Malware Analysis Report

2025-01-19 06:03

Sample ID 231215-tgem5aefhn
Target GalaxySwapperV2.exe
SHA256 a72688354ecfc860ceaee7dca987319e58be9b0ac7b81d53d2471db6094bff74
Tags
irata infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a72688354ecfc860ceaee7dca987319e58be9b0ac7b81d53d2471db6094bff74

Threat Level: Known bad

The file GalaxySwapperV2.exe was found to be: Known bad.

Malicious Activity Summary

irata infostealer persistence rat trojan

Irata payload

Irata

Executes dropped EXE

Drops startup file

Loads dropped DLL

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Detects videocard installed

Enumerates processes with tasklist

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Collects information from the system

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-15 16:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-15 16:01

Reported

2023-12-15 16:05

Platform

win7-20231020-en

Max time kernel

14s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GalaxySwapperV2.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GalaxySwapperV2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GalaxySwapperV2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GalaxySwapperV2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GalaxySwapperV2.exe

"C:\Users\Admin\AppData\Local\Temp\GalaxySwapperV2.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

"C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=988 --field-trial-handle=1184,15036547872047101239,8592842826105193707,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=2488 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2488 get ExecutablePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\net.exe

net session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

"C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1700 --field-trial-handle=1184,15036547872047101239,8592842826105193707,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

"C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1568 --field-trial-handle=1184,15036547872047101239,8592842826105193707,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp

Files

\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

memory/2036-139-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2036-140-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\chrome_100_percent.pak

MD5 2748589b3be27c8e3330a9e7f303f092
SHA1 28e28613c1f600cdcf2735079ec53275d84f48a8
SHA256 c276721ebcebacdcecf2d42066abea5fc6ccd682af543d8ab0250e6b244b749c
SHA512 1f0b2f83b314f49422a8de992857b9fbc0e8145034c2cc6946e2eaacf5477fe0715e69e35d9d5d20845812df9243a94939b7a5acb66533601cad0a5abd122127

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\d3dcompiler_47.dll

MD5 c4705ef98416c6cb20399d55fd6325d2
SHA1 75b250d0647cb934136c41036927258d23202642
SHA256 f5343a82eb458be9200d1c5f40d6b7cd88d8100803859cefbd7e3eb4cd325c77
SHA512 ffb3d27318dfb2aa1aa9b52b1f1a8071f50cdd1155f79b72e6603048458aa38e4c28ab5858eeeaf4d9b80b9d68d7925dbe6c89e9d54ab05a68c64abfebb62903

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\chrome_200_percent.pak

MD5 f0320e2e1792a504108a9287ac1794a1
SHA1 700a99d9b1dcbedc00d3685e8a75d81a229682a1
SHA256 30a0d8cdd601d490343c9fb1711c6ea624bc291d20b45e81185b289240bad4ec
SHA512 4ef0e70a9fd7cfff89e7c5ba591fcdd5a268ff00165eec5b72b5cb29aaa297f35ecccbbbae092bff8b4d59ac89124b0e5d549dd2f1c2903e755543adb6f17efe

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\ffmpeg.dll

MD5 ebbefb383264aa0d94cb82d9a2f81b34
SHA1 25dd5ddf9509703f65049c0da35c401edcc49385
SHA256 66e488102b00ae34fe3282b394377c21bb0cd104218ba9ad4da8c7156c693a96
SHA512 2d7dc99674c83618651567ac033e64e3fc1e4ebf889b9109b02b9d7758ff3c0006e09157452dc5bcda4d0f89e53e3f371e801cee1dbe00e8f32b2d8089ada5c4

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\GalaxySwapperV2.exe

MD5 378ead6fd7aeb677a6e391d0804a5916
SHA1 64fc819f730258939d12929c7d2649bca0a6b447
SHA256 8c4019fae60d91db1cbdafb99d9cc45f2892c4a3be1d04d493c6dd042a00fc54
SHA512 0de9a378cc880989b3430ca431adbf7e19fee0bc3046ccb20b049c631260bce4d8d3c35c8830c5dbeb87eafad95925f8aaa8df2a153dc13a90cd24f07139c7fa

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\icudtl.dat

MD5 7bf3d5a81c40d256829da0012440ef5b
SHA1 569475be01ba36e4d31d4929cada17e67f5b8153
SHA256 796ece9039f81a3f653986c042723587ab811b703f1eed29eff9e26d1eb90cdc
SHA512 c01845d533f74b31889fcd2a54d3dbe3cda6e9b0a9862529c1edd8f73694df62717bf33def1e90c84efc95fe3851f941434e7de92deca961e0cf2c03135605d5

