37da8f62f82912d2aaf872a4612aece68ed4989e2aaf3d41fd9554042806c3fa

Analysis

max time kernel
150s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HyperPlay.exe
Size

168.8MB
MD5

7f68dac78f6bfbb2893da60aad2ef98c
SHA1

31088dc58048fe4e70072bb911d66fa121f17d77
SHA256

0c8f4d1ba92a3be47722f6a034172d94a7a2bde4b0d358f727ac7a1c54d0c99a
SHA512

2fbd5bcad976953f41b334462b6b48dd134ce8661d85d5235441c655fc23fb784d35b647eba8c36366acede3c7270ab3fe8d3c1b0694712cd5359d7719f44317
SSDEEP

1572864:OkRc66Zgfa+fqa1q3kA9QPB64Cgc/NCaRyenmfgs4tNHTalbUu0OVRfmPQ1YAxLU:bEjmlcdwxLb

Score

7^/10

execution persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	HyperPlay.exe

Loads dropped DLL 40 IoCs

pid	Process
2860	HyperPlay.exe
2860	HyperPlay.exe
2860	HyperPlay.exe
2040	gogdl.exe
2040	gogdl.exe
2040	gogdl.exe
2040	gogdl.exe
2040	gogdl.exe
2040	gogdl.exe
2040	gogdl.exe
2040	gogdl.exe
2040	gogdl.exe
2040	gogdl.exe
2040	gogdl.exe
2040	gogdl.exe
2040	gogdl.exe
2040	gogdl.exe
2040	gogdl.exe
2040	gogdl.exe
2040	gogdl.exe
2040	gogdl.exe
2040	gogdl.exe
2040	gogdl.exe
5960	legendary.exe
5960	legendary.exe
5960	legendary.exe
5960	legendary.exe
5960	legendary.exe
5960	legendary.exe
5960	legendary.exe
5960	legendary.exe
5960	legendary.exe
5960	legendary.exe
5960	legendary.exe
5960	legendary.exe
5960	legendary.exe
5960	legendary.exe
5960	legendary.exe
5960	legendary.exe
5960	legendary.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HyperPlay = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HyperPlay.exe\""	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
2416	powershell.exe
5496	powershell.exe
4324	powershell.exe
4404	powershell.exe
824	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	HyperPlay.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	HyperPlay.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	HyperPlay.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	HyperPlay.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	HyperPlay.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	HyperPlay.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HyperPlay.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	HyperPlay.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	HyperPlay.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2352	reg.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2860	HyperPlay.exe
2860	HyperPlay.exe
2860	HyperPlay.exe
2860	HyperPlay.exe
2860	HyperPlay.exe
2860	HyperPlay.exe
2860	HyperPlay.exe
2860	HyperPlay.exe
5580	powershell.exe
5580	powershell.exe
5580	powershell.exe
4404	powershell.exe
4404	powershell.exe
4404	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
5496	powershell.exe
5496	powershell.exe
5496	powershell.exe
4324	powershell.exe
4324	powershell.exe
4324	powershell.exe
4404	powershell.exe
4404	powershell.exe
4404	powershell.exe
4324	powershell.exe
4324	powershell.exe
824	powershell.exe
824	powershell.exe
824	powershell.exe
824	powershell.exe
824	powershell.exe
216	HyperPlay.exe
216	HyperPlay.exe
216	HyperPlay.exe
216	HyperPlay.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2860	HyperPlay.exe
Token: SeCreatePagefilePrivilege	2860	HyperPlay.exe
Token: SeDebugPrivilege	5580	powershell.exe
Token: SeIncreaseQuotaPrivilege	5580	powershell.exe
Token: SeSecurityPrivilege	5580	powershell.exe
Token: SeTakeOwnershipPrivilege	5580	powershell.exe
Token: SeLoadDriverPrivilege	5580	powershell.exe
Token: SeSystemProfilePrivilege	5580	powershell.exe
Token: SeSystemtimePrivilege	5580	powershell.exe
Token: SeProfSingleProcessPrivilege	5580	powershell.exe
Token: SeIncBasePriorityPrivilege	5580	powershell.exe
Token: SeCreatePagefilePrivilege	5580	powershell.exe
Token: SeBackupPrivilege	5580	powershell.exe
Token: SeRestorePrivilege	5580	powershell.exe
Token: SeShutdownPrivilege	5580	powershell.exe
Token: SeDebugPrivilege	5580	powershell.exe
Token: SeSystemEnvironmentPrivilege	5580	powershell.exe
Token: SeRemoteShutdownPrivilege	5580	powershell.exe
Token: SeUndockPrivilege	5580	powershell.exe
