75243dbdd7668c07417eb463d1b4f24d8ff4781b6d5aa0522afb2509b920cf9c

Analysis

max time kernel
219s
max time network
215s
platform
windows11-21h2_x64
resource
win11-20250314-de
resource tags

arch:x64arch:x86image:win11-20250314-delocale:de-deos:windows11-21h2-x64systemwindows
submitted
30/03/2025, 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExLoader_Installer.exe
Size

26.5MB
MD5

dcd3344e5bdca9492706ed74cbf8b233
SHA1

ed0ad8d0e65d27d34644b75fbd73b7ee8a825bc6
SHA256

75243dbdd7668c07417eb463d1b4f24d8ff4781b6d5aa0522afb2509b920cf9c
SHA512

9d31001b90e2610a74aa66b7d9a383094b3d904ad105b50c55be3aa46ef8be2f2a45a082e990a905b8673e4bcf320b4f078a53fe1435bd96e08df0bc9e09bca4
SSDEEP

786432:+HzGgvrck3YGUanu5iNGMl6ZRFh2p8zaep7EYZJysWUt35IrLL:+TbX3YGUYuENMHFg6zPfZJysNtJI7

Score

7^/10

discovery execution persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 16 IoCs

pid	Process
3392	ExLoader_Installer.exe
3464	ExLoader.exe
2864	OperaSetup.exe
1652	setup.exe
1404	setup.exe
3704	setup.exe
5816	setup.exe
1212	setup.exe
4100	hwidsoonsingleplayerfaced.exe
2328	Assistant_117.0.5408.35_Setup.exe_sfx.exe
4816	assistant_installer.exe
612	assistant_installer.exe
5172	dxwebsetup.exe
2684	dxwsetup.exe
2900	dxwebsetup.exe
3340	dxwsetup.exe

Loads dropped DLL 42 IoCs

pid	Process
3392	ExLoader_Installer.exe
3392	ExLoader_Installer.exe
3392	ExLoader_Installer.exe
3392	ExLoader_Installer.exe
3392	ExLoader_Installer.exe
3464	ExLoader.exe
3464	ExLoader.exe
3464	ExLoader.exe
3464	ExLoader.exe
3464	ExLoader.exe
3464	ExLoader.exe
3464	ExLoader.exe
3464	ExLoader.exe
3464	ExLoader.exe
3464	ExLoader.exe
3464	ExLoader.exe
3464	ExLoader.exe
3464	ExLoader.exe
3464	ExLoader.exe
1652	setup.exe
1404	setup.exe
3704	setup.exe
5816	setup.exe
1212	setup.exe
4100	hwidsoonsingleplayerfaced.exe
4100	hwidsoonsingleplayerfaced.exe
4100	hwidsoonsingleplayerfaced.exe
4100	hwidsoonsingleplayerfaced.exe
4100	hwidsoonsingleplayerfaced.exe
4100	hwidsoonsingleplayerfaced.exe
4100	hwidsoonsingleplayerfaced.exe
4100	hwidsoonsingleplayerfaced.exe
4100	hwidsoonsingleplayerfaced.exe
4100	hwidsoonsingleplayerfaced.exe
4100	hwidsoonsingleplayerfaced.exe
4100	hwidsoonsingleplayerfaced.exe
4100	hwidsoonsingleplayerfaced.exe
4100	hwidsoonsingleplayerfaced.exe
4816	assistant_installer.exe
4816	assistant_installer.exe
612	assistant_installer.exe
612	assistant_installer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dxwebsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dxwebsetup.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4008	powershell.exe
3144	powershell.exe
1616	powershell.exe

Enumerates connected drives 3 TTPs 50 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\A:	dxwsetup.exe
File opened (read-only)	\??\K:	dxwsetup.exe
File opened (read-only)	\??\P:	dxwsetup.exe
File opened (read-only)	\??\S:	dxwsetup.exe
File opened (read-only)	\??\W:	dxwsetup.exe
File opened (read-only)	\??\G:	dxwsetup.exe
File opened (read-only)	\??\J:	dxwsetup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\H:	dxwsetup.exe
File opened (read-only)	\??\L:	dxwsetup.exe
File opened (read-only)	\??\N:	dxwsetup.exe
File opened (read-only)	\??\S:	dxwsetup.exe
File opened (read-only)	\??\V:	dxwsetup.exe
File opened (read-only)	\??\Y:	dxwsetup.exe
File opened (read-only)	\??\Z:	dxwsetup.exe
File opened (read-only)	\??\H:	dxwsetup.exe
File opened (read-only)	\??\T:	dxwsetup.exe
File opened (read-only)	\??\U:	dxwsetup.exe
File opened (read-only)	\??\Y:	dxwsetup.exe
File opened (read-only)	\??\K:	dxwsetup.exe
File opened (read-only)	\??\R:	dxwsetup.exe
File opened (read-only)	\??\O:	dxwsetup.exe
File opened (read-only)	\??\X:	dxwsetup.exe
File opened (read-only)	\??\L:	dxwsetup.exe
File opened (read-only)	\??\M:	dxwsetup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\E:	dxwsetup.exe
File opened (read-only)	\??\J:	dxwsetup.exe
File opened (read-only)	\??\B:	dxwsetup.exe
File opened (read-only)	\??\E:	dxwsetup.exe
File opened (read-only)	\??\M:	dxwsetup.exe
File opened (read-only)	\??\O:	dxwsetup.exe
File opened (read-only)	\??\Q:	dxwsetup.exe
File opened (read-only)	\??\X:	dxwsetup.exe
File opened (read-only)	\??\I:	dxwsetup.exe
File opened (read-only)	\??\Q:	dxwsetup.exe
File opened (read-only)	\??\R:	dxwsetup.exe
File opened (read-only)	\??\Z:	dxwsetup.exe
File opened (read-only)	\??\I:	dxwsetup.exe
File opened (read-only)	\??\P:	dxwsetup.exe
File opened (read-only)	\??\U:	dxwsetup.exe
File opened (read-only)	\??\N:	dxwsetup.exe
File opened (read-only)	\??\A:	dxwsetup.exe
File opened (read-only)	\??\T:	dxwsetup.exe
File opened (read-only)	\??\W:	dxwsetup.exe
File opened (read-only)	\??\V:	dxwsetup.exe
File opened (read-only)	\??\B:	dxwsetup.exe
File opened (read-only)	\??\G:	dxwsetup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
6	raw.githubusercontent.com
23	raw.githubusercontent.com

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	api.ipify.org
35	ipapi.co
5	ipapi.co
6	ipapi.co
7	api.ipify.org
8	api.ipify.org

