Malware Analysis Report

2025-01-19 06:04

Sample ID 231215-q4hrhschbr
Target stardust.exe
SHA256 d09022f77c93920dd730a3ae17aba701207f4cd33d422d2e75d8ee4bef5843e1
Tags
irata infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d09022f77c93920dd730a3ae17aba701207f4cd33d422d2e75d8ee4bef5843e1

Threat Level: Known bad

The file stardust.exe was found to be: Known bad.

Malicious Activity Summary

irata infostealer rat trojan

Irata payload

Irata

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Enumerates processes with tasklist

Runs net.exe

Views/modifies file attributes

Creates scheduled task(s)

Collects information from the system

Detects videocard installed

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-15 13:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-15 13:48

Reported

2023-12-15 13:54

Platform

win10v2004-20231215-en

Max time kernel

16s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stardust.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\stardust.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1776 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 1776 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 2000 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe
PID 776 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 776 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\stardust.exe

"C:\Users\Admin\AppData\Local\Temp\stardust.exe"

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe

"C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1696,17453964746846601434,985114850544599404,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe

"C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1940 --field-trial-handle=1696,17453964746846601434,985114850544599404,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1776 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=1776 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\net.exe

net session

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1776 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=1776 get ExecutablePath

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupYW4npe /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\stardust.exe\" /F /rl highest

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupYW4npe /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\stardust.exe /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\stardust.exe\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\stardust.exe\"""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\stardust.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\npalEbgGXsMk.vbs"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cscript.exe

cscript C:\Users\Admin\AppData\Roaming\npalEbgGXsMk.vbs

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\schtasks.exe

schtasks /create /sc onlogon /tn WindowsDriverSetupYW4npe /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\stardust.exe\" /F /rl highest

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupYW4npe /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\stardust.exe\" /F /rl highest"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupYW4npe /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\stardust.exe /f"

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 4.200.250.142.in-addr.arpa udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\d3dcompiler_47.dll

MD5 342f9991af20e4d98fd66c9603fc68f6
SHA1 0da25101f69430e1c398d54444e11930fc2b2042
SHA256 ee352b6205c432e013139c57fb975de03a14f55283bd7d324c494ba1599caf03
SHA512 10587a2783c62addb049916cf96487432d1d58d09027dd90b374e97d7b9d3039d2407b7fc0dd665bfd8d6b40edbed334548c44f3560319c4678b4667dce2eafe

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\icudtl.dat

MD5 3eb1d2e98e2f5d83b4efae9c2ccd1aa7
SHA1 1a180068ed26cf91b6af8e0d343419c02ccb8458
SHA256 9bbfd0d233be47c0620764fd1e40655ba87bb6a8b7659ea69047a74cdb9c8db0
SHA512 a1d35321324f2f8f3712bc614a992aee0240e087ef5ed21bf51661be9ebfa0b3ed3d8a411409f5b7204c8633c426072b9edb7f73f6fa7081dccb4b541ade0fe4

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\ffmpeg.dll

MD5 c3842fb3087cdcdb04020ac38683c289
SHA1 329dbcd4a1c79b891b200f11eb50194b85c493bc
SHA256 e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133
SHA512 069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\libGLESv2.dll

MD5 fe597e2f3144a4ce03ff73eae9419c66
SHA1 d972e6e7590f629816733ef9fc7a4652a5758aad
SHA256 46861d6aa771365d6b0294597a3cec306d3a5a87e32e4edf3ed7c203751c689f
SHA512 f8a36a302f475bc253722cdfecf76ca2973601e46cd2bf12740fca58bb08fa1bee6d7a09c210cdd3d28c40f0eae5a886f06feb00bc6b7c3d80f0d47fa039af74

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\resources.pak

MD5 44792054dca0eb596f0db1e13e3987b7
SHA1 f33054b794c9496dc16ca667516072ed69064fb8
SHA256 b48fc03a4893e36d29240309bd8b49c031246496eaa211e12ceeb6ca6e9dbde1
SHA512 20baea0788c9b6e68ccac8e3075c3adc4e3de3c2ee8b962541a6eb4477a120452b217c109ec4f682d68fce1cf00c0fe572866faca2de5288d3f9803e3e7108d1

