Malware Analysis Report

2025-01-19 06:05

Sample ID 231213-1jgc3abae8
Target AORadar.exe
SHA256 8692eae1de2bd90196c7dbc7d821662ec2a8845990e0603ebd2b1a2ce449a46e
Tags
irata discovery infostealer rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8692eae1de2bd90196c7dbc7d821662ec2a8845990e0603ebd2b1a2ce449a46e

Threat Level: Known bad

The file AORadar.exe was found to be: Known bad.

Malicious Activity Summary

irata discovery infostealer rat spyware stealer trojan

Irata

Irata payload

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks installed software on the system

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Collects information from the system

Enumerates processes with tasklist

Detects videocard installed

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-13 21:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-13 21:40

Reported

2023-12-13 21:43

Platform

win10-20231023-en

Max time kernel

102s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AORadar.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AORadar.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1472 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1472 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 1260 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 5000 wrote to memory of 4492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 5000 wrote to memory of 4492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 1260 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 1260 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 2724 wrote to memory of 1844 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2724 wrote to memory of 1844 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1260 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 1260 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 1260 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 1260 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 5072 wrote to memory of 4160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 5072 wrote to memory of 4160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1260 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 1260 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 1260 wrote to memory of 196 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 1260 wrote to memory of 196 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 1260 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 1260 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AORadar.exe

"C:\Users\Admin\AppData\Local\Temp\AORadar.exe"

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

"C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1540 --field-trial-handle=1608,13502916366002262834,5583496006877062695,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

"C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1828 --field-trial-handle=1608,13502916366002262834,5583496006877062695,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1472 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=1472 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1472 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=1472 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\ARoJXJrLX0Pp.vbs"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cscript.exe

cscript C:\Users\Admin\AppData\Roaming\ARoJXJrLX0Pp.vbs

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\2s3NRRnp4vPp_temp.ps1""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& { function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace \"root\SecurityCenter2\" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { \"262144\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"262160\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"266240\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"266256\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"393216\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"393232\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"393488\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"397312\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"397328\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"397584\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } default { $defstatus = \"Unknown\"; $rtstatus = \"Unknown\" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {powershell Get-Clipboard}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {netsh wlan show profile}"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\D2S1UwnE0VRdwGqitdaI\System\cam.1260_Admin.jpg"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\2s3NRRnp4vPp_temp.ps1"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Clipboard

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" wlan show profile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\D2S1UwnE0VRdwGqitdaI\System\cam.1260_Admin"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
FR 216.58.204.68:80 www.google.com tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 68.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 api.gofile.io udp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 83.29.80.151.in-addr.arpa udp
US 8.8.8.8:53 store7.gofile.io udp
US 136.175.9.9:443 store7.gofile.io tcp
US 8.8.8.8:53 hawkish.eu udp
US 8.8.8.8:53 9.9.175.136.in-addr.arpa udp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 151.80.29.83:443 api.gofile.io tcp
FR 163.5.121.96:443 hawkish.eu tcp
US 8.8.8.8:53 store11.gofile.io udp
FR 31.14.70.247:443 store11.gofile.io tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
US 8.8.8.8:53 96.121.5.163.in-addr.arpa udp
FR 163.5.121.96:443 hawkish.eu tcp
US 8.8.8.8:53 247.70.14.31.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\AORadar.exe

MD5 a5bf0b9aa8a1b9b69ad0af1dbf267735
SHA1 98783f38905c0d36e9c2b40a6ba787428d19ea00
SHA256 bad0457e84e72725c35490a71fa0f781b6e3fc6bb61abc2b6d069dac7c5e1fae
SHA512 4d8a92d965eb7f5fa1c282db3880043ebcdd408b59cba31fefeba30af10972860b51982c32b20419782ddfd082c14e5e44c31f1082e65d761036c5f67c58e191

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\d3dcompiler_47.dll

MD5 7641e39b7da4077084d2afe7c31032e0
SHA1 2256644f69435ff2fee76deb04d918083960d1eb
SHA256 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47
SHA512 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\vulkan-1.dll

MD5 b91586bd80e057a7f62bdc4422744812
SHA1 a1df644421ece2e740e5bf0ed98b4f269fd85c39
SHA256 8ba72d98e0f78b77bda7816cd7232809d287310d34e0f1d7472b9d5fda2c6d02
SHA512 94f0a8e3e75e4803891c0fcb257052dbe0e7399772fc7a46ab802629f76ee580ed30b3678fa6bc3744c12cf9f3103bbc8276e88f6711278748148e9fbeef2053

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\vk_swiftshader.dll

MD5 de2d91476e625278c30a5f69a1892e05
SHA1 4d707f6a801611fb437f5c1cba31b0909bf41506
SHA256 02c7f0b926c64f5a19a9aacd5f94ee00be4d576486592e18acc80c0a027b05ba
SHA512 d027407539346e5aedd527f5f71de45bace6295e96a7fbefbf273c930d64a791e488e4bdf6ef8db61fc19c80cac52a6e398c2973499c6fedb1e422c3ba71f532

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\snapshot_blob.bin

MD5 c9ab741bbef53fa0e84952b8891a5f5a
SHA1 e2dcb8d034e07243537c86371de0c52bce62cee1
SHA256 4d82fe1e642fe3ca7ad1a173f806088c0652ecfe9f0f6f6e246066e15a3431d4
SHA512 177b98a3090ecfe4b4598dfcd7e8b3ca49efafba4dbd8d6c6d0def462de47c3fabfde831725622783ddc177de982de6115178d9bd9830d918bb544a5a4c27fc9

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\resources.pak

MD5 bdfa339e708ea0f23ed3620adc4a2d64
SHA1 82a95b7b022836b6e888f53e69386570c05a1af2
SHA256 b66ae9eda4543685974d35d051d967538bc57d55c2577629007c534ff330e1e4
SHA512 ba87c70e1b6446e0a7b62da33d72a36ff92ee54fda64343262bc26afa8166174e76d058ec6d707cdebf2611858b3b4b7e21798febec53da02febd81ade4ce8f8

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\LICENSES.chromium.html

MD5 df37c89638c65db9a4518b88e79350be
SHA1 6b9ba9fba54fb3aa1b938de218f549078924ac50
SHA256 dbd18fe7c6e72eeb81680fabef9b6c0262d1d2d1aa679b3b221d9d9ced509463
SHA512 93dd6df08fc0bfaf3e6a690943c090aefe66c5e9995392bebd510c5b6260533b1522dc529b8328dfe862192e1357e9e98d1cdd95117c08c76be3ab565c6eea67

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\libGLESv2.dll

MD5 b6a433dc7b4030fb17bd1683a9606b6e
SHA1 0602c50532e3f13facc67bd95a048c470e88afcc
SHA256 f7ae57a1d7d3e284714ca354f5292aa9b75086489cbfba8b1f54548445b6b3e9
SHA512 b9ba2e20ec878e3acae93d8254e69374e391fd4a3d5c1833282c43896d123baa874f1088839f3bbcf05539eda0e2aeaef28d7742ab8e20ec788382501e2152b1

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\icudtl.dat

MD5 599c39d9adb88686c4585b15fb745c0e
SHA1 2215eb6299aa18e87db21f686b08695a5199f4e2
SHA256 c5f82843420fa9d144e006b48d59ba7ef95f7e6cb1ea95b27fcdd2c97f850859
SHA512 16194186a8407b29f799d4b02f5674e4fbd5d91163fad9f8dce6ceedd865b754a681aa960d0f3f1b62cb21d5443879f1b8e9b691c19c5802d5bdfe4ed645b8bc

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\ffmpeg.dll

MD5 c3842fb3087cdcdb04020ac38683c289
SHA1 329dbcd4a1c79b891b200f11eb50194b85c493bc
SHA256 e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133
SHA512 069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\el.pak

MD5 38440b98bfdf5ed496da0f49d59534c0
SHA1 1498d9207ecaf4923a47271e24c68a817041c82e
SHA256 b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f
SHA512 95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\gu.pak

MD5 63a7fdc4eadf8ef1c35c72468a0ce33f
SHA1 e8d064f0e9c8a6a8c6ccb036711e292d011d9466
SHA256 e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c
SHA512 0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\ko.pak

MD5 d6e2c18c9eabba59b50d147d942125ea
SHA1 0918879203c2050b4f9f449f5616e430897ba0b9
SHA256 f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76
SHA512 f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\kn.pak

MD5 5115cde84b4c674db412619b65433004
SHA1 164f33e7e2e9f685a579da492a6fc8806beb6cbf
SHA256 891e092c6895e23be986c3e6d39dcea9b6b75f1448239c13fd406680e50407a7
SHA512 090a247898cb533325d2b289a6cbd8db2a755ef0abab49d82f333e57b290c50b5996b81f15d8adc30160b216eebed3a1476aec1627195e52189557c1d48b0216

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\ja.pak

MD5 833e8c4aa70351b6be7bd403e4e9a0a7
SHA1 46ccdbdea35deec8ef13a5fc833776875fad187b
SHA256 74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0
SHA512 e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\hi.pak

MD5 590e9e73df9cbd83cd87b9c03848fec9
SHA1 da125e60a5a2c51a2d6219d3f81688bd22237b59
SHA256 089b9dd31090a987515809a68d26f6eeb64cd9283934e3dcc48b151eec7d3ad9
SHA512 fd0e5d0f2063e12b711275f390428b88f98ffaf6043cdb14b13674ac1e4aa9f70ae820ae960132d7155daf9b1308238775c4702694ab53068cdc709c50f9186a

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\mr.pak

MD5 f22c99fe6a838e333e8ee06a4d01296b
SHA1 c3542ea8dd45a2b387dd02fa5687948f135e10f2
SHA256 b03a3042f907aed13253ae8083d08f5fad59ff438d024b097276856e72526911
SHA512 882022c2cb985d85f96d52c9bcfeeb089d6ff30e66187ccf424ef622092b9d359a51bdef1fb6ac3b9d3409aa79d37ca737ba7f3ed8b9cdaabfe04d90a7c8bc15

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\ml.pak

MD5 04b2540c25990a5e0a9b227dcce6ae0d
SHA1 4f8ccd154f54dfb083d4d1a3ed0994842c8ab13e
SHA256 556165b8b54c6e21bc66d12b3f5be393136714467c427f7114f314d18ad3c661
SHA512 4cab47e42e8f5d4a83851871f97f3e1360c993ba530dbb4b4b736350779784bd83189e1195d3480ce87298bb8f9b7f249fefa7764d850e5b0002895609626785

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\lv.pak

MD5 264c6e20b3088ceb4dae5773cef0cb55
SHA1 fb6ff83ff14df008092bc3ee73bda7491e8e090e
SHA256 a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda
SHA512 01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\pl.pak

MD5 644c0ace25d6e532b56510a736c6bc2c
SHA1 1bd0fec952107b493da04c46423da634ff3e1504
SHA256 2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7
SHA512 9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\te.pak

MD5 793a87d41cde6e6d1bb086284f69733b
SHA1 d887e3842b664f55b7308427aa6f5bf0b352d879
SHA256 5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255
SHA512 7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\ta.pak

MD5 31dada843d0b4f9a66b184cb6d7b8b92
SHA1 0320b31981043c6e4c17470bf2ff4c7488553511
SHA256 457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b
SHA512 c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\ru.pak

