hxxps://drive[.]google[.]com/file/d/1GZjlJx_17a_ZZZ29DVilHNZWhoa6-ueU/view?usp=drive_link

Analysis

max time kernel
178s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1GZjlJx_17a_ZZZ29DVilHNZWhoa6-ueU/view?usp=drive_link

Score

7^/10

discovery execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Ultimate Tweaks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Ultimate Tweaks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Ultimate Tweaks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Ultimate Tweaks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Ultimate Tweaks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Ultimate Tweaks.exe

Executes dropped EXE 15 IoCs

pid	Process
688	Ultimate Tweaks.exe
4800	Ultimate Tweaks.exe
1064	Ultimate Tweaks.exe
4852	Ultimate Tweaks.exe
5400	Ultimate Tweaks.exe
5844	Ultimate-Tweaks-Setup-1.0.1.exe
3656	old-uninstaller.exe
1796	Ultimate Tweaks.exe
1992	Ultimate Tweaks.exe
5508	Ultimate Tweaks.exe
5088	Ultimate Tweaks.exe
716	Ultimate Tweaks.exe
6652	Ultimate Tweaks.exe
6704	Ultimate Tweaks.exe
6720	Ultimate Tweaks.exe

Loads dropped DLL 42 IoCs

pid	Process
688	Ultimate Tweaks.exe
688	Ultimate Tweaks.exe
688	Ultimate Tweaks.exe
688	Ultimate Tweaks.exe
688	Ultimate Tweaks.exe
688	Ultimate Tweaks.exe
688	Ultimate Tweaks.exe
688	Ultimate Tweaks.exe
688	Ultimate Tweaks.exe
4800	Ultimate Tweaks.exe
4852	Ultimate Tweaks.exe
5400	Ultimate Tweaks.exe
1064	Ultimate Tweaks.exe
1064	Ultimate Tweaks.exe
1064	Ultimate Tweaks.exe
1064	Ultimate Tweaks.exe
1064	Ultimate Tweaks.exe
5844	Ultimate-Tweaks-Setup-1.0.1.exe
5844	Ultimate-Tweaks-Setup-1.0.1.exe
5844	Ultimate-Tweaks-Setup-1.0.1.exe
5844	Ultimate-Tweaks-Setup-1.0.1.exe
3656	old-uninstaller.exe
3656	old-uninstaller.exe
3656	old-uninstaller.exe
3656	old-uninstaller.exe
5844	Ultimate-Tweaks-Setup-1.0.1.exe
1796	Ultimate Tweaks.exe
1992	Ultimate Tweaks.exe
5508	Ultimate Tweaks.exe
5088	Ultimate Tweaks.exe
1992	Ultimate Tweaks.exe
1992	Ultimate Tweaks.exe
1992	Ultimate Tweaks.exe
1992	Ultimate Tweaks.exe
716	Ultimate Tweaks.exe
6652	Ultimate Tweaks.exe
6704	Ultimate Tweaks.exe
6720	Ultimate Tweaks.exe
6652	Ultimate Tweaks.exe
6652	Ultimate Tweaks.exe
6652	Ultimate Tweaks.exe
6652	Ultimate Tweaks.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4420	takeown.exe
5452	takeown.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 46 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3888	powershell.exe
408	powershell.exe
6460	powershell.exe
5396	powershell.exe
8056	powershell.exe
5628	powershell.exe
5612	powershell.exe
3016	powershell.exe
7156	powershell.exe
116	powershell.exe
6348	powershell.exe
6260	powershell.exe
5620	powershell.exe
5280	powershell.exe
6228	powershell.exe
7164	powershell.exe
1792	powershell.exe
4080	powershell.exe
3720	powershell.exe
6856	powershell.exe
1388	powershell.exe
2156	powershell.exe
4124	powershell.exe
3468	powershell.exe
7960	powershell.exe
6140	powershell.exe
7136	powershell.exe
5456	powershell.exe
8040	powershell.exe
7728	powershell.exe
6500	powershell.exe
6868	powershell.exe
5296	powershell.exe
3820	powershell.exe
8048	powershell.exe
7732	powershell.exe
2272	powershell.exe
4060	powershell.exe
5680	powershell.exe
6356	powershell.exe
6876	powershell.exe
6468	powershell.exe
2676	powershell.exe
5968	powershell.exe
8	powershell.exe
6336	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
8	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Tweaks-Setup-1.0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	old-uninstaller.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000bf081c85bb6cd1e80000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000bf081c850000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900bf081c85000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dbf081c85000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000bf081c8500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Ultimate Tweaks.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Ultimate Tweaks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Ultimate Tweaks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133691867785823465"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
500	chrome.exe
500	chrome.exe
688	Ultimate Tweaks.exe
688	Ultimate Tweaks.exe
408	powershell.exe
408	powershell.exe
4080	powershell.exe
4080	powershell.exe
4080	powershell.exe
408	powershell.exe
5628	powershell.exe
5628	powershell.exe
5620	powershell.exe
5620	powershell.exe
5620	powershell.exe
5628	powershell.exe
6140	powershell.exe
6140	powershell.exe
2272	powershell.exe
2272	powershell.exe
6140	powershell.exe
2272	powershell.exe
3888	powershell.exe
3888	powershell.exe
3888	powershell.exe
5356	chrome.exe
5356	chrome.exe
5356	chrome.exe
5356	chrome.exe
5844	Ultimate-Tweaks-Setup-1.0.1.exe
5844	Ultimate-Tweaks-Setup-1.0.1.exe
3656	old-uninstaller.exe
3656	old-uninstaller.exe
6468	powershell.exe
6468	powershell.exe
6460	powershell.exe
6460	powershell.exe
6468	powershell.exe
6460	powershell.exe
3720	powershell.exe
3720	powershell.exe
5280	powershell.exe
5280	powershell.exe
5280	powershell.exe
3720	powershell.exe
1388	powershell.exe
1388	powershell.exe
4060	powershell.exe
4060	powershell.exe
4060	powershell.exe
1388	powershell.exe
6856	powershell.exe
6856	powershell.exe
6868	powershell.exe
6868	powershell.exe
6868	powershell.exe
6856	powershell.exe
2676	powershell.exe
2676	powershell.exe
5612	powershell.exe
5612	powershell.exe
5296	powershell.exe
5296	powershell.exe
6228	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe
Token: SeShutdownPrivilege	500	chrome.exe
Token: SeCreatePagefilePrivilege	500	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe
500	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5844	Ultimate-Tweaks-Setup-1.0.1.exe
3656	old-uninstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 500 wrote to memory of 2324	500	chrome.exe	84
PID 500 wrote to memory of 2324	500	chrome.exe	84
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 3632	500	chrome.exe	85
PID 500 wrote to memory of 4600	500	chrome.exe	86
PID 500 wrote to memory of 4600	500	chrome.exe	86
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87
PID 500 wrote to memory of 2884	500	chrome.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1GZjlJx_17a_ZZZ29DVilHNZWhoa6-ueU/view?usp=drive_link
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe94a4cc40,0x7ffe94a4cc4c,0x7ffe94a4cc58
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,14158985772204098075,3631687358962423872,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1872 /prefetch:2
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,14158985772204098075,3631687358962423872,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,14158985772204098075,3631687358962423872,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2232 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,14158985772204098075,3631687358962423872,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,14158985772204098075,3631687358962423872,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4472,i,14158985772204098075,3631687358962423872,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5128,i,14158985772204098075,3631687358962423872,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5204,i,14158985772204098075,3631687358962423872,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5428,i,14158985772204098075,3631687358962423872,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5468,i,14158985772204098075,3631687358962423872,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4076,i,14158985772204098075,3631687358962423872,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5732 /prefetch:8
  2⤵
  PID:3040
- C:\Users\Admin\Downloads\Ultimate Tweaks.exe
  "C:\Users\Admin\Downloads\Ultimate Tweaks.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4988,i,14158985772204098075,3631687358962423872,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5356