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\snapshot_blob.bin

MD5 c9ab741bbef53fa0e84952b8891a5f5a
SHA1 e2dcb8d034e07243537c86371de0c52bce62cee1
SHA256 4d82fe1e642fe3ca7ad1a173f806088c0652ecfe9f0f6f6e246066e15a3431d4
SHA512 177b98a3090ecfe4b4598dfcd7e8b3ca49efafba4dbd8d6c6d0def462de47c3fabfde831725622783ddc177de982de6115178d9bd9830d918bb544a5a4c27fc9

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\LICENSES.chromium.html

MD5 8348e2149baac6372502ea45b78be0cb
SHA1 6dfd19c2ba837086abc100b57ed401161104f786
SHA256 d4f213af1f6f96d5ff3abb12bff5a3933bbca079ade185678fa04a88deb0ca38
SHA512 bc27d1f410d8bacaddd22bc0795627848fd79128544596ea5c9c602cbbc841943bd18b06da116a012c182a111026eee69368d4e551810d5e8de4081428823710

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\stardust.exe

MD5 bb99443741d3063a58c38ff432c86ef4
SHA1 98da0656960614c59cbec898d01bece3cd204d9e
SHA256 bcd8185940ea5f54c8950aed64fb9a5a1f254b4c866cb8870136923de61b42be
SHA512 8234dfef014ebcda7c6555c0e38be35f23922de2b87617fff348582423e66633abb7c62b57bddfa630ffadb10cac5a37912a4cb85f447ab0aef355357d0c3944

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\v8_context_snapshot.bin

MD5 8c236cb34fc32fe8c517960b87498fcb
SHA1 9ad3764558629084c057ef03ba3d0829f8cc6c6c
SHA256 fb60a661674defbc94ab8a171a1cf815e08afd96295ffea83297270171dc70aa
SHA512 6e4518a55e8c3ef6396c931bff4f03ce3494faf9ed552db13941fdd57f0a475656cb87d5049d2f79f8b3d21b4a44ecf735e06c3ace9ebbd601d7ef8ff530ddcf

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\vulkan-1.dll

MD5 bfa0a26d85f459d0ab59530f80f3521f
SHA1 1bee28a662a2d61d1721039a4e85c284f13829c6
SHA256 243d1e78c582e69f5d4dea7006d25377941c9b40d817e6355e00a2c6ca5de2d0
SHA512 fc4c9b3f1628092f62cd45bcccce9ce81be56e750c4922d9e265db4fd5fe5b54f89d5ec280c66847483a8c12983fea529775415a660bf8ba2b11947a9bca1baa

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\vk_swiftshader.dll

MD5 455ce58e580e0522c5e9a7ee4dcce779
SHA1 7af1d249fbee3b928885c3559ba321130eab80e3
SHA256 dc1b128b9a71e960c7d975f9d0999bbd8eacf10fb0817205df66735e6984e101
SHA512 af942c8ded5a49d5053c1588850e35edee5bbca267d115941aa7f22b5bc74ec118b31a4e28d8c478c3a2fc069d68e8c9b4ebda6626735eef5c3151141e1e143b

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\el.pak

MD5 38440b98bfdf5ed496da0f49d59534c0
SHA1 1498d9207ecaf4923a47271e24c68a817041c82e
SHA256 b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f
SHA512 95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\gu.pak

MD5 63a7fdc4eadf8ef1c35c72468a0ce33f
SHA1 e8d064f0e9c8a6a8c6ccb036711e292d011d9466
SHA256 e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c
SHA512 0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\hi.pak

MD5 802740560621d65734615e52e53361ca
SHA1 8d5d271129dbcb1a57f2d9e63f559a63b84195b1
SHA256 5d0c881090d305283269f466066bedf207ca54fdefef91842c6d12d5f5f6bc4f
SHA512 5b9675f6183ee6fbfa44787e730924db09677be2c75840a3c49042757143c29125eef8bd86637c04c9f4c25f2b39db4f31429c671829730d52fa86fb380e6703

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\ko.pak

MD5 5dc88085fc7e71356ece4b9278613139
SHA1 b7c9c09b48f81bc6c476f94c32a5f018c2fff35f
SHA256 5f103ad0fb19e7f029d5b6cb7f09fc143370019dc72d4e59c729514b93757a02
SHA512 4ddefd14f30ce73da5ef5937418b8529b3cf0603c07c8dd532496061a7302c2e6e07bfd6a9f0be3b323faad5d1ef820b93f960e1d35a4daafe24f77bbab4ca79