MD5 75457b95d2bb03891232dae7db886387
SHA1 e5a7569df7f91533703626d167ecc8cddbd27205
SHA256 e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6
SHA512 9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\ro.pak

MD5 24b01a438a3ab9699d4ca97c081b5e82
SHA1 0d0b082544d23425a74199fb0a6c11192f0bdf7d
SHA256 38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca
SHA512 43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\uk.pak

MD5 d791b1ecf2931b2fb0c31aac170c7cdc
SHA1 02be115a9ff94fe5250651b6de4323eafc44fce1
SHA256 ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22
SHA512 3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\resources\app.asar

MD5 5f421fdc98089800259ce7108e9683ed
SHA1 84214ffdb5bd9326c105f91a94400e440255b318
SHA256 eb97f57b6ced0b69b6b7db07a425f99a94e706b28a92c19e3b8bfdaf7545712f
SHA512 017d032751655a7addb24ed2819b37de6d6f592aea9e48e339bf0fd1270d115bfa7d1a7602d07a29c18278ee054a907f208528b777aaf8d3991d1508deb49662

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 c20c205c6f8d70a5e1351a4041a3ec9f
SHA1 e1b2a763dd6c42439656e4e55aba0f3610ff3784
SHA256 bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc
SHA512 dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\swiftshader\libEGL.dll

MD5 38d13c6b179f7c548edc9122f40e6c0a
SHA1 b1f2481b1250a081e5c89fa72f6c2eba28a582e3
SHA256 225a5675282d6400b368c0b9878bb5edc54f22b4aa23a7e1d7c205bcda143e23
SHA512 92c42f03cbe6007a1f96e8ea8dea71ba7279ab7241b120312bc44918f33c43cbe1fe318e548afcee86bdcd815e21ce4a1202cf93bac9244e638541ac7344f7d0

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 16a12bdc986207390dd79d658a6b2263
SHA1 b4b41f62cbc1e1ede786c6e30e11df8e61750bad
SHA256 50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac
SHA512 d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 e1ac6b0a2938b1617de8f526204ea12f
SHA1 13ad1b23b29f8b0232062d276fd425fb4e57c8b5
SHA256 c6cb768d23458dc57e29c2c4c9437127de9d35c2053c0e2063fb389c40ae780b
SHA512 a8e408b6e7c1ecc30c737e895c9120317e597d9f474f189efd0bae5b447a304692e7b89c06fd85f7faa1591d98b20a39e4c3304d3c4c1338c406c8c2e0951330

\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

MD5 ce91b0e962bd836c9bf0abdf7b640c66
SHA1 16944c6dec31fc7d4322eaf29d6e3174e0cf5829
SHA256 018c2cbb352884c7d08dbc103e0b1ac03941deab88207b48c7af7ffbf9e9fd0f
SHA512 2514b0151529fe645027e4d0eb9cea99d17c083faefb5c4c0deb7a2630514918f775200cf2a32cee5ac376712654c4130838de0cef24bb1473d115b44b9224de

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\resources\app.asar

MD5 cfc399356d31e6d65d86a1e52461c94e
SHA1 c795d2b2d3edc5445e423b4950e81fa9b36572cb
SHA256 8503bd6383df2e00dc74912ef6cd75b5f30d1ec68853c59aa35d892afc9bc9c1
SHA512 3beb2a6f9f0974f2a6f50518f9d0eb61effbdc8ac7285c43ca57591a5ba78051022dc84aa9ee12d2e6d9d6e75d2f04f8af199e33bcbe633bb0f9e51e8269a3c9

\Users\Admin\AppData\Local\Temp\535ecd70-0d5e-4019-8270-8e4aa6b8f8e9.tmp.node

MD5 3072b68e3c226aff39e6782d025f25a8
SHA1 cf559196d74fa490ac8ce192db222c9f5c5a006a
SHA256 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
SHA512 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

\Users\Admin\AppData\Local\Temp\703db18c-eb74-4e82-af1a-9c050f007381.tmp.node

MD5 7e57aea46c573cfd9a87015ef7da1572
SHA1 fedc16eebd6a66908f1b1e5bb7a36eed52fbbcda
SHA256 9c992791636c649eaa777fd769d40715fed2f015e0f5a7a340097218a52487ec
SHA512 5119601feb7bbb036a0d0ff32a330fb078a0de29794296a217adccdbeae7067ef557d5e3fa539b99ccdc4a39f73880c8287112823c9b6f4ce223b796a16afe31

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\resources.pak

MD5 35abd6ef7080ff8c246ce129f30c3740
SHA1 ce632a0f72803eb2afe02f5833fb8719aad672a6
SHA256 44f0db52853c496d5e9850a2dcd226dedd4afee3e7aad7df217c99ca66d3ab13
SHA512 d6be45d1bd981d47d7e384ca68724bfd63ffb69ce33c907a97ca0d851e9f5200f71fd0b4faa19d85267c9951cd9d4f390fa56d6485166ad5c5132178c7cea504

memory/4688-581-0x00007FFDDC890000-0x00007FFDDC891000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

MD5 c3eba635c22aa0f08a503e907d24d09d
SHA1 d9d9ed20421f26e5fb5a69958564190c66782ce7
SHA256 4892f972409ec7dc7f4345055b64a4e43ae9d97a9a3806b061a2c3dcf8e7bcff
SHA512 529758408d1e67bf1e5c19a817e8516544b9809254a7032f092e0243773252f4959ebd57ab259d6a5a07fc0ae4ba1df72acecde909ad3812cc8dee2cb6d5dd8f

\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\ffmpeg.dll

MD5 7d5744767e8dd1acb9757848ed886448
SHA1 77a4ff0dfa0d604bc5f83180c53cae0a6fff486f
SHA256 078c006aad82c4dc861b86acf3f75ce69e3c18b72a62ad1382ea82c5ebd3c9b3
SHA512 8b9fa1c1c9472a12b4ade9404ffba83e35ba2ebb3987ccd880d92a7603ca96c6ecef91206bee51cda3b1039b412589f499fe9fcb0298e3b2422fdc909764cdfa

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

MD5 c0e0a2fec11174f3bc12a163fc7ede49
SHA1 a8d145be2a98d344346817c7443a49e0a40e68e1
SHA256 5bb1affb695daa80463cc3c54061f3e46db320db7455dcce84c495626837c9a9
SHA512 7dbbed0e82b0c5f3df3cf387a01e25e03c9e8cd99f38f1b47d37319cef7a58c2bad42a8b489cf80211062c51ecc4259b5a728fef839b8c2748ed39d9692df0ce

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\libglesv2.dll

MD5 0df3bc3e6e3c45d1ed5c0e57f94ba366
SHA1 e4cda3902cdac324b478b6ce982c03e87d496cc6
SHA256 d73d6a97ad81b7a860b4338e32e80708770b26426ee2300f2be60cf9cbc95361
SHA512 875022b72e3668331c01da20ff2006d98d847b7f12565059d42dfb066fe8989668195719bcc42c6c920f93a4fec5ed3ce1be573790e748f6de2d06d972deb363

\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\libGLESv2.dll

MD5 08c6c118a484d8b7563fa8d782068908
SHA1 71325b6e630f81f271e443daf05cf4eec04e6611
SHA256 5138035aafaa77d8c90386caf2f2ea6529e531decc89da4c0f4a9395d284e771
SHA512 7293d8cb7ade2a44befcd18700549c76ade3b84129a2831ab561c7ee85dfc28e04c39f9632b6e6f7341234956ce6659955345344f673ed60ea72fcf54e3b42ce

\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\d3dcompiler_47.dll

MD5 71d64466cda22db7393d1e246c1ecd3b
SHA1 0fb47d028cb1d40d449a84d803c2a7f3e581334a
SHA256 fc69dc89b8c241129bddae8859dcdda02839a57e63b7f83c7947dd94cd54311e
SHA512 0afd1080e6bfe6148026bb335aed3e42941f75235f1c6da7dd7975b8fc6838a326d08259710e89fd16e55c96ad9ecda88dce0a38e2e678324597f082d6e49c96

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

MD5 3cf800036fa8346277eaf32949afd680
SHA1 7169e045da99154548da74803cfd468e00e4ce4a
SHA256 0ca5c6f07cf3ae4d91df2fb7c287225cd09975e1e30be08954a8c9fd548afab0
SHA512 cdae7a99a3962f08de26b21d47ab588080e2a899754fca662103cda8f8a042f6b6ae0385d1ec82fd2636b0028bd344eaca7858b20b5f81a3cb139997a4f63e15

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\D3DCompiler_47.dll

MD5 1ce5ec6a4e99a8b42029074eb276b7da
SHA1 f4a411cccf25fd76e2669ec9a7a321a372df923c
SHA256 47e3ae681597aa5b3b338e0d6971b7f4bc1ab9f447e77b164593d76c1d0d7834
SHA512 a8d3dfd43722edb0685953addaa4c10c4ea3719f4ba18932fae497750561dcc5eecb45d6dc62ee1c980b3e05c23f59ccdb87f73218cf5914cbb6391cfa1907ac

\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\ffmpeg.dll

MD5 7106ddfd5ee30f568d34ae4f51c2c0ef
SHA1 230dfeec9d32af53dea08384d6673639ce1c28a7
SHA256 00c6f500b16724f4872a1e2c8aad774583e58ac34e1c53f3e8664e9d81b7d954
SHA512 32599771f588af082256f54e72ad0ffc60b809d334aa659ae7fc445b869b51100b066ce57936b737cb4d950a97d20a3af184c527b62f4b678e0f3d5f6de5ccf7

memory/4688-620-0x000001E696CA0000-0x000001E696CC7000-memory.dmp

memory/2060-637-0x00007FFDC17E0000-0x00007FFDC21CC000-memory.dmp

memory/2060-639-0x000002B5BD030000-0x000002B5BD040000-memory.dmp

memory/2060-640-0x000002B5BD030000-0x000002B5BD040000-memory.dmp

memory/2060-641-0x000002B5BD320000-0x000002B5BD342000-memory.dmp

memory/2060-644-0x000002B5D5870000-0x000002B5D58E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3x5d3id4.ikp.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2060-662-0x000002B5BD030000-0x000002B5BD040000-memory.dmp

memory/2060-664-0x00007FFDC17E0000-0x00007FFDC21CC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 5d574dc518025fad52b7886c1bff0e13
SHA1 68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7
SHA256 755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2
SHA512 21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

memory/4948-673-0x00007FFDC17E0000-0x00007FFDC21CC000-memory.dmp

memory/4948-675-0x000001D070740000-0x000001D070750000-memory.dmp

memory/4948-674-0x000001D070740000-0x000001D070750000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 43bbd03cae3c2f02f7aa32e4f928974f
SHA1 6f2158ba02e0621a011e558feea55449bf3afd46
SHA256 a88a496c33633a00a06577cafa023806edc056051b29d0a115b9a5d03a6355b8
SHA512 57f53e63804cea278fd7414c0b907d041b075a4fae251ea4a35f431222b001be9866f0101a6eccafbcc9638ee7599887fd3c12a6945708029bcbeac42ac680da