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\libEGL.dll

MD5 1374fc5495e217d114d8712a480aee96
SHA1 527f76b5d69f12fb6b1d518d9bc7af3cd759c472
SHA256 861823ad183a49bf38d4579b395a749d2b9aa53a3e30e73de9c0212d7d5e82f9
SHA512 5d9d6380a961e1204db9fc7bdcf68f4dbf7fa7b916d7797596f1627937fa7af8d7c457afa006f2667bdd012a80e0fbc68a211d20a383ab109557e6e696f6b8de

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\libGLESv2.dll

MD5 10ccf686a0137e9a0e3cbb28ba335bfa
SHA1 71c160c46bc7c6306c1f7f1c4dd3ac6854243a02
SHA256 4856d1738e896a3949e0e69dc8d48350dfbe3ab110914a63a7f448e9d746aadd
SHA512 3929786d2fc19ba48eec524f079044b8e61854f4ca36fe1d52d9809788c71424e15b912811de9891516e730d8bcef20d3827d11827217c5789953573ec4891e3

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\snapshot_blob.bin

MD5 01575f1aa4fee7a604c36e8990398bed
SHA1 b3d3a3effd361a5fbdb8b37dee16f12a559762e2
SHA256 a542a8371744278b9c71ed9fb44d72a93691c529cf7ff3c2859c0d07246c4c53
SHA512 525fb6d03a840212209999efcbb6da1772bff532d1b346a7b19d20af68e047c62a2bd907b643a0ff5d2a3ba77ceb04d1930c86f61e6aa42ad611c9d544e1f00b

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\resources.pak

MD5 400c7d8fc3cebcbefd994e76169bb940
SHA1 6e6f0b87617ec0dbde11d98fd71821ba8f918d1d
SHA256 5d32a269a6ec5954f433b1b9fdd1cad6277dd23c7166496b15271cb1a336cee7
SHA512 db9a10415bfe6f1c1ed2ea8ed7fac92afafa765f4860d4344e62021a6e3604e1a0334f1cb8da7b7e7157a3a45a451167b9d81a8af42fd913d9501ab1d1560c4c

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\LICENSES.chromium.html

MD5 3d07bb0471e3b127f628a28ff39d14ab
SHA1 067423c318207103d300d7836ed8e336f08bc426
SHA256 0132bedf87cc4f76707d59c81c8941162607c491a1e0895adba5815b57b3241d
SHA512 92ddcf016d7286b54071b422495d223adc89cd6bfcc0e6cc14accbb7ab4f249e6c8d0047bb786cf8c5f60dffc9e3e434a26c536634b9aa9779891af0516b6ff8

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\v8_context_snapshot.bin

MD5 3ad9adbb368db249257ec09662469c5f
SHA1 64bb6250a39e2e40ffd6ae9e76684b140673480a
SHA256 17ebf81554b85cf480f8ed6f4fcf35f908584feb82b79186011840e2bac4aa20
SHA512 b432c1a92eb9e758e68a7d331bfc6e1188be852902f2163fffd074b8bd4a68020af3a1180f5953567782d12c99d675e86eddb6147514e4b953fadbec80687e10

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\vk_swiftshader.dll

MD5 c5cb49cc1babfd83d4315629dc6bc997
SHA1 17baf421c7c540afed9dec1e7b672c17e3580105
SHA256 7533b395b1ca0082ff68132e3d25ad619a39bc787367a9cde3fc09dcbe09f0e5
SHA512 5ab9001c71da76b414a6a8dc2b60e630efb73da235446fff919866b246d63e56161b8c8f4fbeecae0dcf5a021bf142a49a1f9894620bde4798176a25d6d1611e

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\vulkan-1.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\ca.pak

MD5 bc871cd21fc39c2f4fb90fe65dfea412
SHA1 466774e9fda46e711d20b554957aba291ed0059c
SHA256 8c9cdb3a3a0c4ad7493b70e1bd37f521de5ed858375e69e44aa6390eaa5a64ed
SHA512 27c1030fa26579a4c28f7f6f5f0037febb0dddcb219ba3f9c36ea03ad89b93a5c89f5bd81a06a15b32a55ed7cda44e2cebd32ec3818cb99296dc88f7df4dfbf8