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\kn.pak

MD5 0b0f44913e43cc4319222466045b6450
SHA1 811b33bc848c3c3210761a533f5c03791fc6dc38
SHA256 cb505979dc51980674c044fe847339d6bf75a847f76f2b923c021643e7362544
SHA512 06fed91fa90f48d8aa7a0008f0eb62d7d1c1e0544a14bad996c4c7fb2469f1b4b70a14deead8c6f3c3936a8da414a480461cb007ba442a8d99811f0c9038a72a

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\ja.pak

MD5 833e8c4aa70351b6be7bd403e4e9a0a7
SHA1 46ccdbdea35deec8ef13a5fc833776875fad187b
SHA256 74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0
SHA512 e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\mr.pak

MD5 4ee34ac7a9929d4ebf40886505687177
SHA1 cdbd3cb1d56dc4a81a7a7cb884417ca71ed90ba2
SHA256 06a344036fcd416dfd89151f77a5a3a345d5eecf8d7093d23cc52c1348b4abd6
SHA512 58379a2e6f20c07992c5e5ed2fe90518b56bb40ee46ed03c5e1f0791ff834745b7a4f0a3364ac50d41dcaa6b4b47263436b40a1c8bfd0641d1c9cabcc7050b4c

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\ml.pak

MD5 05a7042a5029f0fd2f2d6f12190fda3e
SHA1 470de6a1e373f1e4162823028bb65281460943a0
SHA256 0ee38692cccdef25aa8f29ac287474599cd086e77bcce12998158e5ceb424877
SHA512 1f7b5fbc45756698578972c565ec8f2ab626283fefa7d47337fe107f92a6f7c1a2dba0c6e6f13aa271f8acd51aa14749974ec154bed307d9e6fe3311e767e19f

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\lv.pak

MD5 13c730f5ab99fc5c88f25bda678358a4
SHA1 0d13d8e2920ed90a46eba5c20618beed8f2ed31a
SHA256 68d9c4074feb16bd489b6a1c70e30d5ce6df8576bbc1225519add81e558958d2
SHA512 bac0f3ba05ed412c5a37a7e17303ad4dca7d4ca46a37118e950d3c7241bc9f73bce79a57bdeb697c5ed004d4841bc00c57f44ad75bcb2248660b1ce545229e1c

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\ms.pak

MD5 1f30efcf8bad74fd98d565c9fe4c53c2
SHA1 0f1d7d6be18a4e33193313ff444865a2b7025156
SHA256 d247b9fc2be77f5f783b6839e0ed77b4276024e4cf92afb143ec5e40d278042d
SHA512 2a729219d560c2c6f26472693a821b24e845c21e05ff32722e34710b0c4f81e26877b57e1126473c661b83ea22a3ab0dcd417e8e777fdb2c67b9a46aebec1d60

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\pl.pak

MD5 91903fd795fd8e3ee26987253c353f9b
SHA1 03ecd7b325bd54e563fcbcf5a90126d08eefee4a
SHA256 ceb2ba2562869715ed0aaa84d8c59a20ffadeafb1e9b875de88609dfb015f68b
SHA512 fa0e0650fd7af33563634425be59630821223633efa98deb78fd20aa7c121c2d9ca6d686b92737a32a36349c1f7bdb97ce86b933f2b4d0db269706f227552b26

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\pt-BR.pak

MD5 dcd8e6d6ff87c52a39b0c035ea3cd2a3
SHA1 0633ea7e1d67d3c9e0f3b7eb5efe803e8504c015
SHA256 48aacc0d84fab9ecd6683c481e183c76529cfb1f71ed3fed943efe0e622eda33
SHA512 ea979cf49b831294d8852afdde8b64d507bd56264f8c16e5b6ff9fe4db65ffdd1d8f648fdaa53aca1d42ad45744e8951f60aa6e76e76df38ce6a81d738e0d915

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\pt-PT.pak

MD5 2afbd769f7291cbfcf25575e52ce5513
SHA1 23fdf95c73a9e3853ac115c481cd0146e73e0aab
SHA256 5f9b26c7edff8c8d18c10aee8f0e35755b9ca9ca676c76e9a5254101e0780fe0
SHA512 069b5ad5e56c2a6119aa1265588fc95f6bfed020ee6eedb274be83c487c621b3a3ed61a8cdfaa76aa154ddc21267425009d5d5dab77828afa1d781a387341225