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1524

C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4800
- C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1872 --field-trial-handle=1880,i,14473981797432209147,7598182291129640034,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1064
- C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2000 --field-trial-handle=1880,i,14473981797432209147,7598182291129640034,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4852
- C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2320 --field-trial-handle=1880,i,14473981797432209147,7598182291129640034,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:5400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    PID:4876
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:1072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "del *.log /a /s /q /f 2>NUL"
    3⤵
    PID:5560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "RD /S /Q %temp% 2>NUL"
    3⤵
    PID:5296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "takeown /f "%temp%" /r /d y"
    3⤵
    PID:4476
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Users\Admin\AppData\Local\Temp" /r /d y
      4⤵
      Modifies file permissions
      PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "takeown /f "C:\Windows\Temp" /r /d y"
    3⤵
    PID:2132
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Temp" /r /d y
      4⤵
      Modifies file permissions
      PID:5452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "RD /S /Q C:\Windows\Temp 2>NUL"
    3⤵
    PID:5148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "MKDIR C:\Windows\Temp"
    3⤵
    PID:5188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:6140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -Command "Checkpoint-Computer -Description 'f' -RestorePointType 'MODIFY_SETTINGS'""
    3⤵
    PID:5260
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -Command "Checkpoint-Computer -Description 'f' -RestorePointType 'MODIFY_SETTINGS'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3888
- C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.1.exe
  C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.1.exe --updated /S --force-run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5844
- - C:\Users\Admin\AppData\Local\Temp\nszA59E.tmp\old-uninstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\nszA59E.tmp\old-uninstaller.exe" /S /KEEP_APP_DATA /currentuser --keep-shortcuts --updated _?=C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3656

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2144

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:5640

C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --updated
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:1796
- C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2120 --field-trial-handle=2112,i,4329481504145522250,17653244459252642162,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1992
- C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2148 --field-trial-handle=2112,i,4329481504145522250,17653244459252642162,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5508
- C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2260 --field-trial-handle=2112,i,4329481504145522250,17653244459252642162,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    PID:772
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:5220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:6460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:6468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:6856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:6868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6500

C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:716
- C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1736 --field-trial-handle=1744,i,1950303628063867758,6605693296609495693,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6652
- C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2148 --field-trial-handle=1744,i,1950303628063867758,6605693296609495693,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6704
- C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe
  "C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2280 --field-trial-handle=1744,i,1950303628063867758,6605693296609495693,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:6720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    PID:6408
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:6380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:6228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    PID:744
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:6940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:8
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet"
    3⤵
    PID:6732
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet
      4⤵
      Checks processor information in registry
      PID:7220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:8040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:8048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:8056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\01dc891d-fea4-4147-b019-c4dd12c215a8.tmp

Filesize
10KB

MD5
1d4d0494f7aebd46d7f0adfa1e3a1461

SHA1
53f75b91b500ca943dae9ac2441cb1ad65407678

SHA256
c02d53a6486f3305e12e0116f08e401f78ee2f989b8ade833af89e706c2eca6d

SHA512
964d4e0c97200c0263d606f5828ce18bec3419b634c1dba52320a674999044a462086a1436465e809a8d92b756f94c0cd7e1ab8f4504e463521d093f7e1f4545

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\68052a3e-23f3-42ef-b891-b197a227e77e.tmp

Filesize
10KB

MD5
de5dbfd4db661e1d2bd15bb82e4d0d9b

SHA1
d48c2590718255a3f5f61d324ce249b133ad3524

SHA256
82a6312a2685f4533507cf11d0b0080f154d81b0c8433ef4cac0fe5bc4a1bbd5

SHA512
a6aa9abcb18c557ebc74cd5b20328d1b559b3819973eb4615b41132bb188c0b5be24a60a0cf02b08779d2f43ce18e705daf9b81f4b0313f649b3cd8015ffe23e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2271cf0ce76848d1d75a021ef3181fda

SHA1
71a751a982af82529cbb3d3a38fc2a00ada6d47b

SHA256
89ffa9d3a317559e533a8eba0b5223f47a0664576aa65072e53895a3c5ebaab7

SHA512
f9d938025c1c298b286ec6914380f22f04afeff73d6675bee6d465ee5f98dc123f083558c32499dd78ef41a19faaaf8e7bb88d1cfa338d6a3c872d39577c41cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
7fbcc06d302a04bf673476f3cbbae7cc

SHA1
d433c803bec2cb370b10f744c812c85743e63e5d

SHA256
50ce87f965548bdcdb8d750b16026a572f762372555ed7b724a60bd965a6e448

SHA512
f9b4ef415eb82f506887ccce8aeba8a821a6bbfa8582acafb542f94e387af110d682b0e5a961292f99ea7cca89b052eac76aad6ff6ce360fbe4871a9841dc137

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
886278b7897d8b739a17160123c33b7e

SHA1
64f573d06ae2e0a58dac9f99278ce755495ac6a4

SHA256
2f8f382f9e520f5e212b012ee32745c91621e596de0276621d2b076f636a0fac

SHA512
18c24734edf1af20d592dbfdf20fc46d51b0b5eaf271d1d1e1add5ffc545c7b2fee9f7c2b9c51da07bf3174e3a4453609be2183b2000ee276f1d40cf784ea610

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
43d29770aca4d7b1389d0cbcde298cb0

SHA1
773683c90f26381bf3d1ff9b61a034a01bda12f8

SHA256
b4a4fe1df0b4c0954aa826c3545a24d4a88ab000c3faba86ce7c7dd051123f88

SHA512
1e70ca8d83c413e5e8ac49ce44289d7ef1b3a6d426eca11094489f7a093e513216a06498d222ece4ad145a1dc07072b852efd10cab6fadfc017fb6460a6678fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
1c6d1f1bcb65b75c8af5580de3d18a5c

SHA1
4bfbf6463dd523f2602ceba956e8a88db142ffcd

SHA256
a3a0ba68330e2cc53af44d549a347d083c22611574cca28512ea9c028f72028d

SHA512
6cd80579d6f678823bd24f3ac8d3278be4de0c28451ece79ed52072a32b7f452b7c0d1c27325781e988742e2b77b1b4a78cc147b2cb6f017db57f45cdda656ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aa01307d9f61b5614677d75276168b87

SHA1
1dcaf084634085efced49e2aaf1f1c62053798aa

SHA256
6111c8854c76350f3e7e18a372ac9f9360b817d6aff65f107f5958980f6aa3c6

SHA512
911f616fef4422477adb8754ed34332bac12cd4cb12963099207f8fa3226c799e1b37ab548e066846ac9b7b05ff92f539bdc60fa72cec10fda3197ae56a52d77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1ed5b7b8b98a64e19e028bc598b53a1b

SHA1
2c148ebd169b3c219f54896b4d80eed6d2bed009

SHA256
b42876031c20c7b8ab7bd6c161faa8da101a87ae5e586e6c38c4a449a803c63e

SHA512
e6981ad5cc25885d18337ab07ab12eb2014279547e398931e1f789647a2e0bcd877629db67a9ae21ef47f4773f199733ca20420fed7f5c431285d861557a1e1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7fded5c7f8f23f209f843d20987e5eec

SHA1
4319153769d1eccc86b115dd6d1a68da79ea9f9f

SHA256
c3e40d30f454503a51efd0b01f078043ac206072277cc0c36925aefb0297a0c1

SHA512
73da7b9ea52daf7672aa3ce72d30c546b86eb1dbaa61faba7a21b0a769e9fcef62113efd988e785da588fd965b819101b681625da89814771b7953614e64d7a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a663a0d8efddefb29eb303218ec28209

SHA1
895c7acc01edcfc32372d9a5414871a85de0cef8

SHA256
7a317d4881805d5970fb590021e959f0babb1554e44063657b77ac4034a77dbb

SHA512
47e16bdb8fb259620ab5c41b447ca2bc451a55f86f5d2a4a4b02defa002bb51f4a98127bbb80eb3d9db2245099a3b548046ce338db4dc87f170de9209f6d6a20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5ffc833f32962efcfc592a530cf40a2c

SHA1
e30dfaeb02e5ddb6ea8d632a506488318bdbe092

SHA256
87c26a9d8ad87e1584bba3323c7d194893d46d31c3d947c66bfdf3341798ab51

SHA512
779a20c5d6c91ebe95028af5adb0eb05d9f4e49c92d7570baf69ee77b05136eecbcd1c8fc73d2fbbd20ec408c402c2b84aec7cf6c069297bb4acf596075737ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
41511f8ed6be2b561affc1d47e0bc20a

