xworm | 7b32c1420987a465d99cc1f7331e6d8a53e2b8f3d975362f27179cba9a0b0508

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

neverlose.exe
Size

9.4MB
MD5

5ea9e8fcbd947d824f90c64310f5f408
SHA1

19e126033e57b4431182434126e9f18ae58333d1
SHA256

eddf7f2852cf1a14bd776ca6ecd067b9623e0dd113b09d80f054348f48cc6816
SHA512

1d9e2b03a097c029fcc9bc48f971e54fc3eede9f5e3105b550d60d507bede9d15131635785c9637b84c686710b2bbd06a24798ac55f8a44621052df2ce0b6fb7
SSDEEP

196608:iW8b88HkdgjXMCHGLLc54i1wN+mrRRu7NtbFRKnZMZDRxk9mhzTNzslBnTN1D:aceXMCHWUjurRQ7XbFsn6ZDko4N

Score

10^/10

xworm evasion execution persistence rat trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral4/memory/824-662-0x0000000001420000-0x000000000142E000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral4/files/0x0007000000023d4a-548.dat	family_xworm
behavioral4/memory/824-553-0x0000000000720000-0x000000000075A000-memory.dmp	family_xworm

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	neverlose.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3068	powershell.exe
6088	powershell.exe
5484	powershell.exe
5500	powershell.exe
5436	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	chrome_cache.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	cheat.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	chrome_cache.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	chrome_cache.exe

Executes dropped EXE 5 IoCs

pid	Process
824	chrome_cache.exe
2868	svchost.exe
2356	cheat.exe
5408	ExLoader_Installer.exe
5900	ExLoader.exe

Loads dropped DLL 44 IoCs

pid	Process
996	neverlose.exe
996	neverlose.exe
996	neverlose.exe
996	neverlose.exe
996	neverlose.exe
996	neverlose.exe
996	neverlose.exe
996	neverlose.exe
996	neverlose.exe
996	neverlose.exe
996	neverlose.exe
996	neverlose.exe
996	neverlose.exe
996	neverlose.exe
996	neverlose.exe
996	neverlose.exe
996	neverlose.exe
996	neverlose.exe
996	neverlose.exe
996	neverlose.exe
996	neverlose.exe
996	neverlose.exe
996	neverlose.exe
5408	ExLoader_Installer.exe
5408	ExLoader_Installer.exe
5408	ExLoader_Installer.exe
5408	ExLoader_Installer.exe
5408	ExLoader_Installer.exe
5408	ExLoader_Installer.exe
5900	ExLoader.exe
5900	ExLoader.exe
5900	ExLoader.exe
5900	ExLoader.exe
5900	ExLoader.exe
5900	ExLoader.exe
5900	ExLoader.exe
5900	ExLoader.exe
5900	ExLoader.exe
5900	ExLoader.exe
5900	ExLoader.exe
5900	ExLoader.exe
5900	ExLoader.exe
5900	ExLoader.exe
5900	ExLoader.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	chrome_cache.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
253	raw.githubusercontent.com
254	raw.githubusercontent.com
305	raw.githubusercontent.com
252	raw.githubusercontent.com

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
248	api.ipify.org
249	api.ipify.org
250	api.ipify.org
257	ipapi.co
258	ipapi.co
259	ipapi.co

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-downlevel-kernel32-l2-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\vccorlib140.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\cloud-off.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\flower.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-core-libraryloader-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\calendar.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\collapse.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\filter.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\new-year-star.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\audio\AbominationPissed_RU.wav	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\check.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\logo.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\medium.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\pencil.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\verified.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\msvcp140_1.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\fonts\NoirPro-Medium.otf	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\cat.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\puffer-fish.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\selected-check.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\audio\CSGO_press.wav	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\resume.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\warning.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-core-localization-l1-2-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-eventing-provider-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\msvcp140_codecvt_ids.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\permission_handler_windows_plugin.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\arrow-right.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\media_kit_video_plugin.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\windows.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\AssetManifest.bin	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\compressed_logos\romantic.ico	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\advanced.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\alien.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\notification.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\translate-not-google.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-core-handle-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\compressed_logos\logo.ico	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\vcruntime140_1.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\audio\Steam_press.wav	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\simple.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-crt-locale-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\FishingDay.jpg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\steam.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-crt-heap-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-crt-utility-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\selected-viewbox.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\sort.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\flutter_windows.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\LoveDay.jpg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\gear.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\plus.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\resolved.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\thumb-down.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-core-string-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-crt-process-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\download-sharp.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\neuronet.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\refresh.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\shaders\ink_sparkle.frag	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-core-memory-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-core-synch-l1-2-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\SchoolDay.jpg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\bell.svg	ExLoader_Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
6088	powershell.exe
6088	powershell.exe
6088	powershell.exe
5484	powershell.exe
5484	powershell.exe
5484	powershell.exe
5500	powershell.exe
5500	powershell.exe
5500	powershell.exe
5436	powershell.exe
5436	powershell.exe
5436	powershell.exe
824	chrome_cache.exe
824	chrome_cache.exe
824	chrome_cache.exe
5408	ExLoader_Installer.exe
5408	ExLoader_Installer.exe
3068	powershell.exe
3068	powershell.exe
3068	powershell.exe
824	chrome_cache.exe
824	chrome_cache.exe
824	chrome_cache.exe
824	chrome_cache.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	firefox.exe
Token: SeDebugPrivilege	2636	firefox.exe
Token: SeDebugPrivilege	824	chrome_cache.exe
Token: SeDebugPrivilege	6088	powershell.exe
Token: SeDebugPrivilege	5484	powershell.exe
Token: SeDebugPrivilege	5500	powershell.exe
Token: SeDebugPrivilege	5436	powershell.exe
Token: SeDebugPrivilege	824	chrome_cache.exe
Token: SeDebugPrivilege	2868	svchost.exe
Token: SeDebugPrivilege	3068	powershell.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2636	firefox.exe
824	chrome_cache.exe
5408	ExLoader_Installer.exe
5408	ExLoader_Installer.exe
5408	ExLoader_Installer.exe
5408	ExLoader_Installer.exe
5900	ExLoader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 996	1104	neverlose.exe	86
PID 1104 wrote to memory of 996	1104	neverlose.exe	86
PID 2324 wrote to memory of 2636	2324	firefox.exe	101
PID 2324 wrote to memory of 2636	2324	firefox.exe	101
PID 2324 wrote to memory of 2636	2324	firefox.exe	101
PID 2324 wrote to memory of 2636	2324	firefox.exe	101
PID 2324 wrote to memory of 2636	2324	firefox.exe	101
PID 2324 wrote to memory of 2636	2324	firefox.exe	101
PID 2324 wrote to memory of 2636	2324	firefox.exe	101
PID 2324 wrote to memory of 2636	2324	firefox.exe	101
PID 2324 wrote to memory of 2636	2324	firefox.exe	101
PID 2324 wrote to memory of 2636	2324	firefox.exe	101
PID 2324 wrote to memory of 2636	2324	firefox.exe	101
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 4480	2636	firefox.exe	102
PID 2636 wrote to memory of 404	2636	firefox.exe	103
PID 2636 wrote to memory of 404	2636	firefox.exe	103
PID 2636 wrote to memory of 404	2636	firefox.exe	103
PID 2636 wrote to memory of 404	2636	firefox.exe	103
PID 2636 wrote to memory of 404	2636	firefox.exe	103
PID 2636 wrote to memory of 404	2636	firefox.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\neverlose.exe
"C:\Users\Admin\AppData\Local\Temp\neverlose.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Local\Temp\neverlose.exe
  "C:\Users\Admin\AppData\Local\Temp\neverlose.exe"
  2⤵
  - Modifies Windows Defender DisableAntiSpyware settings
  - Loads dropped DLL
  PID:996
- - C:\Users\Admin\AppData\Local\chrome_cache.exe
    C:\Users\Admin\AppData\Local\chrome_cache.exe
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\chrome_cache.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'chrome_cache.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5436
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5948
- - C:\Users\Admin\AppData\Local\Temp\cheat.exe
    C:\Users\Admin\AppData\Local\Temp\cheat.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5408
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command "$WshShell = New-Object -comObject WScript.Shell $Shortcut = $WshShell.CreateShortcut(\"c:\users\admin\desktop\ExLoader.lnk\") $Shortcut.TargetPath = \"C:\Program Files\ExLoader\ExLoader.exe\" $Shortcut.Save()"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
    - - C:\Program Files\ExLoader\ExLoader.exe
        