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\ru.pak

MD5 dddf696899350bff0ef8312a78fc0ed9
SHA1 5e68e74ccdff5dc346c23ab70aa1d0317a4c1f1b
SHA256 8ce307243ef6f7122715e7fb6865a0a44e769ba726da5869aeee5b3b6bdd394f
SHA512 0feded7521229316560eea25e5f89c3c9b077dc712c7c28fbf09116846bd793b1ad7096a1dcc738609e040af571b63297e81ba8d5b9393c89c6bd1b81cbb066d

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\ro.pak

MD5 da56344f67d2744d2e21a225d2427f7c
SHA1 3a26abb2bb2a0505600a44bf63f0c3443ed8ec70
SHA256 76db6d7e270c1b8738c51ba7c2e7b8f9445e17859a06c2a3914de6bd180480b6
SHA512 c73894aaf3b17fc0d9953b5ad6ccad7c295a1c10c3102d511d67e89a52b70ecad3f16f92d5bc129780ee8838084467995cb2c93b9a55e075220736a4db7949a8

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\sl.pak

MD5 14afee3f958e6f5ebe479dc984d30fe2
SHA1 66df76c88adb9838e6497dce1d2b63e1e11d58c8
SHA256 42a50a854e14b0bd9ad11ba2e825218b12ac84c3645b7a78b75831eba85e97cb
SHA512 4336c4e8396ffcc2b11837ff76e8aab11f19a7725a24c4b6b0c4f807a4e0c0b87d77839f1e3550e7e24e122b200367010ee656c5dddc7ec4ce2e459736aa9906

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\sk.pak

MD5 e9b715b94ffa02f241e68e049352ad44
SHA1 43c279153e6e1ac312c6c5fbd5c8082bc32a7474
SHA256 7db8ab93d35ee4c496b368ee2bc9ad854a241da327307d78b085a348c1e8e468
SHA512 1bf6a776f1def828499eaff85da64c95f4f4c20fbfd4dc85c5af35247ed460d6c46cf752d41917ce06bbe6071017a5d4a37b66b74894cff8eb5bb22939ba705c

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\sv.pak

MD5 93380ec6aee9f860bbb8efca405d6781
SHA1 52b8e5d7d710934d4d86fbc4f79947a5b480f13a
SHA256 7fde1753e3ca445fae7d540e935a3c711f76cc0264cea24d5873c433d3fbe633
SHA512 f6fe48b93090162ef61d37a75c003426734629c888a59bc48eb3589ac0f923ecda8b2f0df411d7238c42e36fce5d5678948e1cd38edfd8cfce2f3f5a93b56aa2

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\sr.pak

MD5 21cb695039c0b1d947328be14c5f04ba
SHA1 0f0fa4023fb3625ba4b8f80a7e7fd37195cc4235
SHA256 1c7f966bfe3b0bfc4ab1a96cf480bd8ba2b8c9e1c84d0188516b25d749f73c87
SHA512 f8fbc82a25593bbb9235d26cfe8631efc8f5924b2692361dc7c8969d56dd4b35bf4dfc3420fa97ca0097cf69dc4fac1884537e450dada91dd09aa88298ff5c7e

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\te.pak

MD5 3250d0a3916f9ef293bea0ffc06191dc
SHA1 9922e79a37e7b43b90080784c20d23af5057d284
SHA256 6da48d726cbf6059ce28adf06db43d7fec4b834733942e3f8b120e9b1d509caf
SHA512 3958116abb56e861ee28e3dbcb29a9c69b40b67b1cbc354e6fabf6dad66b8f8163fb2a8a02d47cca697b74e5e56463d9e8755bfda8c6a5eb7d4c5fb92c9632e5

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\ta.pak

MD5 51ece1a99f21e89fa66648ee576d9a41
SHA1 dfbe16ffdf246a84913dcdc4659c7299718a1559
SHA256 0705187003e90f80d2580ef3a2945e1fb5e17ff42a42b7458026263b2fca184c
SHA512 f3d26af4bba49db13dfd9e99a1e021a75c5972f103a9a182a272600a697ca1715b8ff5b8efea9b03bbb36ce69b5f5a82bc5f13d7add37c10a5d418ade2052d64