SHA1
da52894df7f3cf91b7c5b787ce299def6ba78462

SHA256
235fdc48060073d2dca5ba82b7d1c10e72ca2e55bb68785ab3b86820684ba0d9

SHA512
2cb65aa03449e68b1314fd14230d61ddfbbfd0f0ea1ff77b56e9570ebf552abd34843db08d7e7fb02c911bfd344f11fcb7b5be9e89cf7446a86f7c7f461d401c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
387526df06684761f5b81470452774e1

SHA1
97dac5120cf114a00876db08c546d57fc5c776b4

SHA256
932bdfb7db32f317fa17fabef7569b201bd1102a8866f786cd584f4f19e14627

SHA512
c6e4ec385807ce448c9e6bf555eacb71c7598c832cca205b39977fcbeca89e843de1252dedffab4b3bad7ffbc6036260aa852a59044cc566b1de5c1d2a11e67f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a100fd637db8e06caa83697959b56c82

SHA1
a8673c89a4bbb487c1bd55350484f87f618b3405

SHA256
0939a90bb07020d954f64e777cdc11ee46645cc73b92eba8d0bee84bf5164649

SHA512
9472ac5a15eb63a53cda97a0c6dd5a11bf594bcf4f4d734e4bc80babf54182651109f41f1a5db848a30bf585c017a4252ccaca50f1a9c40546c73e459674d031

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1fcb3e266b9e10545748692910bcd2ea

SHA1
29e84d706f9d21b6bb1aef8dfceb8f99fce45aee

SHA256
f9a2e5a14e6d3ab83518295b756479f7920aeaaaa67b2de1ae275d3d1c73cfa4

SHA512
4665c68139e1b72aa565844b59089f3be234e2acd5bca049e320f3519997fcc540bf4ce3525bf9932e15a03f720162a2705902bc5188b008ec76d7bfe0958070

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c9a47a65d92a17f37612aa7b68c5e289

SHA1
44c6d33f8020d1aabb5bad01e02836f9c441941f

SHA256
410bac486ab5ab4c8048abc9a9473ab31105edc39656d797fa512a8e0af2b33b

SHA512
627e831ece406ba3f335b10aed4001273b482b1ca696ad56e38455f3be8eda1c7f66a7a76dd33bd1686e43f5e5fae1f8a8a1b48be98feee6e37ff64c2bb9a2ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
8589d4640be006ad01167ea86289973c

SHA1
55d78dd40dea50fbc7860eeab48c8814bcdb3edb

SHA256
d757181e243b913cd13085586963e8e1141a6973d91395a9d5901fd514e9bab6

SHA512
ba9654743b1738cc1bbb0c97027bc2234d24850b0177d52eb761b96e84fac0fb91d1c8a2019f7a9b6f602c38b4c800d36072e1205c7791a00660a45bf9b5d9d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
dad0d55e78c933b8088a857f70b1c96d

SHA1
b31a5743eee79bab7ebb8ea289ea83323da8022e

SHA256
4a01ab898e3621ca531cff242c2ed04471988c8a1fb4e095daae5f8773d29521

SHA512
d3e3e6292ee4a8ac216ffb675093bfc9c7a931f52501afa22a87c1bf3a2ad75f663d553805b2159171ae696c11ce41dec60ca3d14171c38f685e0dbfe8e6d39d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5c3cc3c6ae2c1e0b92b502859ce79d0c

SHA1
bde46d0f91ad780ce5cba924f8d9f4c175c5b83d

SHA256
5a48860ad5bdf15d7a241aa16124163ec48adc0f0af758e43561ac07e4f163b2

SHA512
269b79931df92c30741c9a42a013cb24935887272ed8077653f0b6525793da52c5004c70329d8e0e7b2776fc1aba6e32da5dadf237ae42f7398fdf35a930663e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
28c65370f12e84b734af87ad491ea257

SHA1
402d3a8203115f1365d48fa72daf0a56e14d8a08

SHA256
4ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c

SHA512
56eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
254B

MD5
312ad083a9e58ec1fb3b45ebf3140fd8

SHA1
37106e22665f343903f7cf1cba20e09a75115f79

SHA256
5e3ce906c6bfb1895164017ee252fb79b86c852739d6a16fffc830096456a733

SHA512
2020ae819e4a3899011e4065254d32482898164462019fc36449655d861ec3e4331c0d81ec30b6d0ba57d2a8a579e103ae31f7e4d40d4f9fb402083d82fc3a42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
bf6f821223fbfcf7e8df6d52af0c4b19

SHA1
589bd0bbd8b7cd5d2fbc014cad6a16ff0944ff4b

SHA256
a19182611ebff727b64aea865e697653e1747532b572d45f0f87a4cd5dbdbf06

SHA512
fd329f0898e5f96c943ebc580393ee17e5e567c6fff8fe6f5f435e58f39e565991dcd1bb6eb084840494226d79ca7144a61247d2c7c2a9e5820c2cafeff832d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
296B

MD5
3c71f017e96198ea2b5e77de96798223

SHA1
1e2e50238ec56f84c4637b8ce6117289230cbda2

SHA256
2cdb857b4e8a2a49f7dd29f134811e66af0fca358a9000c458596d4f954b8542

SHA512
4777fd15b345e5452064e80c3f50418e27d11dd7ad391d26d18512511bad6cada20f83b11c3362cd25abc909be11dbc6620bfefc9d53d01d7037fb51ec6d4621

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Uninstall Ultimate Tweaks.exe

Filesize
294KB

MD5
b00081183a277c83edfd5eb2a6c7e9a1

SHA1
1c0ecd3bef674b0bdb53a3d7ac84a4a9a5067de6

SHA256
0bab2bb3a48d29244a8c7dead813eaafe761f83e63ad4771f832bec6129f4692

SHA512
35e723ff29fcf0329f585ec128a602aa22498512d998917d883006e3c4cd23e6c9ed4f9c4a41c6ea92f14b314c031fa71866dd113ccadea21b2cefb21a899d08

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\chrome_100_percent.pak

Filesize
150KB

MD5
b1bccf31fa5710207026d373edd96161

SHA1
ae7bb0c083aea838df1d78d61b54fb76c9a1182e

SHA256
49aff5690cb9b0f54f831351aa0f64416ba180a0c4891a859fa7294e81e9c8e3

SHA512
134a13ad86f8bd20a1d2350236269fd39c306389a600556a82025d5e0d5adaab0709d59e9b7ee96e8e2d25b6df49fefea27cdccefe5fba9687abf92a9a941d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\528A5B~1.TMP

Filesize
1.0MB

MD5
6fd4622d84799fe50d1afed220961692

SHA1
1361db8f39acf215e14f6a1ed1e4c5d085fe550d

SHA256
8d9fb198a228d127a68dc7259240cd3eb33800753f8b8841657d78c66856c88c

SHA512
78d996078f645eeb31a82a01792c2da2b4a41abf0d57055215cc8b23dd6bd4c767ec305c468838d1f44fa0921fe40121cb660e1326472556df2a4776b4575f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F1A63~1.TMP

Filesize
1.2MB

MD5
cd39bd8d9c9e929cee9924a74dc9d464

SHA1
25b17d0c3eded532972dde8b4e2465b7e84d2ff6

SHA256
2b2941c9ae639fec86de31d6cf20dec3109e9e4fbb27409c405b34357746dd95

SHA512
2ad5cb2d1e7cc78dc9d36ed73deba98533b2ecd1c4412af1a8bfde1932e7d6eb3a20cd1a5b41c81c53ee9e451ee2849e6df2e0f079ebf382b4c0d8da0798c7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE67F4~1.TMP

Filesize
34KB

MD5
e18e4b23a01dd9032b8ca69ae27058fc

SHA1
f28aa40280f937c7b778e2d944ac794158c21452

SHA256
7e8cee869fb03edd501e6e2d1d4e8c7acecb6de27cde2175ba26dcfa0dbdbbbe

SHA512
59262fe87892ef6bc01dee8530dde715a3a30957db5f4512bc711ed2a4fb267b34333073eade6b83e6f95c5d89456b2fbe9eb60cfc388a0fd1552b24adb1abce

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fchwf1ia.4m1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\LICENSE.electron.txt