Token: SeManageVolumePrivilege	5580	powershell.exe
Token: 33	5580	powershell.exe
Token: 34	5580	powershell.exe
Token: 35	5580	powershell.exe
Token: 36	5580	powershell.exe
Token: SeShutdownPrivilege	2860	HyperPlay.exe
Token: SeCreatePagefilePrivilege	2860	HyperPlay.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeShutdownPrivilege	2860	HyperPlay.exe
Token: SeCreatePagefilePrivilege	2860	HyperPlay.exe
Token: SeIncreaseQuotaPrivilege	4404	powershell.exe
Token: SeSecurityPrivilege	4404	powershell.exe
Token: SeTakeOwnershipPrivilege	4404	powershell.exe
Token: SeLoadDriverPrivilege	4404	powershell.exe
Token: SeSystemProfilePrivilege	4404	powershell.exe
Token: SeSystemtimePrivilege	4404	powershell.exe
Token: SeProfSingleProcessPrivilege	4404	powershell.exe
Token: SeIncBasePriorityPrivilege	4404	powershell.exe
Token: SeCreatePagefilePrivilege	4404	powershell.exe
Token: SeBackupPrivilege	4404	powershell.exe
Token: SeRestorePrivilege	4404	powershell.exe
Token: SeShutdownPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeSystemEnvironmentPrivilege	4404	powershell.exe
Token: SeRemoteShutdownPrivilege	4404	powershell.exe
Token: SeUndockPrivilege	4404	powershell.exe
Token: SeManageVolumePrivilege	4404	powershell.exe
Token: 33	4404	powershell.exe
Token: 34	4404	powershell.exe
Token: 35	4404	powershell.exe
Token: 36	4404	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeShutdownPrivilege	2860	HyperPlay.exe
Token: SeCreatePagefilePrivilege	2860	HyperPlay.exe
Token: SeShutdownPrivilege	2860	HyperPlay.exe
Token: SeCreatePagefilePrivilege	2860	HyperPlay.exe
Token: SeDebugPrivilege	5496	powershell.exe
Token: SeShutdownPrivilege	2860	HyperPlay.exe
Token: SeCreatePagefilePrivilege	2860	HyperPlay.exe
Token: SeIncreaseQuotaPrivilege	5496	powershell.exe
Token: SeSecurityPrivilege	5496	powershell.exe
Token: SeTakeOwnershipPrivilege	5496	powershell.exe
Token: SeLoadDriverPrivilege	5496	powershell.exe
Token: SeSystemProfilePrivilege	5496	powershell.exe
Token: SeSystemtimePrivilege	5496	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 3552	2860	HyperPlay.exe	90
PID 2860 wrote to memory of 3552	2860	HyperPlay.exe	90
PID 3552 wrote to memory of 4476	3552	cmd.exe	92
PID 3552 wrote to memory of 4476	3552	cmd.exe	92
PID 2860 wrote to memory of 2352	2860	HyperPlay.exe	93
PID 2860 wrote to memory of 2352	2860	HyperPlay.exe	93
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 2372	2860	HyperPlay.exe	97
PID 2860 wrote to memory of 4608	2860	HyperPlay.exe	98
PID 2860 wrote to memory of 4608	2860	HyperPlay.exe	98
PID 2860 wrote to memory of 5580	2860	HyperPlay.exe	99
PID 2860 wrote to memory of 5580	2860	HyperPlay.exe	99
PID 2860 wrote to memory of 4404	2860	HyperPlay.exe	101
PID 2860 wrote to memory of 4404	2860	HyperPlay.exe	101
PID 2860 wrote to memory of 1804	2860	HyperPlay.exe	103
PID 2860 wrote to memory of 1804	2860	HyperPlay.exe	103
PID 2860 wrote to memory of 532	2860	HyperPlay.exe	104
PID 2860 wrote to memory of 532	2860	HyperPlay.exe	104
PID 2860 wrote to memory of 4416	2860	HyperPlay.exe	107
PID 2860 wrote to memory of 4416	2860	HyperPlay.exe	107
PID 2860 wrote to memory of 2416	2860	HyperPlay.exe	109
PID 2860 wrote to memory of 2416	2860	HyperPlay.exe	109
PID 4416 wrote to memory of 2040	4416	gogdl.exe	111
PID 4416 wrote to memory of 2040	4416	gogdl.exe	111
PID 2416 wrote to memory of 696	2416	powershell.exe	112
PID 2416 wrote to memory of 696	2416	powershell.exe	112
PID 2860 wrote to memory of 5496	2860	HyperPlay.exe	113
PID 2860 wrote to memory of 5496	2860	HyperPlay.exe	113
PID 696 wrote to memory of 5960	696	legendary.exe	115
PID 696 wrote to memory of 5960	696	legendary.exe	115
PID 5960 wrote to memory of 5872	5960	legendary.exe	116
PID 5960 wrote to memory of 5872	5960	legendary.exe	116
PID 2860 wrote to memory of 4324	2860	HyperPlay.exe	117
PID 2860 wrote to memory of 4324	2860	HyperPlay.exe	117
PID 2860 wrote to memory of 4404	2860	HyperPlay.exe	119
PID 2860 wrote to memory of 4404	2860	HyperPlay.exe	119