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\sw.pak

MD5 3188e52e6f4c4d260d46cccd832669c2
SHA1 2e56c0d72eeaec43680a57130d1b17c61eeb7a2d
SHA256 2538a967f27587fa49906c0b33c1e67c9deb8970f0ef8c2616578211cc8a84ab
SHA512 d9b9cc3338177423adf5b6986f1fef6411cb48fa001e3d3a6a1ea98e9c600a0332a4af0bc4357b2aedde93d03dc68cc07ba151671de844069264d85bf7015381

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\uk.pak

MD5 0e1936791f992e079244a18bb22df740
SHA1 ed57bee76cd08d1b869ac9cd7760066c9db08cbe
SHA256 540c8376b1b395559dc540e16bee6e05e55265b870f1a8d96847ff44974e2c58
SHA512 a2e7d3a17864b973effc6b4c9562af9c5bcd4fe37f889c26225cf3f46cc521bf3e180cb262eed021d9f499924e3291b34125053021c383d1a6ce4794234e5f2f

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\tr.pak

MD5 a96cc7d8a36a604b5248c7cd455ebdd6
SHA1 7c968e38db295381275e392c85f545c974ea58fc
SHA256 fd0dc75835483ac703d84aa8f9c2338a7fb67532f80afd0eb1cde737ae124065
SHA512 767befe8c5260cab4c04d44186380b807a8a1abcd424ad19b6b3184ecbdb92e59325076ad8bd619ab6d534498a6b7a4e52b443657331755ed2edff06f73a1ea5

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\th.pak

MD5 08c28fc611528a78d604f613c82caea9
SHA1 f0b5795007a0cd6c90b8a6eeccda9b2986692ba8
SHA256 90ca04ce95e77decc294c4c23ac0c87e5d271a93598060ed06aaae13f6fdc600
SHA512 be30bb7e6fd7ba5f35aa6f8561024cf2a8222cc37e889fc8936c224230dff5ee8e341012fec6ede715e7c436175db36c4dd9f141b028850c1a91f08163748cc5

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\zh-TW.pak

MD5 ecb1030a46b6a7c8ea5994d3a73fc01b
SHA1 e798bfa4886e5ed2103e7955af469a94233dcc4c
SHA256 1aa82bf1847e1898382ffc30528cb7b27f7d624ecfd2dfc14519d303819e0a32
SHA512 b4d060b9f309b2001057c0bddbc4f502030351d9dc0a76dc65f9a15dda26fb3154c9a23fafad2f7769f659d912cd89cdef33f2eac33857897f18cb9dcb88f33e

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\zh-CN.pak

MD5 d437763922cd747becadc865c9cce6fc
SHA1 36565b4d8bcab29ee45eb5928089f04a251d153c
SHA256 425b384a7652f746f8b70dda44fe1871cb2e848dcc08b79c2be9f392aa357958
SHA512 0b8bb8ce22249615dabc9a8d60425341a5177fced304d643c0261428aeb3aba6e3afdd094136d9592933530713f9097a98ae191eb8e4ef9213bfbc89e59688c3

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\locales\vi.pak

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\resources\app.asar

MD5 af521258ddd7eb212b7a901c29c9142a
SHA1 8cd819e0e72139e57827c69eb33f7caabf4bd7a6
SHA256 8b17cdd23f5bfef456e1bf06e5fceb28e6478abe6654fff79a35d1d6a752a772
SHA512 6dc368817e875ddc5289a853460f3fc041ffce28ffb6208f2fc9aeb5a41b158d6fc73848e79e75f1b52d11f0adea73f99bb95d3803144ad1f6cd0bb56725e5d6

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 c20c205c6f8d70a5e1351a4041a3ec9f
SHA1 e1b2a763dd6c42439656e4e55aba0f3610ff3784
SHA256 bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc
SHA512 dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 16a12bdc986207390dd79d658a6b2263
SHA1 b4b41f62cbc1e1ede786c6e30e11df8e61750bad
SHA256 50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac
SHA512 d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 b5771be5e4801be1f3ad778e2f2a6dc2
SHA1 19a57eb27290a69247324bfd311eb19ede83097c
SHA256 c2a0cd89882ecab3c51de4defd7eeedbb5640af13e0d49ffa85a05ecd0837f04
SHA512 c95dc5fa0f3b1c2d4781a5f046046c1188a6163c86a5137cd54bff96da8e1fe767d43ffa7c9d9d814be6ab4a9b7f6f59e40ad855975c6953df94b0822986f8f8

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\7z-out\swiftshader\libEGL.dll