Filesize
1KB

MD5
4d42118d35941e0f664dddbd83f633c5

SHA1
2b21ec5f20fe961d15f2b58efb1368e66d202e5c

SHA256
5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d

SHA512
3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\LICENSES.chromium.html

Filesize
8.7MB

MD5
bd0ced1bc275f592b03bafac4b301a93

SHA1
68776b7d9139588c71fbc51fe15243c9835acb67

SHA256
ad35e72893910d6f6ed20f4916457417af05b94ab5204c435c35f66a058d156b

SHA512
5052ae32dae0705cc29ea170bcc5210b48e4af91d4ecec380cb4a57ce1c56bc1d834fc2d96e2a0f5f640fcac8cafe4a4fdd0542f26ca430d76aa8b9212ba77aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\chrome_200_percent.pak

Filesize
229KB

MD5
e02160c24b8077b36ff06dc05a9df057

SHA1
fc722e071ce9caf52ad9a463c90fc2319aa6c790

SHA256
4d5b51f720f7d3146e131c54a6f75e4e826c61b2ff15c8955f6d6dd15bedf106

SHA512
1bf873b89b571974537b685cdb739f8ed148f710f6f24f0f362f8b6bb605996fcfec1501411f2cb2df374d5fdaf6e2daaada8cea68051e3c10a67030ea25929e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\d3dcompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\ffmpeg.dll

Filesize
2.7MB

MD5
bf09deeeb497aeddaf6194e695776b8b

SHA1
e7d8719d6d0664b8746581b88eb03a486f588844

SHA256
450d5e6a11dc31dc6e1a7af472cd08b7e7a78976b1f0aa1c62055a0a720f5080

SHA512
38d3cac922634df85ddfd8d070b38cf4973bba8f37d3246453377f30165cc4377b4e67c4e0bca0ffe3c3fa0e024b23a31ec009e16d0ab3042593b5a6e164669f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\icudtl.dat

Filesize
10.2MB

MD5
e0f1ad85c0933ecce2e003a2c59ae726

SHA1
a8539fc5a233558edfa264a34f7af6187c3f0d4f

SHA256
f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb

SHA512
714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\libEGL.dll

Filesize
467KB

MD5
3a5cbf0ce848ec30a2f8fe1760564515

SHA1
31bf9312cd1beaedaa91766e5cde13406d6ea219

SHA256
afef052c621f72ba986d917a9e090d23a13f4ab6bc09f158eeb73fd671b94219

SHA512
bd5713e1d22145b4cc52f4e46b464f443aad6f783a5793268e7d9dca969f27b70e706eecd54cb01be1c94256e6a95864c6b7e50027cef7fa870cdb16820ad602

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\libGLESv2.dll

Filesize
7.3MB

MD5
c783045e4b7f00c847678d43a77367f7

SHA1
7f9192ce0b23ac93561aeec9d9c38daa3136c146

SHA256
3a39137dcee6cb6663ae9cca424b6b05cf56c0ad7e32fb72cb94549ea9dbcae8

SHA512
64e6d4fc84f1217ceef05a22ad63a6618ffdc470b1faf4ad9e2d7bab59e9285527b9c5fd7ea4be673a08b9466434e3c098e839bf6955597e3d8aa0e80589f4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\af.pak

Filesize
478KB

MD5
9554e414159d76754147d7e185056094

SHA1
e0fb0c95cef8e8d1ebeb11a6e2ea03b9067d799e

SHA256
f402c0d8494c9a2fceedcd7845ddf43b62e7d01ddb1d9c8e132efea83b724824

SHA512
9e8b41f69605d7bd426243e49b0f22347b211f7d13038ee6350d86d06cc7274bb2ef1918e27548802a5437903a653d86fce85338fa97f8c9642c0e74ed59ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\am.pak

Filesize
776KB

MD5
92ffe73f193d41c5a90303955b2da67f

SHA1
1d4136d8bb752da2834ebf0f4f62de56efefd78f

SHA256
325dd137903fc0d9e5010a62a314d9c6984ff82afbdff2254f7c48bd03dda06a

SHA512
6c4f0aac10276ab84ec4e63ec9ad0e20a1b3ce9d2368ec966cc6471600c3d28df8f9e501b4843bafa5bcf2aab57242559ba430d58853180ea653afbc8f468e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\ar.pak

Filesize
851KB

MD5
7608398c66cd0b55396f7250b3c8747c

SHA1
7e8417dfc7055fb9ecbe7cfc97a8aba0bd5a0e13

SHA256
3bb407fa588fb801ab241e8dda018461b54010a38648c3acc1e3550c0dfbd75a

SHA512
5dd757e4f114782eab9ab8cadbfe3179ded594285b3d0f7f6fa5ca50d80d866e7c8ff6a1f44deba8bdf09c04106de635c1da22597c008023b1fdf1cc747b6f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\bg.pak

Filesize
885KB

MD5
c80a2008d9f61c182430a728a6e059af

SHA1
2f2aa33573156d9939e3fc81f8d81de4aac21e61

SHA256
5947f567ce1f4ab945dc6dab1599422d412f4417b9097905150d669122e43f7d

SHA512
016ce835b6bac4d5b38d72c0b3adf4d6b4e0ac04677d70c53e5938acd28b12220d2878bca7875471d008b779ea6ab4972a9875b44304e867d0bb5e4318c0edc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\bn.pak

Filesize
1.1MB

MD5
d179d38e8b9f7e60a943e2fc9f9471ad

SHA1
8d109081959d194c82b89fb25a514a65233435a7

SHA256
a45279ccc13390e0d93cfe1e33a7f276a5d9e97f6aefa6b6e14ecc4289703bda

SHA512
fa6f3e45f40e1e48f191e4a65f5d15dabd7058af4537eea3e34998dc67dd250b00e52d1f07b10a73a67a15aada4523e50f40160d98a5f37ef4684a30ff338468

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\ca.pak

Filesize
538KB

MD5
bd846046383d64073da6eb192f5cddb1

SHA1
6dd4bfb982101ecafc14eb35834caa1fe5b1e3f5

SHA256
1dca9a7fcd850aecd48288999b436ff7e70cd4a96f47b40319759a800fb8eefa

SHA512
521ddf6e8fb444b911212501825392562af14cfb5b31a80707fdeffb13c8afb04852b0e3f7e3363a1c3a37c5c35bb1cbe84b458e14e30b5e8d8cb00a6a349ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\cs.pak

Filesize
555KB

MD5
926b4d7f540ce0b1912e5fb6383dabb7

SHA1
a7adbc83ef38092a90d964d61359a6caa1253090

SHA256
2964edcdcb27b2edf73515615501d8af28ad94b5dd31d2794f2624808c74de38

SHA512
bf6160e46eebf16d6b6f05d330068fa226118457ff03277b59ed4e1a6d2d28b212155cae2f48c34adfa81d20ff71e4206f25052257559f4768323b342dd16278

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\da.pak

Filesize
501KB

MD5
c54edb2260d2b907049cdd4772d5313b

SHA1
a12f623e6310b667a9c38b4c9143920d08564377

SHA256
318a9ec9e9fbe35d5d8cb9b719ecfbe1ecba9d8f246876c949c082107b439ddb

SHA512
4eef045080fecaf55bf2cca7d72d039b7d7a7b28021b649becee320a3a8c0753f4e0e5f869a188813e746bad05fd08c726b5c25f40ef9555967fafd93f7f6989

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\de.pak

Filesize
536KB

MD5
5a252c49719970b8fb33fbc8ec98971a

SHA1
931834866af36a9e25582a1f631a8cbc965a8e84

SHA256
d5746f48800efbff7db9d1bb8d6e5a5102eb7d79ae136e0485fd427be1ca63a1

SHA512
d4e6ab68d0b1a564b886c8bbe60e7bf67c3f71e6fc70ed5bfbb63a974f72afce62e03559f29f46a424908c256e990ff6cebeab8fddfbd79f6deca997cf7117cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\el.pak

Filesize
971KB

MD5
35ba1b364ecfff6486daed2a33cc6431

SHA1
b894b392d400fde4d35bc3b4edc130853cda340b

SHA256
c0434492be64b08f9ad00bc7cff65314822406dfb0c591fea0df6af9b6fc89c5

SHA512
5f5d2cf1d5c8158c62fe310338bfb1c9683ea2f43726c9f02fe6d2c29482e3211fd3d61a30dc0cf738549dc7047dfce0dbac36b9d22dfffb558f118fdbb3d856