        "C:\Program Files\ExLoader\ExLoader.exe" -deletePreviousExLoader
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5900
      - C:\Program Files\ExLoader\deliberatelybyfron.exe
        
        "C:\Program Files\ExLoader\deliberatelybyfron.exe"
        6⤵
        
        PID:2976
    - - C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
        
        C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe --silent --allusers=0
        5⤵
        
        PID:4776
      - C:\Users\Admin\AppData\Local\Temp\7zS8A25E179\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8A25E179\setup.exe --silent --allusers=0 --server-tracking-blob=ZWMxNTNkMTUwNmE0ZDNiODc0ODM3MDQ2OGI4OGFiOGNhMzBmNDA3MTU4YmYyNzdmNDJhNDI0Y2ViZDc1NjM4ZDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGU/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1PRlQmdXRtX2NhbXBhaWduPU5FV19fMTgyMjZhIiwidGltZXN0YW1wIjoiMTc0MTQ0MTQyMy45MTIxIiwidXNlcmFnZW50IjoiRGFydC8zLjUgKGRhcnQ6aW8pIiwidXRtIjp7ImNhbXBhaWduIjoiTkVXX18xODIyNmEiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJPRlQifSwidXVpZCI6ImRjMjAzNjYzLWI4YmEtNGU5Mi1iZmQzLWFjMDAxZTBlMDk5OSJ9
        6⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\7zS8A25E179\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8A25E179\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=117.0.5408.53 --initial-client-data=0x32c,0x330,0x334,0x2e4,0x338,0x74637144,0x74637150,0x7463715c
        7⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
        7⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\7zS8A25E179\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8A25E179\setup.exe" --backend --install --import-browser-data=0 --enable-crash-reporting=1 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=940 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20250308134347" --session-guid=605366c7-1f2e-4121-96d3-6bf74ed5af04 --server-tracking-blob="NWFmZjI3ZDE5NzdhNmVhNDYyMGFiYWFjZTE2NzE5NDE3YWZlM2JkNDE5YzJlNDYxNGZlYTE2YzI0NDQ5YWIxOTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGU/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1PRlQmdXRtX2NhbXBhaWduPU5FV19fMTgyMjZhIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzQxNDQxNDIzLjkxMjEiLCJ1c2VyYWdlbnQiOiJEYXJ0LzMuNSAoZGFydDppbykiLCJ1dG0iOnsiY2FtcGFpZ24iOiJORVdfXzE4MjI2YSIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Ik9GVCJ9LCJ1dWlkIjoiZGMyMDM2NjMtYjhiYS00ZTkyLWJmZDMtYWMwMDFlMGUwOTk5In0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=7405000000000000
        7⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\7zS8A25E179\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8A25E179\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=117.0.5408.53 --initial-client-data=0x31c,0x320,0x324,0x2f8,0x328,0x72647144,0x72647150,0x7264715c
        8⤵
        