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\directx\websetup\SET4E74.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SET4F8E.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup32.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SET9BA.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SETB13.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup\filelist.dat	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup.dll	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\dxupdate.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SET9BA.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SET4E74.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SET4F8E.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup\filelist.dat	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SETB13.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup32.dll	dxwsetup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\preview.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-crt-multibyte-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\FontManifest.json	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\description-blank.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\star-border.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\star-filled.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-crt-locale-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\vccorlib140.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\Fallguys_v1.jpg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\collapse.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\favourite-add.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\key.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\settings.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\stars.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\windows.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\images\fabric_second.png	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\users.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-core-debug-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-core-file-l1-2-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\flutter_windows.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\Halloween.jpg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\compressed_logos\food.ico	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-core-interlocked-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-eventing-provider-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\answer.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\pencil.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-crt-time-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\media_kit_libs_windows_video_plugin.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\moon.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\images\fabric_first.png	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\images\grain.png	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\images\mascot.png	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\sort.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\fonts\NoirPro-Regular.otf	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\advanced.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\puffer-fish.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\zlib.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\CatsDay.jpg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\IceCreamDay.jpg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\cancel.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\selected-viewbox.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-core-file-l2-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-crt-process-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\FishingDay.jpg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\optical.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\ucrtbase.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\checkmark.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\resume.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\shrimp.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\msvcp140_codecvt_ids.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\download-sharp.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\trash-can.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\d3dcompiler_47.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\packages\wakelock_plus\assets\no_sleep.js	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\fonts\NoirPro-Bold.otf	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\error-circle.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\keyboard-properties.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\images\cloud.png	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\icudtl.dat	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\api-ms-win-crt-heap-l1-1-0.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\media_kit\vcruntime140_1d.dll	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\audio\Standard_press.wav	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\admin-panel.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\arrow-left.svg	ExLoader_Installer.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Logs\DirectX.log	dxwsetup.exe
File opened for modification	C:\Windows\Logs\DXError.log	dxwsetup.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\security\logs\scecomp.log	dxwsetup.exe
File opened for modification	C:\Windows\Logs\DirectX.log	dxwsetup.exe
File opened for modification	C:\Windows\Logs\DXError.log	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS595BA9.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\security\logs\scecomp.log	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS595BA9.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS595BA9.tmp	dxwsetup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxwsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Assistant_117.0.5408.35_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxwebsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxwebsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxwsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
1184	taskkill.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133878000421328225"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "177"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3392	ExLoader_Installer.exe
3392	ExLoader_Installer.exe
4008	powershell.exe
4008	powershell.exe
400	chrome.exe
400	chrome.exe
3464	ExLoader.exe
4100	hwidsoonsingleplayerfaced.exe
4100	hwidsoonsingleplayerfaced.exe
4100	hwidsoonsingleplayerfaced.exe
4100	hwidsoonsingleplayerfaced.exe
4100	hwidsoonsingleplayerfaced.exe
4100	hwidsoonsingleplayerfaced.exe
3144	powershell.exe
3144	powershell.exe
3144	powershell.exe
1616	powershell.exe
1616	powershell.exe
1616	powershell.exe
4100	hwidsoonsingleplayerfaced.exe
4100	hwidsoonsingleplayerfaced.exe
4100	hwidsoonsingleplayerfaced.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
3836	Process not Found
2924	Process not Found
644	Process not Found
2412	Process not Found
3380	Process not Found
4896	Process not Found
4904	Process not Found
5076	Process not Found
1216	Process not Found
5372	Process not Found
4584	Process not Found
6072	Process not Found
2400	Process not Found
1084	Process not Found
1116	Process not Found
4624	Process not Found
5596	Process not Found
4272	Process not Found
1908	Process not Found
5708	Process not Found
5948	Process not Found
764	Process not Found
4644	Process not Found
2772	Process not Found
5628	Process not Found
5456	Process not Found
4936	Process not Found
4924	Process not Found
5484	Process not Found
5184	Process not Found
1668	Process not Found
3104	Process not Found
5692	Process not Found
3192	Process not Found
4524	Process not Found
5316	Process not Found
200	Process not Found
3596	Process not Found
4116	Process not Found
4872	Process not Found
5700	Process not Found
2180	Process not Found
5024	Process not Found
4404	Process not Found
5196	Process not Found
5632	Process not Found
4456	Process not Found
4868	Process not Found
5580	Process not Found
4888	Process not Found
3112	Process not Found
5516	Process not Found
3556	Process not Found
1144	Process not Found
6036	Process not Found
4228	Process not Found
4388	Process not Found
5844	Process not Found
3252	Process not Found
5676	Process not Found
5740	Process not Found
2596	Process not Found
4328	Process not Found
792	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	1616	powershell.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3392	ExLoader_Installer.exe
3392	ExLoader_Installer.exe
3464	ExLoader.exe
3464	ExLoader.exe
4100	hwidsoonsingleplayerfaced.exe
4100	hwidsoonsingleplayerfaced.exe
5812	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5808 wrote to memory of 3392	5808	ExLoader_Installer.exe	78
PID 5808 wrote to memory of 3392	5808	ExLoader_Installer.exe	78
PID 3392 wrote to memory of 4008	3392	ExLoader_Installer.exe	80
PID 3392 wrote to memory of 4008	3392	ExLoader_Installer.exe	80
PID 400 wrote to memory of 2536	400	chrome.exe	97
PID 400 wrote to memory of 2536	400	chrome.exe	97
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 4328	400	chrome.exe	99
PID 400 wrote to memory of 4328	400	chrome.exe	99
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 5076	400	chrome.exe	98
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100
PID 400 wrote to memory of 1528	400	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5808
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command "$WshShell = New-Object -comObject WScript.Shell $Shortcut = $WshShell.CreateShortcut(\"c:\users\admin\desktop\ExLoader.lnk\") $Shortcut.TargetPath = \"C:\Program Files\ExLoader\ExLoader.exe\" $Shortcut.Save()"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4008
- - C:\Program Files\ExLoader\ExLoader.exe
    "C:\Program Files\ExLoader\ExLoader.exe" -deletePreviousExLoader
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3464
  - - C:\Program Files\ExLoader\hwidsoonsingleplayerfaced.exe
      "C:\Program Files\ExLoader\hwidsoonsingleplayerfaced.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4100
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command (gwmi Win32_BaseBoard)
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3144
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /C C:\Windows\System32\taskkill.exe /f /im cs2.exe
        5⤵
        
        PID:5992
      - C:\Windows\System32\taskkill.exe
        
        C:\Windows\System32\taskkill.exe /f /im cs2.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /C C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\tools\dxwebsetup.exe /Q
        5⤵
        
        PID:5308
      - C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\tools\dxwebsetup.exe
        
        C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\tools\dxwebsetup.exe /Q
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe /windowsupdate
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2684
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\tools\dxwebsetup.exe /Q
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
      - C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\tools\dxwebsetup.exe
        
        "C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\tools\dxwebsetup.exe" /Q
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe /windowsupdate
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3340
- - C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
    C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\7zS03B8F118\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS03B8F118\setup.exe --silent --allusers=0 --server-tracking-blob=MDk0YWFiMDliMWRkZjdiZWE5OTNkYjZmNzU1Yzk5ZWQyZTgzNDMxN2Q0NGFkMWY0NjRjNGMyNDBmZjg5YTMwNDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGU/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1PRlQmdXRtX2NhbXBhaWduPU5FV19fMTgyMjZhIiwidGltZXN0YW1wIjoiMTc0MzMyNjQ0OS4xMzcyIiwidXNlcmFnZW50IjoiRGFydC8zLjUgKGRhcnQ6aW8pIiwidXRtIjp7ImNhbXBhaWduIjoiTkVXX18xODIyNmEiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJPRlQifSwidXVpZCI6ImY2YzMxYmQxLTA5MTYtNDVkNC1iNzkxLTc2MWM1NDUzNjdjOCJ9
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      PID:1652
    - - C:\Users\Admin\AppData\Local\Temp\7zS03B8F118\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS03B8F118\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=117.0.5408.163 --initial-client-data=0x338,0x33c,0x340,0x310,0x344,0x7447c234,0x7447c240,0x7447c24c
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1404
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3704
    - - C:\Users\Admin\AppData\Local\Temp\7zS03B8F118\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS03B8F118\setup.exe" --backend --install --import-browser-data=0 --enable-crash-reporting=1 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=de --singleprofile=0 --copyonly=0 --allusers=0 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1652 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20250330092050" --session-guid=6b75e434-0a58-4072-84e2-ca876fb139d4 --server-tracking-blob="MDJmY2FjNmE2ZjdkYmU5NzI0YWM5MzU4MDFjZjJkN2YzYmRlYmJjYThlNzIyMzNjZTAzNWI1NGIwNWZhNjliYTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGU/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1PRlQmdXRtX2NhbXBhaWduPU5FV19fMTgyMjZhIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTEiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzQzMzI2NDQ5LjEzNzIiLCJ1c2VyYWdlbnQiOiJEYXJ0LzMuNSAoZGFydDppbykiLCJ1dG0iOnsiY2FtcGFpZ24iOiJORVdfXzE4MjI2YSIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Ik9GVCJ9LCJ1dWlkIjoiZjZjMzFiZDEtMDkxNi00NWQ0LWI3OTEtNzYxYzU0NTM2N2M4In0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0C06000000000000
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:5816
      - C:\Users\Admin\AppData\Local\Temp\7zS03B8F118\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS03B8F118\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=117.0.5408.163 --initial-client-data=0x344,0x348,0x34c,0x314,0x350,0x7262c234,0x7262c240,0x7262c24c
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1212
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202503300920501\assistant\Assistant_117.0.5408.35_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202503300920501\assistant\Assistant_117.0.5408.35_Setup.exe_sfx.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2328
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202503300920501\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202503300920501\assistant\assistant_installer.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4816
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202503300920501\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202503300920501\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=117.0.5408.35 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0xa53d24,0xa53d30,0xa53d3c
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2588

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:612

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc235dcf8,0x7fffc235dd04,0x7fffc235dd10
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2020,i,15879109440345764949,9935964972059676710,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2016 /prefetch:2
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=de --service-sandbox-type=none --string-annotations --field-trial-handle=1484,i,15879109440345764949,9935964972059676710,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2144 /prefetch:11
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=de --service-sandbox-type=service --string-annotations --field-trial-handle=2376,i,15879109440345764949,9935964972059676710,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2416 /prefetch:13
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=de --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3248,i,15879109440345764949,9935964972059676710,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=de --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3276,i,15879109440345764949,9935964972059676710,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=de --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4216,i,15879109440345764949,9935964972059676710,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4232 /prefetch:9
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=de --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4716,i,15879109440345764949,9935964972059676710,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=de --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4852,i,15879109440345764949,9935964972059676710,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3852 /prefetch:14
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=de --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5020,i,15879109440345764949,9935964972059676710,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5032 /prefetch:14
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=de --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5264,i,15879109440345764949,9935964972059676710,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5256 /prefetch:14
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=de --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5500,i,15879109440345764949,9935964972059676710,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5516 /prefetch:14
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=de --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5276,i,15879109440345764949,9935964972059676710,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5404 /prefetch:14
  2⤵
  PID:704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=de --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5504,i,15879109440345764949,9935964972059676710,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5576 /prefetch:14
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=de --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5396,i,15879109440345764949,9935964972059676710,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5820 /prefetch:14
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=de --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5372,i,15879109440345764949,9935964972059676710,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5512 /prefetch:14
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=de --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5300,i,15879109440345764949,9935964972059676710,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:1116

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5900

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc WATCHDOG WATCHDOG-20250330-0921.dmp
1⤵
PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
PID:2256
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
PID:6012
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:4904

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5208

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d4855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ExLoader\ExLoader.exe

Filesize
374KB

MD5
0ec1cd018e7368ebe246fff56b1955df

SHA1
a594d6fe7478ec8c444e110644905311497a1f9b

SHA256
dbe7d8c48816843a4dce4f67c6d4fe79b2f2d8cf7c30576bdba4628d1875ca46

SHA512
0d26696c5c585d320fe03ccc119e00d9630178dd1a02559d264d17de696e80e2da436782965145be208d16b5ff5ece14030aab61b53b9fdb05a874bbe61c36ee