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\en-GB.pak

Filesize
436KB

MD5
a44922cb4cd8816b9ce3d018dba9e6a0

SHA1
2ed3a8bd4a11bb89d3699f583372ad7aecc46ddd

SHA256
e0df967ffdf872f0a9589a0d74d68a742fa9b956add7a6736b82aebd9e8f02d3

SHA512
461b04a170c562382f6c1022f881db9f6928a36c962a2e3aeabee62dd4c46e08b59ef33a2d1d26af21dcc47d00b0c51e10b43f14dcd627f84104ab4f31a9e526

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\en-US.pak

Filesize
440KB

MD5
731c45f9f23957acc11b43d775758aaa

SHA1
12e66417a2dc0c5211ed67f026208ef02fcb40af

SHA256
02b97817b6eebd7caeaaff750f6462abc68911c398ddf0571b7900ff9b4ea9a2

SHA512
1a008df585ef76d9cf4459fc3e617b8d4397e7078c77852712fc7cf4f304081bc5195243437e64074016b05a8cd671db93666042e59b959595ba854ceb330a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\es-419.pak

Filesize
530KB

MD5
763f8c8ce092a3d64bbebddf4169e108

SHA1
89f2834c1b4e3f84870af29650bda6fe360350f5

SHA256
0c816f00b15d59809d30b6611aa455ea1bf8b022d2f887137f1c9d7a5600d5d9

SHA512
8401cec52e80a5136543473b317f0e2d920008c83b9667605cd0deb9fa5f933deeda0aa475b436520001c6a7c91118a4d9b11e28a9f4b31271662780e678dc06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\es.pak

Filesize
530KB

MD5
f6f452e9fe45b56b489b2e99c99848d7

SHA1
c64384626ea966d3a24dfd4d6c2f42c1cc082d2f

SHA256
54f85551269c8b5f3985a09d313fdc04c4595e5058163cf147ede049b8faa605

SHA512
f3c50308531f9654ff394cbdfdcc6029c60dc6659fe60e0326b4855a31f3eedc86f3df82a96a9e7691d12c7a69079c4abe2722f599aae29f48b291fb5a39a3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\et.pak

Filesize
481KB

MD5
97918bb7b36900705b1a53b7851db6b3

SHA1
f8cca656478c6e15baa8f344dda2704087f54776

SHA256
8021814965878c4913d1f9f9d226da49cc2a37746d976f3b84aad7fe096fd14f

SHA512
6daa8f56c231cfd7dfc17bb5d5c56afca9490f953f22c92365a1f88e995c3a1705de98a725177001bb449070c860fd1c843ee0a499c6dd8321f2e6f4cf914da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\fa.pak

Filesize
789KB

MD5
04f629bc5fa6d761f1d7b5dc28a6b97e

SHA1
d80f74a2b6508bae49b8344809062b48dc2b2dc5

SHA256
9b5334e4883a716c5616c859889aacd7b179b30ac65e5657198eb4e877700f81

SHA512
ea412096170ae29b33f3d54f17fb9f2f5a41035df56e2af9596ec7c15422277943c5c651df6b3a232aca4e979946732bec496da03b3e47e0d4629675751a4c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\fi.pak

Filesize
492KB

MD5
3acdfec7edd4d3eb473f0deb32713c14

SHA1
41fdd4af5f9fa78f4f81d3996ecafd69587f05ef

SHA256
4bf099ac8a76449bf597caf005790f5c02efd533b9a329c5fdc460d38f77607e

SHA512
b167caf1e5ff38b0c80f891715866a7754e9bf3f1479aa1faa3cf3e8ae7fe9b71a87109239750f71855330b6d20704b43e814f188672aa52a5dc6912297f1997

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\fil.pak

Filesize
556KB

MD5
89a63085d14b1b80f259e166e6ffe56d

SHA1
d1326c879a6ad203489226f7c5be08c897be71ac

SHA256
00b8cfe6131499a8a67a51dd8560a965a2abb863d52635dd3931df0479c3f5ee

SHA512
ab48fc4bc604648b4cc010a530fbcc5138b9d0a0f09398d2a69b6219799a43a052722c47dba96c9d001b4f6ddd491683c0a871c19ac2abc12843e68f9d4c2cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\fr.pak

Filesize
574KB

MD5
6708a286a0529ba7bed9840d53035be8

SHA1
af289ed518d9d90c75b69a870615e3f475c5d0e4

SHA256
7169684ff44f342b98648839b8963916f7323115dead332c2471baed6264b80e

SHA512
b329798fd85eac1505d0af5cb827ba11a5850eb926be39b414c40b5fdb56432db5f3dbc45237510bd4d1174c1cd62f623c6cc8ab10eb0ca51dea5d5487f0b0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\gu.pak

Filesize
1.1MB

MD5
ba34657d3f5ebe61b36a807c4a053d72

SHA1
163875c4ef39e3473d9d5aec4b6273f34a90a02d

SHA256
8c762963cca8eef2cbd39bd7bcd8b809f3b57a75353e687743894add9c19440f

SHA512
cb1c4adc59c3e99f819645ae84e3e6b601b340e05ae2182c0b1568bbbcd3eabf7bf09ef34e5d0757530997d0734dc52dd744b8b0edbb3702a3c06e29ba7f0c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\he.pak

Filesize
691KB

MD5
c47322869b458a1cd231f3dc385f80fb

SHA1
4155444dcb69c5b64711139cadb32a6df95ce3ae

SHA256
9e5544340da0e0aa28298e68765716a3960a28e50d86146b5324fd70fd756b41

SHA512
ca4664a9acbdd5896c6a0921e09d99f1a7ce3d7a80338c1a4310ad499a5a2cbb60ca074a02fcff128789da0a4cf82d3869f83836ae3ae3171085e58d6155fb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\hi.pak

Filesize
1.2MB

MD5
6d3ce5a6049eda31ecbc55a9d3abb163

SHA1
100afed265c77a20f6636a0ab48c8a723e30b087

SHA256
8dae029a489f1bd7530650a9cb1be1f03741e1d7018503feb3c78759da8af531

SHA512
3668952ea707da9ee8fd3753c04d5dfbed97685b76dcc75dcf8d6a3699a832c3ff0db9cd40810f6ea9364f2b7aff4b1cd68980c74b59808fcb4900a36d933bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\hr.pak

Filesize
535KB

MD5
2f7462a076c14f2c2733a41dcc5ecf1b

SHA1
c453dbf62d1cfe85adb64ae374b6a79cff2ef97f

SHA256
6dcc7d5d771475874471b78ee84db0230341f8634f4b38a9cb90c37226d70b00

SHA512
f1df750b779c908547a38b49bae0ed8734fe37cd96d3502186926e6cbd657c248c528cf9944353dfd26695ab384f17f22f0bec251e65a20906da4d67852cc516

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\hu.pak

Filesize
576KB

MD5
f55e37076460b2e8b5ed0f414618d256

SHA1
b313287de6197f1bf9f9770e3d2c99e70c4d8179

SHA256
61854ab102bc57a7ad7b85a4fa008c3f071306838ba1a0491f68c19153decd49

SHA512
e8121a064a3209878f24c33e9c20c810c56aa15476909de1ce076c80ef635e69a60ac655b7714a116951de5b99bb690827edafddcd5e6b00ee6310807d78ce58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\id.pak

Filesize
475KB

MD5
260d34aaada70c9d491bfbedcf5ca8d1

SHA1
5fa83a3e53e6aa9eede9fa34a84eb55ee8493314

SHA256
64a8a25717ffae1855114d84b02223ad5b3963c1c6a21c826636146726d0a8a2

SHA512
a19ec6fae22689a8f851c1a782eb748ee9f38dfad89f05291c01a6070b24a8a02fac4bb4a441421f411966e8bc08e996900871d498efa307ac1793191710ebd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\it.pak