        PID:4888

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 27194 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b9e9e60-14d6-4d1f-80b5-83d583e47a80} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" gpu
    3⤵
    PID:4480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2388 -prefsLen 27230 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38c47316-7fcc-4d53-8a35-52a6c47e18a2} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" socket
    3⤵
    PID:404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2980 -childID 1 -isForBrowser -prefsHandle 2964 -prefMapHandle 3056 -prefsLen 27371 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03a131e8-d059-4d55-9130-ef745700c1f5} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" tab
    3⤵
    PID:4024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3704 -childID 2 -isForBrowser -prefsHandle 3632 -prefMapHandle 2732 -prefsLen 32604 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67a4c77e-f41c-43fc-97d0-82dd1599a460} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" tab
    3⤵
    PID:3988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4848 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4824 -prefMapHandle 3628 -prefsLen 32604 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c8fdfce-4061-4ab7-9f6d-66833475dac6} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" utility
    3⤵
    - Checks processor information in registry
    PID:5492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 3 -isForBrowser -prefsHandle 5392 -prefMapHandle 5400 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5dbf10fa-9a7b-4cd8-be6c-da24f2671e71} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" tab
    3⤵
    PID:5868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 4 -isForBrowser -prefsHandle 5380 -prefMapHandle 5384 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2ce1528-ca1e-40ad-8011-66efa7ad8df4} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" tab
    3⤵
    PID:5880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5708 -childID 5 -isForBrowser -prefsHandle 5664 -prefMapHandle 5660 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {451a8e17-3fe5-4c17-a65c-aea01b6c0b03} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" tab
    3⤵
    PID:5892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6224 -childID 6 -isForBrowser -prefsHandle 6184 -prefMapHandle 6188 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6ed920e-4613-429b-b5be-441918ae6f5f} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" tab
    3⤵
    PID:5596

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:5140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ExLoader\ExLoader.zip

Filesize
45.4MB

MD5
aac135f19ae9d61bc4b6abba665f5cef

SHA1
e136f4ea23cb8ae748f6b3e86e42daf7ec84e9e5

SHA256
c74bc8f65aa6b97b04ba0e60833a67752ec5a0fa46bb4df19868f02e5a06d94d

SHA512
5d4f9f0f155c4640d40c570081ed12d3d770e6b69f4a879ba8c5bdf1ea4b291f685ce72b10d41ea82dff1d68a86765a30cd5b90ea7d4a690e97044fc7e8721d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\outbhah2.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe

Filesize
5.5MB

MD5
b21f966a4ab470cd5f3f860a93f29f2a

SHA1
76cdf8ab2a0f8707788e3ff9477ff39572304822

SHA256
2e5c697a6a194d7fbeec32c7f2fe62d7b24cf36b6a3edf1ecc277e20aa7fd020

SHA512
109ac44bc80ce86e4ee5718a917c78598e583a8f3ab7d4e3602659e52919b8b51130e844d392d99e9560c1f5f2f3d1e2be4b5374b4fe62cd5383ce55fb48f573

Download Submit
C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe

Filesize
2.2MB

MD5
86f074da9f13aa98bd14e852408b3323

SHA1
ed2823348afdc0d6700194da5200a8973d85ad6d

SHA256
57ad7e8ef0d270483909d813483dc3ac7d4a329d0db9d3fe0c238bd37c3e632b

SHA512
0b0749e254e5eaba018db5a77646d4e726f7fcbb5c883afc891d1169f48c94feef7038b66707a5d2a6ce0f62f4e7f87e2eca2fba5c55c7edcd1c083bd3bac84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2503081343467103068.dll

Filesize
5.0MB

MD5
4819ab21539936a61a0b47965d8c62ba

SHA1
f79150f431b19baedcb0bc6a2c216ca8bc41ffe1

SHA256
9445b5f8c13d7f94a293260cf9b8dbf6e485188ff497222e4748e4c3819489bb

SHA512
0a1c25c2d661e63f15d7184274e3bcb97e6237cebb5d22d7989827a22d6aca570b3e7d0753b33b05c38ed4ea9838b5b1672600a7b6398094334a50850ded270a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

Filesize
184KB

MD5
672d8f840df04da81a68c12354c67602

SHA1
f14a9a358bce7225435a4f9327722edf363139cf

SHA256
cc8522a81ca478837e76ee0975f820c0211242f859769dad4349afc9892dd6b2

SHA512
4ac90decbf88025c7ed0484b030d484b3659541ad4bf2f029d74657bcb4fc4d7f5f66a84ac9bfe8184e21fd412c1ad367c8ebf6a9e19761736bbeaf9722db962

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSVCP140.dll

Filesize
559KB

MD5
c3d497b0afef4bd7e09c7559e1c75b05

SHA1
295998a6455cc230da9517408f59569ea4ed7b02

SHA256
1e57a6df9e3742e31a1c6d9bff81ebeeae8a7de3b45a26e5079d5e1cce54cd98

SHA512
d5c62fdac7c5ee6b2f84b9bc446d5b10ad1a019e29c653cfdea4d13d01072fdf8da6005ad4817044a86bc664d1644b98a86f31c151a3418be53eb47c1cfae386

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140.dll

Filesize
116KB

MD5
e9b690fbe5c4b96871214379659dd928

SHA1
c199a4beac341abc218257080b741ada0fadecaf

SHA256
a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8

SHA512
00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll

Filesize
17.3MB

MD5
225782e5d02f400a76b8fabe8a6f5cd1

SHA1
e54ef4f664a250808749be2ea9870607c20ace31

SHA256
b66713715a7aeaa2f88ba18838aa7c245556eaaeb31c82da3f5aebcb71a7715e

SHA512
9e88489361b36970a982329184b7afa9ef403ca86830427c60397e49522e5d38fc652ce4b65e79c54583a50ffee83fb138a02d638e015c9ff53e56164556be76

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140_1.dll

Filesize
48KB

MD5
eb49c1d33b41eb49dfed58aafa9b9a8f

SHA1
61786eb9f3f996d85a5f5eea4c555093dd0daab6

SHA256
6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

SHA512
d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\VCRUNTIME140_1.dll

Filesize
48KB

MD5
68156f41ae9a04d89bb6625a5cd222d4

SHA1
3be29d5c53808186eba3a024be377ee6f267c983

SHA256
82a2f9ae1e6146ae3cb0f4bc5a62b7227e0384209d9b1aef86bbcc105912f7cd

SHA512
f7bf8ad7cd8b450050310952c56f6a20b378a972c822ccc253ef3d7381b56ffb3ca6ce3323bea9872674ed1c02017f78ab31e9eb9927fc6b3cba957c247e5d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\_bz2.pyd