Download Submit
C:\Program Files\ExLoader\ExLoader.zip

Filesize
45.4MB

MD5
aac135f19ae9d61bc4b6abba665f5cef

SHA1
e136f4ea23cb8ae748f6b3e86e42daf7ec84e9e5

SHA256
c74bc8f65aa6b97b04ba0e60833a67752ec5a0fa46bb4df19868f02e5a06d94d

SHA512
5d4f9f0f155c4640d40c570081ed12d3d770e6b69f4a879ba8c5bdf1ea4b291f685ce72b10d41ea82dff1d68a86765a30cd5b90ea7d4a690e97044fc7e8721d0

Download Submit
C:\Program Files\ExLoader\data\app.so

Filesize
14.4MB

MD5
df78d219a33a9668676a05d5d2f7269c

SHA1
c7354cddd130879e9d8259bd1d864bf0a7583239

SHA256
1feb25dc271f2d5f8cb93da85dead9c8475daf8f96f521cbcedbd5d303472a9e

SHA512
5cdc75562830939f290a6433fd795ed108cd93d8c41dcbaf926db6a1d4b0aaa1601920163d6ae0d9b3fd09010f393c14244ac833283c5d17c1c5db35dd3790cf

Download Submit
C:\Program Files\ExLoader\media_kit\libEGL.dll

Filesize
461KB

MD5
0f61da7cea39e89861117f3cb4620dae

SHA1
9ca286bf6d5617eb38101d5e166edac29497c9c5

SHA256
b2590bd0692f0381fc45c20bf1c7f7f713c9ea19c7ea6bab62efdd1fadc4eaac

SHA512
7dc2bbce9808e00122ae0d960ad6b0156d201494aedf4c4c9e261f50986b72dd19b41d443138ffdf1b2e5b8e29614f0a1e909e4c867262eab311f6675618369d

Download Submit
C:\Program Files\ExLoader\media_kit\libmpv-2.dll

Filesize
28.4MB

MD5
3a6bd0dc9ab32d7b450f06bca2359274

SHA1
b2be6a73be23b60f1d23543363ea559438218c72

SHA256
d5f0694b08c124e785d858d00082f3e3b158dd9138bfc48c0382bf1eb443a5fc

SHA512
4c8133321833bc94c8a2f1ddc83523fd554d9699efa09d8dea6ef4aa9bbca0a4f041a10e4793b6424c8cffc4583e36c2a96039017f29465458a9a2e5510631ef

Download Submit
C:\Program Files\ExLoader\media_kit\media_kit_libs_windows_video_plugin.dll

Filesize
12KB

MD5
62852c790347a9447d96b4362d1a2672

SHA1
876303737752173988b9500d6bf91b6b41754422

SHA256
d40294be5f1b91e06b544eb010366bc08d9cf4ad5343558d9f00469e24155c72

SHA512
775d878ea3e564169526e93fce68705d4f27ada508f629e370a537a55703f614da8302475198886dbd36c32e20c2795cca2abfe22d7a1f8736517f1414e0f01b

Download Submit
C:\Program Files\ExLoader\media_kit\media_kit_video_plugin.dll

Filesize
138KB

MD5
65bc935901fb1ad22c6aa07129ed782e

SHA1
fce996c3cfde2e1b0f940b10c5ee5212cdd4f4a2

SHA256
1a51109891e185f233df7c788eeccd5d5f028c088162f5d9f47c7cf5e61aa1eb

SHA512
45c9a1992615745ebdbd7018af2146412acd41413852da27ec034ac8489e5c390077198fccb49c9967ad7180070db30d05e11e640fb8de6ff122a77a0daecb41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
619bbea941132b9d0f518b51714bfe4b

SHA1
1b9257f4fb13194fdef5e0747943e2a06fa5123a

SHA256
add6bb47441bbaadd5e0cf9b6a7e31294e260616c020df1898c264aa0c50a367

SHA512
443763abc8bda4fe13c79939dfc35bedc37fd6ec8bad241e7964ddbba8f8671d3340b745499f5832cd8643659880211d59e6b6d8fe80dedd1fa21c3ee169f749

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnWebGPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
341d445b420a0672826b12140df1963f

SHA1
5006d8350b78f74134df0a23748d31330c37f108

SHA256
4fd60aa073852f891c60ca01c592ffaa41feaf468a8840a87feb030e742eebb7

SHA512
698be428537865d101a7c2c90b7b46ade6ac5ff10e9871296a397ac71335e92588a04fbfc4bb51a1deec4d26b46464b2c9730679471f5c672baf96d1c2b51ebf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
54039eb7b904a3a12793ee061868a44d

SHA1
a18800b99f21ffc0524b67d9891ba02274aec3db

SHA256
d10e77bcb876f97d49a6fccb256e08d299eb19549b484c38c00d76405a92f07e

SHA512
c46aba5654b2ef5986fdba5778f62b40a618db948fdeb6d58b1f23ffdd4d947084b4a9ba617db2a77b63b72886143bae435bc6fd5ef71848b97f03346f987ea2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
325469f02da110befcd9715bc4ddb46e

SHA1
a33f9dd32dd35be94c97a5eec4f5422ada59ba9e

SHA256
77179294fba905f8d80b0d246c659848595fd811a56390bc61864b2935279485

SHA512
de4bbde63b14c6f64bf97afc50e32f07671cce9504699642cdb2d010af4168c9ade45ae55241c9bb486fcc8d9102036b803434ea484099e114fe0d24f874c06b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
731266917133fa8fbed6a33536117579

SHA1
060a74b8928bb67727aa034031656db1b2c196e6

SHA256
9a1dfd5641dae1cfc8fbda32a55dc1cf4046d6d7cd0c75222e1f4f200380ec03

SHA512
24468eac4589efd906157a8ac06f23da6e176288b8c3b2000fe74b21a420c6e0259d750b4490b86738702257338d2c7974f1160be5b17da9386eff1dfb40b902

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
3feb111ee4673cb1a18461f1e1c53f44

SHA1
75939708205c40c0a586214688f7526dfe6ac076

SHA256
59db408dc72b4ec88814a8ebc9d6b61d3107cf04afc16981ee662642d693830c

SHA512
ced2c96223bde8d5793afc2dc1506093ed25fab5ee1dadf4f3fb82253d7a627d104eb5032184c585be8339c94bbb90f67204c50c42ab15894a0ca92e212107ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f925.TMP

Filesize
48B

MD5
94011bc6be60d47782f2e3efa105f918

SHA1
9a6bf92e5af91d398de97db358aa977ae944d13c

SHA256
f59a144f3384577e3dd0683357c82358ad1f21a492d160837eb42905d30a2ccb

SHA512
e68a4bfd8c60a48c0f70943e3c25d1416a37ca96356c2a74d3e315adfe8827db295985848df16227226ed117741c760e3d1ea41d2e0d33850e06df27c3d0f78c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
5ffe6afc0eae04acec77ddd25f0283e1

SHA1
28e32327033a11dac454a4865da311618b8212a0

SHA256
bb37400990c6e8aef3e593f4214825facc91b834127251b6397dd8cb1609a34a

SHA512
c4ec839fd47f3ac10c50f2c456243d04d42d4e4cba32beea92790339bd80cac7335928b483b8aefc392b18dcf1e2072389c1fd8c273a9d474e9a028591e9bb80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
0177718abcae13ad71d5b5de8e2c8246

SHA1
b1d4cb5911f0fa16e4f23b6fcdc6b37920d58acd

SHA256
247e4ac744c3924f1164aa644a41c618242e84893b55f626e4b9c0097246621d

SHA512
010beed9b9929beac35d95db0fb8a5eea5825fbb806c4a3c5bbde48ebd19c8e30b36d1f2e518a6df408825da089ddd86c9111bf10d13ad408009f0884a696d23

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\d9ac12dc-9e7c-46a2-82e5-90211df0eb7f.down_data

Filesize
141KB

MD5
d0fbc5fba8125e51fe5deac2fdc4e2ee

SHA1
5a5710759c501924156c0bda3a38c4bcfe87e7ec

SHA256
4705a04616a64e92f1cc92885d59235be6b1593a62e90cdff86f1461b7b253fd

SHA512
a57fde5dde27d953d7602b4aafe1016b2e17e191334232c0ccee502afd886777fb80730c642f48213ab8271b3b923819173e7676cbc46cfe2f50ab9b79d0baaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202503300920501\additional_file0.tmp

Filesize
2.4MB

MD5
def6e15d8b63743747e8bbcd18857ea5

SHA1
61991c54069f5a8c6c075ef6543ba2faabca8233

SHA256
84e13eccbeb2d7620c683dd5d76df9ccb3522f5babd833c6efc2291df5e02e87

SHA512
5f82ca7236c40726701b77e8275e4eff27d4f13964dc20c268fa84a7589c5109b6535a7735a0c547fa0aa8ad47c777dda5a6eb2d33782b28f0dfe59d408a265b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe

Filesize
5.6MB

MD5
08cb536a32f3871021bbe98b26e2f118

SHA1
f12ca4a7b85a9ffd6b321ac8090cc69b54a534cd

SHA256
7ce73faec3717348a02e9ec084815818d7fd6d18c56d05000f742d0f08eba4ff

SHA512
e049ce310ddb00093a3cbc172e7317f28a604934a2a5268c7db23bb86931b3a967c18f803bb8f983c78bf3bb0e78d97d2bab99ae0a443271b3040206b48b4077