Filesize
523KB

MD5
cfb2ddc4caafd038db00c1e7378d316e

SHA1
2573f32a41735efde916f0a73b415ca689c0dd36

SHA256
9395bf9a547561df6cd20d8e076452369cb72184f215448d1acd802dccf3a47d

SHA512
8a02ca980a8de8af8b179d610ff25557f81f67bfb5a9f82511641ec87b378a2ab7214d5ec681797acba1a865bd726cb9c5f609647ae6ee71a393b7e16fc06f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\ja.pak

Filesize
639KB

MD5
d84e12cecf6e4355933ed68816f090f6

SHA1
eb35ef52f341442dd887d43a52af7f02926d5288

SHA256
8de18410e38f4036367113bd4ed253a4957709d87e0aeb11134742bc89e16d62

SHA512
9dbe703493acb7b48ee1dbc4458ce0b9d757419e3fbf01379bc8dcbd22cc30a99348f7cb96840c19e873d6d97bb4d1a3baa4fcd6e0d332480273020a6e13a375

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\kn.pak

Filesize
1.3MB

MD5
a4cce1cfe646eb2c268493603dcb358b

SHA1
aa19ee1cdf8776d07bf35614ff063aed5a798ef8

SHA256
01250aec7310bb59e0e847382325f940ea2cdab00369c1c7efe2f340d01ff806

SHA512
cecb7794a288e879324e74e7522bee61a43072ab58a289b686f1d48d98fe9a0d29a5505b8c891fe411b823c3d8366d6c1cffbcc1deffa6c7d3a04339a769dbc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\ko.pak

Filesize
540KB

MD5
c21dde26f43530135ef37323b00dc1fd

SHA1
a118e9713b155bd2999f04c3075f2e1bb05bffaa

SHA256
ff88b56be0614232947bfb07e6beb88327a18ebec98cece17caa9b7cd8e6dd24

SHA512
0db144f03992c41c3703719e985183a6ec988265e5a629d09bf683d9b208656d605565d6b5597cead909c814f25ce200739e65b1327172afe10d395a5018206c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\lt.pak

Filesize
580KB

MD5
93a0a8181e8c251a2375645a552293d6

SHA1
57faf2e9f965a49d5294cf9759b9b50d87c2ad1d

SHA256
f87b2baacdde69b2b24dc7859d47bad0844cf4d275072812aaf4eedb10318450

SHA512
51e1ff74442cfd51fd2fe218755335ed99e4850c8266425b8d55aa0abde2712ab765ff909d6ee620268ade9d7b51a93be659d6a52143da2abf4ec309bbe9f2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\lv.pak

Filesize
579KB

MD5
07405dc51eddde72e367737c093c20db

SHA1
c66b8eccf167060c43b3c53631fc0c95b3afe05d

SHA256
dbc860a35ad08e4f502b8784ca1548110d3c7334478f6c392db42f52cb3074f2

SHA512
98f276fc137d6592cdbc1c804dd59983e290409bf7908137627ab114ab485e332f568d28c60a35d1dcb3d9753c2d1740065c654396af5f56f0dd5e1dfcffcf71

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\ml.pak

Filesize
1.3MB

MD5
70c0c80fdfc006be0ff502e0e6115b2b

SHA1
43f96be4652ecbd22677b18ffe2260b79bcca19c

SHA256
878e268428ec7aa51105c921740931c545d4ba6a274b367c52675c90741d23bf

SHA512
c463c5d91b3cae6b2c70ef6b7e3758bacecbe76088d813e2632bde7939c1fb28bad3cccf914a14861b8611a490ea74ef2d8d10e7336b203d12cee9904e8f9423

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\mr.pak

Filesize
1.1MB

MD5
fcaca3a4264563461b42b16d8fde4b02

SHA1
af37d4e73588d4a6d3d52f2dba67414393c9b168

SHA256
362df1aa112a0a521617c0496087b3547a242eb79a5416b8414c5798f31e187d

SHA512
9114dc4e7da2affdcee5c86b1f1f78e47279c31d0f76c8deb1eac545e0268b9592463bbe1a4b433ff4fcab1ad4a596655b775608515bf7455fda550d3bf47b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\ms.pak

Filesize
498KB

MD5
578dcc1aef901d00a57f2698a6e15826

SHA1
4dca370c3b22f9f54a62d31166a84848336a8fea

SHA256
e5e77421c5fca5b1eaef96fbf33c345c63119015986163cb43d65075df6265d0

SHA512
073aecedf4132faef7e896e6840bb6297e866a06fd65a7490f0a61179013f27b6592a4fb2be91cb5e139c77f6db7695bf60e5788154e51c9ab7889f6e7040a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\nb.pak

Filesize
483KB

MD5
c2c49ebaebc448cfeb7933ce2cbd6ca6

SHA1
c3efca0fee40a3daf7d69768d7659de60b3e2c4f

SHA256
67d997fff8a24eaa030eadede7f5345fff5e954e96bc8f36d399839bed998774

SHA512
c500bc1097ed9077742c5708bd55dc4215c45f751522131b8203d7ae802d278ffc3a9ef607325bbea5b650d594dde0d74e7fa4502e1a0f905534c32fa1521bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\nl.pak

Filesize
499KB

MD5
9229e4ded3219c948747a4dc9a6a5e32

SHA1
9147b2f2ac3837588aa3b71eb4a255d29cab0e74

SHA256
d88b02d74e01b9350d3ac9c48fe08333ca9c68e3e3824d64fae86c5b8b531feb

SHA512
8a81cefd9fa718b18de87555cb2d5c8e87ed14921fd3a0247b47988a1f3896d63b16dbf86fbf103097c73181473c37393c0f4e9e0a07d95d847aebcad526e8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\pl.pak

Filesize
557KB

MD5
ab94060826404cc09d5fed31f63cec05

SHA1
20d1cea9d2e60b9bbd4fddb38a652856a3561008

SHA256
03258ecf731487231cc7eab8f6cb96e92b7ede4cc5b63c3def6ba08e0f16da10

SHA512
a9ec28912bdd2b8b1e1b3fc4d5c76139253ee4ada8f0d562ecd611d7366b0cdc97c379c5ae93c9db69eb045d8834cd0e1e0ba84813ac0071b5a2bf6cea81173e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\pt-BR.pak

Filesize
524KB

MD5
f18cae95b8bb6760d370b435235c5629

SHA1
eb62bc4249ea8e5688c67aa65bfa2b628fd5e1d8

SHA256
952234ef1d2792204f4e65cc814e9fc6dc007610668ceffb980c74fc0167ba0b

SHA512
218e9e4e59c875fe7931f16e6df877f67b8466a5e8a5565a1cab0f091b40b0652eefcf205536f5f4b8697966aa201092c26249142dcd8b40e055529e23ef7819

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\pt-PT.pak

Filesize
527KB

MD5
4aa908b531adedb0ee795704ab72e248

SHA1
2ea9f4a7e561e70b06b675b3fe35ccb0f2a12fca

SHA256
72ca754dcb34c54b72087ab7fd5a4a3fa03e09cd1ced906d99d6525c7a19ee9c

SHA512
7d4a1add737136acfc7ed7848b0ee54646d5c8aa3a54addd7cf0340ebf42b58f6ce2eff56a2ba94125475e7b64989d06fedfc8b1ee41ece63b18b1f95686ad08

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\ro.pak

Filesize
546KB

MD5
36f8327b36f2c6c003f864895968af2f

SHA1
248d88aa9fe46cbcd013ea7d7270f8483215c073

SHA256
6343589863bdd2ae81ec9c33e335048fd8792d2c2e8872f91f7a325a1f0d97ac

SHA512
bb03b5af3ddf676dadb35d5b94f40ae1c95cba2e7175c87d128c319e0055dd91f412883daace89fa33a17b9761f1cd7bccdf261b16ffadd6e10da594445c2c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\ru.pak

Filesize
897KB

MD5
a0072d84d1bcb2fa7bbe7ae4e06151ba

SHA1
b9227c6cd4ff9f6db6a8edf694c444beccd369f6

SHA256
8c169d6995d97feae8b8ec947be27697ca0ff731b593fff36163e4f31969a6fd

SHA512
fad335e81a24427f2b0a2853733da94c9839139a7982796bf742eacba306ecd9998914bcac49b925d5bb18953091a4dcc62ea6a628fff125c086099cfd33e3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\sk.pak