Filesize
83KB

MD5
c17dcb7fc227601471a641ec90e6237f

SHA1
c93a8c2430e844f40f1d9c880aa74612409ffbb9

SHA256
55894b2b98d01f37b9a8cf4daf926d0161ff23c2fb31c56f9dbbac3a61932712

SHA512
38851cbd234a51394673a7514110eb43037b4e19d2a6fb79471cc7d01dbcf2695e70df4ba2727c69f1fed56fc7980e3ca37fddff73cc3294a2ea44facdeb0fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\_ctypes.pyd

Filesize
129KB

MD5
2bd5dabbb35398a506e3406bc01eba26

SHA1
af3ab9d8467e25367d03cb7479a3e4324917f8d0

SHA256
5c4c489ac052795c27af063c96bc4db5ab250144d4839050cfa9bb3836b87c32

SHA512
c07860d86ae0d900e44945da77e3b620005667304c0715985f06000f3d410fffb7e38e1bc84e4e6d24889d46b9dac6bf18861c95b2b09e760012edc5406b3838

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\_decimal.pyd

Filesize
274KB

MD5
ad4324e5cc794d626ffccda544a5a833

SHA1
ef925e000383b6cad9361430fc38264540d434a5

SHA256
040f361f63204b55c17a100c260c7ddfadd00866cc055fbd641b83a6747547d5

SHA512
0a002b79418242112600b9246da66a5c04651aecb2e245f0220b2544d7b7df67a20139f45ddf2d4e7759ce8cc3d6b4be7f98b0a221c756449eb1b6d7af602325

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\_hashlib.pyd

Filesize
63KB

MD5
422e214ca76421e794b99f99a374b077

SHA1
58b24448ab889948303cdefe28a7c697687b7ebc

SHA256
78223aef72777efc93c739f5308a3fc5de28b7d10e6975b8947552a62592772b

SHA512
03fcccc5a300cc029bef06c601915fa38604d955995b127b5b121cb55fb81752a8a1eec4b1b263ba12c51538080335dabaef9e2b8259b4bf02af84a680552fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\_lzma.pyd

Filesize
155KB

MD5
66a9028efd1bb12047dafce391fd6198

SHA1
e0b61ce28ea940f1f0d5247d40abe61ae2b91293

SHA256
e44dea262a24df69fd9b50b08d09ae6f8b051137ce0834640c977091a6f9fca8

SHA512
3c2a4e2539933cbeb1d0b3c8ef14f0563675fd53b6ef487c7a5371dfe2ee1932255f91db598a61aaadacd8dc2fe2486a91f586542c52dfc054b22ad843831d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\_multiprocessing.pyd

Filesize
35KB

MD5
22d20bd3946419ecf0882315ae1f96de

SHA1
f3c07bef75fa372a6905e971ca8350d1e3e48058

SHA256
9da721822a592f8c4e9a96ebaa4517c45768d7737582e0e5b933066f453a2e5e

SHA512
a3bec1f99240b9e9d823405eecc1c511c46f11c7d844229a0dad7e23edb69df365874c184fe9b2637f12a94132e44acecc3a434810d0ff5c819f8207f1ddde9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\_queue.pyd

Filesize
34KB

MD5
955b197c38ea5bd537ce9c7cb2109802

SHA1
8feffcb11740ddafc4479fc008cc06c6b570a8bc

SHA256
73cade82ee139459fe5841e5631274fc9caf7f579418b613f278125435653539

SHA512
cab0d8d10fb3bff72d20b287901ccd9be685796142cd2e45e4712cd6f4551dec69180490c2fdfad262c6927a3c7f4fefe68187f64c066731fe17012f78a0ed69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\_socket.pyd

Filesize
82KB

MD5
abf998769f3cba685e90fa06e0ec8326

SHA1
daa66047cf22b6be608127f8824e59b30c9026bf

SHA256
62d0493ced6ca33e2fd8141649dd9889c23b2e9afc5fdf56edb4f888c88fb823

SHA512
08c6b3573c596a15accf4936533567415198a0daab5b6e9824b820fd1f078233bbc3791fde6971489e70155f7c33c1242b0b0a3a17fe2ec95b9fadae555ed483

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\_ssl.pyd

Filesize
178KB

MD5
cf541cc288ac0bec9b682a2e0011d1ff

SHA1
ef0dd009fdad14b3f6063619112dcdfafb17186d

SHA256
e94f0195363c5c9babfc4c17ec6fb1aa8bbabf59e377db66ce6a79c4c58bbd07

SHA512
f97e7fc644356bebe7e3deaa46b7de61118b13af99c9e91d0fbcbe3caea0c941265bcb28fee31a22fc3031c6428517c5202c1425654f3c2cd234979c9e3c04b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\_wmi.pyd

Filesize
39KB

MD5
c629ce084fc76ac60b7a77479cb2225c

SHA1
fe80955f217162ce9d4910202bbe30f7601d254a

SHA256
afad80f9e62a57814779cf3e48352b583c1a0697b11a23cc9db3f4e43f7f8664

SHA512
9863767981508f458c61553e5a50b6c5d70956676fee92e15b5ab08b1770ba0f640392fa12feddd6ab1eac5a418f3f8cd057c608e33653a2825ca36edded78b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\base_library.zip

Filesize
1.3MB

MD5
18c3f8bf07b4764d340df1d612d28fad

SHA1
fc0e09078527c13597c37dbea39551f72bbe9ae8

SHA256
6e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175

SHA512
135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\certifi\cacert.pem