memory/4948-696-0x000001D070740000-0x000001D070750000-memory.dmp

memory/4948-697-0x00007FFDC17E0000-0x00007FFDC21CC000-memory.dmp

C:\Users\Admin\AppData\Roaming\ARoJXJrLX0Pp.vbs

MD5 bee4b835076d15b9486e145637c2a63b
SHA1 a419c29bbb768b6c75c9dbc6e4696dd369b22f4b
SHA256 aa18473a2407198dfcf922f7128694b1f45a83e5b5d3b8ae16857f863664fcd9
SHA512 f245a75722049dd609112562291cf3e2e5627b96d0678383142b8756526ebe0f178068760511b116985a983a3c63201c7c4cbce5dc567911fd446fbf0ab3a6ff

memory/7104-847-0x00007FFDC17E0000-0x00007FFDC21CC000-memory.dmp

memory/7104-849-0x0000021174360000-0x0000021174370000-memory.dmp

memory/7104-850-0x0000021174360000-0x0000021174370000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 66eaee79f39d2944cfb006a4ff62e367
SHA1 71832b8a6accab666d822219c257a138a4374818
SHA256 eeba2e78d62030f049681d96db3129ee7adcc7c1b2393bacebe75b228f8a3c37
SHA512 c9edaef9c3d2236b833e9b0a826e8e5a802371575811f773b4c60b8832cba8c16973f31c1fe96b1a15fb9c72d5e19c940986574a870d7d1fa08a8f78450586f8

memory/2948-857-0x00007FFDC17E0000-0x00007FFDC21CC000-memory.dmp

memory/2948-867-0x000001A4E1CB0000-0x000001A4E1CC0000-memory.dmp

memory/2948-865-0x000001A4E1CB0000-0x000001A4E1CC0000-memory.dmp

memory/6384-870-0x00007FFDC17E0000-0x00007FFDC21CC000-memory.dmp

memory/6384-872-0x000001FE35DB0000-0x000001FE35DC0000-memory.dmp

memory/6384-874-0x000001FE35DB0000-0x000001FE35DC0000-memory.dmp

memory/5820-885-0x00007FFDC17E0000-0x00007FFDC21CC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b9665473048514d500f0ea5b09d73180
SHA1 0d589df5b3c81cde0f27b78229e5be9c135739e4
SHA256 1807dffb92b53c12ca72aadd66303b1533b0aa11e3760653624c75502227753e
SHA512 4d59d3f77e616afdb8f72292a903cead0a70b181efd4a99c5110d71c89f938846dbc4511870afbb70389528382e24e73b8f72138e8e73aaab241b2c83b4ad4db

memory/5696-889-0x00007FFDC17E0000-0x00007FFDC21CC000-memory.dmp

memory/5820-890-0x000002D6715B0000-0x000002D6715C0000-memory.dmp

memory/5696-891-0x0000017776E80000-0x0000017776E90000-memory.dmp

memory/5820-892-0x000002D6715B0000-0x000002D6715C0000-memory.dmp

memory/5696-893-0x0000017776E80000-0x0000017776E90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2s3NRRnp4vPp_temp.ps1

MD5 b68542fdba9c3f2dc7d9f7f70e6e4dd9
SHA1 367796a03c2f8781afa562b007d792930b83cf0e
SHA256 d26063feb80d384e20de40d84340329f4e75fa2ccd45f602176e4933feefa17c
SHA512 eaea19f60ffc555ddc50d262314cafae9a11b7bdf8d40552f434833af785d38580e7c6326a2c2f635f7d04178727f06de3c9a1d6d6934d03609ee1fb2b8e3e41

memory/5728-962-0x00007FFDC17E0000-0x00007FFDC21CC000-memory.dmp

memory/5728-966-0x00000234CB3A0000-0x00000234CB3B0000-memory.dmp

memory/5728-967-0x00000234CB3A0000-0x00000234CB3B0000-memory.dmp

memory/5820-979-0x000002D6715B0000-0x000002D6715C0000-memory.dmp

memory/5820-983-0x000002D6715B0000-0x000002D6715C0000-memory.dmp

memory/2948-997-0x00007FFDC17E0000-0x00007FFDC21CC000-memory.dmp

memory/7104-999-0x0000021174360000-0x0000021174370000-memory.dmp

memory/7104-996-0x00007FFDC17E0000-0x00007FFDC21CC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5dd7928f323b629ea6b382a5562774d6
SHA1 ab9b0998e9e97b13e463c2fdc9ad6e8e3fbda6b9
SHA256 4b71cd938bda61a33286ad587b0c3bc99d6323c2cf68460cd5cc29e740426e1b
SHA512 3fb1ce7c70bef259a6e1436cae26043f299256bbaa1985cde6a7e866637fda596f24d35aa4bfdfcbeea1157b9e1c78cd049b908c01558af72956f2abaabd0aa0

memory/5820-1027-0x00007FFDC17E0000-0x00007FFDC21CC000-memory.dmp

memory/7104-1032-0x0000021174360000-0x0000021174370000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0a1af598a98cc5f84d05b1df8d1b19b5
SHA1 9bd2c30f259f041a433c3903ad9b89e2f63e95dd
SHA256 b22db48d53a9811fbba3601a38dd48447b37b99895cbcf02975f00481290f33f
SHA512 f2bd5f5d31f37e28a316fcbcfd223108bb6930761c4bda6acbd08eb3fb0e8edb28d70cc5a9d2b455916c27aa9b38997e2e9c8d5684a6667d656a30d9418af61a

memory/5728-1040-0x00000234CB3A0000-0x00000234CB3B0000-memory.dmp

memory/5728-1041-0x00007FFDC17E0000-0x00007FFDC21CC000-memory.dmp

memory/5696-1042-0x00007FFDC17E0000-0x00007FFDC21CC000-memory.dmp

memory/7104-1047-0x0000021174360000-0x0000021174370000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e13c0fadbd742b18dfd4add08c8a9a3d
SHA1 ca3d358a1930db80280cf9c62aae575f73005a15
SHA256 0ec94a8baeb3f84334b8317feaf08adfd451fe5863dde4f1a613facfc1d9827c
SHA512 24dce7b4a059b227b93396d0a502b69f1c059b44dea6677d79dab27c4d451316ac7d5ec370ccf0761d67c8935c12d82614bfbcb2fc393fabbfaf207a1bda8fe0

memory/7104-1048-0x00007FFDC17E0000-0x00007FFDC21CC000-memory.dmp

memory/6384-1052-0x00007FFDC17E0000-0x00007FFDC21CC000-memory.dmp

memory/7148-1055-0x00007FFDC17E0000-0x00007FFDC21CC000-memory.dmp

memory/7148-1058-0x00000234EC9C0000-0x00000234EC9D0000-memory.dmp

memory/7148-1059-0x00000234EC9C0000-0x00000234EC9D0000-memory.dmp

memory/5696-1035-0x0000017776E80000-0x0000017776E90000-memory.dmp

memory/7148-1080-0x00000234EC9C0000-0x00000234EC9D0000-memory.dmp

memory/7148-1081-0x00000234EC9C0000-0x00000234EC9D0000-memory.dmp

memory/7148-1086-0x00007FFDC17E0000-0x00007FFDC21CC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u5fl9cze.default-release\places.sqlite_tmp

MD5 c3bb14e17966e261196af4f972a930c8
SHA1 0db75b1498de75ed60bf7e45641a8df54b37a2d1
SHA256 2cddea2e093e8b2d31e8db13f3cd6746d8d4dc92f835ccb83f25c36f2450643b
SHA512 5bad67cb56699e98612c4ce6daaa14cd88d4b55eeb33ec42bcd9021116e4a1df3b14dfaebc5e6a694b9afb3578d5f6012fd90d3fc0f756afed16c6422b24e946

C:\Users\Admin\AppData\Local\Temp\D2S1UwnE0VRdwGqitdaI\System\HOVBOAGI - 2023-12-13_214312.png

MD5 9a3ba10cdd5a60e4bfcc6e69a907b731
SHA1 d59af0dcad256520b0622e817ca959bdad5e2d90
SHA256 82972074b346750f7f6c2fa406f7dc7a5b543f948fea949f138c5cbf54252227
SHA512 f6481f01eeaa129208a5a607fba533fb744756bd14df7014abea6d8d8edbce5f65b3f76cb06e2f80f0620a4c3bbdbae7dd9fc76cc38967074693a81313b9cf24

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-13 21:40

Reported

2023-12-13 21:43

Platform

win10v2004-20231127-en

Max time kernel

15s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AORadar.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AORadar.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AORadar.exe

"C:\Users\Admin\AppData\Local\Temp\AORadar.exe"

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

"C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1732,17697321527105766545,18080971132018948864,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

"C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1952 --field-trial-handle=1732,17697321527105766545,18080971132018948864,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=752 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=752 get ExecutablePath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=752 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=752 get ExecutablePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cscript.exe

cscript C:\Users\Admin\AppData\Roaming\Rm08HYX4SNP3.vbs

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\Rm08HYX4SNP3.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\glx8bNd9MwRm_temp.ps1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\Y24c5ncq7KLTaQQZ6z4Q\System\cam.4152_Admin.jpg"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {netsh wlan show profile}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {powershell Get-Clipboard}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& { function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace \"root\SecurityCenter2\" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { \"262144\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"262160\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"266240\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"266256\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"393216\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"393232\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"393488\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"397312\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"397328\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"397584\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } default { $defstatus = \"Unknown\"; $rtstatus = \"Unknown\" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct }"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\glx8bNd9MwRm_temp.ps1""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Clipboard

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" wlan show profile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\Y24c5ncq7KLTaQQZ6z4Q\System\cam.4152_Admin"

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
FR 216.58.204.68:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 68.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 api.gofile.io udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
FR 51.38.43.18:443 api.gofile.io tcp
US 8.8.8.8:53 store3.gofile.io udp
FR 31.14.70.244:443 store3.gofile.io tcp
US 8.8.8.8:53 18.43.38.51.in-addr.arpa udp
US 8.8.8.8:53 244.70.14.31.in-addr.arpa udp
US 8.8.8.8:53 hawkish.eu udp
FR 163.5.121.96:443 hawkish.eu tcp
FR 51.38.43.18:443 api.gofile.io tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
US 8.8.8.8:53 96.121.5.163.in-addr.arpa udp
FR 163.5.121.96:443 hawkish.eu tcp
US 8.8.8.8:53 store8.gofile.io udp
US 206.168.191.31:443 store8.gofile.io tcp
FR 163.5.121.96:443 hawkish.eu tcp
US 8.8.8.8:53 31.191.168.206.in-addr.arpa udp
FR 163.5.121.96:443 hawkish.eu tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\AORadar.exe

MD5 808ffe1aaa6546570b0e49d457b46217
SHA1 cc939e9354d7b8913aecd31ea243902ee2fe1e88
SHA256 db380108350e426f37d5f21aaf751668e51b6604415421766b0ab4f75d2e9ca1
SHA512 305ca100cf48ca61219576044d818d87f839958059be9165f914886f3cdf9781e29d3e85fa321a6f6000782f6cdfdae81b076f747126062c965f3f4b6ec3aa81