Filesize
563KB

MD5
e9bb6352cdd0f1c2fdd543a48ba076fe

SHA1
50053620d7be5566bb3ee588feda1a4daa207672

SHA256
441155d63257beaac9e2998afa1a9e65957286ed1cd9e0670072a63e24ff3f8b

SHA512
c1f87c7976159c8ff3e28185adcabf93d47ace0dc9b95fbaa4d1e5ed9ea8257263276880486a4c17a68a5869e6ec640eaf81f5ae6c4481e351e73e7b4dd9dd9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\sl.pak

Filesize
541KB

MD5
299acf51d74b95ae4272730c437763aa

SHA1
8a0ff73f37d830b6677e514371a5825631aa455d

SHA256
26e29cd70c4143d7e9fb65e86e02c9173997f2fc062633a5edb2b7df55942157

SHA512
d7d298a4eb476a3cd4411261058f6f9409d0dddb3756cdc1e27e64280efc8b84fe40afbd92c754d56f58ea333623b0481766320b5969f5dd71f0c2a93be8ff77

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\sr.pak

Filesize
833KB

MD5
02bdb4d99bd466eed5fed3445560d52d

SHA1
c24e1895145b3066840be0d349f5e866e46e2a39

SHA256
ac09005a83d4ac8f61855c7e301e48a753d2f3558a04cdb94f23b539e2086e54

SHA512
fac7bcefe31f41b6e37f215f271b33ab21dad281c1b0bdaf28769c99e31bccca625f213fcfd7c0047b3e2104a8f51b2ebc5fb374b32f58ae22c4130e315aee1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\sv.pak

Filesize
486KB

MD5
eb39645ebed4f980ab12585feae2f4b5

SHA1
fc7c471b93f59bef13f7bb4669e683385a8b9dec

SHA256
ca34ee1c147358b5e32b5829acc0c355708925dc8df91c21d8e495c7485fa5c7

SHA512
5fb25d7dfca3483967a5262d2c62b5d37a192f5a7a19dcf6722a9a8753e299e567bf7f26171859c374c8d035bb521fb4eddc4821aebf9ceea1253c63e1595c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\sw.pak

Filesize
512KB

MD5
e2958cf2ab6cc74551c8360e6cc34333

SHA1
806aa1129f228ee48744cfa55d061149b37522b0

SHA256
51482431411be2d89bfc026b9acf9ce1a0fb971376468a47829a15392b47178a

SHA512
1f5f306b7233279800d18fa461f4c94ecad809b2bb7c292fce16abcac2e963f7567a86e43a3c950fc86bc73b4fef8451389fc57ac6750fe7546afad8ae00f589

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\ta.pak

Filesize
1.3MB

MD5
474a2016df48f886e91fb9fd331d9bf9

SHA1
2548525143292d7d150f5014b44ef294ba7c4189

SHA256
75638ac7fdb226c0840d5c2edf763bae35afa1f47e89199d9724ff46c003a2c2

SHA512
a4c2c2c046420c77948a0479cbd2be3aa11c1b347eb508d020231eece5cf0c2cba8d4f6a0e9f875dece4a16413157fd9e9f1cf09e1746335eb11e8f8590cd013

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\te.pak

Filesize
1.2MB

MD5
1f20952c1a61fa6e42a7f055de8986ea

SHA1
301ec89ca80695865d884927c4c07c6777fb321e

SHA256
caeba6c853a0ee12a802fb9f610a95c676071414c1d8407d18b05f2fe8ce6bb7

SHA512
c43f5316dff21cd08f86e0d3d7c407449cdc751ff466683dff9a51e3a07bda203e8e22064bf240726e6e389b661d6dc2bf5ed5dc42750539990379e513228d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\th.pak

Filesize
1.0MB

MD5
7512a162ea0b65dd9477ac8c190136b9

SHA1
ae5fbce9516882a0d58da9ebee3c767c7ba4c305

SHA256
d01ecd4edecf1809d5c2133366df2502a4621e88d894817e80b913f3a0926fa4

SHA512
425fd803cd3ed9589df5d04bb8ca4b62af0e573301d31c48a1a05bf3b707a0672e1a033965946223e5873a98eb3c9d52bcdcc1296a08cb4971d0b1b6d2e95eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\tr.pak

Filesize
523KB

MD5
4727af70df9094888ba46f3a62eff264

SHA1
d2ead301efab607d040c69c238a06d3b4d080717

SHA256
026fc65ed90fe356ce2b5e2b459a4487512d89e48f0ff8b044d6739ef51c1658

SHA512
5bb8dd6ad100581a7e0cb87b57e054ab23551c263144f7ffebf729b2280a1bd95e92eba9c64b80e2f77ce59c3c4315ba2b5253ac83dbb540828e7a59a70e74ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\uk.pak

Filesize
896KB

MD5
7f8d31b43f7319164bc0f6453bbaf007

SHA1
4be254da0ccb13040489403cc2d8015f448292da

SHA256
e33b1a611feca93d105dee7c867521b5fbf27da38532ea3ca0aec61bec7f6108

SHA512
9569bd24aa5d2f9b0a13784f5f3d98e636f72177c7ff7a14c7d390f1d5f0b39ffab512276f70e4d2df0d37fba94a2c2322a840ba303a4cde33ccb20f7980395f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\ur.pak

Filesize
782KB

MD5
305d39b5de5a1935d786da4bfc736dc5

SHA1
8dd952fea4dae937b9f87d229638cd22ca197a8c

SHA256
b551a93a300ab78ee6da5087ea417584c4fd3941fbac99c84c9c58be2c88a7e8

SHA512
d75ef12a56c2dbde5c7a1967297270f7d717a366776f6b2a316784f033c71fcb9d25dabc857398e8459d8ac40aae1bae59e82f551e00e9b96bfbea00a54fcde5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\vi.pak

Filesize
619KB

MD5
593d33203c539d027c5b5bcc13bb38c9

SHA1
2f6288bc43ddf31e49a733af97e3e9e2fb8a2940

SHA256
d435c4c7154c24982185842a09cacd343cea77a5eb7fb859c4d38973cf240a42

SHA512
7c41c74f7220270da242562b93db8db053c0a7b08fdc1864d063706caccbc6926f288ae6bff1de43af656af67fcf2d8ad57f53d791bbc47a3b29a6a0856a68e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\zh-CN.pak

Filesize
447KB

MD5
156894db535f0fbe193d66c0afb4b112

SHA1
e347caa3c41ea7461c217c029dbca54567fbe27c

SHA256
cc5a411d3bf0ddfba9e5041dfeeaed70265ba949f7b7ccba0170b88e3e14ceb0

SHA512
e81a0968598536e91c17a1998682cb5fff42bd3199c41b64e2d76827c96b187e8f86182843c061735dad2b7cd5e32750e473c1a5f9c82bcc0dcc30f1bdb8b806

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\locales\zh-TW.pak

Filesize
442KB

MD5
337bba163068f2dd7ff107ea929c8473

SHA1
536ec5756f229696dd6f875180778afcee1966fb

SHA256
58753d4313ed7f548df16a9cd9aa1f0e30cebee675a76b8359ed23fc95825574

SHA512
000b98249d7b0e4c7e463bafdf827e3dc5afac447750320d6344c984f4ad41cab5795861920525f03dcaeea5aa3615684101b08bbc103d3ba01065676c8bd64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\resources.pak

Filesize
5.0MB

MD5
67bb5e75ceb8ced4c98cf0454933cb45

SHA1
c2b1c8c8d753318bc5ec18762c27512a5eb9f9cd

SHA256
5d63acd4034f7771ca346d138d7478014abf1f3f4386d07fc025dbc2c2bc0bff

SHA512
fd213d59ebc625f6f8b20cc8fde1a22132ce827b81deaddb9ca7993fe0d9616de17e089def338d23c4b6bbd7d3a931ee73aa329325eaa17f8145a58fe11d8c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\resources\app-update.yml

Filesize
106B

MD5
b0e31c54422860c9390a2e456d8f4624

SHA1
1b73cc7e00cbcae94a3ed921fbd055a393dedc0c

SHA256
897dac554968a2c49044a5e601cfcaf7c24d41599a58c03e91c62bd664b60ecf

SHA512
561cff0a281e073b0b2e3bc139a18b44ee1e2ab147d99ff007d5deae48c0c4c847bee4e14ad2e36abb27f7d9240f95aee7fcc9987246c717ba48666f550cc121