Filesize
292KB

MD5
50ea156b773e8803f6c1fe712f746cba

SHA1
2c68212e96605210eddf740291862bdf59398aef

SHA256
94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

SHA512
01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\charset_normalizer\md.cp313-win_amd64.pyd

Filesize
10KB

MD5
56fe4f6c7e88212161f49e823ccc989a

SHA1
16d5cbc5f289ad90aeaa4ff7cb828627ac6d4acf

SHA256
002697227449b6d69026d149cfb220ac85d83b13056c8aa6b9dac3fd3b76caa4

SHA512
7c9d09cf9503f73e6f03d30e54dbb50606a86d09b37302dd72238880c000ae2b64c99027106ba340753691d67ec77b3c6e5004504269508f566bdb5e13615f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\charset_normalizer\md__mypyc.cp313-win_amd64.pyd

Filesize
122KB

MD5
10116447f9276f10664ba85a5614ba3a

SHA1
efd761a3e6d14e897d37afb0c7317c797f7ae1d6

SHA256
c393098e7803abf08ee8f7381ad7b0f8faffbf66319c05d72823308e898f8cfc

SHA512
c04461e52b7fe92d108cbdeb879b7a8553dd552d79c88dfa3f5d0036eed8d4b8c839c0bf2563bc0c796f8280ed2828ca84747cb781d2f26b44214fca2091eae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\pyexpat.pyd

Filesize
197KB

MD5
03493d1441671abe9339af942253dac3

SHA1
0d8800be2733bb56fb2909a6f9389c00eb00f612

SHA256
3a4830342ab562e41ab93b4bc2dc45fe0ab760815e7c3ec4a7fddc914ec99982

SHA512
1b092a9e2e9e64533e7436c239961cee4ffde0fa6fed4c6e0ca2a9f72fc72065d457968dc92e74f4e052cd2557f6d380a86046117b6a450306a16ac6e885a036

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\python3.dll

Filesize
70KB

MD5
ad2c4784c3240063eeaa646fd59be62c

SHA1
5efab563725781ab38a511e3f26e0406d5d46e8d

SHA256
c1de4bfe57dc4a5be8c72c865d617dc39dfd8162fcd2ce1fac9f401cf9efb504

SHA512
c964d4289206d099310bd5299f71a32c643311e0e8445e35ae3179772136d0ca9b75f5271eaf31efc75c055cd438799cef836ed87797589629b0e9f247424676

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\python313.dll

Filesize
5.8MB

MD5
3aad23292404a7038eb07ce5a6348256

SHA1
35cac5479699b28549ebe36c1d064bfb703f0857

SHA256
78b1dd211c0e66a0603df48da2c9b67a915ab3258701b9285d3faa255ed8dc25

SHA512
f5b6ef04e744d2c98c1ef9402d7a8ce5cda3b008837cf2c37a8b6d0cd1b188ca46585a40b2db7acf019f67e6ced59eff5bc86e1aaf48d3c3b62fecf37f3aec6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\select.pyd

Filesize
31KB

MD5
62fe3761d24b53d98cc9b0cbbd0feb7c

SHA1
317344c9edf2fcfa2b9bc248a18f6e6acedafffb

SHA256
81f124b01a85882e362a42e94a13c0eff2f4ccd72d461821dc5457a789554413

SHA512
a1d3da17937087af4e5980d908ed645d4ea1b5f3ebfab5c572417df064707cae1372b331c7096cc8e2e041db9315172806d3bc4bb425c6bb4d2fa55e00524881

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\unicodedata.pyd

Filesize
695KB

MD5
43b8b61debbc6dd93124a00ddd922d8c

SHA1
5dee63d250ac6233aac7e462eee65c5326224f01

SHA256
3f462ee6e7743a87e5791181936539642e3761c55de3de980a125f91fe21f123

SHA512
dd4791045cf887e6722feae4442c38e641f19ec994a8eaf7667e9df9ea84378d6d718caf3390f92443f6bbf39840c150121bb6fa896c4badd3f78f1ffe4de19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11042\zstandard\backend_c.cp313-win_amd64.pyd

Filesize
508KB

MD5
23266e25821ce9e162f050db8b81c6f9

SHA1
fd1049338e304d7688562991091d59c310999b23

SHA256
0b494d168a67f2eb2d75593714a4db65fe0f000b66388ab3c721a67515a2fefc

SHA512
e118531a6bf5354bf082d4ceaaf5247fea3305a9add399ecbbe08ab083d39ab760f3ca28a0dd2b4d5d8400f3e88ec3decd696e3987fb9f2264a5b8b16f66a61b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ksrveyrn.kp3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cheat.exe

Filesize
26.5MB

MD5
dcd3344e5bdca9492706ed74cbf8b233

SHA1
ed0ad8d0e65d27d34644b75fbd73b7ee8a825bc6

SHA256
75243dbdd7668c07417eb463d1b4f24d8ff4781b6d5aa0522afb2509b920cf9c

SHA512
9d31001b90e2610a74aa66b7d9a383094b3d904ad105b50c55be3aa46ef8be2f2a45a082e990a905b8673e4bcf320b4f078a53fe1435bd96e08df0bc9e09bca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\2429aa5ff888f44983a422afb67ca897.png

Filesize
175KB

MD5
205b5add8538195f6bcaba8a85e07160

SHA1
2d8544012f2abbcdcaa4d9b48ba0c8aec932316e

SHA256
10c1b10ef9570b4b4b7bb10a46b0416ebfce773c67c2349651b76f8543bbd03d

SHA512
427297f6cacfb0a829d198647c18aad082e28ec89870692d5efd6d0c3114ae3327b1ec7749d388c619a179a2557474da99ec6a660083e520b7d117cc453ad85c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\4f18f98323f2bfcb3d780bfd15984957.png