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\bg.pak

MD5 9b40bef13bd329f4b4010a2c4e3c96f2
SHA1 1b25f33b83621abe22c4c76ea6ba9c5e64e15f13
SHA256 87343bdfa0a6c6e2733afc4ce558bd2be682d181d03879a593a2250f2f079298
SHA512 40755debc914b551c2a33f4f1b512d70d1fca61800365c621ad4be1dd553e55fea56a9ae58c0d4cfa75e0432e4b81344c47bf989b87fd477898e9e42132b3fe8

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\am.pak

MD5 3033d89c0de9d03421cc9a0432f85376
SHA1 a425cb39b615746dc8686a1ee93fc8e7ac941465
SHA256 8e679eb83749dd4e9a0075affc94b6b492095745bb2815ec4bf81940572a5147
SHA512 0ad2c2386120e778ec779f4983148457776ad26ba5706e871449d2193cbe2978564cb104445b473d428d3dc670c15613455ebd3ac0f9623ae15297cffae50cea

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\da.pak

MD5 212d8448f67ec186b72e6baa068ecd08
SHA1 546438baf847ffa9079b9fa9acd01cdd20e106ba
SHA256 dd1a3e93bef25f568fc5eeae148aaad6e1759e3db54ec4416d4a6ea22649be46
SHA512 c47ac4fb0fe77af68269346720d29cd08a093a973cb779e9b783b625a075398272ecbd04196a981353fa4361b2d259af62280572114aaa3a8daf6c866d4ab6f9

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\cs.pak

MD5 f62f679c755fd60610c1353276ce7a83
SHA1 2381df678e9c91dc4c8395aea83a91b965cfb0f4
SHA256 4e40f87692b3ecf8f386931563ade6be9db7be12f16ddb6a2e76319d6e3dedfb
SHA512 8ba3e3bf6eab43736d85c0910d9998314dd7d337dfba6ad722c25fe66eb1fd8c54326e54563b189e6db29644859a37340eaeb8a3fbc5465d703a07e04d11865e

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\et.pak

MD5 f35c16ca76faaed806729443b9f9cbf4
SHA1 16c3f89fe2c06ea94568b3783738302f875874c2
SHA256 0149bd22652031b055948227829b34c67f0dd9fb6da83909f248efe378796bf5
SHA512 f1da02b9a8465e18aa10829ae2868c59ab6f96e3739e853f2af5ed84113e54a2d635a03973553f173ce75b4dc497930703359240f44837bef31ef949b1be7527

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\es.pak

MD5 12bb9282240c6aabb199db1683f07e1a
SHA1 33fa143da088f8978ea4a6ba1395076134e651bc
SHA256 541040c9cc59b7d43f3bcae3948fc0306726009e468caefe2d9250d7c1da7edd
SHA512 edda44d1bd5c22b59f5c50905880a52b96d75915d4b0ec33cce1f9427ec1d185f87809eefdcfe280c1d550ecf56210b31c5fde87b46ea524d9bc866236c70f47

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\es-419.pak

MD5 a581fd62f8dff4f0e500adbbd2014c8e
SHA1 7591272b573b128a084ee073021886078d441c9b
SHA256 953f4db9107711783170c0c97eae1a0f95f5df9fc2f6f75256224036c7d9ab84
SHA512 4ea4d6b0677cd5a162bc24b4ce3d32d492c9d5d80a099982e54fd79c0b16331b7b873e18a7c0568ee699b0d2d8d7a6f0821705fc9bca8ecfa853e48ccd0f8060

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\en-US.pak

MD5 9769d60eeec2eb7d7352f5e8b0518dbd
SHA1 6919c0094004293f0dbf98d82b9b34c34b03492a
SHA256 df3ca30dbffdb95688473de9da834b486639755e0c710569a02de09cf11b8ad3
SHA512 2615e8620fd35b5aa9492d490dcbd8b577b037bacb2a30d86ba5d51eebf624c299258533df56a0b1b375e0680ac130a493732a088d848fab432990d846c49b35

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\en-GB.pak

MD5 ddc70f440b93212cc28f5d82a1a00541
SHA1 504ac34eb8cf59c0db625e8ce480528a4b5380a7
SHA256 082f50c5d18a160d70f0cecccde450393ab1a70b6a7076720492041a9649d3e1
SHA512 6f7648b605c9fb5430e0d760009a81f47b5c91084b659040b2e65d742973c2715797623ee949af47323920442a5b2c2bb07b6617ed1f1fbf4dbd6fc61fd1a6b9