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
515KB

MD5
ac3a5f7be8cd13a863b50ab5fe00b71c

SHA1
eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9

SHA256
8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da

SHA512
c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe

Filesize
2.2MB

MD5
8c5234a456c0e46e9e8c8ea02593e9ba

SHA1
4293444ec50c63c920a39ece376e7060c515902c

SHA256
ec641e6492722ca35cbfaa7f82659d00552f8432201406fc90d4bd9a8d1f5cf2

SHA512
ada4f6470361ff37f03f1984bdf7518f2aafd6c8723f2d314e8d4b126fd3247fb143ba4d9bb9c8ecd3819b5cf5a21d1eb021492831c3bd1f8940ff79ed6751be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2503300920500911404.dll

Filesize
5.1MB

MD5
35b06de4e32f8e29bfe1a09aced9e977

SHA1
c8f08f241b93ce58ae61bd5760f7fd6be54eab84

SHA256
1b7c928c52a30da0fb5b070cdaa3f9e9e19ca4c4dd703b2212abe60e3f696177

SHA512
890776a54c6412489c5498c9c0176b8c75eca53840453ca08536f8433ca7b3087d2daf91773f3703554a85c45ab0aab44840bdfec19ae3ddf38c9dbb675d725d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

Filesize
184KB

MD5
672d8f840df04da81a68c12354c67602

SHA1
f14a9a358bce7225435a4f9327722edf363139cf

SHA256
cc8522a81ca478837e76ee0975f820c0211242f859769dad4349afc9892dd6b2

SHA512
4ac90decbf88025c7ed0484b030d484b3659541ad4bf2f029d74657bcb4fc4d7f5f66a84ac9bfe8184e21fd412c1ad367c8ebf6a9e19761736bbeaf9722db962

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSVCP140.dll

Filesize
559KB

MD5
c3d497b0afef4bd7e09c7559e1c75b05

SHA1
295998a6455cc230da9517408f59569ea4ed7b02

SHA256
1e57a6df9e3742e31a1c6d9bff81ebeeae8a7de3b45a26e5079d5e1cce54cd98

SHA512
d5c62fdac7c5ee6b2f84b9bc446d5b10ad1a019e29c653cfdea4d13d01072fdf8da6005ad4817044a86bc664d1644b98a86f31c151a3418be53eb47c1cfae386

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140.dll

Filesize
116KB

MD5
e9b690fbe5c4b96871214379659dd928

SHA1
c199a4beac341abc218257080b741ada0fadecaf

SHA256
a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8

SHA512
00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d3dcompiler_47.dll

Filesize
4.7MB

MD5
cb9807f6cf55ad799e920b7e0f97df99

SHA1
bb76012ded5acd103adad49436612d073d159b29

SHA256
5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

SHA512
f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\app.so

Filesize
13.9MB

MD5
9386561be5064cf480bc89737df498ab

SHA1
fc99e79ec57dc8ef4c682dcf70edd3dfd4e8b089

SHA256
0b285e12ae83e6b2de12350c20d4b13b825b65a24e0855ce7104ebfc8f2c5e71

SHA512
42b17f154b5c71209a35737dc6a2b0451941096e8d931e1a38b192d67bea782fcad3101badc4ee7e80b053dcf9b23cb62bf9084106559183ebc1d852ed31ad7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\AssetManifest.bin

Filesize
14KB

MD5
e6ee07a908803b70dcdf31271bbc05bc

SHA1
4328b159cebeae8594bda27a63617e2cc7626bfb

SHA256
5bc7d9a70129040cb1a99067d26a8a74f1679b345ae7e7fbd6c71d26a97e2688

SHA512
53293ee1c663824b3170b994209ad034024df9d77fb782b13a9c104c8dd89316c2fa18fc3b7e106260b3ef3e4d9a54b8b110aad52f5defd01abf5a370a4855b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\FontManifest.json

Filesize
413B

MD5
fb1230bb41c3c1290008b9e44059dd39

SHA1
66493d0f8a6a112d8376cd296b05c277b111dca1

SHA256
2429b610ba9010211d18626d311d3dea7274473c2dd50fae833ed739b67b1292

SHA512
d5ae9b9124a7c7f8c3d04c4750459c9bc620e3aeb84f5d56a64308eb9b343d4fb62f8b3e03210e04ad90b91bbbb35dd1a56148d06dbcc0872f99e9b1b9d37c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\fonts\MaterialIcons-Regular.otf

Filesize
1.6MB

MD5
e7069dfd19b331be16bed984668fe080

SHA1
fc25284ee3d0aaa75ec5fc8e4fd96926157ed8c4

SHA256
d9865b671a09d683d13a863089d8825e0f61a37696ce5d7d448bc8023aa62453

SHA512
27d9662a22c3e9fe66c261c45bf309e81be7a738ae5dc5b07ad90d207d9901785f3f11dc227c75ca683186b4553b0aa5a621f541c039475b0f032b7688aaa484

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\backgrounds\Ori%20and%20the%20Blind%20Forest.jpg

Filesize
93KB

MD5
babd1b019be8944f7ef6c64c8194bc8d

SHA1
702a50d3e3a0933db4dc1f37423bca3b5c52acde

SHA256
71ea07c900e7993072f4896c0ab621303feaf4d13b7c9a4b2993e06122b10f76

SHA512
6a854fc0db7206dd182f6ebc594d763b62a75f64663d3e58029cfa2586048838fe8878b043d174923e05f4e3cd2f3e9d96a6dcf5ba8bbd7322bbc3540bbb8b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Bold.otf

Filesize
46KB

MD5
e57b6bc24b970a377574124e026a7c01

SHA1
00184aedd4ee4d2ca6b5c87cf41e78f64304c89b

SHA256
b012d85155925bbe2106b20234b96522dec7914f03b09bc6e2fff71554f31bf6

SHA512
c162cd8a7130d2c94dac5c3dad58794f368436cbf782e8063c245d4cae405af6aa25c2f381549defd520c3f7cdbc04a27f891798697e9c291317d3b3ba82efdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Light.otf

Filesize
45KB

MD5
d10d77b03ba3abe6ccc1c142d9852595

SHA1
6108edf0cfb3d5f25e3c593949c301c5c2aa5f25

SHA256
3c9ef459625f995c62b993b64da299204b741e153ba8e6d988463aaa86b1aa44

SHA512
71c4fc3b6f43b4125c5ea5ae09297d72446de81ffc2928fee33aef386754e60dab11cc170c4d6689dd6eeac451f2a57b9d3372278f750dca6ed39ec82fcf9368

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Medium.otf

Filesize
46KB

MD5
df63e8855d04ab0e25d2bb6a0b1fabfb

SHA1
5512dc285f36cdf7da5ba5eabaca128ca3442537

SHA256
a728e91375dcadbdf6ef6d7e3cd0bbf5c56fb992d5b1be6640b83214c9d015ed

SHA512
eba8afd3289089841e4eda4abd992c2e2020d18d44741733b5a51a2a1e0c0982ffd9da187aa56ba3b891bc259398ec156e08e45265f7218e87eb914794ca69d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Regular.otf

Filesize
45KB

MD5
d969db6adb881f1dfa91a5b7ec0154d9

SHA1
d7b44b20eb246b0ff5c41147c0d0fb96fde47c48

SHA256
c7fc6d9f2ff611073fa09a6c61a8c086da0ebe8da841a9f4ec4087a3e9b52152

SHA512
2a225a8c12b46aa14e14dd547c6a55c80aef6bfe8cc791dcf60a14ef91994eddc4dec473d856f7c2446d62a41d017d256b64b603d87ae45e75fdeb2230deb5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-SemiBold.otf

Filesize
46KB

MD5
5177edfb54762b59df676052d11b363d

SHA1
fa18815bf4914b93d587c2758b65e234ad51b38b

SHA256
50000ce2f0f8bf3018f1d04aa5c6716583b808ca05c802c46a9de4f084a91f7d

SHA512
7475fe248eafd528a05acab94f3973eeeb0d169203769ee6b42d007b5fa0605a58a290e145d74d57e17486367bacffed22e4a88e576fa9f65d000e487aa78e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\arrow-right.svg

Filesize
250B

MD5
caf3668c9e2b82819137f778b10f04f9

SHA1
a3713391b4ce86c084f1981851cef5e76afc71aa

SHA256
92b25cb5172f158b02e577ad36c7de69fd277378cfab9c8cdc7e639b16c03433

SHA512
0b9bf756c36026d853ba5809819f29c308ba15149debc75d04ac5cc2eff4f6c59f3a1da2ac50f268c7751243f96d3c3eb707a16ec0b1ac14fa49199a284826fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\close.svg

Filesize
201B

MD5
7f8d672a2849987b498734dcb90f0c51

SHA1
e53b9319bf964c15099080ac5497ee39f8bab362

SHA256
4a290648cd1cfaaf1db4909d7552ae8cb83cb0b0e36770e64d153ab07ce6e7d4

SHA512
b3ddbf719f42440238c55cee896409179b4562ffe74f607d3640f623c8264c2fd2000b085dfd9a25ffd8ba2166695dcd663efec56cdac679f9993cfb602459d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\cloud-off.svg