C:\Users\Admin\AppData\Local\Temp\HyperPlay.exe
"C:\Users\Admin\AppData\Local\Temp\HyperPlay.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:4476
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v HyperPlay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\HyperPlay.exe\"" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\HyperPlay.exe
  "C:\Users\Admin\AppData\Local\Temp\HyperPlay.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\hyperplay" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2000 --field-trial-handle=2004,i,6856910216835023900,12371850773564442150,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  PID:2372
- C:\Users\Admin\AppData\Local\Temp\HyperPlay.exe
  "C:\Users\Admin\AppData\Local\Temp\HyperPlay.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\hyperplay" --mojo-platform-channel-handle=2308 --field-trial-handle=2004,i,6856910216835023900,12371850773564442150,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  PID:4608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Get-CimInstance -Class Win32_VideoController -Property AdapterCompatibility,DriverVersion,PnPDeviceID | Select-Object AdapterCompatibility,DriverVersion,PnPDeviceID | ConvertTo-Json -Compress
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Get-CimInstance -Class Win32_OperatingSystem -Property Caption,Version | Select-Object Caption,Version | ConvertTo-Json -Compress
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4404
- C:\Windows\system32\where.exe
  where powershell
  2⤵
  PID:1804
- C:\Windows\system32\where.exe
  where powershell
  2⤵
  PID:532
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\build\bin\win32\gogdl.exe
  gogdl --auth-config-path C:\Users\Admin\AppData\Roaming\hyperplay\gog_store\auth.json --version
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\build\bin\win32\gogdl.exe
    gogdl --auth-config-path C:\Users\Admin\AppData\Roaming\hyperplay\gog_store\auth.json --version
    3⤵
    - Loads dropped DLL
    PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Start-Process "\"`\"C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\build\bin\win32\legendary`\"\"" -Wait -NoNewWindow -ArgumentList "\"`\"--version`\"\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\build\bin\win32\legendary.exe
    "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\build\bin\win32\legendary" "--version"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\build\bin\win32\legendary.exe
      "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\build\bin\win32\legendary" "--version"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:5960
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:5872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -Command "Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -eq 4416 } | Select-Object -ExpandProperty ProcessId"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -Command "Stop-Process -Id 4416 -Force"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -Command "Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -eq 2416 } | Select-Object -ExpandProperty ProcessId"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -Command "Stop-Process -Id 2416 -Force"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:824
- C:\Users\Admin\AppData\Local\Temp\HyperPlay.exe
  "C:\Users\Admin\AppData\Local\Temp\HyperPlay.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\hyperplay" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3316 --field-trial-handle=2004,i,6856910216835023900,12371850773564442150,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
01ed18305a6edbb4b803608111fd9579

SHA1
ae6f145537eb3392d1acc2324adc84245173448c

SHA256
e523252276467ede6373629a9690d2dbc2343f27ff8fb0fbe7c4019a30c515dc

SHA512
736ab51ab1ce631a21a1c783e57be22dabb1859c1eb42d53e0625a173647abb37cd0074bce3dc536288e5e576c02db23d2e38a4ccf7f5300a54b940cd82d7f52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ecd7de13a0daafd50c4bf7e1aff9f322

SHA1
c684fba98f666ee24fa58af20abdb2a572dcbe07

SHA256
dc1ac76e95e3eed8deee9d215533bd8fc72c93f3da0e8fff131cbf2fc61d9a70

SHA512
469bbe310f5b03b7cb31a109b726ed4f82b18410fcaceae234ced30e489581fb458082408728863682d694fc0bb6007e27e751ffab9bd2ad982ed9a77baa05bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b550e59f21b5912472a367d0951d5843

SHA1
9c440f85a9d8b5935db2d8ddd8fefa45eea7ef11

SHA256
7c40bd7125d4c3acbfea10b254126032be5b8559c8605f2c9442759ddfbb2156

SHA512
8fc819d699bc8ee4e6217e1c5451437c8b1fa19adb87d5cdd97f87cbd20129dad08766741a14a50a06900ea192013a94741bad2f36bcd8e6ad17d45a38b96c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\084dddd8-73f7-446f-9aae-861f9a2fc64f.tmp.node

Filesize
515KB

MD5
5ffa3b3aeb088fac234b08dc8a995970

SHA1
25ecd9a91c37ddaa16bedb835ee9018e6170bd23

SHA256
5576ec80f5a7cc6294cdfbc33b00a2ad285fd622016a161fd1c5b4f023454447

SHA512
3429ffc055fd35747e26b06d89197a2596ab7460098bf3fd997d7f8717184a89b020a2e3ecb096688e04382aaf738c3cb4523891a2a48698e0d8b5e38a056c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\3698d586-0db3-4c52-97f7-b22c209b16d3.tmp.node

Filesize
148KB

MD5
4dc971c52b14a3843564fb0ce8a6a0c1

SHA1
5b19af49368e4f067cbc73af7b2b54bf2dc8efee

SHA256
27ec96008c48052d5f493683297c26b9136f1d6a9e73c3722e243bc959d7cc93

SHA512
52510b4c20146e635656814e7088464399cd4ca2d64ca67ee2b116ab4631918e092d90462fc450d610154b3284579cb8b7d0ca7bbc3a6eae6b0a348ccffd04dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44162\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44162\_bz2.pyd