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\el.pak

MD5 ffa7bc983e6373b8763b36042840d444
SHA1 49307cd29534f0bb707902be3b4298a91cf72208
SHA256 cd9f8f2385c6358619d7b3703ba1e4e5148cc3a6dcfab1adccf24f52ebf56fbc
SHA512 6eb913db8ad9337cc3400a07f81e7fcf755e18f6468b67f5bf7914a709f7371accc5597ca15dd3c6a346448e94ec9706e817131f85404bd028c3a991c7f927b4

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\fa.pak

MD5 2534fc80798a2f1ddc9c58a2ec60f7f2
SHA1 5e0fe5013f2ef9c27aca75d978d2465604f04d73
SHA256 3d4c54b0f816bff44f06ae5efd2669bd3850db43c5ce77e170857bb17a36134c
SHA512 60a5632cb3e9aabf87780fa2f0232f6732f954db14d710ecd776e4c957da7ad6af533cf9d70d251113993d1d9d28de32d9fb09a1343a34b21f369da615385749

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\gu.pak

MD5 5aad6c3a3db879c0c4ba3de294346d72
SHA1 69f40b2e9e6e353390239be76ba931fc968676f5
SHA256 a0cdcb3ec6fcfee7e0925caeb1a403b2fe45dc3d33f1da0bda8a837b8dead8ac
SHA512 b24acbf291ca204346a8b038f5aec8aea1ba19deb3e1d6d02e473c9f4b0512a53a7eb7e08ab33da0ca5f58d6acd09b2007d53a0912d028a14e5e792635a3fa50

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\fr.pak

MD5 59dbc798129e14879fa53aecf8866722
SHA1 12d79e5fce16a44232e840732c0134dfb173a36d
SHA256 a144f65c86d50708b0288fada45ec41e46ece4e590b0a69148561d7c37778fcd
SHA512 c8ebe3c18b330b60a879bf018d405ed967ca84a9afb2be923097514cbe8aaf2d8077852f1851f69d4117b453bae85d4dadd5c18a63e8e607fe8b20743b3c31ca

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\fil.pak

MD5 3577185fddb8d61d95b216bd311d1a9b
SHA1 848f4901e350d289c22371bfc9e0edf3eb34c919
SHA256 b766b89946fec5a7643323cea89df5c8c3c4ed17fa7fc13fb5525d6911f95be4
SHA512 b5118dfb79422d3d3db6e9d3f5569b3178880049ab65a045d452ac8783256b45514fe2503c8bdc24f65fc1298054202d57293e54395e619527836ee8783068df

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\fi.pak

MD5 56d16ca4119f9048df0af37882d86ac9
SHA1 c8ae5d273f83f4b394e14b882e399a2b8aa1cf6c
SHA256 895008e398f5b2c1442fbda356a36adee269cd532f44f1714637cfd435b32ee0
SHA512 f036868c00570d8c3f270414c3d93bc04486f4e0213f32fa02972b5e1ad928f7e7debbb1295f73e44a86874ca38184f5ca60240f48fcaaf4f4117bf54c395a34

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\hu.pak

MD5 1c3ec49c0e4898825fc4e7055727189e
SHA1 8c5192690280b810d8b6cf1a52ac718c5d8acbba
SHA256 198bbc8de67169c6045e5a1dbbbfee68921b3cd3cb11f6723f7c43e7559b9130
SHA512 8d915c3f1226284b9d2fb18651d71cabc2a8e461748c09a3b5e8ab3a58badc5fdf3728b94c2f41ba665b784234c8139fc5987fc4e104ab4be6b50c1197b06c8c

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\locales\hr.pak

MD5 25f637c6249f0f633ec7be4c3c6981c0
SHA1 f01a0af2558b94b4529cf3a023aed945953c3d4d
SHA256 7e04a61c75a4afb3b1261484fb21aa251604256df61e256e8890cacec564b1fd
SHA512 6711b8f1b7d43e734975da5647a5fad23f3abf8ecddf30d4d7594bfc25bd35130350ec45d740e0a4f52ebcb19a937c8e739482dd62f0834c5c8e47121991643a