Filesize
1KB

MD5
e99140f842b471d330fc27cd73817c4c

SHA1
9957147463f586824b65bc7bfb121d33a9523a96

SHA256
0f4cb470185e3c6c26ae033a3a88e3995340bb08a63432dd9ebb82b73dd665ae

SHA512
f579aef41980539675609c62ff4d80dde22bad59917d439dbd4d325173bed3f24534a72e9903aef58c6ee5d4b03fcb7d0a7be8c93c35da6dbb2e1e046b7da0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\window-minimize.svg

Filesize
151B

MD5
d47255b6d3e685cac4804eb58207d0b6

SHA1
7fe02211cf6b77f3971522a3b3888460491ae153

SHA256
29bc4875912360fac26586adaca21449026cc2cf6479f9d9bbb066abe2dd2640

SHA512
b39c96fd2479585b32146a3b33a5419f665391f1b1857b08896c8254b48fdb733551bd9974a3c7dcfb679cbb5b35ed9b8f538f5c44156d399b02b8d0d4fe95ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\images\grain.png

Filesize
79KB

MD5
3577f702479e7f31a32a96f38a36e752

SHA1
e407b9ac4cfe3270cdd640a5018bec2178d49bb1

SHA256
cc453dfe977598a839a52037ef947388e008e5cdfe91b1f1a4e85afb5509bee2

SHA512
1a4a03931ab56c8352382414f55eb25b324e11890d51ba95597dbd867b35db45db5adcefb47d95b3763f413a66e3228e59531bdbd5ba5541469196adb5eb3d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\icudtl.dat

Filesize
760KB

MD5
692337664e861ad322138061132dddc6

SHA1
8a99bc860eda0772f3b1f4a125fa4d474410e21c

SHA256
c12537022ef818991a7bfed41a76d8d6ae962ffbc0e6511ac762a5d0845e7f7c

SHA512
3e2e6adb651e37e530734f999634d7c101fa1c45ae380be8ad169bbfb0a047f2878ff6c8d1428d6b9e7301b447ab2f8839484322ddb3831984be71d442829a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll

Filesize
17.3MB

MD5
225782e5d02f400a76b8fabe8a6f5cd1

SHA1
e54ef4f664a250808749be2ea9870607c20ace31

SHA256
b66713715a7aeaa2f88ba18838aa7c245556eaaeb31c82da3f5aebcb71a7715e

SHA512
9e88489361b36970a982329184b7afa9ef403ca86830427c60397e49522e5d38fc652ce4b65e79c54583a50ffee83fb138a02d638e015c9ff53e56164556be76

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140_1.dll

Filesize
48KB

MD5
eb49c1d33b41eb49dfed58aafa9b9a8f

SHA1
61786eb9f3f996d85a5f5eea4c555093dd0daab6

SHA256
6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

SHA512
d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_as2r0qlg.vzi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\06863b6c997b988a0b25478954936acd.png

Filesize
1.7MB

MD5
0aacdd690568fc5f112aa989e683744f

SHA1
1178d794f9ffdc70a7d5d72a02685607f7390726

SHA256
0d558fcd28438bb6aa883b7b8915cc2dfb509b7fa015519b892d22bf33c9839f

SHA512
3cde92ded136762b5fc82f082530b03fb3c941ffad2adbb25bc5eaaf4254f89d9a0f5d25daeb128318e06f5b1bce93eb80446a5458fee263a6bbdad207c1611d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\097b615add13ffe41987120e11394b78.png

Filesize
200KB

MD5
c750892215c7488392c5829d8a9f6dd5

SHA1
1276ad45446329138880b6cbbe6666b749f411a8

SHA256
74dee0ecb1f53276a7935f6c907cf2ffa987f17fd1eb36ea37765e0d4ad275e4

SHA512
bb2dc331cd4e25d295236645b5e61fc99831c902c5e1d23769984c546c3457c1141fee328b22871f1f3419a8381a60fef868b2f1af7eecfcdfd933bc896b04aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\0f0be7f6b36c6273da10e9452f28b1f0.png

Filesize
1.6MB

MD5
3b67dc34324a46beeb9c2968f5ed9256

SHA1
5ddc7617f5d09e97b43089dca59e82ed953a259f

SHA256
9997d0b23e68778ffb85b1f9efcf1f9ff9dee287ef44da71bc4688b2a74e927f

SHA512
5def7ae832aa74c44879dc5408f537e8558668fa8cf275fe097d2fad622ede3163885aab3c44771ab98735dce6597d274800571bb1f2ea1787c759e0694762e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\1771d68933a4387b7c9f9453d7ccfa5e.png

Filesize
427KB

MD5
f1ef671cb6f45a0e1f3711cb4a19cc82

SHA1
a1e577847ccf806a1bb5199a9d73a9c3656b69ef

SHA256
2953ec0adc7e3cafa94664d6ba7fb0fecbd110227cdf42baf4d29f69cf001526

SHA512
f32fae6de8fae090e6333d2b3afdf6c8e1dcd9dfaee620cc11b5c199caf21110aacb11a928fbcc5255909bb86074918d4248f98dddae27ebf99f82148751765d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\1e980c873c774fa8e94283a1ce509bc0.png

Filesize
309KB

MD5
67a50cf02f92461e18046c6c0e66fd25

SHA1
31ea768b478dbcfa03ee7fa8fdcb86a3369065b2

SHA256
a929a07eee2930e6cd8b8d5aa4845d440492b5d3e8c399929341af4cd1a9905f

SHA512
b717e91b12197a5d5e543d5d961b60a25b82a7ab1b46fdb1458590c90cd5c24280d33586764e1eb8ce0e020fb25f348a3cebf1eb849b7668ad8e792dd52d8bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\2429aa5ff888f44983a422afb67ca897.png

Filesize
302KB

MD5
78f8d650520bfa8699bf5bbedf0c45bc

SHA1
b0b25d6923fd39ced207b76eb9319bda3aeb70bc

SHA256
ad4b286b1760785ed35dda4a909242f2f218598bb3552391ee60821106c42415

SHA512
fe76107433dc1890c7e6968e7afb5213a1294d567c47cd9550589307bf053518d6dbe5266e962fc044eeb033b39aa4754dd9c9afb83cdd75a90f3b2286f5f34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\24c1caf60e52536265299267cd0e4cea.png

Filesize
451KB

MD5
758caed982c894b0f398adb7f659772b

SHA1
6ffe9317dcb094b5106fe135ae4389c535d731e7

SHA256
2010dcbda935556eb53f41a722744c2e23bb50cd05f1d9432e5461045812515c

SHA512
205b15bee0b60f090eb8022174da6991d35c801f3874f500fa64e9959db5136fe0ec25a241d6f5c2bbdff87a5bf68e0f92d8fa8517a37c350735f10ff99e5198

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\28bce4aa0ed6cc95001deb18f5af6df6.png

Filesize
1.1MB

MD5
8ff54539db826cd25d454094534963ce

SHA1
8800e2660ee95e850282f2d0c58923bf3fd8134b

SHA256
a13ec435ae469a4c4379c149467de10ad11ab2333e47f1ffb09487caa7230eb2

SHA512
0e71cfcaf06f92c89cdccb44b240da8fab21e1ebe73bc6d401da379b4bf021de4051360e8b8ea979325a6c70c38daa6c56e2051d2b83e233641388d27bea7845

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\2af6b891761ef18801b0aa9f9878e125.png

Filesize
3.0MB

MD5
49ba1a0a0bdcbc8a86b16017a80ac51a

SHA1
5a95d8ecbf900a74666b3eb1b13ac56c6d016d47

SHA256
bf6527527f9b12831083fd27b2dd35cc50f464b53d2e418a2cdfc96d04facf1e

SHA512
09bda338e33f4ee3994c410743252c2cc8e78e0d52418c2d65fc17eb70c30e75e11e1cf056cbe27d0f8742d0f48e027dfc6b8151785f6885069dcc8dfa3e0a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\305494b58d8fd53ffeb260a6cb918e1d.png

Filesize
2.9MB

MD5
c06ec4b445ac9eefc20b8c05492d224f

SHA1
a6a8ce50c67f165e3fcd70b7a202bf08ac165ec4

SHA256
9eec25db42ccc4d457ea3ee1ba870d101dae44659797597133331c971f4b4dcb

SHA512
b5da6f5841159803ea2982cb1715582cb6cfe65a35d4af60249595099b36320713d9f8ecc70dfd1291dd5d17bbf8dbe6cffac248fb98acfccbb8f846b6adde15

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\31ca3aa80939a6863de0f64f63008de2.jpg

Filesize
6KB

MD5
dfcd2bf89cb42d4b920e5cf93bae0ca0

SHA1
8b79cb1e8f4f741e8aee909372af81868fccdc40

SHA256
65f4dccd81f7b5d8e1ef39f7402a684cbb5f6e207408552a628a10c3e8fd1412

SHA512
cdad2a9dc6e18d81937bccb164b4f9774176a588061dcc81b76a608d6630eb06639293089f2b42416f6e5bed89d4ed098ed824fb450508edeee7fd84c0a1cb3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\4f18f98323f2bfcb3d780bfd15984957.png

Filesize
296KB

MD5
cdf0f44b9be2be8d98d19d338c0a5b11

SHA1
4008a2006a775605caf245410cf9c346667e024c

SHA256
5b300cc2a308d9f5640d8ac7643d5a5dbbcb025e02f305402cbdc015d2a49781

SHA512
f56ec411ad4f6b6c547f99ccf4b12fdce8207649c48faa7ab37fc9aaa2a5092aa8b093c229467bd09c58c1cc3077c8a0bfb108e3c8eafed2dbbff0a40a1666fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\54b86bccdb2760a66bbdcd724292eb02.png