Filesize
85KB

MD5
b024a6f227eafa8d43edfc1a560fe651

SHA1
92451be6a2a6bfc4a8de8ad3559ba4a25d409f2e

SHA256
c0dd9496b19ba9536a78a43a97704e7d4bef3c901d196ed385e771366682819d

SHA512
b9edb6d0f1472dd01969e6f160b41c1e7e935d4eebcaf08554195eb85d91c19ff1bfbc150773f197462e582c6d31f12bd0304f636eb4f189ed3ed976824b283e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44162\_ctypes.pyd

Filesize
125KB

MD5
a1e9b3cc6b942251568e59fd3c342205

SHA1
3c5aaa6d011b04250f16986b3422f87a60326834

SHA256
a8703f949c9520b76cb1875d1176a23a2b3ef1d652d6dfac6e1de46dc08b2aa3

SHA512
2015b2ae1b17afc0f28c4af9cedf7d0b6219c4c257dd0c89328e5bd3eee35e2df63ef4fccb3ee38e7e65f01233d7b97fc363c0eae0cfa7754612c80564360d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44162\_elementtree.pyd

Filesize
187KB

MD5
392453e4810d468aa04cf65f9318a23f

SHA1
2cb635189dede828cc5ba8f6cc4c571b3a3ae7c7

SHA256
0823eb435d8cb63c8adfb8b4bea759121ed79326d758357f8187369461455a64

SHA512
94d5bd79aef109a0120450109aa5afef3c0363a749aa3929ab9893bd0276023eb67d8fcb3aeeab8c3f961d55a40a75387227c638076ae226dcce3c1a4dd731b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44162\_hashlib.pyd

Filesize
64KB

MD5
69dc506cf2fa3da9d0caba05fca6a35d

SHA1
33b24abb7b1d68d3b0315be7f8f49de50c9bdcb6

SHA256
c5b8c4582e201fef2d8cb2c8672d07b86dec31afb4a17b758dbfb2cff163b12f

SHA512
0009ec88134e25325a47b8b358da0fed8bb34fe80602e08a60686f6029b80f4287d33adb66ef41435d11d6edff86a88916f776eeaf2d1cb72035783f109ca1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44162\_lzma.pyd

Filesize
160KB

MD5
77b78b43d58fe7ce9eb2fbb1420889fa

SHA1
de55ce88854e314697fa54703a2cd6cc970f3111

SHA256
6e571d93ce55d09583ec91c607883a43c1da3d4d36794d68c6ecd6bea4ab466a

SHA512
7b03b7d3f2fd9b51391de08e69ca9156a0232b56f210878a488b9d5a19492ab5880f45d9407331360fbe543a52c03d68f68da4387bf6a13b20ec903a7b081846

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44162\_queue.pyd

Filesize
30KB

MD5
328e41b501a51b58644c7c6930b03234

SHA1
bc09f8b62fec750a48bafd9db3494d2f30f7bd54

SHA256
2782cf3c04801ede65011be282e99cd34d163b2b2b2333fd3147b33f7d5e72ab

SHA512
c6e6e6bca0e9c4e84f7c07541995a7ee4960da095329f69120ba631c3c3e07c0441cf2612d9dcc3d062c779aec7d4e6a00f71f57cc32e2a980a1e3574b67d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44162\_socket.pyd

Filesize
79KB

MD5
cd56f508e7c305d4bfdeb820ecf3a323

SHA1
711c499bcf780611a815afa7374358bbfd22fcc9

SHA256
9e97b782b55400e5a914171817714bbbc713c0a396e30496c645fc82835e4b34

SHA512
e937c322c78e40947c70413404beba52d3425945b75255590dedf84ee429f685e0e5bc86ad468044925fbc59cf7ec8698a5472dd4f05b4363da30de04f9609a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44162\_ssl.pyd

Filesize
153KB

MD5
70014e88ecf3133b7be097536f77b459

SHA1
5d75675bb35ba6fae774937789491e051e62a252

SHA256
d318795c98c5f3c127c8e47220a92acba0736daf31bab0dc9c7e6c3513bb2aa3

SHA512
aa59b32c9164afca1b799e389c7087e95eeaa543790b6f590f9e30aa13b7fdb8cc83d0ef6351f0b578a4da636f4ca1e6dfe4558dcf3a813b744a80f7392aa462

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44162\base_library.zip

Filesize
1013KB

MD5
945473d8913d8ad065760cdfab37f584

SHA1
d22104edf1f42cac6b06c8c6b9b247b39b9e10e4

SHA256
e85375d06010b20615e7413688741ca16b608f487387684b1e4f6d73e4c003b8

SHA512
ecddc432b06d9195022721b7bf13eb2e93ca370715d50e6a77d653e8966a7a253acf37c554310a041bb0a49285b9fe1089489a74f7966c6a464db7e9b5089e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44162\charset_normalizer\md.cp39-win_amd64.pyd

Filesize
10KB

MD5
c4de5638d7cf59a01c768448c6bef89d

SHA1
4405bae0d6fc5502e32689d99e74abafd87f9588

SHA256
cd8f4e8f69c855042a8f36f68a1601d96f09568baff51f96decda4fa5aeb274d

SHA512
adbf18508988af7c081539110d1b2b2f3acdea0e63bd039ec94fc57b53464761abae1639ad21f6302465ddf8fed3b0f987d9300d457be2706f10b2a36d58bce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44162\charset_normalizer\md__mypyc.cp39-win_amd64.pyd