MD5 19dc9ee70e7765bb63a66b6826e8ecb7
SHA1 1a12f983f8b35cc2955d30657971f113c47dc164
SHA256 83d5719abee35e051d984510e1d5d9317a109031698814742b59bdbbe7d4e30f
SHA512 1fda2bcc4b2e70987ca6011ab2534007ae4f752016d29a588aaae839bb25c35e03773f220b6a8e926cf2643997e7d4c0f28743304269b2c55642ce12934def68

C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe

MD5 2a5f72905af7e929993ffff9066e5184
SHA1 d30c1e29e88acedd01ce02408b5dcc9c7e662c01
SHA256 86d5e9f40c22ba6c9b8625a40b5d83a067c82512e6378b15c9ccaf3cd6e1a450
SHA512 eec4f5430b854a4a8560c72e5391765c262fdba056ff1b1f6a73e61bdbb32dc6501e9407b85e0487874a0f65d8512ccefea4e2f4ddfd067b2d1279f4b1ff44f4

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\ffmpeg.dll

MD5 02d1a00041c632712ad062d9d87efae9
SHA1 aeaf263964169c87ad06dc408c6097eee5a6ae8e
SHA256 72983e4cafb3344bfd1dfcc4ac9f5ca346e3c84d0559850f29839bb9d86cdf72
SHA512 a825c6c3a2778ad40c8a395009e30cadf660ed57976a5c40433f7273f44197b46ecff42393b9a12e300b4940229661598aff2d3811d10e7d67428d2b4807cf91

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\ffmpeg.dll

MD5 622e3d6e332466cf0687f01423659b2f
SHA1 ac4e344a85ad030deb7af79371f94cacdddef1a6
SHA256 6aef33c81b2893276c99277fc330ce157d62fb78a627e840859e75bd125b1179
SHA512 c8b4503082ba3f67239e968f3dd7cb02d811378562a0dc0d8d4b11f3451ca84bf26b72b1cc2a4a477b03548fdd4fd64f38ea0992fb83f58dc8d8f2d80c272a9b

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\icudtl.dat

MD5 94ab8ccd80fc82bb715893233a661fee
SHA1 cd67c55c275b53fc86b796f2b31a4a7828a59001
SHA256 96a80bf9971630b6aedf8cab01fee2fdc20e8f256bd8c71a2d6acc136e2eb03d
SHA512 2c05c4258a6146d3763df99652ecb9923ab0f062a2a7bfc42f04dc0ad1f5599746a1342321462236b77751b265c48cb9aea8c6bdbf6a85888b302d85cc2441c0

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\resources\app.asar

MD5 cc971c5d0ad68f6b26f2df0b58220153
SHA1 e3714695b6e0242ae26c5e141b0b8e5010f9c1b6
SHA256 ce4a4c6e6387a8d967a194172afdbafc63c62bffc2c82dd16c577261d73dc1a5
SHA512 b23be72ead1c0a2bfff06120add048d106af279a8a73c01a56e468cbc807ff23fb3c5db59c77944ea1302181b284576a463232700236e67ff433eef6728ebb9c

C:\Users\Admin\AppData\Local\Temp\d883e444-d40f-4c10-8262-91ce3a46ff2f.tmp.node

MD5 15cc79774bcf7cd018829176f9dee77a
SHA1 5764c5d29c1e347808c8ef7cb474b24e7cdf9964
SHA256 1a0a8a19e992f882de28aac3aecb6097e9b018ba62be21434befec1c3a1b7ce2
SHA512 a6033392cc33a9be7d629414c4fc881bacb45e3440c73418f88ee82af43c7e8579ea5ab62efd1d0bef7add42d8530b29d43705ae07871ca74ea5b40dfa29d3db

C:\Users\Admin\AppData\Local\Temp\9bce0c4c-fecc-4f93-b038-aae6c710feec.tmp.node

MD5 9988dd396a5f5f37234b9d43adf1120a
SHA1 9bd12a98ed704cf359310c08b3006842ecb09491
SHA256 6627eac7e75bb6bc83ee46873df250763540691f38f1857e1b6a556183f5085b
SHA512 87deb5dd8590db5c0a35f0d1e90053c2694db89532ba29ac9fcacae5fed7791b1004fadd482411313eacbec8ac52785a1369e275b3767c87db2cf0fadbf3457a