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\d3dcompiler_47.dll

MD5 7d585a5c5d8d304f8681545baeff62ee
SHA1 66e96c7346ec9f15d017afd1f6038dfa0dcf27df
SHA256 687cbc25e251f8a68eb29eb01db99332676e63bec1a5e3b24e829e3247b7983c
SHA512 5fcddf01712cf7b2f538a5f66c960efd2c42eac1effa3045213a3bcdf5a531aea32cc1d237382963fcc642887021365495ac3573ce54215716763320eff29286

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\ffmpeg.dll

MD5 c3842fb3087cdcdb04020ac38683c289
SHA1 329dbcd4a1c79b891b200f11eb50194b85c493bc
SHA256 e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133
SHA512 069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\libGLESv2.dll

MD5 4ec1ca17ff22661d434325435a52178a
SHA1 9d21f75ac0c95cca305533c7154b06af634f9ebe
SHA256 d3d54fe3fb34ffda322846a89051f15b0134ae8050182eb4a86844d3b884ed84
SHA512 ad80db6310d5ba1e3200f969c053fc7322d3310143d984f3808974b40f4d0e486e9d972312f0086f89b8cdbbd50c0a6b01220de9f66144dfb08e5a0328fa4555

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\LICENSES.chromium.html

MD5 68ae1f19cb59cf3996ee1312416fa954
SHA1 0d6b099feea6b71cfa9f4c967928a161632396ee
SHA256 350ca16b2323d7081e7177293b47a1f362007a3055a536f01e4e6023dba8cc0e
SHA512 15b5048d4d9c787409afe535e49d870f03816e72e2e2e88a53a6f3bbd9062494e9435496e1f7619393c8e8fe5b765bfb5639c8bc42e1695b1d505d3d9c9bd145

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\snapshot_blob.bin

MD5 c9ab741bbef53fa0e84952b8891a5f5a
SHA1 e2dcb8d034e07243537c86371de0c52bce62cee1
SHA256 4d82fe1e642fe3ca7ad1a173f806088c0652ecfe9f0f6f6e246066e15a3431d4
SHA512 177b98a3090ecfe4b4598dfcd7e8b3ca49efafba4dbd8d6c6d0def462de47c3fabfde831725622783ddc177de982de6115178d9bd9830d918bb544a5a4c27fc9

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\resources.pak

MD5 da3a469a9a4b8729653cf6231ef678ea
SHA1 225e85f48fbd27aac6ae1fbcaeaeebb2c3df19a6
SHA256 3cf3670cdc30c65bdeb925ace34d11cce36064f20458c1477634cf285d3c6ef3
SHA512 89b5c0069ac3671610e60a88f9ec909b0810b1f240115aeaa560919c5f14cbf064bb6c6912a5dfb858c3ce76df05a67e7fb6b76f9c0f6ee8115c02cfd7ce2bc7

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\vulkan-1.dll

MD5 b91586bd80e057a7f62bdc4422744812
SHA1 a1df644421ece2e740e5bf0ed98b4f269fd85c39
SHA256 8ba72d98e0f78b77bda7816cd7232809d287310d34e0f1d7472b9d5fda2c6d02
SHA512 94f0a8e3e75e4803891c0fcb257052dbe0e7399772fc7a46ab802629f76ee580ed30b3678fa6bc3744c12cf9f3103bbc8276e88f6711278748148e9fbeef2053

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\vk_swiftshader.dll

MD5 5f306bc63d7c573b5175f9301fdc6436
SHA1 2b2a4553a9405ddc40f6f1bf33033bc037898d01
SHA256 c43627c9f6e251d3ea6c3d471d89683c317fda9dd28bd1f76a3fdfb2655cf554
SHA512 9d1e7578efa57da2f384b6f1a885cd1b221e4f043c76242d11876773bf1e53cc44dc403084f4c8832db8c0a2239c276a12913b6c4c34a126d9469d0f21e05348

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\icudtl.dat

MD5 876a6020f478161db8ba6ab90e5e2f8b
SHA1 b156b96d713a396ea55bb4a1a6abaf06b824f0e8
SHA256 a31a4d6109bce87b4dbfc8af47ca62fef193bf6e90eb109de63ea378d6eedabd
SHA512 5fd1b4e47f50d79c9455b9fcea593a51aa5671ee753402ff9fe892081499d66e9ace0b5b055229014c6e1f5a2e6ed772e34453305abcf98b0f0e16a31708cc92

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\en-GB.pak

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\fi.pak

MD5 804fa3171cfae1da9772ae429fc17d3b
SHA1 6f71a8a2c4de031ae8276cf88ddc8a6dabcd96de
SHA256 37f47128ed77516578657e3e57d25af93fd543755162d232c312afbc937a63e9
SHA512 aa0ab898ead282e9fe2d9874e4095f74e833986640291c5a3e716eb6755f77d01f556dfcd4f2d985db79b7e8a9b519bdab3bfa6259ef7aa9a01883040f7d2efa

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\ja.pak

MD5 367c92711c000128d2fdce2b996004a4
SHA1 7a273ecd3ceaa67aaa942043953f264f6f2000d8
SHA256 dcc8449e031c67109ca508df6c3461ccf8b64ed075d8476400c99ec5b12bbfa6
SHA512 cf0592b74f53a37f1887597ad2729a722ebd491c9f91175fb15f4e7ca133dd41e45bb808e0a590d1a54f53c7303ec2309b38335eb2f80ee2c599f573aba9440b

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\pl.pak

MD5 644c0ace25d6e532b56510a736c6bc2c
SHA1 1bd0fec952107b493da04c46423da634ff3e1504
SHA256 2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7
SHA512 9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\mr.pak

MD5 f22c99fe6a838e333e8ee06a4d01296b
SHA1 c3542ea8dd45a2b387dd02fa5687948f135e10f2
SHA256 b03a3042f907aed13253ae8083d08f5fad59ff438d024b097276856e72526911
SHA512 882022c2cb985d85f96d52c9bcfeeb089d6ff30e66187ccf424ef622092b9d359a51bdef1fb6ac3b9d3409aa79d37ca737ba7f3ed8b9cdaabfe04d90a7c8bc15

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\ml.pak

MD5 04b2540c25990a5e0a9b227dcce6ae0d
SHA1 4f8ccd154f54dfb083d4d1a3ed0994842c8ab13e
SHA256 556165b8b54c6e21bc66d12b3f5be393136714467c427f7114f314d18ad3c661
SHA512 4cab47e42e8f5d4a83851871f97f3e1360c993ba530dbb4b4b736350779784bd83189e1195d3480ce87298bb8f9b7f249fefa7764d850e5b0002895609626785

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\lv.pak

MD5 264c6e20b3088ceb4dae5773cef0cb55
SHA1 fb6ff83ff14df008092bc3ee73bda7491e8e090e
SHA256 a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda
SHA512 01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\ko.pak

MD5 d6e2c18c9eabba59b50d147d942125ea
SHA1 0918879203c2050b4f9f449f5616e430897ba0b9
SHA256 f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76
SHA512 f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\kn.pak

MD5 5115cde84b4c674db412619b65433004
SHA1 164f33e7e2e9f685a579da492a6fc8806beb6cbf
SHA256 891e092c6895e23be986c3e6d39dcea9b6b75f1448239c13fd406680e50407a7
SHA512 090a247898cb533325d2b289a6cbd8db2a755ef0abab49d82f333e57b290c50b5996b81f15d8adc30160b216eebed3a1476aec1627195e52189557c1d48b0216

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\ru.pak

MD5 75457b95d2bb03891232dae7db886387
SHA1 e5a7569df7f91533703626d167ecc8cddbd27205
SHA256 e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6
SHA512 9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\hi.pak

MD5 590e9e73df9cbd83cd87b9c03848fec9
SHA1 da125e60a5a2c51a2d6219d3f81688bd22237b59
SHA256 089b9dd31090a987515809a68d26f6eeb64cd9283934e3dcc48b151eec7d3ad9
SHA512 fd0e5d0f2063e12b711275f390428b88f98ffaf6043cdb14b13674ac1e4aa9f70ae820ae960132d7155daf9b1308238775c4702694ab53068cdc709c50f9186a

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\gu.pak

MD5 63a7fdc4eadf8ef1c35c72468a0ce33f
SHA1 e8d064f0e9c8a6a8c6ccb036711e292d011d9466
SHA256 e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c
SHA512 0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\el.pak

MD5 38440b98bfdf5ed496da0f49d59534c0
SHA1 1498d9207ecaf4923a47271e24c68a817041c82e
SHA256 b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f
SHA512 95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\ta.pak

MD5 31dada843d0b4f9a66b184cb6d7b8b92
SHA1 0320b31981043c6e4c17470bf2ff4c7488553511
SHA256 457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b
SHA512 c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\uk.pak

MD5 d791b1ecf2931b2fb0c31aac170c7cdc
SHA1 02be115a9ff94fe5250651b6de4323eafc44fce1
SHA256 ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22
SHA512 3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\te.pak

MD5 793a87d41cde6e6d1bb086284f69733b
SHA1 d887e3842b664f55b7308427aa6f5bf0b352d879
SHA256 5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255
SHA512 7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 16a12bdc986207390dd79d658a6b2263
SHA1 b4b41f62cbc1e1ede786c6e30e11df8e61750bad
SHA256 50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac
SHA512 d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 c20c205c6f8d70a5e1351a4041a3ec9f
SHA1 e1b2a763dd6c42439656e4e55aba0f3610ff3784
SHA256 bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc
SHA512 dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 f6574fe7d39b00e3d5eb692f2c5231d8
SHA1 6a475da49192ea5d3e20a4fbc08ddcb8a8cadfba
SHA256 ed86146cc4315b7de5f5d7432f2a7aa6190cae165fa2b9482e54672eb0a64ee2
SHA512 76d75bd457446e63f19fb7a5053ef5ad081105ba5f55d3ce81ae7616627700014ab2cac77ac5401ec6cfc634c5d95811d98dbac9a99c6966021dc8d78366b241

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\swiftshader\libEGL.dll

MD5 19dc9ee70e7765bb63a66b6826e8ecb7
SHA1 1a12f983f8b35cc2955d30657971f113c47dc164
SHA256 83d5719abee35e051d984510e1d5d9317a109031698814742b59bdbbe7d4e30f
SHA512 1fda2bcc4b2e70987ca6011ab2534007ae4f752016d29a588aaae839bb25c35e03773f220b6a8e926cf2643997e7d4c0f28743304269b2c55642ce12934def68

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\resources\app.asar

MD5 eafcf49954b9be5bee76a471d41d2a96
SHA1 1dde300e364142e8d49ef5b58ce1019390dcd0b6
SHA256 ec9499abc3bc389754901f5b728c98833583e0eca3fe2c0b16a5d5cc449a1677
SHA512 5bf4956838f4593008ed82f75dbc4267d4f1177a9dc50f809116365fbc4c914e4199ff14f7ac2bedc216683de8db5568596db629937e8fa016613b38cfce7d0e

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nsbB084.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

MD5 22d6d926de56b804efa594d36b00d5af
SHA1 6ff1fd00281fda173d1175821a0d50974f0f617d
SHA256 ea655f44dd758a33003e187d61614c201ee6d5faf777785535fe12cd2859cd03
SHA512 4dcec920bc1609d0f967b00c5f92aeb25ee38f74197fd2b857ae1316928fcce65cd4eff877219642da12be8894059e0fe30ef33783a287ceb41e35a045e5bfc8