Filesize
111KB

MD5
d67200e140f7226beda03e3fac5dbfce

SHA1
d09d0d558ca640d380ec463ef0c6acaaf800f12c

SHA256
ae2bdf86ce87b46bd557f7955ae4d018155e9bead7ccb63c65f359ae79fc5309

SHA512
d8fb745b85db89978b4abfa1ebd645bf837ed9bdec80ab647f31de0fc0a547112a893e3f76912445a367d289e57a080da25797ef8ead7cd18e1b3f6e4aaf8350

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44162\libcrypto-1_1.dll

Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44162\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44162\libssl-1_1.dll

Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44162\pyexpat.pyd

Filesize
201KB

MD5
3ee5ec36b631c2352cd8bd2e4b58b37f

SHA1
d6ddab5eb14226fea6e5212382b5dd39aa50df97

SHA256
f32af8a21c016702647a83661eb4460bac7c791754cb1faaf1c4d096a94cd7cb

SHA512
873f72bc481bf6c55cdd00e97ea0e5946f466790f3319374b1c15772d4abdc7f394defd2cb130323fff2169380b0cda7319bb2b19f87ed5dfa479635f4b21317

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44162\python39.dll

Filesize
4.3MB

MD5
2135da9f78a8ef80850fa582df2c7239

SHA1
aac6ad3054de6566851cae75215bdeda607821c4

SHA256
324963a39b8fd045ff634bb3271508dab5098b4d99e85e7648d0b47c32dc85c3

SHA512
423b03990d6aa9375ce10e6b62ffdb7e1e2f20a62d248aac822eb9d973ae2bf35deddd2550a4a0e17c51ad9f1e4f86443ca8f94050e0986daa345d30181a2369

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44162\select.pyd

Filesize
29KB

MD5
35bb285678b249770dda3f8a15724593

SHA1
a91031d56097a4cbf800a6960e229e689ba63099

SHA256
71ed480da28968a7fd07934e222ae87d943677468936fd419803280d0cad07f3

SHA512
956759742b4b47609a57273b1ea7489ce39e29ebced702245a9665bb0479ba7d42c053e40c6dc446d5b0f95f8cc3f2267af56ccaaaf06e6875c94d4e3f3b6094

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44162\ucrtbase.dll

Filesize
1.1MB

MD5
3b337c2d41069b0a1e43e30f891c3813

SHA1
ebee2827b5cb153cbbb51c9718da1549fa80fc5c

SHA256
c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7

SHA512
fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44162\unicodedata.pyd

Filesize
1.1MB

MD5
3ba2a20dda6d1b4670767455bbe32870

SHA1
7c98221bc6ed763030087b1f33fb83eac2823ea4

SHA256
3a0987025f1cf2111dc6e4f59402073ba123d7436d809ee4198b4e7bfb8cb868

SHA512
0688f8af3359a8571bef2a89efabc2dbf26f3f5c6220932a4e7df2e33fac95cafee8b80796346ba698e6bf43630b8069f56538b95a8ff62ec21d629787ca5cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6962\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6962\_ctypes.pyd

Filesize
123KB

MD5
a1b81ce092c5a2c9afd13b5cae872441

SHA1
05b695dbb5e62adb368d8bd142f667b2e7e9d437

SHA256
eb5ebeb25888ff124abd0db3e08577b84538e62610107fe4e008d7c188a78210

SHA512
5158e462b0aeebf711e42363cf9ca1ac546958154257cc3063ba4575da28c2a7c95b1527a54adfa00d9b3c6f8832aedd97e6c79f5cd70a47146afb0f1afa288a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6962\_socket.pyd

Filesize
78KB

MD5
439b4d756cde64fba441e640df56dd60

SHA1
881dbf2366915399b3bb8be6083f94f46eebaaf7

SHA256
acb377fd6967b2ce819601c7d6a102d30af570eaee9e312e383f34aecd5df142

SHA512
ef4b78e9f6cc740696836062dffa956ee5b9d1f0be8d809497ea778fea80761fc5b3baa938756344edc18dbaeeae6fe660f2ee8fcc25e0d7985e55f4461e3c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6962\base_library.zip

Filesize
678KB

MD5
3ae15fe280ecda05eed0cab7624af175

SHA1
17b9c742b740ac67674963a2e57a9a3a2cc90e48

SHA256
5a189878f57afdcc6b45f03f641f58bf736ace225d5f7f0a4898b802bfabf090

SHA512
750c11240a5df35edbdd1e45a4cb1d0aa67ba117fd0ce4bb999ac85940322d33694645f9c104c888f3e265bb476055aaa5d4f99fe991d594369f02d2b903a2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6962\python39.dll

Filesize
4.3MB

MD5
789b4ecbce732a7e8479e8909f097d16

SHA1
a79c2e1ca0ad675a48f3bba0fbdeff1b888f0e74

SHA256
8314174dacfc1c4f177be8266c78f147621cf577a39742642a76ec27e7b87b02

SHA512
b9b57ff21735c06f4b3957cdd5a3ab54602a7141f1792de52aea0e6fc41be957070b958ab75b1a26a302b6fb17a02e9a187ad289a6af0c72a5ade43b4bf06e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6962\select.pyd