Filesize
172KB

MD5
806f6146b3f8970b235fc628ac8b9a0b

SHA1
b20be9f495bf4656f4e9bf5e7f158ad7a91a7611

SHA256
8a7081f2bb71d80ef9e5562753fe74a4d58a850271c9194de3def3bc39ed7ba9

SHA512
30e28e7aeb47cc1010a4cad4a4c564805f74fada30ab190ce6a08f3413e8e89e51329ade2293411b645096656b1ed30067e175975e255e926e10ce5b6d4b5481

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\63e78fc5dc38deacb9eb79bd0d516f7e.png

Filesize
4.0MB

MD5
6ea80b93a4e6c61aec20efb67e5d7236

SHA1
40bce81c1e2f13534aabdb77bb1e22bda033947b

SHA256
3910122fe87fb7a96c42f2e057a2c7eabf75e2aa3b0af4dea777b7e2e8371d48

SHA512
608c3187e3ad5ecb9a787a4976f69e46b840e04d900eb9ba9f618155f4eb818321414809af99f917f24b77bf7672ec4ff77543e72f080c3c2de0111ee2a50be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\6b33174148264dc750390ac448debd44.png

Filesize
381KB

MD5
faa264ef80599430df4773babbc75cba

SHA1
f4e08ab89fb9364efa3c305584985e4a03c58019

SHA256
fc3f79c76e1051f2305cbdd78bdbccf6bb78144f74146604741de01a35feed05

SHA512
f063bcf41dd1ecf442f5412fd2fe282432bf17437972abc19e5d9bb52f496b425809f3bc1e143dc9a719c3c0b59b6ebbe23eec176fc93d8e7f588e75610019d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\7e9954eeb2fb6ee1bd36286b32a02ef8.png

Filesize
283KB

MD5
78f4e28a3cf5170ed6d78f3943d98ac3

SHA1
24d2f2d73c715d978b7f656dcf982d30df53afb3

SHA256
bc7e7a2c7842c6aaa6531f84b91edfcc26a38aab1173c69e8b7ca2a5eb2b1ff9

SHA512
53b73968757138f98b0c7378fb0cbbf74bc7e870ee7cab867eb4965abfcf5f4d3aa7a68d6bc6c12d7c991f9f3513493d13ab72556a9d3cf77e80bbdddcf047d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\832015b1eb9c8a39c49d907f61bdea47.png

Filesize
682KB

MD5
63a4203739931a9bba55648dede9d96a

SHA1
e606e0d4474cd69f7f696a0dde6770f66f2b0df5

SHA256
4a72e437c33fb86bf1513f1088a14516dea2e2c409126bf760c3365e0e3f411c

SHA512
46798c6d116100d44ce753ab08f704fbb2c0cc83d948560dff9752406855b71cc67f3fd2e5439a3d0e85e248f5a0daa32bd0afe20f7632186b7bd968df5d2867

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\88ffe0cddd2d5f2001fc24ee21df3b61.png

Filesize
132KB

MD5
5b5a500cfd4ddf9f7dfb446668da148d

SHA1
aeb9c24a65235e6e70bc51fd6d12425dcf9cb9c4

SHA256
2622c99d9efe1d6cb35b0212ee7de3de5109d6df9695536bf2d0d52109f956ad

SHA512
59e07c665d648d2554400d16ece7735f7e9f5a13684627fbbcc3a8180acb884429b36ec410087603e9a9dd6580adab1348f589645c541e70492e0f271f98a9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\93a690d33b042d44bd9b94dcd0d11909.png

Filesize
1.5MB

MD5
a3f4e0adcb9bb53eb8a8c2e0cd3b957f

SHA1
1155c4bd814475622fb90443ae61e430ba9963ba

SHA256
0104cd8aa64f09635834a3c7440a6684e5344b82b883d2007014c60ce35c03e2

SHA512
449a42b4cf84597ab0b108e9a4ae83e717bc796985e7dffa8ecdea770fb72eee25ada4b2de0e41c547a11a0991eec47363f99227e14c9ddc24b249a64282fcc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\975942dfe3e605d0ed593eb51484b6ff.png

Filesize
3.0MB

MD5
618379f6827483814dc500be66b43803

SHA1
17d287bcca398be07a787ea2a5ce295422789d52

SHA256
12d015a35f5d5cc97621e243776aed2039e6d55d41404315c266cc73f74cebff

SHA512
fd97e4110a9e4d22635c652b70a3acafeaf72e343c69a2a120156cc1ed03552452a3d435e2876912ecb2dcd11ecee1d3b47792bf7dab6711dd03b9ea7cdf110d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\990ed225833d0627f612862a8e5f7b09.png

Filesize
377KB

MD5
f4d002685d9a194f1c8e378f31d34a7a

SHA1
eef3de2f726b0f4e5ae2a87406dd867e1c7bc0f6

SHA256
e326c12afae210d30ed9f26cc36d1c4e1e9c06ef820a6b601fce7019b5416385

SHA512
5c03adab5340dfe55b0430e5c9f888725f60f3ede15662c3f40df9fea4ca1526c47f34aaccff85be28c982a05203fd62f33689bd9c21cb829b962c08ef2c2901

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\a27cdf0b12cf833a33b1e14b6c2692e2.png

Filesize
2.9MB

MD5
3a74324717b2ad7cd4a4b0b30ebda213

SHA1
770480887ea6fec212ee9841dfd45acc3d847e33

SHA256
0e4f55e866322c3dca839ed08aaacd3653be1ae3824fa53c6892295931d77a76

SHA512
d6e4ea69232353ae7a0185e14ed3e32a30e93737a6a73ff2da9627ba055a193f491803f01541f5db82871abc264b4317a1b81680be49fa3e550313d7c21fc407

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\a8364d727776d745ead86f6f016f13a0.png

Filesize
956KB

MD5
180ed9f7f1fb062ee013ed2d2db4baf4

SHA1
2fde78fee3388f37e3d963cf377b6cfe05e68719

SHA256
47c0f7eb3b1ccf939eedfad6de69b83efc606498c2a852c4e37e3c481b40890a

SHA512
3bc168dc925a71a05016072a41a9b90260900786cb54842096d29663411d11b46a0e531fa42e48f74b9cc48365597be6bbfc76372b33b85611001af5a58295c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\a8decafedc160821d5d78010c8b65a56.png

Filesize
1.1MB

MD5
a924291fb4f8e3ca693fd97723a0b38a

SHA1
6e50dc6904b856453cfe35db4933d26cbdfff3a2

SHA256
8d12cac6dd8da28e270c339325d67a2e3aa3d5fdcb64d1ac0a6698e507573959

SHA512
5464c724977505c0b3b2be2dadcc98d85417766c252826795adcfdcca95acc39263b8dd533b1bc1a0630690769bd4614c037c93d506d76933a10d0a33af3198e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\a9d8421f6a9142171a7defe3177eb186.png

Filesize
2.9MB

MD5
a7995442bc4da83fc197b42baf4125d8

SHA1
103d0f7f75b6781738a83d35038c89906693cbed

SHA256
1d3172ec2776e7826425ba3e9a040c604d309872d4e78bc37c321ab25c831a2b

SHA512
5f66f1bee4dbbb6eebfa0767f255b9d5c32e630a00bb05afd72be913a1e9f115013d613528c27c7147d23d62b95047960dab9f3b614ebde7c3335355555d1ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\abbe94b395467964d08af2580a508ebf.jpg

Filesize
83KB

MD5
ff8887a3fff2b6112f819735099e0762

SHA1
378d14eb68626c9d077c90ef8f1a5f75d2d87981

SHA256
49b993fb6fb224595f37f8326e5bf2105ad13af84a19d3730ad40e0f5c10e251

SHA512
5235440b3fa810cdc3da9fd3672fccd7d426c03902b7e42a0d42a9c57b96d9a22447563629863c69209d3a3a04c005c96e3588f3f865c2fd913a0e77affee965

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\ae78148e589ef2b02ced63c2312c6ec6.png

Filesize
2.3MB

MD5
2646bd2443f62807dc1447ef565e9737

SHA1
fc809f906a4621137adb03da680285c3a695720c

SHA256
e58cf57f20957044784d78f35639c2149ea3291d342040588baba080160da01f

SHA512
2ea450a87ae0d98e50eaa0070fc22000281f3fe1c1a98e27fa5db6ce8afc7622d0d1f5ac698b4564d00320dd6dad036523a123110cc753e9d1d90fbba128c7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\b118cb7da74eb59bfe7618c9c93c0308.jpg

Filesize
9KB

MD5
42e9d9e70d75feda50a5651bace3acf9

SHA1
059dded31278ab21068c96271c9bd558dafae2ab

SHA256
1bf777b8c0883ef180fffb147a32f849b43ed104cd384ae408353a92dbe0460e

SHA512
c275053f7095e7e9eca4665b536fc05059425a90f9c5068764fc34d92855b0ebd6c416adfed39a7130e15f66c9897a6a9fd4bf2ce074415f781138acfc4c2d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\b4a8832fa9c87f1884eea3f0e9decd2a.png