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\hi.pak

MD5 6e013ddd9db39251c91947174886c8e0
SHA1 b9ed73ab5e2d8c27d8237e9700d96906d9919d5a
SHA256 14e5be6ed0b59231200a8fb352f56340551689807098ec953267e3bcf11b4f4e
SHA512 e3740dc2099661d97e0145c97c0fc6cbc263bb6aea937555a816b69f109dc10eeae9f411e69d0c2cad5b5ef22a4626ad9da6da5c523037afbbe5ad069c16c2a6

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\he.pak

MD5 21a67f40a102d912e11370fe9e94dcf7
SHA1 9ad058de1d5d2ecf808ebe2c93ba813366538d18
SHA256 14289752c75c783cce26754e9b23a7641da0b46f152452e57e4f3b2b6eedf5c7
SHA512 63c3dde9635d2beebce1c707e5acde7744cebb553d53149dd39e3ebd6a9418508196c6ce2193eca98f4ef0d60a7a4a0d01da6acf0fc9fb1b971bd89a02cee8b7

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\ko.pak

MD5 1141fc7b0c266bb5177588f61197ff0b
SHA1 01be7eec1430135ec25226e474017be5fbd80c1d
SHA256 fe3754bd8ecac917aaba5b0a4083fa7df3b8d1e3761694b745076e366cd77b8c
SHA512 4a779bb0bbb10d589a5a09b20278b160a05e3451b8ab975bf611994a570c3d253923dbff6ff3b414de7c6d2454ea403fa6c7c90bcab5d5145c9dd4496bbeb441

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\lt.pak

MD5 93163cb161e4b91b6f82da01e2691fb3
SHA1 554ed547e50464aa444b3a04309a9dcbdcb4bbda
SHA256 62b58124d8a062ba4bf625a7dbb2eab7b93a93a7b1c1755f788861c1164ff2e5
SHA512 b3ff7429e535e361d12ade91a92055640b399961fe3ecfeee1f14144265b0b6559f463d6e134fb8fc4906719d51081c55adac3754d2477d9daed286f690a0361

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\kn.pak

MD5 720d5d602ac651152c6d7483993c3d18
SHA1 47f4e394241d9dea05b6a1045f8b3e8b2649e066
SHA256 350a84821df97cfbb20576d95e060496697b4efd90ba89b9d8e862ed472425d4
SHA512 9c4bd1a4e229780b9c41ab5028167bcc288adeb736cb6903c86098b3a01ed77009ba74fac54fd80493a11850d0756262fe1c3d7649e1d47e5faf68d3b2d71b12

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\lv.pak

MD5 2a65ecbbce5d4058c4b6eb04ca14367c
SHA1 e87182cda9651c8f07e02bde18aa42c9eabc544d
SHA256 a7352ea552eaabcf65ff65c83d6753365f815d065977cf29b8e1a494147a7853
SHA512 d2701e2939cf396e6f915cddaf91b8e9d3bf129a8615797be9d6cd61934dabbb5510e23b9d66fe5bfe58c4870964cdf535e1de6aa62ff2473bb0089825ff5535

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\ja.pak

MD5 89648d1a641dcada9ee9423ce2aeabda
SHA1 d98517079c2bdf841afb396278026f90439b52e3
SHA256 cf4e102f3ad60803c64c45bd63cef9b49cb0670ec0ea0e2c75d3d6b414009780
SHA512 6a974795bc0f233318ad3694ca32060f8353a35bfd72b4ae9812b6ea5883a2db5bc690c68312c24187d1fbf513c6e294393a6785eb9146e3dc921a935342924e

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\it.pak

MD5 2fc6fecae213f8b5f155543131e1638a
SHA1 98bdf9a0b9923794618bdcf4752705b4f9cad2a3
SHA256 e054b34f0d9a1587a219bb42a1c736f6b02afaf5efa2a8d6bf6f8b3a0694150f
SHA512 dd20d954cc7593cc5748b56e1bfed381057c6216a3b3a2707a0dc0dbe5e62490dac7f4964f71da58e626712e3612c5a4f3cf8720d160c341726f39c67064545f

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\ml.pak

MD5 daac96dde653eaf192b1b075fccc88ee
SHA1 0ed9ef35c4c365fa2f9330465fca35280f246653
SHA256 b30c85a560d3ff8574e44f711331e909493ee92cb0e124b8471bf14838640c6f
SHA512 616da86bb0283b4b23b0d05d264a70246c7db40595c6073e489f02b24264b0703de0034e9cacef8e73751517a0e1b8640b99648647581c9b94f63576a4538c03