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\ffmpeg.dll

MD5 e1e1fc9d9b9f7fd86c955c2b204492df
SHA1 15e9a395f807d783f2bcc6fcc903136047fd188a
SHA256 d906cc18cd7b4b1293d22fff1f882ce878a76ef13408bcce775229c18e5a4bbb
SHA512 1bb4f0dc287f75b01c1a0e26732970ab3f0f92abb27f642618d3f9031ce8e033f6f3e8bc58f76bd4901a6dd2e06b263c72e620f1e4cd189d2042b82b9fe005d5

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\ffmpeg.dll

MD5 5310ad0fa8e8bee90fcd856742a28abb
SHA1 9c2d07c3f86ea28cdb90270693be87a4816c08af
SHA256 9276c2cd836a9b91d0a15ffe94bdfa3225303920b5bed168a903be7e02719abf
SHA512 2bfe4b6b290cddbabf40641c097d22967db10a855fe29e0d2626243364c9bc39b09f85c4bfd6db5ee4b875492d5121bd71d5065dee6f3ed522d2a516a0aa66a7

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\icudtl.dat

MD5 b48b5bd071f1993c21fa5793b8174cab
SHA1 38ad9d761f07dd213e5a8678a9f37233d34b680f
SHA256 8b679731af3ba70d072e181f866e53debc220d4548e6a08d0130288c59d09f00
SHA512 1fdd36a4dade71b2039b45532775a8d0d1977d23e961d4bc39e0f9b2da7b3bb1853b985d9287dde87c282bb63867eb5593bbcbec20416e88b9fc3112aaed20ae

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\resources\app.asar

MD5 9a45e135fa5715cc88526c036e0f2345
SHA1 528030ed1c62906c2073c1ef8aa9ef4e2d21479d
SHA256 3129bc1cd398f248f8668041d45910c97501c3b94c6d653f8f62c6d765c00770
SHA512 00ca5e653f0ecc3f9a3bb4e2b8b5bf2889f245bb3b8a0c4037744b9255773055bb8d12abcd684e2e138ed900102f84f9fb11d38cf8f20348d8ed6b0211bf4f83

C:\Users\Admin\AppData\Local\Temp\d37aea17-c521-4b0e-9715-0dee2899afa6.tmp.node

MD5 dad81e19750b3fb7d810744e23fdfcf6
SHA1 bee87639a6c8f1069423a10386a4ff7522e375da
SHA256 ecd08e31d771f6f7319665ce4b686ce56fd5c6ab0e7c1d88ce7283084fd1c2a8
SHA512 83b8255683b624835820f30c7057a068acd3d95cbf6795fe255beaa9f299f98c509f8d6a496ccaae85830201806b7e0a06c64c6ed1bb0b6c70c895febdc8aaed

C:\Users\Admin\AppData\Local\Temp\08d56186-0e7b-43e4-8ae1-7ddcf8fa60c6.tmp.node

MD5 04f8c613602f7c7a77fe359c00ca587b
SHA1 dae11d6533b74289481a924fe3e3b3bff83154fc
SHA256 a093bb6e8410879dd9b420f9fdf1492ef75267e3e1df8e33585b05f97c0b7588
SHA512 4a780291dd7f84988b78e4ff348203a41b280050f7423007e9e9b122ffa666e2a1c9903fbad9ab9d85336db9c19bf0952f9abf1e64f10df893d1ee0bc422bea6

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\resources.pak

MD5 141bc756e5d12b845598ea1d88df11bc
SHA1 25cd040d102f9944bafceae397eb583be0dff406
SHA256 492b4738b865746edee4ee41cadc71c5e830fd5c1aa67ae467c9e5399cc42b6d
SHA512 56ef550b1d3e78b26c20ed5e953a994c9191c030078b9e362edaa7dff8d13d90f5b52e7d5106b62bb7a321a5a52d46bf2847be8c32e03f63bc36ea05bcc21c9d

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\locales\en-US.pak

MD5 6147c4e3628d94532110eaf5621f3264
SHA1 f3cb41ad64ed8bd40fe18dab73a4e4f2377961d9
SHA256 dc811c6161282292c42588699a1227cae762aec0002fb5da3d6f6ca4dc7db21e
SHA512 c6b1027258247a5f154e33c7bfe26143853860093e9c358b2e3ca73bf02a38226e7c4f448afbe2323cd9d95b154133f529df69771c6ee92994c9019f50dabe2e

memory/4288-578-0x00007FFB9B320000-0x00007FFB9B321000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

MD5 85f7309ca94743ab0f7c57b8ae50dc96
SHA1 9f2c87ed8a6814082473ccba6233a8febae25c22
SHA256 acdfe18b8da472111193a9f4f5e541e90bcd504f274fb3f294c3e71e460a9d43
SHA512 f619a9e173dc9a17d8a37fed8cf7db40933ece53f4919aeb58a9015370ebeabfb9b7b131a7c426a3e4d50dabc3a29ffd063881d0e356dbb237c065f25ad87ff1

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\chrome_200_percent.pak

MD5 701a2189087c2fa39952960d7e19420e
SHA1 093cddbff5933e51f969b5cfd139e726f53eb34a
SHA256 862fd8a78c3c58e4eed9adda5c0f589991ed9fa3c50cc92dcd93cfa6842bd417
SHA512 344c5390c03e24a4a515bd3d559c81732b80f8d410a5c18a2131e8f350bf9948939c455a12b8c680426f9f4690a8b203d9368e392c24dd7e3edb9a895edd0c2a

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\ffmpeg.dll

MD5 c3e58bfee2ff13f46e33e1e8d19dd70d
SHA1 9d1e83469474a866686950943a5c07ebf50387da
SHA256 b467a59bb7991cdff06a850188201e263f1a3c7933fe7119408595f855ec64d6
SHA512 58bb5d8f19d7995a99737eae6f35d83eff69ead32697a909359f64a528fdedd6e75d3088cec7af68907f8f12dfc7bd20c67bca57548459b67176864ce9877773

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

MD5 1391882631522c16462dbe0a224aa43e
SHA1 dbe8b65ee466b73bec7d3beeaaa1a3b12c528e71
SHA256 6fe1f3f8bf8b26521ff6519b901fd534269904e934b33ba0e722efa01b58fcc1
SHA512 c2506b56d0ee00350798d77183bac025e33b8f8b23b611d8786a163e020bcbdd1dca01de877890e39853074be6dc6406f2a5e2a8cd29bd8cfb138c328af260d2

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\libEGL.dll

MD5 02abbb290c2d576ed658c59f774bca4b
SHA1 46cf56a49242ff7b0788c8b007f503417ff5698e
SHA256 d2375751713771ee5f1e00e58c2ad915dfa6f147796e9e5c0c58fb7a8dad022c
SHA512 c2f8ec815da8a0200559abecb42cf563c434ec6009b87927dcc73444d1aff77c750ac3bee414122df1e972f7abea4bca3d75a8f27c3f5be7d3ea7efff7fb308e

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\libegl.dll

MD5 30ed1f8bfde2884f05b251c3ef5cea8f
SHA1 6e79bb5a52bc5609c6a29e48ccd5fa50d4fe95ad
SHA256 b4ff61ff1b1d3c27de59e9b3a62d9020520c86a8f651fbc265cbbdd601514a79
SHA512 cffa68dd8178a9740e7bb415c514fe1d74ad8125b521a615b4e6e90708f02deeacd6c996eb89e4f366bad869ecdb039ab2a1241673e6eb4a6f53d7a2f2beade2

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\ffmpeg.dll

MD5 c0ecb7a3d9fe0ffe512e1d7bde0467ac
SHA1 d858ad3f50fb176745331f947b962a5091c75523
SHA256 e0e8f6ba2b8effde77f110772ce49c1d063b2770e21379829812b4db9b20d800
SHA512 7e034cad536a5578f4a16940e23199a7ad396e9d2c3a100907a0a1fa4b36e722eae143d645d230d1aa19efabefa3369664a311adeb6dcb39f8d1d5e338bb3b3a

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

MD5 310a5dfbb378e8ee86b306c66c1a8763
SHA1 c031175dda97f48dca2acebe679d1e46ad1c3874
SHA256 98db4a877aeecca5f85f5068f8e5243ad29605a29257d37670d1aaa83f06ca2f
SHA512 28aa1be0b02ca7a650409284e37cae178af09aab977d57effccbf7ff7497d3d91a3dd91168c0f6fa0f690878dead0dcb6781ff9ad1cda07348ce757d0eaed787

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\libGLESv2.dll

MD5 3724c7d0ebeb71c19deeb1103dc45a71
SHA1 3bab961dccddd8fde750df64fe7af3f9ffcd779b
SHA256 83b407712ceeea0b0d70b5287901486dfeae3cc41b38eadd57bd11e789be3b47
SHA512 a32097ef18b4bf0ec4a394c1fd7a80d6e3f0012e6d82403ad80c35b0a72562d1bc368f124c8b030cc172e0b91b33853c864ff428ce0f80f3009769b4d934d9c2

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\libglesv2.dll

MD5 44080d31b03fdbe00047f1fc6b5822f0
SHA1 9417334de40a331d57a7ceeeb91ca11ac5097c1e
SHA256 0f5dabed7d8e0c12167712161099b46a804f25c6eae18fa75363327ab2703372
SHA512 811f5e22ab976d8714b0df9e5c4fdb0c79cf2bcb23db350fb2d4037f8ec7edceb3fd9509e607ec5c5f0beb9177370d6c622d621acaa90e72e3eecfb8e204687b

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\d3dcompiler_47.dll

MD5 e92ec838274a86f7a874d30014eb17f1
SHA1 ecb38d26716157b4677f69a218b1740a53a64dac
SHA256 168cd9d4cc2d7a6ab8b03fd18ba0a94ed5a6027ae44cfc28d3e7d66324492b88
SHA512 14a8ac00de52be9630069f6f49c5d021593d2b4b41ea2e476b06c64e1da522289e534a28ce212375168371804e5bf9e85f0d982af5b37c73c0ee94d48af96074

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\D3DCompiler_47.dll

MD5 ecf2524b614221ad9eae0593691a58f2
SHA1 f469a5b107aa2d4295d14f2fb14e43fca58cb856
SHA256 0183e643c47e4fde9814a85be8ce87fd2d89dfefa98064ace9dcb8c8723ab6d8
SHA512 3999d04364ea1910b5dd595fdc93bea912e95958a359985ff8515de061d583f1b7458220f0d06e11635371606b6984c763f956e306e0bfd6e9800f404d0c5c70

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kwofocd5.1iu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3424-604-0x000001426AA50000-0x000001426AA72000-memory.dmp

memory/3424-612-0x000001426AA80000-0x000001426AA90000-memory.dmp

memory/3424-611-0x000001426AA80000-0x000001426AA90000-memory.dmp

memory/3424-610-0x000001426AA80000-0x000001426AA90000-memory.dmp

memory/3424-609-0x00007FFB7AE40000-0x00007FFB7B901000-memory.dmp

memory/3424-616-0x00007FFB7AE40000-0x00007FFB7B901000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

memory/3300-631-0x000002E1D57C0000-0x000002E1D57D0000-memory.dmp

memory/3300-630-0x000002E1D57C0000-0x000002E1D57D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

memory/3300-629-0x00007FFB7AEF0000-0x00007FFB7B9B1000-memory.dmp

memory/3300-634-0x00007FFB7AEF0000-0x00007FFB7B9B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Rm08HYX4SNP3.vbs

