHA256
7f85b35938fadca91bfd8f92ca53613718e375ef010c340947dd27a4ff66594c

SHA512
38ef8f8a8a950b11c18eb7a40da721b888ef792a49e1371dc8c1eb22058a6791f95bf9b25df4ba190a7aa6cb62ce38b0bfaea83c71b62cde6980d12cf9da53f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\locales\zh-TW.pak

Filesize
394KB

MD5
960e99a171c4ed4b6d787027ba88774d

SHA1
e3869aff0c52841c9df718133e7c4be2977de7fb

SHA256
e42640f5309add2ea7fd5a4db503b93e479ef14807710a06d7e53a0f261da8e6

SHA512
4e51d787aff8f425d101882bd70e71b88b253f2ca61ed54dd7ff77c7e3a1d6570b270f4eb91f2d03869ea4537d09e141f3e32ea3a27537295ec698bf26305cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\resources.pak

Filesize
5.2MB

MD5
4f1e4a359a66a46eb55313e04090e102

SHA1
e3f971830be08bf10638ec136e7b9a7990abe4d2

SHA256
50dfd64b881b8ff256c7fc4d3743389e6e2f95cf6da453629557812ddc0f7004

SHA512
7762848e8404dacce11a83195ab4e8d1cf391d9916f27e165ee257a6ba7d6a73fc12c855be74c734eacc897cf64655b949557ea12275f3d488cc3680d7fb5e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\resources\app.asar

Filesize
46.5MB

MD5
4ef13090ac76f849ccf5ef07dd9bd00f

SHA1
42c84f11ef3cc9141b856cd16e66c36331092cef

SHA256
0bed94f318aae195c4888e1cf0fd212ce5443c36f6ebc68506e1ad8a539d97b2

SHA512
a346073987528a80e2aa6620286e7f95b5add9506a373e2ada3381e90171f1956760e95fad8516bbf4a1b64e68eedfdb0b5b26bc33d8beff4a3c4811dbffeea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\resources\elevate.exe

Filesize
105KB

MD5
792b92c8ad13c46f27c7ced0810694df

SHA1
d8d449b92de20a57df722df46435ba4553ecc802

SHA256
9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

SHA512
6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\snapshot_blob.bin

Filesize
262KB

MD5
40a3c2200e4126e8c47a7802532c9236

SHA1
212a4686dea5a467b7b6fa54397e42122b235f1e

SHA256
94aa518fc892ee9a0f1eb5fe35b60123ee61a5f848864b00519b96d8d5d9786d

SHA512
fa1a943822abe3737587d520654078117cae86c58fefe6dd6a09f4a08c09293e9547a0ad79c52f8638dfbb1c496df3d0e828ce414176c8fbb77113be41212866

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\v8_context_snapshot.bin

Filesize
581KB

MD5
264e3b574e4f86b1fc47b2427402e779

SHA1
4a4f9e7c3da262713e4cf7af6ac51822c56b5ef3

SHA256
ed559c6e81b6003b2057e5c1b0bdb5b28ca094b895ca86c69fe11c5c9e014f06

SHA512
144365d0fb83576aaa02ea6ecea51d7ba2cacb044eea568a08f65b98a83d3e7d7e693738e065e22f94bfd1165d0ea93a749dd1325d829257a9bb6607a9a927db

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\vk_swiftshader.dll

Filesize
4.9MB

MD5
e53fd0779465c910b275f93abafa6e3e

SHA1
f38f2711805d08b4b6d29b0a49253db0da939fcd

SHA256
58e2b5ab33366550207ed8e1f420b24c94b19fbe8e753f5a6c038beb829533a7

SHA512
934e8e68042d1adcf17efc1fbe728930ecb2d6cbc0fd60ad064e28e18ed2a57fffc7331b2eb807f6972c0c37bb9acc69c97a137b264efab67e180a8fe0d1cdc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\7z-out\vulkan-1.dll

Filesize
917KB

MD5
5148e286ea76b5c3a01656a84548d035

SHA1
9f90b7523c64c62d7b0adf4511b49a3f2bb022eb

SHA256
7fb87a7f0d50007dca64bf845d444fc66116a57edecdd8487c91d6879b578a0f

SHA512
23527f9eedc4873320c65b91afd90873febce3f666470dbaaa42e1165c4b864f1df19038bb272954eb2281bb103c15199c6ff25ca44c0ecbfebfa1f5b34c01d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\y8u18.exe

Filesize
41.6MB

MD5
20a0693d7cc2c0565097d6e2d692c89d

SHA1
2a858816db05f9dfe278869208caef3830f21c0e

SHA256
95a96945897713af96eb6ca1b0d7818d707d2a8a53eb8742b5a3a96a6a8d5ca8

SHA512
e2c6be218d50d10e33906be4b81898cc80504b05951618c11b2fbdadd591c530970286b9ddabc1d7ee5ad572183ea03cfef77c4876f2d2ce328ac95c432488a0

Download Submit
\Users\Admin\AppData\Local\Temp\0f62eabc-559a-4b54-9a84-12b6601952e7.tmp.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\nsExec.dll

Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
\Users\Admin\AppData\Local\Temp\nsl6FC2.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/2388-750-0x0000022D30F70000-0x0000022D30FE6000-memory.dmp

Filesize
472KB

Download
memory/2388-777-0x0000022D310F0000-0x0000022D31140000-memory.dmp

Filesize
320KB

Download
memory/2388-747-0x0000022D187E0000-0x0000022D18802000-memory.dmp

Filesize
136KB

Download