Filesize
1.1MB

MD5
f5a4dc1f02c29f80386d970d6cfdff86

SHA1
4ef613d075450c9784a138bd7dfd01463f4685fb

SHA256
18a7ac8e98cb7e7d593438ae1f026922a83ed35f6d70e56ffb76a4159aad6e06

SHA512
be2fa650d577f62dd8d87e3190a68f9a4448d2007df0412f571abdf02fcf3e6f68be78282ceda604cc7719d5d704b93e1834da1cfbac0b6d4b6fa5b714af8e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\bc3df891abdc935ad666672bcc5d7dac.png

Filesize
1.3MB

MD5
be5bdc15b93ff553449ccf882cd3e633

SHA1
dcabdd3ac9b60ccacce808d4b5d80970be69dbe7

SHA256
22d87af2d104ef54d0fda416512cd279e538e83af89220a96e11e7f9f79d96e2

SHA512
cae5c8f95453d2c3f930a55468c55bcfc101b08ff23224eea761ea4b61ef96a0fb08bb9ace102fbe6f8cd031740ddbbc8d75ae0dccea8ce68162b608bec809e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\bc88975951e7e55547ba828c835df912.png

Filesize
4.3MB

MD5
c2618593cbf3f483954c27734e7c91cc

SHA1
1fae4a3634d7ca370572d045bfe27a3879586a52

SHA256
910a0f8455a3c7a3b460a215892030bc99576800cdb9ba23406a24cf7a05ae60

SHA512
6fecd47b037262e7b5e806b55382bb052c793085f4966c8177bbbbd23bb3213f6aa341726636509550ab281568aec409a558da26d1034226f8f1f82b527313ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\c09521ba779c159b61c312273ef94380.png

Filesize
193KB

MD5
1be4d35bb03410dc5814a391fb39093a

SHA1
364ba729f6a17b7196efe354c7f9ecfa70db81d4

SHA256
4282e98f7e8ba8d9f133f4c7d5d1f730263c565cdc4270e00ea9dc637761e584

SHA512
69adb08c57d0ffe2320a7c78d8dd3b7e18ef5aa7df7351b339f4fcebcd2f435070a32fc44f7de4668defb435d5107cdbc7d43fc8a9183dbc6a99e2b065557f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\c67ef28e5e24b41f5acf294138443e42.png

Filesize
809KB

MD5
9aaa60a98d05e8e0512a855242a916c2

SHA1
b56f525e4ef9cd75f35b993ac2df527fdb5b5c55

SHA256
71f9cbacec79254dcbad11551d4009a69399c55006cf95aaf61e10ec7e88c287

SHA512
f6aa4110eb6c904b9ca6c6ea34083c01e0466ea050f9e9b968e70e1b21e7e138e9550223478b0c21b50cb0f7ec3d87b88b5ef8a751f5a26a3f146d89fed7ecca

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\c6d0c946421426f1600bd303fda9f2e3.png

Filesize
1.7MB

MD5
7be72749b45084375456270c7dd961c0

SHA1
caea2cd6f900d3ff9c57cc1965bc0d774be5d655

SHA256
378890deeae57d3c9873c752227c5e8849cfce41c4e6f42d0264d2a23de11d5e

SHA512
d4b63661120970ec804c84171fc237a5771629897699ac2916e96eabbdd72e4d4043731f84dc797db1c9ccd655edfee542f7f947810cfb4cc8fa38dcbd083a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\ccb87a94623b415801c62c3074666d44.png

Filesize
271KB

MD5
45bec10d0569de6d5d8088ca9f8bcb75

SHA1
8830c5b4a0242a0f34ab8d054df27e57cb45e714

SHA256
d62bc5d430072585637df740cf990449cf6e5aea47dfcab67d4960bee3cf8339

SHA512
2d299b523ada4113126fd45ec948bb314ffde55f03bd862d66de9a702a27cdbfd3c3bb3d96937b7b43743910d76eb17f98e33193473b31816e51879b7c3fd723

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\dedd20c7e26b0f56bcf4e0befdcf82e3.png

Filesize
378KB

MD5
d831293ccb3a1ffdf88639b6c180180f

SHA1
be2a0f420fa7b61053f16b59d0a63108e26e943a

SHA256
6f00699629bda1aabed500c80e95d99c93d6038d2e88459e86f023cb1bd219d5

SHA512
52028163d22816bc0a82a81654cba38128c1cdb58808a74f1e55d16bdb4143ac3e7db036cabb67c55bde705127db527e4848fc537166c904bcf89e32bb24522e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\df1b848cdf0cb9d3c34393d5672ee8fa.png

Filesize
2.4MB

MD5
228a64476feac8d4cdf54e80502126c2

SHA1
541cb33c8dc0c271dcf064d2bb1a5a09451c6256

SHA256
6e33bf6847f1e78f654477cf9e8cb20ba7b4e1023da2ffff879d87b99eb106c1

SHA512
4baf332d6c36eb1965346db8758532ded2d4191f74c6c0be54422a4c915c9655b831403e38bfac4a0a32f00905e6b6199c542bf8ff80a6ceeb6d0bafa5ae4086

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\e21b5715e2f4f1a02945a861bf94b9b8.png

Filesize
280KB

MD5
7850120a910edbcfd5362ecfab76fc2e

SHA1
f0945e15a27732b6b917b09300cc6b3267d017ff

SHA256
83afab61dd1e26c7bedcae74fc7128744579d2bfcd576ddee3d42fa0d72987d6

SHA512
78adc040c6e9b2bc2c202ab2e4dc4b9223e7df9e3a1bbcfbc97a227cf4c5b0ba42cbb8b65a1d4e8d497edeede09a1e6d3f57d314a4b4d9da9a1d3cccd396ef5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\e778a48f7db4d09a1ae2a64ece7f3551.png

Filesize
228KB

MD5
2cec65e6907d9409210d1182b1eb96ed

SHA1
2d1051ab31839c0c9ebd64f4ea53155f479686bc

SHA256
0a9b7449915e8e1d79de85d8606ae865149276ceec7ce736a39af96214768876

SHA512
81b1de5595c7e2f312889972a749b84d527d6abb3960d013b5b27362c8394e1fd2eb0e0a6bf8f6014233be8dce3a51f679215367d8e8bdd483720815d5174cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\f4debda1455ca11217f27dbd9a60a114.png

Filesize
1.0MB

MD5
3afad9fcbd2a754accf46cdedd734556

SHA1
b19d8c500b12ab50c7025c3e263e541959ec5b92

SHA256
520aefa172c7e6b21dff426536fe11f438bef767f483ce26dccd18968b304cdf

SHA512
36ed54986e10a2ad9a910f184afed56998c4e7ee8a2707b432525df8184b5dc0578c9c9cedaf4808678bdb669b6772455ebd33762f380ce93aa21912fc45c463

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\f5e1f490620f877f855a544ecf869199.png

Filesize
429KB

MD5
3d66f520496d3a84063dcf3559dcf972

SHA1
e2ffeec965ecb249dd6ac1e45e5a0497adcb7ef2

SHA256
269640c56a282486a33fb40a8e57b078634f20eff22ca331f67fe30ad824a55f

SHA512
e06766b8600d592094b0efed97a5ec1d1451a963b81e913cf794f2f7e99296f16b6acf8e878b0d9be7fbed889b211e936b2546357daa5655b52dcd6d5ee56a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\libCachedImageData_v2\f5e2a99099c2de6b47db1068c0fb00c8.png

Filesize
517KB

MD5
43ac81d7267e7773bdf4f74886181d87

SHA1
04f95b2646f643bcab06a196a225d780342709de

SHA256
7db600461e0d1a07848c693a64b077bc5897c347a1c08a3c1e6d1d0bd3b51d1d

SHA512
726fbe9d7e8be0374b3e88feed8a1e395ab45263ad88f3dc94e7b4627b83c72cfbada8f1e2e9b8f279ba217b8c49d866bf1d9e43481fdd4a172073bd4d08bf70

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir400_925049195\01f8269b-7807-4712-a873-2ce95aa7a876.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\games\0.svg

Filesize
1KB

MD5
3c82bc5493a92aebc9064551ea8d38ac

SHA1
b1019e3fe4397f7215ed8af2c0914159e986fbb2

SHA256
6046c1e9b8fc8cada4c4e063b031e164163e7c5723afd8c37d7df6c3054e1e7c

SHA512
126c5773e2192629eee40a611997f01c14bf598215d6ed33488b9d934ac41acfa83b99d7f373e0726a459dfee950011a0c24f97fbc600f5f96dfbb16ac7d9bb9

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\games\game_icons.zip

Filesize
132KB

MD5
e99357e2175b6a74d955bbda98ee48f6

SHA1
2c9ca87414b6da042f372ba4602690ccc4117225

SHA256
e93ef119eb0d9fb377f17709ff42fe2f52d1663ac164773fe6d38bb3475d1e40

SHA512
7805124b9c3c1a4385b79a0afa60ff162a11eff8689b7caf727127b289956c5c61cc5c1c77bfd5ce7a8a233af579d27568fefb1f1919b778aee85c2aee5e1e48

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\libCachedImageData_v2.json

Filesize
3KB

MD5
7e8a578da5ce61d89789663312c713d9

SHA1
70a32f9a0b670fc76ee2570b4499d7536146f87f

SHA256
b02bd58de69a6b6a7a858ecc8678900ac679de48fef30f746c4c494fda04c117

SHA512
156b8c96f8692414a49e9e408b108d8b64163a7a9b7d4146cd8e30de82d20b39c74a335580864a62bc67efe971a28a64999aa1e64aff7cf8eb74db35211f5d3a