MD5 bee4b835076d15b9486e145637c2a63b
SHA1 a419c29bbb768b6c75c9dbc6e4696dd369b22f4b
SHA256 aa18473a2407198dfcf922f7128694b1f45a83e5b5d3b8ae16857f863664fcd9
SHA512 f245a75722049dd609112562291cf3e2e5627b96d0678383142b8756526ebe0f178068760511b116985a983a3c63201c7c4cbce5dc567911fd446fbf0ab3a6ff

memory/5248-730-0x00007FFB7AEF0000-0x00007FFB7B9B1000-memory.dmp

memory/5248-732-0x000001CDEC4D0000-0x000001CDEC4E0000-memory.dmp

memory/7544-735-0x000001D07B280000-0x000001D07B290000-memory.dmp

memory/7544-736-0x000001D07B280000-0x000001D07B290000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\USRYTEKS4N603HW7NHNO.temp

MD5 8d4690528b991eec6dd547ad5a4430ad
SHA1 73b20cc877cc1a0c414611d8f55194327a6be049
SHA256 7a8add00c05db49b2e52ad180f12584605eb2bf463acd7c0b7a790a11b69f98f
SHA512 d2e63f51e2f90dc02e7aa572970d425c5c984700378538081f18aeb343bf602d45c02040367f0fbaadafbfcb96f02d98102cb110d1dc8305049370bea36cf202

memory/7300-759-0x000001BBBD980000-0x000001BBBD990000-memory.dmp

memory/7300-757-0x000001BBBD980000-0x000001BBBD990000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 68c33cac6095460c611eb4dad3e6a15f
SHA1 0601a84b3f87655650b6f9cd40b42bc2f4a49dc5
SHA256 e986d9dbd89726da8116ba8c60f883d4b390a9d58da8f86626682fe5ed56835e
SHA512 a8c90886518b3c7a1c9e82be0e203eb93d54e239ef9b6366557f47b9bc1d392804e0e949aa1d07e670ec3f04e106686583c7c1393030116628fe964ef6cf7e3b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 dfb984f3f39553405a50186ddc6f20e0
SHA1 475c6b6f08a9dc5e81d183b8a1f1a374c77f0582
SHA256 faea2adea6c880fe9382b597ef55b65fd44c26a33165deb242157705caa20c6b
SHA512 1de5be745def7e0248408f4bd799f4ed36b769ffa5d845dc462490add485f2f7c8c3c9b5e2961134e581e10435de7632ea5f4d216c92312433c57d41979138f2

memory/5248-731-0x000001CDEC4D0000-0x000001CDEC4E0000-memory.dmp

memory/7544-769-0x00007FFB7AEF0000-0x00007FFB7B9B1000-memory.dmp

memory/5016-799-0x000001C77B650000-0x000001C77B660000-memory.dmp

memory/6080-800-0x00007FFB7AEF0000-0x00007FFB7B9B1000-memory.dmp

memory/7300-798-0x00007FFB7AEF0000-0x00007FFB7B9B1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

memory/6080-801-0x00000246FA950000-0x00000246FA960000-memory.dmp

memory/6080-802-0x00000246FA950000-0x00000246FA960000-memory.dmp

memory/7544-803-0x000001D07B280000-0x000001D07B290000-memory.dmp

memory/5016-804-0x00007FFB7AEF0000-0x00007FFB7B9B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\glx8bNd9MwRm_temp.ps1

MD5 4b72fffb815642f038606ea826e120d6
SHA1 9d9cb954bebff6b7cad85645b7e594ecef4b62dd
SHA256 fc98e3f031a1911474874e29e8a04ad814301687a3efcbd5ed2b10805613b617
SHA512 2f15f36484db095b6f82072e6df5b0b9d507759a8c1df048cda62c7ba8a72f9c64baaceb724ab28d02a02aeca49d06090f56563fd308339d226dd52c6728284b

memory/5248-806-0x000001CDEC4D0000-0x000001CDEC4E0000-memory.dmp

memory/7300-808-0x000001BBBD980000-0x000001BBBD990000-memory.dmp

memory/5016-807-0x000001C77B650000-0x000001C77B660000-memory.dmp

memory/6724-809-0x00007FFB7AEF0000-0x00007FFB7B9B1000-memory.dmp

memory/6724-821-0x000002506FBB0000-0x000002506FBC0000-memory.dmp

memory/6724-820-0x000002506FBB0000-0x000002506FBC0000-memory.dmp

memory/6724-824-0x000002506FBB0000-0x000002506FBC0000-memory.dmp

memory/5248-825-0x00007FFB7AEF0000-0x00007FFB7B9B1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e5ea61f668ad9fe64ff27dec34fe6d2f
SHA1 5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b
SHA256 8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466
SHA512 cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

memory/6080-828-0x00007FFB7AEF0000-0x00007FFB7B9B1000-memory.dmp

memory/7544-833-0x00007FFB7AEF0000-0x00007FFB7B9B1000-memory.dmp

memory/5016-841-0x00007FFB7AEF0000-0x00007FFB7B9B1000-memory.dmp

memory/7300-842-0x00007FFB7AEF0000-0x00007FFB7B9B1000-memory.dmp

memory/5284-843-0x00007FFB7AEF0000-0x00007FFB7B9B1000-memory.dmp

memory/6724-834-0x00007FFB7AEF0000-0x00007FFB7B9B1000-memory.dmp

memory/5284-844-0x000001FFB7040000-0x000001FFB7050000-memory.dmp

memory/5284-845-0x000001FFB7040000-0x000001FFB7050000-memory.dmp

memory/5284-856-0x000001FFB7040000-0x000001FFB7050000-memory.dmp

memory/5284-858-0x00007FFB7AEF0000-0x00007FFB7B9B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bni6tbij.default-release\places.sqlite_tmp

MD5 3c829b57805b644c67e87c73aa3e8fe9
SHA1 f8b58f34e8cfd8364af195787f4d2d79e82172ec
SHA256 6631d06790d9153e5bed5e540f54bb704243e918e123bf3dc13eb0db42672576
SHA512 e556e7cc8f51d51b792e102cdbfdf5ccca282ac85eac30613b00896d9be5f3124a7001f7e54511d7f80563c4c443c644ec70c7540cc8bc513e8ce3b38190031d

C:\Users\Admin\AppData\Local\Temp\Y24c5ncq7KLTaQQZ6z4Q\System\PEKSRROU - 2023-12-13_214202.png

MD5 3a488a4c646a433f91122965bd6788a6
SHA1 157a6a525778aa2a8e802ea2bbc07b72f7a0d3e5
SHA256 890aadbd33fc9ae1d20af8fc281e8e40c350387befcc451fc5c8ac8eac89d097
SHA512 28e9d9611f140d73f309587b037c9d31b9e44552d61e73e574e5ea944efdac2add940b4111a19eacc5e4adc3ed10c89b1ab0b3f636db80e11c19844dcd8e2d7a

Analysis: behavioral3

Detonation Overview

Submitted

2023-12-13 21:40

Reported

2023-12-13 21:43

Platform

win11-20231128-en

Max time kernel

132s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AORadar.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AORadar.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: 33 N/A C:\Windows\System32\Conhost.exe N/A
Token: 34 N/A C:\Windows\System32\Conhost.exe N/A
Token: 35 N/A C:\Windows\System32\Conhost.exe N/A
Token: 36 N/A C:\Windows\System32\Conhost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: 33 N/A C:\Windows\System32\Conhost.exe N/A
Token: 34 N/A C:\Windows\System32\Conhost.exe N/A
Token: 35 N/A C:\Windows\System32\Conhost.exe N/A
Token: 36 N/A C:\Windows\System32\Conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3840 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3840 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 4700 wrote to memory of 4808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4700 wrote to memory of 4808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe
PID 3008 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 740 wrote to memory of 4296 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 740 wrote to memory of 4296 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 3008 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 3432 wrote to memory of 3016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3432 wrote to memory of 3016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3008 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe
PID 3008 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AORadar.exe

"C:\Users\Admin\AppData\Local\Temp\AORadar.exe"

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

"C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1688,7504246443935922160,3478039839079271670,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

"C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1908 --field-trial-handle=1688,7504246443935922160,3478039839079271670,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=3840 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3840 get ExecutablePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3840 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=3840 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cscript.exe

cscript C:\Users\Admin\AppData\Roaming\3N0yLzaIwpOE.vbs

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\3N0yLzaIwpOE.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\K8XaWDSLEnE7IH5PqDBA\System\cam.3008_Admin.jpg"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\ssXEN5weGJ8x_temp.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {netsh wlan show profile}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {powershell Get-Clipboard}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& { function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace \"root\SecurityCenter2\" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { \"262144\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"262160\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"266240\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"266256\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"393216\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"393232\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"393488\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"397312\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"397328\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"397584\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } default { $defstatus = \"Unknown\"; $rtstatus = \"Unknown\" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct }"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\ssXEN5weGJ8x_temp.ps1""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Clipboard

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" wlan show profile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\K8XaWDSLEnE7IH5PqDBA\System\cam.3008_Admin"

Network

Country Destination Domain Proto
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FR 216.58.204.68:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.4.4:443 dns.google tcp
FR 51.178.66.33:443 api.gofile.io tcp
FR 31.14.70.246:443 store5.gofile.io tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 51.178.66.33:443 api.gofile.io tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 31.14.70.243:443 store1.gofile.io tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

MD5 808ffe1aaa6546570b0e49d457b46217
SHA1 cc939e9354d7b8913aecd31ea243902ee2fe1e88
SHA256 db380108350e426f37d5f21aaf751668e51b6604415421766b0ab4f75d2e9ca1
SHA512 305ca100cf48ca61219576044d818d87f839958059be9165f914886f3cdf9781e29d3e85fa321a6f6000782f6cdfdae81b076f747126062c965f3f4b6ec3aa81

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\ffmpeg.dll

MD5 4954b00b09d28c55c31c7cb1bf58fae1
SHA1 c52922f3bc072b76107a2c9e6f4ddfe4f9fd8d8a
SHA256 59a3cb41171a4eb4b5ba4de80a62042c1229474fc6d5712ed2b32c91e9bdc6d6
SHA512 2d0bc256b3fb62dcd36872fab61e39a4e1510a8dd9b4e249415e4cd8d0c28989302a779cf7977d8ef12d014521134e723ae5010898e91a304758b5d171879235

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\d3dcompiler_47.dll

MD5 6f5c48be5c1075132f76d413583c02a0
SHA1 cb4286d7924ef52350de0a04ef8d3eab55a65460
SHA256 b9fda47b0c3428ffa86b9cd941c3b8ffbf14dba879e3e72b11f91ebb2387faca
SHA512 3bd0c0f2079c1b933c456b3ab0e6e955e9e2df3d94009ad6971ba2739f24ada76087e8b215b03237d0506a5ba6650261d93879bb233c1134c1a486a74b94728c