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\resources.pak

MD5 617b2e6c4ef68e7e58e0e5aa8451916b
SHA1 9bfc853be9f8a6d3a1030cca6b545c3f5308ea48
SHA256 26e8bc59731a7f1bbd457467eb89cb17a9cc8f1a0f69d2466e78a78efbf622b5
SHA512 2068a60d6687b4070f966bab0cb4ed16edd4bbde5e66bd9280e1b1df0cc20850721a599976ec11ef1a151f5ed854ce4b05248967e961ed9d5f73c14af2107d9c

memory/656-578-0x00007FFD90840000-0x00007FFD90841000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\ffmpeg.dll

MD5 623f4a593aefaaa9b84d125ad9d8b79d
SHA1 89673d386b9300c78800e918b4d982e53beb2f59
SHA256 5e0d110977d90463f21c398ea4967d63455504fe8745740b4cb40cf9ee2b4186
SHA512 fa454bcafaefffa3b66ebb70ec8154e59a0d211f39de16fc78efc84195e835a90138fb57cc910ef9cb3552e41efaca8bdf03000fa877a6515f208782072646bd

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe

MD5 87e1b29925f0630f1993e2cfb60db61b
SHA1 2a93832f41733b93d27ba9b4f994c63b546aa025
SHA256 cf7ff14b869a772074082f906ddb2f68a3c6e059ed507bed5328f9ac6cdf43b7
SHA512 1cc56eda01b11f3ad3dd593df0e9fa2910de687b62df28b2371da85beaf01108573e21bd99ff1f06065745051fd7fe6cb36bad35d4e9fa783c6e7d6802cb3ee3

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\D3DCompiler_47.dll

MD5 7ec12890f7c738c5fb42213cafc5cc45
SHA1 87f8d83e898fd22c2bb9b913fb554626dabbc5f4
SHA256 100807be5318436867ad59ec8a13f42a2c807176216c1c88d52110706db69f0b
SHA512 1db414af748e7c550ac582933a547131550a379546df72561a5771767632631f2a774d0d7b2eb446c73293d0287c3af2993bdbb99598dffb274d85767bfbc780

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\libglesv2.dll

MD5 efbecdba2fc3a51f2cd7bb2420704251
SHA1 68bb0ea9fb66e0612a14cde05da512a44eef7ee7
SHA256 17fa8d0b0d64d5287683e8c37539a5a72ab85820f781a088eb0cc22697343049
SHA512 4f5da38685ff68521812a053b877e3636cba097c22d9f48779432f67d91bcba75d238370c83bfaed63b9a4dc5745e7866dfe40b5113d6af93a91b6c2e6994814

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\libEGL.dll

MD5 2bec23fa4c6ffe9063581a5da845014e
SHA1 17fddba285cdc8b07f164850419fc865c05989e8
SHA256 14621dcd10977ed40b318abed262c96fb2efe45b28264ebc249df2a9f7415a6a
SHA512 03faa093ec9de2a903591eec8fc024fe5c902b3e202f4bf56e60fa62e51ae5215107396028c60bd0ca0589fd614409d589c529de56aaa1f7448a8cd6efb4aa72

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\libegl.dll

MD5 c65bce2cda727acc8bc15d5b092b7b82
SHA1 5c2416a38c55dca544d9ace58a11fb7307b26ef8
SHA256 ed7a0da122ebf6ee4882d6fcf90e3a49eb3359ac296c16f59593e7ba2f5dc65a
SHA512 86aa28a0cba121bb50e577c72b72a330e3cdf654d0bc6dc3d9505001762b48e3c42af91ccebc5cddc1b254136ab330333e2369952860b60c40793d516e11a774

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\libGLESv2.dll

MD5 8bc4f0ce62d2893cb6fc83fc5dcc0615
SHA1 fb8d6fc7fd11cce342ad5c54485b07ccc696685d
SHA256 5bb08a9ddb6cd25ce33c7f36523b6f0e73f649f6c93c8b1af2a3ebfc28ed738f
SHA512 aef67bc4b5d924476b5a0a0e9e84b3445aac442af714e34226406a6535c28c6af53c6b3aacb0f91ac459ce1eebf8e376001fc2772aa58d691eaa0b121d89c701

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\ffmpeg.dll

MD5 957b63ef1f9e122a4890e218d1f51f27
SHA1 f1963b73824f45566cd42ea282cfb1bba14ac9ca
SHA256 1233abebab342054bd604d4e8c9029596de8d64a9e125e14f6fcd6f2cda53090
SHA512 3a1068cb04374b5fc0cde8a9ce48bb1855320a099e8bca12512e65351e605fee844476ed8b1deae87ff267a466cbd7c09ec4d19dd6bf11ff98fc7d5de9f18b1e