Filesize
296KB

MD5
cdf0f44b9be2be8d98d19d338c0a5b11

SHA1
4008a2006a775605caf245410cf9c346667e024c

SHA256
5b300cc2a308d9f5640d8ac7643d5a5dbbcb025e02f305402cbdc015d2a49781

SHA512
f56ec411ad4f6b6c547f99ccf4b12fdce8207649c48faa7ab37fc9aaa2a5092aa8b093c229467bd09c58c1cc3077c8a0bfb108e3c8eafed2dbbff0a40a1666fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\6b33174148264dc750390ac448debd44.png

Filesize
381KB

MD5
faa264ef80599430df4773babbc75cba

SHA1
f4e08ab89fb9364efa3c305584985e4a03c58019

SHA256
fc3f79c76e1051f2305cbdd78bdbccf6bb78144f74146604741de01a35feed05

SHA512
f063bcf41dd1ecf442f5412fd2fe282432bf17437972abc19e5d9bb52f496b425809f3bc1e143dc9a719c3c0b59b6ebbe23eec176fc93d8e7f588e75610019d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\7e9954eeb2fb6ee1bd36286b32a02ef8.png

Filesize
283KB

MD5
78f4e28a3cf5170ed6d78f3943d98ac3

SHA1
24d2f2d73c715d978b7f656dcf982d30df53afb3

SHA256
bc7e7a2c7842c6aaa6531f84b91edfcc26a38aab1173c69e8b7ca2a5eb2b1ff9

SHA512
53b73968757138f98b0c7378fb0cbbf74bc7e870ee7cab867eb4965abfcf5f4d3aa7a68d6bc6c12d7c991f9f3513493d13ab72556a9d3cf77e80bbdddcf047d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\b4a8832fa9c87f1884eea3f0e9decd2a.png

Filesize
145KB

MD5
bd75930472ba1efac6323e4bc13e3a7f

SHA1
3600f2fd293cd705bf7cc0ebc0fa48f759a01bd5

SHA256
c7ee23cc6b532e73738744abb8833e625a34b1caac9229fa9a99a5ed940f8592

SHA512
bcee871df3061ec44bed1d9da86e43b02a9c69a8238df72e21b06bdd464d4f6b7214355ffc43505590d7840acc751d50452e45a6018bc4657413aef687826701

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\c09521ba779c159b61c312273ef94380.png

Filesize
193KB

MD5
1be4d35bb03410dc5814a391fb39093a

SHA1
364ba729f6a17b7196efe354c7f9ecfa70db81d4

SHA256
4282e98f7e8ba8d9f133f4c7d5d1f730263c565cdc4270e00ea9dc637761e584

SHA512
69adb08c57d0ffe2320a7c78d8dd3b7e18ef5aa7df7351b339f4fcebcd2f435070a32fc44f7de4668defb435d5107cdbc7d43fc8a9183dbc6a99e2b065557f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\e21b5715e2f4f1a02945a861bf94b9b8.png

Filesize
280KB

MD5
7850120a910edbcfd5362ecfab76fc2e

SHA1
f0945e15a27732b6b917b09300cc6b3267d017ff

SHA256
83afab61dd1e26c7bedcae74fc7128744579d2bfcd576ddee3d42fa0d72987d6

SHA512
78adc040c6e9b2bc2c202ab2e4dc4b9223e7df9e3a1bbcfbc97a227cf4c5b0ba42cbb8b65a1d4e8d497edeede09a1e6d3f57d314a4b4d9da9a1d3cccd396ef5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\chrome_cache.exe

Filesize
207KB

MD5
74975c4459f68e1fc1b26a71754729bf

SHA1
f70914b2adcf9bd2cc8b1e5f3f50d11d6e6dc801

SHA256
30f365796bbe5ddcd8f1a290d2d50d5db39c53b26d2180033a07b58789eca229

SHA512
7b3fab026aa5a30c838dc99a07426e437cf7a0390bc66954a02a5a430c7dddc56790132e07931800847d32f0d509627cb91f53a1d3dfef1a389b9a505112d0d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\AlternateServices.bin

Filesize
7KB

MD5
282d44dc0b1ed553f93e8def60381bd2

SHA1
0be348a301abc6baddac2c83dc4788d0d464dda0

SHA256
f90999eeb1298537165dd82b3a75c67b8564af9b3a1b090c3d1f379199b524cd

SHA512
9b86302d9ca8973dfb6b3076751ec185d1758e4db05a67e512c183b2efcc7a6829d3c57e7631e4115c7e7d3dd05dae17cd066bb8839b12357d6074cac3017a40

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\AlternateServices.bin

Filesize
18KB

MD5
b463caa22d84c78101e7a9d7f5ec6512

SHA1
37180e93ef92327831d72edb5b247bf9220bb037

SHA256
6b22a176c845c773019d2a58452f27f97ce9b5887483e49f4f15294984063b5f

SHA512
c1f0b7e7711c325c55d6ddc2d494924097845d5cbdabcd0b400bcbb836cde02e0b6a8feeb67a18435cb2c577f3eb26a961206d6d5bed462542d396cc07b2befa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
7dba158dd5e6758e731a7c8c3e6c5305

SHA1
572fa833a82093e8dd1a281e9805d131a3440409

SHA256
0933a0bd70c2e7705507f036d24021a0444950c94b9511ccb5261aed7b9aaa3d

SHA512
f5bbce8d05c1b92c5baed061e87c3c82c1be4f52ea942c6bc810c0e84640c0f37dd32e8bbeff90706dd6a017d806e0ff528190bfde3af025bc76aa88098b146a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
9411fcfed31b86cffc4b2d493cf44d5a

SHA1
40e0bc57b05526b2e83dea349f37b427bb3690bd

SHA256
eae25e1839b8c62907d88ae737d68cea8ec8ece7089b4d378373c1c79ef6ff65

SHA512
679e66f5007b823f1783b0c8f71957e06d51576e1cbc749632c192711cfa8c9c71521f450d68bedc9129b7bdb7d8fc0a9c1d84f46fa927676cc524df67f5d44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\pending_pings\2a2f4be6-98ab-450d-999e-5f27b92faf03