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\icudtl.dat

MD5 6d9ce0856cc0a6073a2830ac3eab8034
SHA1 235876d2dd59df847c7d26f0941be5ececc8c193
SHA256 bf1489915f3bd63da437458c97a024affba3db419a55015177474c63701ff7b6
SHA512 38e662efb45a10dfe6ba3ce4eca693f7485d34d4623ca32ad676f7cc317146ab531710297367382d3af798931e5c28361b088ab1dd17b7f885737a1c32e5cd89

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\LICENSES.chromium.html

MD5 0bd3ad36a8ab3ab257cf68edca6bd8c7
SHA1 2c1e210a520d01164009d841aa0168f9a4e6ee09
SHA256 ea58d1cb4dc67eadad23b5b40c2461de0849b976a5ba41f4527ac2954abed412
SHA512 ee13a65263df1a8e3a660d9a01eaf72f5739c3db6ddf274d6d7e14a1ade4aa38fcd8fc7de7b088a1746ee97b5e0eaf84381fa07da7cd53d3584412d5f5388d37

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\libGLESv2.dll

MD5 b6a433dc7b4030fb17bd1683a9606b6e
SHA1 0602c50532e3f13facc67bd95a048c470e88afcc
SHA256 f7ae57a1d7d3e284714ca354f5292aa9b75086489cbfba8b1f54548445b6b3e9
SHA512 b9ba2e20ec878e3acae93d8254e69374e391fd4a3d5c1833282c43896d123baa874f1088839f3bbcf05539eda0e2aeaef28d7742ab8e20ec788382501e2152b1

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\snapshot_blob.bin

MD5 c9ab741bbef53fa0e84952b8891a5f5a
SHA1 e2dcb8d034e07243537c86371de0c52bce62cee1
SHA256 4d82fe1e642fe3ca7ad1a173f806088c0652ecfe9f0f6f6e246066e15a3431d4
SHA512 177b98a3090ecfe4b4598dfcd7e8b3ca49efafba4dbd8d6c6d0def462de47c3fabfde831725622783ddc177de982de6115178d9bd9830d918bb544a5a4c27fc9

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\resources.pak

MD5 bdfa339e708ea0f23ed3620adc4a2d64
SHA1 82a95b7b022836b6e888f53e69386570c05a1af2
SHA256 b66ae9eda4543685974d35d051d967538bc57d55c2577629007c534ff330e1e4
SHA512 ba87c70e1b6446e0a7b62da33d72a36ff92ee54fda64343262bc26afa8166174e76d058ec6d707cdebf2611858b3b4b7e21798febec53da02febd81ade4ce8f8

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\vulkan-1.dll

MD5 b91586bd80e057a7f62bdc4422744812
SHA1 a1df644421ece2e740e5bf0ed98b4f269fd85c39
SHA256 8ba72d98e0f78b77bda7816cd7232809d287310d34e0f1d7472b9d5fda2c6d02
SHA512 94f0a8e3e75e4803891c0fcb257052dbe0e7399772fc7a46ab802629f76ee580ed30b3678fa6bc3744c12cf9f3103bbc8276e88f6711278748148e9fbeef2053

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\el.pak

MD5 38440b98bfdf5ed496da0f49d59534c0
SHA1 1498d9207ecaf4923a47271e24c68a817041c82e
SHA256 b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f
SHA512 95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\vk_swiftshader.dll

MD5 de2d91476e625278c30a5f69a1892e05
SHA1 4d707f6a801611fb437f5c1cba31b0909bf41506
SHA256 02c7f0b926c64f5a19a9aacd5f94ee00be4d576486592e18acc80c0a027b05ba
SHA512 d027407539346e5aedd527f5f71de45bace6295e96a7fbefbf273c930d64a791e488e4bdf6ef8db61fc19c80cac52a6e398c2973499c6fedb1e422c3ba71f532

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\kn.pak

MD5 5115cde84b4c674db412619b65433004
SHA1 164f33e7e2e9f685a579da492a6fc8806beb6cbf
SHA256 891e092c6895e23be986c3e6d39dcea9b6b75f1448239c13fd406680e50407a7
SHA512 090a247898cb533325d2b289a6cbd8db2a755ef0abab49d82f333e57b290c50b5996b81f15d8adc30160b216eebed3a1476aec1627195e52189557c1d48b0216

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\ml.pak

MD5 04b2540c25990a5e0a9b227dcce6ae0d
SHA1 4f8ccd154f54dfb083d4d1a3ed0994842c8ab13e
SHA256 556165b8b54c6e21bc66d12b3f5be393136714467c427f7114f314d18ad3c661
SHA512 4cab47e42e8f5d4a83851871f97f3e1360c993ba530dbb4b4b736350779784bd83189e1195d3480ce87298bb8f9b7f249fefa7764d850e5b0002895609626785

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\lv.pak

MD5 264c6e20b3088ceb4dae5773cef0cb55
SHA1 fb6ff83ff14df008092bc3ee73bda7491e8e090e
SHA256 a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda
SHA512 01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\ko.pak

MD5 d6e2c18c9eabba59b50d147d942125ea
SHA1 0918879203c2050b4f9f449f5616e430897ba0b9
SHA256 f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76
SHA512 f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\ja.pak

MD5 833e8c4aa70351b6be7bd403e4e9a0a7
SHA1 46ccdbdea35deec8ef13a5fc833776875fad187b
SHA256 74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0
SHA512 e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\hi.pak

MD5 590e9e73df9cbd83cd87b9c03848fec9
SHA1 da125e60a5a2c51a2d6219d3f81688bd22237b59
SHA256 089b9dd31090a987515809a68d26f6eeb64cd9283934e3dcc48b151eec7d3ad9
SHA512 fd0e5d0f2063e12b711275f390428b88f98ffaf6043cdb14b13674ac1e4aa9f70ae820ae960132d7155daf9b1308238775c4702694ab53068cdc709c50f9186a

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\gu.pak

MD5 63a7fdc4eadf8ef1c35c72468a0ce33f
SHA1 e8d064f0e9c8a6a8c6ccb036711e292d011d9466
SHA256 e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c
SHA512 0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\ro.pak

MD5 24b01a438a3ab9699d4ca97c081b5e82
SHA1 0d0b082544d23425a74199fb0a6c11192f0bdf7d
SHA256 38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca
SHA512 43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\pl.pak

MD5 644c0ace25d6e532b56510a736c6bc2c
SHA1 1bd0fec952107b493da04c46423da634ff3e1504
SHA256 2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7
SHA512 9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\mr.pak

MD5 f22c99fe6a838e333e8ee06a4d01296b
SHA1 c3542ea8dd45a2b387dd02fa5687948f135e10f2
SHA256 b03a3042f907aed13253ae8083d08f5fad59ff438d024b097276856e72526911
SHA512 882022c2cb985d85f96d52c9bcfeeb089d6ff30e66187ccf424ef622092b9d359a51bdef1fb6ac3b9d3409aa79d37ca737ba7f3ed8b9cdaabfe04d90a7c8bc15

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\ru.pak

MD5 75457b95d2bb03891232dae7db886387
SHA1 e5a7569df7f91533703626d167ecc8cddbd27205
SHA256 e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6
SHA512 9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\ta.pak

MD5 31dada843d0b4f9a66b184cb6d7b8b92
SHA1 0320b31981043c6e4c17470bf2ff4c7488553511
SHA256 457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b
SHA512 c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\uk.pak

MD5 d791b1ecf2931b2fb0c31aac170c7cdc
SHA1 02be115a9ff94fe5250651b6de4323eafc44fce1
SHA256 ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22
SHA512 3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\locales\te.pak

MD5 793a87d41cde6e6d1bb086284f69733b
SHA1 d887e3842b664f55b7308427aa6f5bf0b352d879
SHA256 5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255
SHA512 7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 c0b36d56d83e601bf246f7709a8c5f9d
SHA1 b025a6070f7d61c7d1827856d2d4043834fd23f2
SHA256 45bb5e1f8dd87129ac0a75c78f8f29d06e3ac182a00fc5199b692068f1e05a53
SHA512 e429ae63bd8a7d5a936a638783511693e8fbbc91d97779b3d4dd3f0880f1c8a820106bfb57cf7ee6b3639f19165de87bbe127aadd81218689fc6c8fada2106d1

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\swiftshader\libEGL.dll

MD5 19dc9ee70e7765bb63a66b6826e8ecb7
SHA1 1a12f983f8b35cc2955d30657971f113c47dc164
SHA256 83d5719abee35e051d984510e1d5d9317a109031698814742b59bdbbe7d4e30f
SHA512 1fda2bcc4b2e70987ca6011ab2534007ae4f752016d29a588aaae839bb25c35e03773f220b6a8e926cf2643997e7d4c0f28743304269b2c55642ce12934def68

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 16a12bdc986207390dd79d658a6b2263
SHA1 b4b41f62cbc1e1ede786c6e30e11df8e61750bad
SHA256 50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac
SHA512 d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 c20c205c6f8d70a5e1351a4041a3ec9f
SHA1 e1b2a763dd6c42439656e4e55aba0f3610ff3784
SHA256 bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc
SHA512 dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1

C:\Users\Admin\AppData\Local\Temp\nsz9F3E.tmp\7z-out\resources\app.asar

MD5 d278346d71edec19d703e8af1a6fba41
SHA1 6ff4c01cec51f125d7b2bfb24552621e464eb2cf
SHA256 5cdad7b25c002feda2a5cf36d1f57984047122150e1f7fd5e27365c0011f5552
SHA512 210b0cca6e15bcbf88e8a8ae2d8772c2c8f3f492225a21e53622f9c0740f7c9df1b051fbfef6c30c769ef77a2f33560f6f383582cbece4a442004fac2ca57ddb

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\ffmpeg.dll

MD5 c3842fb3087cdcdb04020ac38683c289
SHA1 329dbcd4a1c79b891b200f11eb50194b85c493bc
SHA256 e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133
SHA512 069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

MD5 4776256e11bcbff1376d09a2700fdd80
SHA1 c5cd7279ad14130834fac1e3908b8041756dd2cc
SHA256 758af4546008d94705c41b39a5443a215fe6852f4f64977778ee1dcdfecee7a7
SHA512 fead3ac9b44d6b404147015872a671f19d9b8e4b58315e6b5c5462e0523b0cee9ee871069c9530661a09faed368c9db36ae532f060516902b406cf7c280c160e

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\icudtl.dat

MD5 599c39d9adb88686c4585b15fb745c0e
SHA1 2215eb6299aa18e87db21f686b08695a5199f4e2
SHA256 c5f82843420fa9d144e006b48d59ba7ef95f7e6cb1ea95b27fcdd2c97f850859
SHA512 16194186a8407b29f799d4b02f5674e4fbd5d91163fad9f8dce6ceedd865b754a681aa960d0f3f1b62cb21d5443879f1b8e9b691c19c5802d5bdfe4ed645b8bc

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\resources\app.asar

MD5 b223dfa0d777e57404a0aa3056da0b2d
SHA1 f34fa0c9ff0bede5f0275ddec97f1395fd699e00
SHA256 fe9ee628ee3d29004b85716b155c178ce578cc65270464241fb7c433126836af
SHA512 ce697487d15dfd3221827bb7581c0f851c8697c31e0c8fc62fde5714d5f8384a2da41f57b8fa9f38b2ce1217d8b15ef06557877a934273837f111f1252032032