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe

MD5 c2c962b73ff735c6a81afa1843d272cf
SHA1 534b45f5f24f463b52da066fad9d035869516dbe
SHA256 090ce08294683e6625da3f90ba3632bc0372bcbcc50434159e94d2ed3d6b71dc
SHA512 373949d4c8a6dd9dd0f5588bab36b6e48f926574a4f7fea87f5186f3b57b98b11c084a962d5b1784c46294e797b60a804685d18a79230197037fa4247b5f701d

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\d3dcompiler_47.dll

MD5 70959a0ddcd3c65d5ddc80f1a96866ae
SHA1 dcb7ff75e5d2f33230f649e0a2d300a538a65e1f
SHA256 46964d13e0deab07cbb2c4abc778a85b437bdb040570be712f894dceab0b8837
SHA512 98b43015dfcab45cd3c4dbffbbf47585822b0eea01827ad8c5606c2665bcec26e04fe2d89a01dd9b26de043e84c01192b4a3757899c448a7320f59f3d2a0f8a6

C:\Users\Admin\AppData\Local\Temp\2ZK9FjHPdf8nttfHb8Qum4t8ORf\stardust.exe

MD5 2a57d1f278416f424ac6f1ff68cc346c
SHA1 756e80ca874a2eed5ce4caf6267e44eb0c431e54
SHA256 c11b01a35c02d22c6524f150ec12a0790d093e9000027f8afc0a5294f6c3d2d4
SHA512 76acbc4e6cd218f695718591834ee055fc353d2d9bc02eca9359cdd246e22597f49af428995ed5ac5be3bd209ef8a49bbcf90ef0d039366de7c02aee574169ee

memory/4668-610-0x000001CE6CA40000-0x000001CE6CA62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3mp4q51s.vvx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4668-611-0x00007FFD71510000-0x00007FFD71FD1000-memory.dmp

memory/4668-616-0x000001CE6CA70000-0x000001CE6CA80000-memory.dmp

memory/4668-613-0x000001CE6CA70000-0x000001CE6CA80000-memory.dmp

memory/4668-612-0x000001CE6CA70000-0x000001CE6CA80000-memory.dmp

memory/4668-617-0x00007FFD71510000-0x00007FFD71FD1000-memory.dmp

memory/4764-630-0x00000168375E0000-0x00000168375F0000-memory.dmp

memory/4764-631-0x00000168375E0000-0x00000168375F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a11402783a8686e08f8fa987dd07bca
SHA1 580df3865059f4e2d8be10644590317336d146ce
SHA256 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA512 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

memory/4764-629-0x00007FFD71510000-0x00007FFD71FD1000-memory.dmp

memory/4764-634-0x00007FFD71510000-0x00007FFD71FD1000-memory.dmp

memory/2992-652-0x000001CB96FC0000-0x000001CB96FD0000-memory.dmp

memory/2992-651-0x000001CB96FC0000-0x000001CB96FD0000-memory.dmp

memory/2992-655-0x00007FFD715C0000-0x00007FFD72081000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\stardust.exe

MD5 6959d773e117ad1b89cd84a5c730d202
SHA1 4a08c6278fdc1ee6ba2e1eb591859a196855395d
SHA256 b38e91a7253f72c2b77f96c6a65d2cdf863ebfb733ef36ad67413d43450452b2
SHA512 19c3f111d3b99e6eec92e4c9bffc993fe20fe94cf9953af25063b3bbe67a54d4715e0415084877e54381db5474b5a9dd64e97f001ecdb22bff07d3b7809670f5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

memory/2992-649-0x00007FFD715C0000-0x00007FFD72081000-memory.dmp

C:\Users\Admin\AppData\Roaming\npalEbgGXsMk.vbs

MD5 3b84c0310975cd10a5cad5073dd3b477
SHA1 f0cc9c2a0027caffe87ccea39d10fe7f4692ad2a
SHA256 221ffca9d2496556ceec4cc9e304dde30cc0e09f088f5de6012f08c90438fd23
SHA512 4c288323b298c508a756cb350d50408aa422169575eabebafc3da47b232653e23c197dd9b9e31eaed00a3783ab31b23746408e117d0b84cabee569256b648135