Filesize
28KB

MD5
db414debf94abe8d159f42f71fd4c292

SHA1
1b585a565d6c769a9323885d0f3af2038fb06dfe

SHA256
2a451074afe05260fc274fba6851f8f96cd46ad32b657d876dd55f237244b6e3

SHA512
16a35bacd1511a327dd490304b48d7b2b87e906e693283950c46b3ae4da5db1f68d50b937f3e31329d106e92751456a9f31637495b2b8190b5f2a4a49c9146a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6962\ucrtbase.dll

Filesize
977KB

MD5
5b1c91b53ac3c3026d50de8c05aba139

SHA1
b9c2d160b1ce856d9904a340362236473a3d559c

SHA256
d804ea40eacfc22a5e029b66d6d4f83d81f76a7ead80313b33839253f90af6b7

SHA512
8e01056830e65320d684245bf055305e03ef136545efb51aad484a5b1b006f7d534c30b7973da8628f49c31710ae23d3420f941156c941172b97efe9e1ef9a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zskokezz.3ne.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d87c64b2-e2e1-4c48-bb65-72f50e1a7816.tmp.node

Filesize
168KB

MD5
d0aab4c09f5d7c40333bfe038c8fd999

SHA1
e54095de9cde1fdd8ae7e942e411dae5850d507f

SHA256
74cf6e8c147adecd0f51f15dfc736316e978dc7bc6431b86b80cc115189c13e3

SHA512
e840ecfe86135d3fd3c016c1f14b3051d2a2dfc53ea5a44859bf071eb3fc32a02dce11afad334093b67c00b4a03801b7e69866a5631d608653c1a4ef733760f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
8d0b666b5f7a95392a4f67da56a06b15

SHA1
f92eea93ee67745d2eb271a5b835d7d2b81eff87

SHA256
b6eb8cce854cb6ef4dd1576cfafd9d4a51a49ce3717a1108a777503ddc197a03

SHA512
1bbbac639ef729fb8e090a254225a44d5a00c7438670db304a8a88fa30883cec10c144d412301d8818a87178d9df473363b7daddd82b3a59fc09ae335e2f3949

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
588dad9c7a37c6a5dc123966625700d6

SHA1
7cd8438f7586708fa3623e07a24cc28a337f2e90

SHA256
cf634fdf7e6fe84e44b021b3e45f5d78da6fb411111a5732cf0e80abfb39fccb

SHA512
c6e2ab7441cd10abf85b5c565d20d23d1bfdf60aa3b0e6a22329eb5f94838028738eb2c046bdfd63fdd7081face48ce2c447ab7f6d5f5709a6f16cb859adfd05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
a7673cb758d60461ccdac724c2e5ec97

SHA1
b0cc704bbd600461a6b59b4b7c58db92229ece65

SHA256
abf708ca126082d204e5e9e2e4920555848da2c665ca232fe4899b2d6e80fbda

SHA512
28eeb4bcf26030e8a979350ce227e17ce4469bd8c8bd05355c86b11a6ed9e21325350076e610366039000e51fdafe943c05bb462a07e8efbeb3b42ac32825c75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
84825769d8ccf47e85249e09c62f6d2e

SHA1
f7020749166b00bb390f515956741291b590e86e

SHA256
61a0fde0322bd1b0bb911274eb0a13318c3c813ba3f133e9e0600d191129475f

SHA512
d75acf5ca623ac107b44c377aa9d9e97fb75421b29910716341e3fa561e1ddddb2dd03f75f8a0fbf6db1cdc31a7f46a212a8824de30a9ffefb0f03cf9344cb38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
0abfd590ceadf0e58a9f6d54400aae2b

SHA1
c7d5683526caec762ba481fa518e3f459a07d55b

SHA256
cdf059c0302070f70edb5ccf7da8f796aadcf09bec350fa072f345fb2efddf3c

SHA512
97a11babd30f1dcab452dfe11ecc3c19eb4406c1b8f0cc55e5a42a853806e521a725f459ace49491882a26b7758bd139c46942698b967490fd861f92fb8548f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
0619e07aef64530a4d476aa1ce64e2b5

SHA1
827c8057f2721f039fedde752d941f940839e0bf

SHA256
9e68dcc55d2799a920d5bca3118f81684f38a46a6d579f052b7c98d15d94179a

SHA512
046c75a734ff6dabe04f785fab08de58e2a513a10458a7e6d9e362119f0ad602296d4a2c8318bcdf38779b360bac7945c5a53881768d27c9c171f05fdba6143e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
90a05f6993b8a4db242f34e180481a98

SHA1
9140d61fda2faeab44f70698bb9220d14d518b46

SHA256
e957a239b9f3e8e99ae5e75f013461a78beaed355c396e0efc23d9f4aa05dc89

SHA512
6eadd0934b3476b4c8e7ce316c49954385867dfc21453c44ade1b91916ffe4d04159029534402cc58b1966f9d27673eb7e5772e6dcd4d5f3427045a85b1e2a01