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\mr.pak

MD5 e2402cbe232205bcc490e0bd401cea53
SHA1 58e494d192f6cd18968dc3a076396af0514b9f5a
SHA256 587ef4a74754d57bb478ce9efd4c7bfbadf4a77abb28d941718430362c0fffce
SHA512 f957787047b2ab340f318193021dd0125c2cd6d0c1a81adead2192c06f983d80f99b365f5c18c0c863cfd94de9eb1598f085e686e156e67253894a4ce3d74290

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\ms.pak

MD5 fe4511e996920d2d497f50385777bdc6
SHA1 274b34665bc8111d0fe670a71d9cb57236f5c221
SHA256 c4fa56e99002d6bcd284e8cd2830982d59c6e3c78d48187e22238ea7f543d69c
SHA512 f95fa0df226d5bfa89806fd7f34823b70671edd8e93e430342604a4e381108d8dcb4ef65689b654715c75ae2b04a52b1a84de52f83c19c90c1d0185e761f7204

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\nb.pak

MD5 429855b14d518474c08fcb2810c8279f
SHA1 ef52c1cd46ec4d3e430588061f08272f0313bec7
SHA256 816ed7aec58054de12a98a41b5edc9b6aed166a5d24e0dfcb4e992af78eb9f84
SHA512 1cf34e665b7a9805aeed52d903c79de1fb659b1172819bd2aee14a06db5c0fa86b4f394113278668b0f1309f1f3d152d63e5d2b132a0df37f8add76b933ccd85

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\pt-BR.pak

MD5 f7d0c87333d72e6f868eb33c69572b0e
SHA1 9406f574d4e04d5eb6f6e4c4de51f40059104333
SHA256 5ab9b521569bfedf0f39e45f948ea4ff2cc4c1f37139d577c376fe4181543ad7
SHA512 6f7e6c2a9e39cccd79193c66ec596b3c0cae5d265dcea97feea41f153cf7a3d57fa058af9fc9d2a1e972f01ed91b40dd049f76093389da56f27811ee8d2831c9

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\pt-PT.pak

MD5 2d480c62e663c6d21f2faa86b22a6981
SHA1 aa2789ee06dbc82a3ed4954a85293e4e5e0f503f
SHA256 24a45ce65c2f75e2b61ccffa703ee92eab8ee960f948c7b4b5b16c045bb2d9c2
SHA512 89a3f08603e499bf5c7bac22981385a4f78b4b5a979f6137231123a27309a1bb43eea2277053184bf1c24cebc4af8169ef5a9c60ce7dc1348064a569cce0c7ec

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\sk.pak

MD5 ef606e05926d9ed9e1556baa92423ae2
SHA1 0d437de6b3c28f34c3952af77728df5485bd188a
SHA256 5b57a314efa0bdb45df569225c9c83194c3b950d8de1c2d775441e59dae982f8
SHA512 b7aa602612d6c206a39b16dc7a52362b83d471b9430e6fe7e3cf660ebf60fa06436bc6ada9d84a17efcb7ba692a754a86e6b30c997efffb0eb00c30521d49f10

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\ru.pak

MD5 9f04fa02a82fa4a2cb0c7a1cd1a8a987
SHA1 f06af96961fa42eaa39f2d162cc1cbb03010dace
SHA256 0c81a7d91b605acff0aed142ae5332c622db7d82e0b0c872f4b41e6657d9b66d
SHA512 21d6ed7fe0f529bd293f1d5194c30fe00bd4bc079987063415ec618b5e11dab2376dbc8eec77c228b456bddc5e76512935da985d5a3c88165c397a6d8af93a48

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\sl.pak

MD5 22b55ace69b99a83b1334a43b77ae108
SHA1 18a2b8336b1304ebb51cdf6290808268af1244a7
SHA256 2a1a085c9b5088f1a212b3cea53dcff52c7fba59815ffbf7332d9f022b407b6e
SHA512 af0315698729a4fab35d88daa86154f71252193ed816fbae0cf779526d79ce30326d6f82204a8dc101ac8b9dcf03baddd31843f46ce4d0bf0e82277dad04d138