Filesize
982B

MD5
8e1a76e4da2850a5f93c8172f8e8eae6

SHA1
43de933953d5722b73b37a173576c6da08eb8173

SHA256
697750fde450f1b991d9f884d3a8c33b60797fb50167f82abdce38a422341ee4

SHA512
4af61914b7f1228d4dc3a2839299877ab1cbc8cb1be224e44f2b6aa5363cd57d95285409bbb6fa3f64cdca4515c120f3ece5613178cb11e1a3823542f4ccf5d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\pending_pings\5c397b9d-8e32-45bb-adb6-f5483891d080

Filesize
28KB

MD5
3321f0bc95c11c90b27ca343cfb17ce9

SHA1
a152d2b9d604b9e8fb87e05ceaa353751052af0c

SHA256
f1a68b6718b8f17a8587d3f265e8ad5fb5881ea4b62136c366679f76e1517392

SHA512
4b54f966b586597dbc77f126de6a6a3eb6373a7aae3eb9e2c2167f03c5c5b8797370ccf8bed2d8637acb118581aa3f159252d236a09937942e0aa9fb6029933a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\pending_pings\ec71f46f-83b4-442e-9432-2c65fb80a194

Filesize
671B

MD5
5df6181a6708e15812b8251400f0f133

SHA1
3a713f7bdaed243bce9f7692046879faccc06a3f

SHA256
4b47c988c00aa494700cf6c19c9824dd11c9b9888ceacc77c18b249eb2886913

SHA512
5bfb4965e29fb2deaee6d8f3d2b2af485ddb8c622e7defc9db50c02bfdc75f8992622f4199e08df08c6564a47ed4aa9d3282c36556948490f5923601771268d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\prefs-1.js

Filesize
11KB

MD5
672e4ccfe9284e5084efe25bb19de092

SHA1
5c440eaa59c7c1155f8aebf8b672ac69a25fbe5a

SHA256
f0f69642203a4c6e23f37f79c01c962689cc961d930dc5905ea6bb650c7d60d6

SHA512
67e0287fc50bf6cdacc71b243b2b5a41beb41073e59439ac69547e69d9e7846ec9bb337221883e4fb23f364fe937b97adb5d2f3c088be1b8b6879e6ab96b0286

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\prefs-1.js

Filesize
10KB

MD5
b2e762132a0eae4605f748e57da9332b

SHA1
3464f8b49db9514c2996ca77e32bcf80b444b0b8

SHA256
48cc236bd03a0d3b88329e541e5a6fc63f5c125a66e59e65e3ed795931ed97d4

SHA512
7cf90515f12483c4daf384251e7190466fe53fa6536615781a007cebd2f53d09abfae7448e366b537c4ca92d8a340eaff64243e026cf2abec9709076bdc15687

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\prefs-1.js

Filesize
9KB

MD5
ea01ef0eb9683db49bd2a2f6e4c8e76e

SHA1
1bbbd26b2d5cabcbaa2c1442db2538b554ab28b2

SHA256
010054b189f1c5e2b34ac8985226ee755787d136e25e4b9fb325be1cc9474fbe

SHA512
a89b84460bf67ade8a9634051c3ee56d9367f055c156a253125ce0bf798cda9e1c34318a63adfd671a48754a16a9f9c0963af6eb45575e244f77a7b786c49f50

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\prefs.js

Filesize
9KB

MD5
928b830d023b6a82ec98521490e459c9

SHA1
b1671e22a7d1a59fca8be33d2c5bc7830bdaf3e8

SHA256
75b986a778fb6ff60ab5665292d14b1e4a95402fba1ff07731e819579fdcea87

SHA512
6a63331f347e0e857d89c174552d5079d1bd3b29e4729440a76c0fa26b9050f3ae5b3d89493a57ad8302f3ce0ca380ca89a379437a2e47203d5253e916b2d961

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
fdd19cbd741cceb54c587b2897805e3b

SHA1
b3ebb453d745095e797a71eea70e3339be9ba0c0

SHA256
9dabb8c3843a58b461ce974ede0685e9700e43b6bb09ce78b27abb2ea8327277

SHA512
72aeb26eda2558e603641a7e7e371b1eaa8c436ac2a5e0b9b783a4b8816c84da2f982974115cf5be4268d9438e1521c30396a55180c3ef581adcb294bb26132a

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\games\0.svg

Filesize
1KB

MD5
3c82bc5493a92aebc9064551ea8d38ac

SHA1
b1019e3fe4397f7215ed8af2c0914159e986fbb2

SHA256
6046c1e9b8fc8cada4c4e063b031e164163e7c5723afd8c37d7df6c3054e1e7c

SHA512
126c5773e2192629eee40a611997f01c14bf598215d6ed33488b9d934ac41acfa83b99d7f373e0726a459dfee950011a0c24f97fbc600f5f96dfbb16ac7d9bb9

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\games\game_icons.zip

Filesize
132KB

MD5
0749e05994fe118d3df080f47a775a48

SHA1
c83a3e521866854a9c97c26e1f9f2bb4a0a5e351

SHA256
24d6d4e5f2f4d6a74b47b24901b77443ec528d0c218af82c0067028a92088945

SHA512
75577a0ffef5d60c4b5843b95271c8c24cee58f01db66a107342ea13ac1dbc29b1697c9774547db16a6cc8904c56cce1082c88a0472254b6f93e415103f77c31

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\shared_preferences.json

Filesize
269B

MD5
fff6a77a0862316bcc72a1bc30e9daa1

SHA1
def527e4f45f483d87f6e76980cbdf86a2caa5b9

SHA256
70e173d997c4d8d315f9152a96ffa38617d494d3013bb48c068a2bdf96fe375c

SHA512
48a8b49d421790888425a366ada88efc9dcb7f2220a24f47925ab7d1a16017bc0a13fbd421d97e22cd6ed1d65effc86629aeb34184fbb6c95645547b3c502910