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\Cache\Cache_Data\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\Cache\Cache_Data\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\Cache\Cache_Data\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\Cache\Cache_Data\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\Code Cache\wasm\index-dir\temp-index

Filesize
48B

MD5
8129b4f6d38d5465270b5dcffbc63c0d

SHA1
facf1a9ef0a7889cc5ca0aba8605368cea82d799

SHA256
dc86514abbd4be7469e484875ed9094add86a2cb935a6d466c2e49bbe00306d8

SHA512
9b09a9fafc5a2471f3fa128a21f229a9986e641c2815023c1297f5a72fca5121971ced578501649c4076e02acd3bb4bc7eb50593385738754af34ceb2a446b4a

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\Network\Trust Tokens

Filesize
4KB

MD5
9d25e908f15093238dd68a3e17d36183

SHA1
8ef52634b1320b2196679791917c02f157c836dc

SHA256
a3c2f28d8467edc0abc6dacfbe6b3144198d56db7ab7ee6e06e5315aa4211971

SHA512
67e3dc60f98f01275fe8948bd4db9a7fd258abdbb49cc55a386a73402045687d39f3a6813ca745c4fd9fcaad7016b156c2b6abd5bd59c9dc4d5d700f9058007d

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\Partitions\auth\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\Partitions\auth\Code Cache\js\index-dir\temp-index

Filesize
48B

MD5
bd4ea2591264208482314f98c6923adb

SHA1
a2958972d49792110899c2274182747b48ed9206

SHA256
cd4aeb93472ccc05994104c03db8be623caad2f867bfa34bbf031cb951c9e766

SHA512
5353c6743af70b4e209440491a14ce08cbf32a0e5c198ddc7b6e240e91a7d52da78e76c98f2e8ba9932c67bffc15c2a8553ebf76c0b13de9fe2f5c0b57812442

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\Partitions\epicstore\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\Partitions\epicstore\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\Partitions\epicstore\Network\9c9b5421-93c8-498f-8f3b-97d779527396.tmp

Filesize
300B

MD5
bec2a09a13d19e07d14b408344b77d8a

SHA1
e4880ae5648f9b2649e348eb15787dd44b3af832

SHA256
50b2c303b2300ba8223dfa8a3e0e3c5fce660c914a61a435b22a890e74219a4f

SHA512
6c7113875e4c77cab3a8b1f4e9f4edcaafd07921abecc28ef8f197c1bf88629fa0707e82581f9a4f4b64a800be3af612ce2581e9bb423757b628b038337628bf

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\Partitions\hyperplaystore\Network\Network Persistent State

Filesize
300B

MD5
cb784118dcfdf3c219ae16cc2621247f

SHA1
b5426334fd990c665d2a5e36f42db3d26fa330e0

SHA256
da5c278680a5fdd8ff2481714adddf7b6f1ed02d1bbbb5e8c12255014d408eab

SHA512
8f00af62c10e0630dd20eef5c61ae97d274e163e36b89f28832e190f1f3688b92b629b668953888e13ab969e91d052991944efeff5a8e76b64884a50d207ada9

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\Partitions\hyperplaystore\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\Partitions\inpagewindowethereumexternalwallet\Network\241e96f4-a172-4ed9-80e7-0cbb38942051.tmp

Filesize
300B

MD5
519ad6753367320de17eda887d0f89b3

SHA1
d78d0527adb31a03ac31d41eadb9ce837ffa0f94

SHA256
f9f44a4f87461dee37e68d60977c2b0d4ece6d53116e54bc7113a8bc79e4b105

SHA512
96c7fd34d9f2fd1db6d77cef5007b3c872932fe136f95727282d37b9354392a825df46c5ad9c4dacb3fd3a0e5e23d89ac45eab1be0178fefacb37ccd2d709cca

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\Partitions\inpagewindowethereumexternalwallet\Network\491c67ab-74e8-4822-b54e-caba4480b0b2.tmp

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\Partitions\inpagewindowethereumexternalwallet\Shared Dictionary\cache\index-dir\temp-index

Filesize
48B

MD5
4b982cb198ad2bfdeb357bd15106bac6

SHA1
d63a14d426ff9e255f524e10ed1e208c58e5afdc

SHA256
2bf630b20cae2e06ae23888f83e3f87ee4efd335c49703f0d5db447c942ef2c5

SHA512
b31c50834eb5f585df1a68ff34cb49d3abf55bc3d04accda6b815a4e1558a55261f5dfbbae5df68021bf5a4c4be9bf220a81b20d5b8e0369af12bcc6d48aa69f

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\config.json

Filesize
1KB

MD5
4f7ba2039542755282371460f9638d42

SHA1
bc0a1cc2ad784c933a6abeacba29a17b0f650b33

SHA256
766ac29f908c1d41cef159718c72b47869280e81c7962d9982a6a7fa45f38ccc

SHA512
2dd05d168757196cd8fed2bb07e10e58ea3c49e9203f76b8fd3f009a1d1ffecabb50be05798e815a0b0db5d95d5ce620ac3ca54cecc8c4c5fa69c8d26339fbb1