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\libCachedImageData_v2.json

Filesize
6KB

MD5
b263cd52571b6ed39b1155772a5cc20f

SHA1
9be7623798f6906130d31d33c29786f187953b2b

SHA256
09b72367fe84184c712b10e4c849e9df13211f986e15a36fccf03540887dc5ca

SHA512
1c0d84a53370e4561edcb5d833731798517d73cea0ed35ce826f62645ccbf7df7ba7a6fb27261cdad347ce4b8363e0502cf6277cca00dc5a827a015cf17fbbdf

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\shared_preferences.json

Filesize
371B

MD5
3456c2d07712ba8fee6ffe0d4e6da1c6

SHA1
4e46183f5cfe1ed70f3d6c5ad10861f4a8269493

SHA256
48c4145113534381852d3a9f1f8a7f388cce81b355b5701f361a3aae9a262a8c

SHA512
5de700f847d1c7dcc684d536a5527a0d2024eac3ea66bc54d68ba74e101efd554aa9964af1000f4d0bfa1e893fa6285d83ce094cae81dcd5d732d18282a49d01

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\shared_preferences.json

Filesize
869B

MD5
282c82ec6d7225ddc15cd00990b998b8

SHA1
4e607bc556a3d1a41c6298cccf3e4b72dc0965db

SHA256
61cd0818ca41dae5b4a88a28904c9d276ec3d38878fb90cdc65e9eedd00af505

SHA512
6b149f3098c2b9db03b259fe0c5b3cdd895105be658841a906de3c5a83dc5a5b168b15e59f008471e7d66ca88501e8dbf87466706d8a4576a1f127d44f83def0

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\shared_preferences.json

Filesize
1KB

MD5
2bf49a0512a82be16ce1d88b5a43b17d

SHA1
2e9eb9913233a9d51193d451213a40b70d325909

SHA256
dd702317c112f2898f62e6fd23a5df3056fb5007fc093e22eb46c6d8845f9eb5

SHA512
2e0c7ecdeef72997fc3cb809cbeb4001808f304ab1000af5cc1f7c87d3e9f4b827b63318310c4c96fdb9602beffa4940dd357473dca713404d0008c7a28a24b6

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader\tools\dxwebsetup.exe

Filesize
288KB

MD5
2cbd6ad183914a0c554f0739069e77d7

SHA1
7bf35f2afca666078db35ca95130beb2e3782212

SHA256
2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f

SHA512
ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader_Installer\shared_preferences.json

Filesize
371B

MD5
6e8413f600daaf46def993adbd38e1e6

SHA1
fbe143c5dbb0a3b39b53f310c9919f4316882484

SHA256
2e3a2c28841edca04582103d4756c9ce030ce605b795ac0e4508f7ea49b146ad

SHA512
d350a264d00bc786c420372f770bbb1306b0cffa5248e57fde99711c11a8b34dc9c104e825394b72291196e434a7cacd86d1712a956c543beb48db2b6a265125

Download Submit
C:\Windows\Logs\DXError.log

Filesize
406B

MD5
9deea3d673772ba166e168b22ef7773e

SHA1
f7a7e1303956ca47094ab9a8744fba273ac23959

SHA256
c1e4794d43f38888e0be24afd124265769e27de46f21f4c1e617189dbe6b4b38

SHA512
a86d5f46405cdd8b4b25ea8be2e7cf59fc7013283f97e6dc8ba66e14927d77e6f7f32df3adb234173acb369536bd7db35c3ce55074efd8690d7b336b76fed89d

Download Submit
C:\Windows\Logs\DXError.log

Filesize
1019B

MD5
413de3bbd2f43d610b17fb78bdaaa489

SHA1
c624cf7f2318713edfb9dbcf9294fc72e5f0949e

SHA256
ba6d398c352843a2ba0ae1ccbf5b242eb2356657de683580c3ad1f9c27b36735

SHA512
d751ce7117a80db0f4eebc1cc1b57ed579aff1d2b902a22fed2530dfc9ab630ca402c13dc5a83e31d9331364da86df48886e8a18c919531d42f406da5b82bd20

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
1KB

MD5
1fcfd2adc67588b3a67d6546b99a704c

SHA1
61cd038159eca35fb7e6fb91d2e4e0618040fca4

SHA256
8a2ff439652387f688b4d91e47eaa3d44dbb3e4ad6090e73d7bae8654deba1af

SHA512
d4e64e27c4e9b59ccb63ddf356c973e25f57319fcbc01e72dffd4bedd5b5aad159ca1f17c06020261173c6ff4476c541df8b960e316c9abbcdeee3dc498f83fa

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
3KB

MD5
90d51b67798b4666d3a5927430da5309

SHA1
0ada55acccd9e812a3e0bf0d70a14a46f5073de2

SHA256
5c88c15ad6becb6ba5eea61a3ffacd0f5e80a6ac68ec66a20f0d4374c7a44993

SHA512
44223390e5c1e7c266ef848007b79be361e8e01a7728cf95c388968907e40f8cc63ebea0dade37ba4deb4fd92609a7979c37cdf7f5f670ad23abaa93f2bb845b

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
4KB

MD5
2b1349e29f7ce97021028524a0c954f7

SHA1
d689ed0e3d4b23a486fec9c76eec49069cf6cd2d

SHA256
ec634f2fffc23132ca802ab807a629c7f3b51f79ab159649af644b88dfead487

SHA512
df7706e0867e92e19bf1950188f72b81481cad9169ab621d824f17ffe587532e0ed1a23c822ce744b16aeaa9482395472943921a7928f046f94c1e32eae31da4

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup.dll

Filesize
93KB

MD5
984cad22fa542a08c5d22941b888d8dc

SHA1
3e3522e7f3af329f2235b0f0850d664d5377b3cd

SHA256
57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308

SHA512
8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll

Filesize
1.5MB

MD5
a5412a144f63d639b47fcc1ba68cb029

SHA1
81bd5f1c99b22c0266f3f59959dfb4ea023be47e

SHA256
8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6

SHA512
2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

Download Submit
C:\Windows\SysWOW64\directx\websetup\filelist.dat

Filesize
111B

MD5
d6f81567baaf05b557d9bc6c348cb5f1

SHA1
0c840165fcd34d996c85b6b44b00c7206bf772b6

SHA256
e60413bec64775bf1933ef4f9673c8bcfbe0ce71e950fd589bbd14c0f9a00359

SHA512
09b84cc9199592821d7de38cbe24332097b276bb25b6d09f7dcdc3a6b17369ee944a6f8120f13ea6a5c15eb759a90d7ce29cc845a5c0680ff2fa53e2623171e2

Download Submit
C:\Windows\msdownld.tmp\AS595BA9.tmp\dxupdate.cab

Filesize
98KB

MD5
4afd7f5c0574a0efd163740ecb142011

SHA1
3ebca5343804fe94d50026da91647442da084302

SHA256
6e39b3fdb6722ea8aa0dc8f46ae0d8bd6496dd0f5f56bac618a0a7dd22d6cfb2

SHA512
6f974acec7d6c1b6a423b28810b0840e77a9f9c1f9632c5cba875bd895e076c7e03112285635cf633c2fa9a4d4e2f4a57437ae8df88a7882184ff6685ee15f3f

Download Submit
memory/3392-655-0x0000020FEC120000-0x0000020FECF05000-memory.dmp

Filesize
13.9MB

Download
memory/3392-654-0x0000020FEC120000-0x0000020FECF05000-memory.dmp

Filesize
13.9MB

Download
memory/3392-656-0x0000020FEBCB0000-0x0000020FEBCB1000-memory.dmp

Filesize
4KB

Download
memory/3392-653-0x0000020FEC120000-0x0000020FECF05000-memory.dmp

Filesize
13.9MB

Download
memory/3392-652-0x0000020FEBCA0000-0x0000020FEBCA1000-memory.dmp

Filesize
4KB

Download
memory/3464-1486-0x0000020286570000-0x00000202873D1000-memory.dmp

Filesize
14.4MB

Download
memory/3464-1483-0x0000020283FC0000-0x0000020283FC1000-memory.dmp

Filesize
4KB

Download
memory/3464-1484-0x0000020286570000-0x00000202873D1000-memory.dmp

Filesize
14.4MB

Download
memory/3464-1487-0x0000020283FD0000-0x0000020283FD1000-memory.dmp

Filesize
4KB

Download
memory/3464-1485-0x0000020286570000-0x00000202873D1000-memory.dmp

Filesize
14.4MB

Download
memory/3464-1572-0x00007FFFAE690000-0x00007FFFB0798000-memory.dmp

Filesize
33.0MB

Download
memory/3464-1619-0x00007FFFAE690000-0x00007FFFB0798000-memory.dmp

Filesize
33.0MB

Download
memory/4008-978-0x000002065D1E0000-0x000002065D266000-memory.dmp

Filesize
536KB

Download
memory/4008-979-0x0000020644FD0000-0x0000020644FF2000-memory.dmp

Filesize
136KB

Download
memory/4008-988-0x0000020644E80000-0x0000020644E90000-memory.dmp

Filesize
64KB

Download
memory/4008-989-0x000002065D380000-0x000002065D484000-memory.dmp

Filesize
1.0MB

Download
memory/4100-2149-0x00007FFFAE690000-0x00007FFFB0798000-memory.dmp

Filesize
33.0MB

Download
memory/4100-2545-0x00007FFFAE690000-0x00007FFFB0798000-memory.dmp

Filesize
33.0MB

Download