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\shared_preferences.json

Filesize
371B

MD5
aebd38ce3089903e77ef7c63c9d8a50a

SHA1
b7076b57247ffe9cf088b0340570050892a3568b

SHA256
8845895d562390bbf5dea43f6d210ba5c136e02461ba5eda76326514878f634b

SHA512
9e88ca815944b4edbc8d0075b4931742a5fb1ecca3988f114e314bf61573fb5d3f258d02d1de9fb19cd2fa326ec2f66c8664b13ca67ad4263192541acb7e2ede

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\shared_preferences.json

Filesize
813B

MD5
00dc83df3496227a31d94860e61dc609

SHA1
cfd2138a18600f89bc7c696c26c5f8db7ca42b74

SHA256
03c7c7331f29b9f32f4f58924a016c0bf2fdceefafc3990df9eddfe015926108

SHA512
5f236d1357d90a0a760846b6a65c287b26b88f4716962aa22ce8dce6569e5b96e71a2b141be4e550fb7f8faacbfac8b5025449139c3b906c7162b5df0265182b

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\shared_preferences.json

Filesize
1KB

MD5
62b97d4037ece9145b7ace77a81583e4

SHA1
8595a66bd081130cd7f3fd63bc118d8f5edf3339

SHA256
73781bb7962bf8d08c730ce44145a2b5504550d954b1059cbf91006c488528ff

SHA512
c504989c33c97108e3a25dee5bbda0597033dd75f3ddf80c035ed05dfbe5a2ed274711b11d185273adb4272545bbd6faaf9ed4ac7f592c1475463ecb92fbd201

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader_Installer\shared_preferences.json

Filesize
229B

MD5
3c18d8d54e167feb99d2388da0c5e7ce

SHA1
2180a2acb552b9767e1dac54bfea080eb8153eed

SHA256
1d1e81c28a1f630d0c7ab7e82cb441bc172b8b62bce0cf683d5af755793e4dd3

SHA512
e459447fb9ef02f204942ac98429aa84bd6ee61ded252d5234956edaf55b956e4703133d5a2a05b408cacc99abd01f0c9afc512b35ab5e7e24c3f166518f327b

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader_Installer\shared_preferences.json

Filesize
371B

MD5
211f3b7a9f8f6b0e03d94a0afe8795d1

SHA1
8c6e0da9c3f09c5dccec62cea5ab447102ed8016

SHA256
2a03c4960457b7e2ba6a6d06a639a09c9fa60666db67ce4215f41fc1435eecab

SHA512
35b178a15b4bf005704a9cf836c03eedec093948588450e91397c29170955d3a268ee0975f77ad1416430399b9d80792b4df6e8a51c30c63f62f3b257153e00f

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader_Installer\shared_preferences.json

Filesize
3KB

MD5
1474021a8b65c8a6ce30fb142e5470ea

SHA1
4d5db326e3633f7e81621d278ee68a8ca3a698ed

SHA256
f7a0f0acd15e0a3f161b4cf4cb101cc1524defbe7bfb3830a5fa6ed6b1dd9da2

SHA512
d7c2db42210a777de0c54e18ecb3024b46aa5aa199bb0d80fffa278a00cf0661de95b5de5fa988a08bc10e41833ff471ba1488ebd3f518997d6d262a4ec0723d

Download Submit
memory/824-625-0x00007FFF01190000-0x00007FFF01C51000-memory.dmp

Filesize
10.8MB

Download
memory/824-662-0x0000000001420000-0x000000000142E000-memory.dmp

Filesize
56KB

Download
memory/824-627-0x00007FFF01190000-0x00007FFF01C51000-memory.dmp

Filesize
10.8MB

Download
memory/824-626-0x00007FFF01193000-0x00007FFF01195000-memory.dmp

Filesize
8KB

Download
memory/824-553-0x0000000000720000-0x000000000075A000-memory.dmp

Filesize
232KB

Download
memory/824-552-0x00007FFF01193000-0x00007FFF01195000-memory.dmp

Filesize
8KB

Download
memory/2976-2052-0x00007FFEE5830000-0x00007FFEE7938000-memory.dmp

Filesize
33.0MB

Download
memory/5408-1422-0x000001F455E50000-0x000001F455E51000-memory.dmp

Filesize
4KB

Download
memory/5408-1419-0x000001F455FE0000-0x000001F456DC5000-memory.dmp

Filesize
13.9MB

Download
memory/5408-1416-0x000001F455E40000-0x000001F455E41000-memory.dmp

Filesize
4KB

Download
memory/5408-1420-0x000001F455FE0000-0x000001F456DC5000-memory.dmp

Filesize
13.9MB

Download
memory/5408-1421-0x000001F455FE0000-0x000001F456DC5000-memory.dmp

Filesize
13.9MB

Download
memory/5900-1770-0x0000022AB7E90000-0x0000022AB8CF1000-memory.dmp

Filesize
14.4MB

Download
memory/5900-1845-0x00007FFEE5830000-0x00007FFEE7938000-memory.dmp

Filesize
33.0MB

Download
memory/5900-1771-0x0000022AB8D00000-0x0000022AB8D01000-memory.dmp

Filesize
4KB

Download
memory/5900-1769-0x0000022AB7E90000-0x0000022AB8CF1000-memory.dmp

Filesize
14.4MB

Download
memory/5900-1768-0x0000022AB7E90000-0x0000022AB8CF1000-memory.dmp

Filesize
14.4MB

Download
memory/5900-1767-0x0000022AB7E80000-0x0000022AB7E81000-memory.dmp

Filesize
4KB

Download
memory/5900-1888-0x00007FFEE5830000-0x00007FFEE7938000-memory.dmp

Filesize
33.0MB

Download
memory/6088-581-0x000002BFE7190000-0x000002BFE73AC000-memory.dmp

Filesize
2.1MB

Download
memory/6088-569-0x000002BFE7140000-0x000002BFE7162000-memory.dmp

Filesize
136KB

Download