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\hp_store\library.json

Filesize
16B

MD5
856fe2d57bcda54f7d2cd9ecdde0cd85

SHA1
a23a340786638271cadfec495d81effaccb00b5f

SHA256
3230be4f264a41a39a953d3e640a33d83dc35e06abd397c915d53c5b4b2c439c

SHA512
d50c2102cc35a89f42e643f410bd66e6ce451acaed3d1d7cccb16766ffc351b0aa2343d8716b74a3a8f7823badaed27111796c6c808e5a87ba7708e8b9bb2a7c

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\hp_store\library.json

Filesize
83B

MD5
0fd62cf39e26c9c7e7ac2e11a0094b51

SHA1
602e12751ce5fc94762c4413741a6ff6fd1df8fc

SHA256
4ef9dd380aae46aad09d181908fe3ecdd8b68246111431ed79f9f4a1a51043ab

SHA512
252543aa27128e3b679570ea8f9590e294f376dfbfff1661971ead2dd41db848c2ae973033afb8ee300bfa64ed9f21719c1bdfc04772d5c4ecb6e3ed9d87f7c6

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\logs\hyperplay-2024-09-01T18_50_49.935Z.log

Filesize
1KB

MD5
48b42618cbfa6edb6431232e5f0453ed

SHA1
737e1067234e04378b893831906cae1867e472f5

SHA256
503ad196079c5d5a8883d2a53857c6e056ee644f705d63ea9f60e63949739ec6

SHA512
a77c7f42d359a7ea5cbe45541b2b625c89dc6059a35ae312ed340fe327d39396244b78f152b3548adf1beb1961fb4edd742c36a04771b9487ee48d9e7478809d

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\store\config.json

Filesize
386B

MD5
8dc645dc83630e9708cd26189dd856d3

SHA1
2d109d7588ccf07747fb100db8073c18a0b9d41e

SHA256
b18d16a3fce0713dbf6b8fff9bf6944063773a54ae659be9992cff368ef52bd3

SHA512
a89c5ab40b34d47117fd6d59050f25f0df4cb4a12294d3b92a85e21115cb7714c7c96c1f045ea767538065d298634fa31398c380379f23cc7c5783826a902a1a

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\store\config.json

Filesize
1KB

MD5
a7b8f31da0e1b6e29cfafe806c85d36e

SHA1
d6cffbc463cf9b155d635b52634910388faaaef9

SHA256
be187dd3058964c68933521ad1b3dc77836896553e99dcdb609a7838bc19d8fb

SHA512
00aae53005761b032dfc62652a78c8d245c6a71bcdce3289458c1c15e070b0967c2298836070c17676b2fb08954a90a73508c4ffdd1d65dc879b9591a8819d02

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\store\metrics-store.json

Filesize
74B

MD5
91e4fbc8ff7ee5b67bc7ff34a4bddcfd

SHA1
72e1c37867ea0b09a220e3854ba33e1be9e0a998

SHA256
3fb44cfad2b641e41fc2dc848f26d60dcd65600b8e7c71c38f5752b1707f9bf5

SHA512
e7de1c7e97112c986f8fe11ef072972d83142ef0a0178a68521a59cd6ef515e7fca1f288847d0f8db634419e559c538f44712a4352aafe6e4980ca03c65dbd19

Download Submit
C:\Users\Admin\AppData\Roaming\hyperplay\store_cache\gog_playtime_sync_queue.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
memory/216-1031-0x000001C7F19E0000-0x000001C7F19E1000-memory.dmp

Filesize
4KB

Download
memory/216-1023-0x000001C7F19E0000-0x000001C7F19E1000-memory.dmp

Filesize
4KB

Download
memory/216-1028-0x000001C7F19E0000-0x000001C7F19E1000-memory.dmp

Filesize
4KB

Download
memory/216-1029-0x000001C7F19E0000-0x000001C7F19E1000-memory.dmp

Filesize
4KB

Download
memory/216-1030-0x000001C7F19E0000-0x000001C7F19E1000-memory.dmp

Filesize
4KB

Download
memory/216-1022-0x000001C7F19E0000-0x000001C7F19E1000-memory.dmp

Filesize
4KB

Download
memory/216-1034-0x000001C7F19E0000-0x000001C7F19E1000-memory.dmp

Filesize
4KB

Download
memory/216-1032-0x000001C7F19E0000-0x000001C7F19E1000-memory.dmp

Filesize
4KB

Download
memory/216-1024-0x000001C7F19E0000-0x000001C7F19E1000-memory.dmp

Filesize
4KB

Download
memory/216-1033-0x000001C7F19E0000-0x000001C7F19E1000-memory.dmp

Filesize
4KB

Download
memory/5580-488-0x000001964C1B0000-0x000001964C1D2000-memory.dmp

Filesize
136KB

Download
memory/5580-503-0x000001964CF10000-0x000001964D438000-memory.dmp

Filesize
5.2MB

Download
memory/5580-501-0x000001964C810000-0x000001964C9D2000-memory.dmp

Filesize
1.8MB

Download
memory/5580-500-0x000001964C670000-0x000001964C694000-memory.dmp

Filesize
144KB

Download
memory/5580-499-0x000001964C670000-0x000001964C69A000-memory.dmp

Filesize
168KB

Download