C:\Users\Admin\AppData\Local\Temp\218a17ec-7a93-476b-90d2-45da0ea55706.tmp.node

MD5 3072b68e3c226aff39e6782d025f25a8
SHA1 cf559196d74fa490ac8ce192db222c9f5c5a006a
SHA256 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
SHA512 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

C:\Users\Admin\AppData\Local\Temp\4d9559b9-c347-42f0-ac6e-9677b009c31d.tmp.node

MD5 7e57aea46c573cfd9a87015ef7da1572
SHA1 fedc16eebd6a66908f1b1e5bb7a36eed52fbbcda
SHA256 9c992791636c649eaa777fd769d40715fed2f015e0f5a7a340097218a52487ec
SHA512 5119601feb7bbb036a0d0ff32a330fb078a0de29794296a217adccdbeae7067ef557d5e3fa539b99ccdc4a39f73880c8287112823c9b6f4ce223b796a16afe31

memory/2080-578-0x00007FFB77280000-0x00007FFB77281000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

MD5 ec98fabbfbb7292bc2a62b414cb0b3c9
SHA1 00ce50d3b7e65bae0f2415c0c83195a5d1ad600e
SHA256 c3bdc57562dc1297a76f2bdbef2491cbfb8ae4bb2d704015649f73c17206fc1e
SHA512 57120bfa83554220c630e5bb485b65ff2a87abf54a21e935ff7cd2b4a2465c9e37679fe6e4879ce5038c7b9fd3040d3fd2104e192c28680060fd4fc8e2b52cf9

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

MD5 0dbae1611a891a06d86b540a13316940
SHA1 8100388a0958918fb5badeb569b0bb72c1911e7f
SHA256 83885f9b95280bbc52405c882c80655d33ad1d679fd4507affbb619cdd2c48cd
SHA512 838c10c4e84ac7b663e6a92648dd200666c1b2cb174cf7a1d10af84c03b04e836dbcbc39f9107a3267ae77bf16ed1bce4d655c09c5ad0509029812868fca6e2f

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\d3dcompiler_47.dll

MD5 7641e39b7da4077084d2afe7c31032e0
SHA1 2256644f69435ff2fee76deb04d918083960d1eb
SHA256 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47
SHA512 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

C:\Users\Admin\AppData\Local\Temp\2ZVMRNo7TjicBJm6BgELO9JBjg7\AORadar.exe

MD5 d5b1cc78794d140f8a80f55553012f31
SHA1 a273e6539253531c0b6c5ecf8139b1f0cae66ab2
SHA256 ef2639a4f094b2531a04eb7b1fa43ca1e1fb5a4bab5b2e2329ce7ffec059e181
SHA512 9eb089929568dad6388242da7b73ff5ba7cbc9ea3611c2a744bec547aaeda3aa644b77d236e7d71936a5722de483cdadc3453ae70bff49df54e3cb67b44767b8

memory/2532-601-0x000002BDE8AC0000-0x000002BDE8AE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x5wjk2yf.odh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2532-610-0x00007FFB551F0000-0x00007FFB55CB2000-memory.dmp

memory/2532-611-0x000002BDE8AF0000-0x000002BDE8B00000-memory.dmp

memory/2532-613-0x000002BDE8AF0000-0x000002BDE8B00000-memory.dmp

memory/2532-612-0x000002BDE8AF0000-0x000002BDE8B00000-memory.dmp

memory/2532-617-0x00007FFB551F0000-0x00007FFB55CB2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 88dc70c361a22feac57b031dd9c1f02f
SHA1 a9b4732260c2a323750022a73480f229ce25d46d
SHA256 43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59
SHA512 19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

memory/4764-621-0x0000026320C00000-0x0000026320C10000-memory.dmp

memory/4764-620-0x00007FFB551F0000-0x00007FFB55CB2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

memory/4764-633-0x00007FFB551F0000-0x00007FFB55CB2000-memory.dmp

C:\Users\Admin\AppData\Roaming\3N0yLzaIwpOE.vbs

MD5 bee4b835076d15b9486e145637c2a63b
SHA1 a419c29bbb768b6c75c9dbc6e4696dd369b22f4b
SHA256 aa18473a2407198dfcf922f7128694b1f45a83e5b5d3b8ae16857f863664fcd9
SHA512 f245a75722049dd609112562291cf3e2e5627b96d0678383142b8756526ebe0f178068760511b116985a983a3c63201c7c4cbce5dc567911fd446fbf0ab3a6ff

memory/7356-706-0x00007FFB551F0000-0x00007FFB55CB2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6304TV3F0NDOAQKCS1GC.temp

MD5 00f0e45c084b0609d22fbd48dcb52507
SHA1 bbe923b06668ca14152aa7b2505a600f71750e8e
SHA256 5d57410bdff195ee507afe5e30be0fdd92fbaf0e2bc144c05a3ebf6579649aac
SHA512 c9d7bed3a644d07bda29a15e942aa1360d144a0e3a9da085944596b31accba360791acfbb659338f08685fe6bfc347ff74ae002f7b9d332bc977f48b8647b59c

memory/8164-720-0x0000024A6B530000-0x0000024A6B540000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 af0f961dee58bd6f46824500f172a9cc
SHA1 640d13b20156e502709ce05e14ebb74fa4830fe7
SHA256 dd2991e7481a2fff05b3eef60e9836e575754de7b2430a772e9657f9ea6df3e5
SHA512 e0e278fdbdac1b374282707ba9c12f0ca30ad955036c2314916c3b0535435ee85ba504e11c5319b6ce9b515f528357610efbf3f1bbeaf3537b8f93bee1ad5933

memory/8164-721-0x0000024A6B530000-0x0000024A6B540000-memory.dmp

memory/6484-722-0x000002069D2C0000-0x000002069D2D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 cf8e98c83fb2d5f093b08937c6f0fe48
SHA1 8a926b779263de03c39daae490166db967974709
SHA256 24287b4d3e5be9f83a7025130a82eebaf7da3e1c65a1ed22e70cac8396b7df88
SHA512 d088d6fb9a1d6db56bc6776f76b2e85a3b279fa9f7a7cf06eb21ae5b3ff6f6f9df5058cfa9f1830210f4f7cf12667f895fd6ed78450d317bdcbddeff77c6b846

memory/6484-723-0x000002069D2C0000-0x000002069D2D0000-memory.dmp

memory/7356-707-0x0000024CE9320000-0x0000024CE9330000-memory.dmp

memory/8148-732-0x00007FFB551F0000-0x00007FFB55CB2000-memory.dmp

memory/7356-741-0x0000024CE9320000-0x0000024CE9330000-memory.dmp

memory/8164-758-0x00007FFB551F0000-0x00007FFB55CB2000-memory.dmp

memory/6484-767-0x00007FFB551F0000-0x00007FFB55CB2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

memory/8124-769-0x00007FFB551F0000-0x00007FFB55CB2000-memory.dmp

memory/8124-770-0x0000022B72410000-0x0000022B72420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ssXEN5weGJ8x_temp.ps1

MD5 b070d2e1ac0f80296485fce6e47b00f7
SHA1 7b07d72c2ba3fee74108eac27b228119b0cae887
SHA256 fb7ce2f9b5342ece9d023dbbbf10d3039c2a049ce62c0f331ecd7d09ad62ab57
SHA512 99625f67f2bfb750aa5b141c84227b926109d0c57db397ee9db41310a7bf0ef093bd50ab4cd44e40f3c337c40c5a0cebb22501a1946fb0bc295288b61478c220

memory/6484-772-0x000002069D2C0000-0x000002069D2D0000-memory.dmp

memory/7356-773-0x0000024CE9320000-0x0000024CE9330000-memory.dmp

memory/8164-774-0x0000024A6B530000-0x0000024A6B540000-memory.dmp

memory/8148-775-0x0000020337EB0000-0x0000020337EC0000-memory.dmp

memory/8124-776-0x0000022B72410000-0x0000022B72420000-memory.dmp

memory/3864-778-0x00007FFB551F0000-0x00007FFB55CB2000-memory.dmp

memory/3864-779-0x000001E717D40000-0x000001E717D50000-memory.dmp

memory/3864-788-0x000001E717D40000-0x000001E717D50000-memory.dmp

memory/7356-791-0x00007FFB551F0000-0x00007FFB55CB2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6e5843696d70df783161968b9f9e1759
SHA1 6e7ab4a749b553ff66e8914563ca9f98cabe3ecd
SHA256 51f80b81fae4ad9aa2b195b561274799f4bab0b9c12b0b86748044f12bbab719
SHA512 5b44b40619c0467fc41009a5ca7638ae3ab948757c4707b8439c7485635d9cfb120406d76e330b0993f17f63739a7d8d40e3ae71574a89428501ab63a44e9093

memory/8164-794-0x00007FFB551F0000-0x00007FFB55CB2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9b5655b797c26ffc04f79597d8d56eba
SHA1 8b6d6e58ab350bf1c526ed324e523f4f0cf808f0
SHA256 5893e9041f26e97ce9864f245da1211ae2570503facf24a5bb21ee7b858c9548
SHA512 89549717ce4b618fc68df01066d0cc1d3198a94e616fa84e563e5cbcd2f9aae4dff4599d5b8e013ab5e8da798c669dd41751d25f988f729bf8bc8ed0fd9645ae

memory/3864-801-0x00007FFB551F0000-0x00007FFB55CB2000-memory.dmp

memory/6484-804-0x00007FFB551F0000-0x00007FFB55CB2000-memory.dmp

memory/8148-800-0x00007FFB551F0000-0x00007FFB55CB2000-memory.dmp

memory/8124-808-0x00007FFB551F0000-0x00007FFB55CB2000-memory.dmp

memory/5524-809-0x00007FFB551F0000-0x00007FFB55CB2000-memory.dmp

memory/5524-810-0x000001F39C180000-0x000001F39C190000-memory.dmp

memory/5524-819-0x000001F39C180000-0x000001F39C190000-memory.dmp

memory/5524-822-0x00007FFB551F0000-0x00007FFB55CB2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\places.sqlite_tmp

MD5 4febee6548bce08b65442296ccd88852
SHA1 6fcd082c33ebae78f3a6073b229e02f77e8034ec
SHA256 8960679f614d4069096053c84ba69957fc83a37ec1ffa445588c40385c226393
SHA512 304a95c2e206baacdc3bfe0c4d5408d7010402b930d4a46edbd26019102fc6a63c204ea5203d7b9c9df906ce34723434ccb4005a4cafae83788f3f9f83182314

C:\Users\Admin\AppData\Local\Temp\K8XaWDSLEnE7IH5PqDBA\System\MUXPROJA - 2023-12-13_214214.png

MD5 73ce5b578831af7c7c211eab3f81493b
SHA1 e1774e21d50e20c4c41e2721acc9ad2606264a35
SHA256 193fcc2ece1a1813b189423decfe0d3748d1de4f5b3ace1bd50217847ef37f8d
SHA512 7bdc0baafe0fe46f2592d411ab1fb3ce28e11edfed80efa5e03a6e0dbd09850e5b480e04b299c2767db232cc8102719cfc3303afe2af9ac58c59a0f811e1e35c