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\resources\app.asar

Filesize
7.1MB

MD5
8bcbb3a116b0035d6a5621f6ce6d4ba9

SHA1
0f974db0d87af4aff602a410e7f09e6821f30ce7

SHA256
f975415a103c1faa4c7aac4f31868c0e408a24615bcac355e3f7640046df995c

SHA512
463fbc355f8fb4268417acc0e82d7774894fb076fdce5f6e3b59a7353f8af369e4215cc3722b34cb1936ca849173912d05e2cfb01a3146b1467239dd2a424c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\resources\elevate.exe

Filesize
105KB

MD5
792b92c8ad13c46f27c7ced0810694df

SHA1
d8d449b92de20a57df722df46435ba4553ecc802

SHA256
9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

SHA512
6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\snapshot_blob.bin

Filesize
298KB

MD5
cadef56f5fb216b1fbf7ada1f894ea6d

SHA1
373d2a4266be5c8fbf61d4363ec47ddeb2d79253

SHA256
0976145cc8c02f3e64ddbf51dc983bdbb456be7fcf3ce54608e218981671ac12

SHA512
9c90e8943f9ef6d644fe0fbe55ab25ed371739d17da8cf973893a2e41ebfa0a92bcf1761e72da032f9f3d1c6f1080c62f856aa07a3cbb609c9e8c186f92216b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\v8_context_snapshot.bin

Filesize
663KB

MD5
81870fb2f641c8b845e9c6d1a632f0b7

SHA1
fcd47d8d1232c189a1c4087bb03a015ce14c25ba

SHA256
875515af4e7254458c17a98bed087fc609d45fbc8ebf60663e112c37204f6840

SHA512
7748c8fb6f356aa45023a56245c43c5171d0413617fb1ac6c75650be75bbe94bd5528e9aa83cd9df9a08af65540a76ab59bc866e5dcf0fa7284122f290bd45d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\vk_swiftshader.dll

Filesize
5.1MB

MD5
0a071201e4dd76996e273c81533bfa74

SHA1
5c92c634027692c344a8e74eab8b4d5c3e049497

SHA256
08e34bc25653f9357a4ccf62966d698b7cc6265dc668046a28403ae5786132ee

SHA512
b5de6548c5c743b6f119183fa06aaf67dcd4cdbc3542378ff87916b670ace1e2f4270f6dcaa4caabd01460c638bd02b565267e7bd9617ca92d72187d374bb7d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\7z-out\vulkan-1.dll

Filesize
932KB

MD5
a6588e66186ccf486eede8e9223f0d41

SHA1
777a5c4028c7675ee1fc4e265a825b35d5099577

SHA256
419488597ea255ec61f028aeecd36572d072dfe49b7ab716cd2c0a8e186f24e6

SHA512
ba8b9577f47ac5b9503aab8d4cca6059c7208bf0eb37999f4fbef0c2cf03032a9359559a0221f332c6cd66c38366fb0e1f1d32173f282afd639fabea8fc9400e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\nsDialogs.dll

Filesize
9KB

MD5
466179e1c8ee8a1ff5e4427dbb6c4a01

SHA1
eb607467009074278e4bd50c7eab400e95ae48f7

SHA256
1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172

SHA512
7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw630B.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszA59E.tmp\7z-out\resources\app.asar

Filesize
7.7MB

MD5
b9726ab9ae7ff67137a925f054603567

SHA1
eb4d82d0da5af98b95e310a5448ce187fdcd80cd

SHA256
2a335493fd8692c86137ec32777d2a610c9f4fbffa1beaa19ec84252f069059d

SHA512
f73e92da99443f779bdf99927c4a67e0a7904343a29bee56577bb0f7207acd4a115a4440b6a59c8607fc007d3fb79f45d14738d22595416029618f0866252858

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszA59E.tmp\nsExec.dll

Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\DawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\DawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State

Filesize
59B

MD5
78bfcecb05ed1904edce3b60cb5c7e62

SHA1
bf77a7461de9d41d12aa88fba056ba758793d9ce

SHA256
c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

SHA512
2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State

Filesize
967B

MD5
3c71b6c9a1271f6067fa5585f23177f4

SHA1
826ab3cf734e58ecc90ebda34676b636b9b9a30f

SHA256
b1502505b58b1f790929bf889cd90e014c4ce6912fdb0ecb0381963885c52cf2

SHA512
e7299e7d74c5eedfb5de890f312cee4a08745265534c5253a978f16db313b9a99cac77312e691c436bb99a98ccb7b6c425012fa2ee4c74a5a28faafb6640ad56

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State

Filesize
967B

MD5
ae0e337d0950bef184d79be9c73e7734

SHA1
9d3a354b297dce1ff0c4a152c31628303f359711

SHA256
df750037941484871592adb06834596b797fbc4ba6cec4fba910da123b6a5575

SHA512
17b5848ce46369f2ad418a88e1dd0019a72031ae54c673e0608ab3039cbb59883f2169ec197e65f141080431ee8707e9153010884c39e7732f039f31018021e0

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State~RFe592503.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\TransportSecurity

Filesize
524B

MD5
2cb69574c56835e1b16eefd48aa8c824

SHA1
56b5fc0f9b9891a735bdc9aff08bc760ac51abb2

SHA256
0cf3f9448bb5f4c48c8edb5cb7aae40d316e0ee3445e692c47316b6922201d67

SHA512
277f4596437ba4178720dfcaa32975c192c1721e660ac27db493403b268c60bed68856819f36319af5aa481fa20f58482e5ae11c35eb6e6635491dbddadd77ee

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\TransportSecurity

Filesize
524B

MD5
afd688c36e251a2cdb93031bbd815c76

SHA1
d68e20af72403f6a8733e00c97ee15bb8cd59ce1

SHA256
762b53815d9eb3bec433da3625127499ce3dd30be1486cfc79af03a10dfc2e23

SHA512
e3d77b71caac0e5db33f524558daa5c8fc36446f6935eab3cd28263171a393ce0fd565b070e236fb033d72b0f7e632d2a39890c60e4e1fc595bea2d3fd082d36

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences~RFe58c9c3.TMP

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\logs\main.log

Filesize
4KB

MD5
52fd5bedce7f749810972ac0a2b040c3

SHA1
35cf0569c73b24c184add0ea5f65e6bc73990160

SHA256
5a70e74cfcf4e3bcaa8ebf9131ef6e525ccc9f01d7b2d3e3fbe0ddcd34d15646

SHA512
d5103a5d0cdbe997c7f12183897886e07604cf057ff27638fb0f24277c05b05341ca8baae1d96b51ef70343d940afbd50d439fc470afcef43516b410b2fe5fa7

Download Submit
memory/116-2793-0x000001D7ABD90000-0x000001D7ABEFA000-memory.dmp

Filesize
1.4MB

Download
memory/408-1016-0x00000168A1580000-0x00000168A15A4000-memory.dmp

Filesize
144KB

Download
memory/408-994-0x00000168893F0000-0x0000016889412000-memory.dmp

Filesize
136KB

Download
memory/408-1015-0x00000168A1580000-0x00000168A15AA000-memory.dmp

Filesize
168KB

Download
memory/4080-1011-0x0000017DD6F00000-0x0000017DD6F44000-memory.dmp

Filesize
272KB

Download
memory/4080-1012-0x0000017DD6FD0000-0x0000017DD7046000-memory.dmp

Filesize
472KB

Download
memory/5680-2744-0x000001EC1DAA0000-0x000001EC1DCBC000-memory.dmp

Filesize
2.1MB

Download
memory/6356-2794-0x0000025BF1D20000-0x0000025BF1E8A000-memory.dmp

Filesize
1.4MB

Download
memory/6500-2826-0x0000017798940000-0x0000017798AAA000-memory.dmp

Filesize
1.4MB

Download
memory/7732-2741-0x000001D79D200000-0x000001D79D41C000-memory.dmp

Filesize
2.1MB

Download
memory/7960-2829-0x00000259AA290000-0x00000259AA3FA000-memory.dmp

Filesize
1.4MB

Download