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\sv.pak

MD5 875470248e4ad12a53dd8b749ff73a80
SHA1 86bc434f06704a13dc03b278cfa0d6a8156beea3
SHA256 f63d93ef108d31cbd0a4a6720621a1d50d4a836c437726c5da41136f485ff4df
SHA512 020162a42206898c3a993332c28ba93ec1cb0ee072859f5015b94e9adc6f217997322674f0105e64d1561c9be3a018e0604d4e45765ac707ddac13845261caef

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\ta.pak

MD5 0ee7b3b6f48e2767c6666c53eaaee216
SHA1 6da671885a3625963c23c44f3cbaca74c0262cea
SHA256 795574731cfa6e8e4318d1ac7c980b27238fba8864ddfbe8ba59a7d9ec517f36
SHA512 b9918caa52645ae9e7f1298eb476d86cfa260f4473202cb9937026805863ed408345d6160f0c51784b770dff06ede6f507d680fdef97c5c7d791ee21fc0c23d5

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\th.pak

MD5 4fac90ed23a8e10fa3492da64249e541
SHA1 a21870cbe5ac014698d6f874ff24352975e0a8a9
SHA256 b7a0eebf6ee68a38b0da17a91bc1bf5165e3a4261f97bc273cc6b8c08c54a058
SHA512 b4cd59546c93e9a062ebb2321884f8924737e23f704f7aac9c7f16f5bfab5ae1e258d3cef201e167772b8817ca039f37172e126c880fa945b93bb948390723d1

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\uk.pak

MD5 9754821e2aa63cb42e14003f3160ddb7
SHA1 2753ff454eaed41f91cf71871c0405ba4bca6c71
SHA256 826efc0e406699f70ebeec7280f74c202f01cc807506273cbede75df1147087f
SHA512 730ab3ebec0a2762d43242dd7b61150c60b64767e3bb248e39a5838585fc4a6af81ccfe2fa676dd4f164593d4772cd9c0d730dccf339d9850c0b50e9676c08b0

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\zh-CN.pak

MD5 c2da5029daaa6358a6e8c45e1b071e9a
SHA1 3a0e4b6d8ebafa011c74eb0865038aabd3f98df7
SHA256 efef411202106d00d47ec3e049cac68b61684714e4e1139a00309962e2e4c68f
SHA512 12b816c727a45fbfe1df27e33d41622853182a06699d9e47d5e604933838159371820f32ebc12068c1e787546fb730b33564b1df17471627e8e3125f33adb128

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\zh-TW.pak

MD5 08ac2bcbfeb27ef4d385a645426096db
SHA1 b3436b163ab901bbfcec10b8152baa2f1cd41849
SHA256 fdc76f3636ad83cbc724524e4555919f0915f7a3ab52ead302c8da9d8b68b870
SHA512 112ee10e1193b81092b609cfca4390b84980808fc7fe26a777e4856efa1da0913c43959f50a937201df441b0649212fade902f25a86c68a4a97298a37cdff370

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\vi.pak

MD5 8e6a14a7774f2daf2bd231b212cf541f
SHA1 6dc91ab0785027077ca454198ae1d33adfac4df6
SHA256 aeba1d428482a676c55ea3b42f23f0c6073395f2d85d1ad87338dea7a23005e0
SHA512 b7d2e72fb82e91250bcc2a418145ef01a7ef8a61ba6ae6818b75d5b8323af4856a98f0d0f195ceebe6872f7434f8286f6d47b4d8bcd13bf1e1fd72f32657b995

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\tr.pak

MD5 18c8fcf7792c2770470dc6966dd1dbb8
SHA1 524d9517d1f8dd88f00d571a7726e81b0768e73e
SHA256 446ffbcfc5f47cd51a31efd6e71cc8928fc721f00b8bee28fff8afc962676f7f
SHA512 7f7a700ca0b027a3dd4dc692c44b3d626a86e8cd90542579d888eae9190b5151aa1aff2f9da658f4baf9f630805286aa897c17e01a92e16bc7d62ae496791df8

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\te.pak

MD5 9a27c975b8acfc3ebd22168e63b3bee9
SHA1 a41c111cab57c7c9ecf8ec96e715dcf7a2d23bd0
SHA256 ad8f94b070aedffb1e3f850a5a05beb5546c643f5272581bea203d6eeca1772c
SHA512 bba09363dd97aaaac099e440417efb35e497481242e7f14f8465baab522736715f078776a1cb52ffa98be8cfe10b6504e6d50dfdc92296cee3952bb8e73e6933

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\sw.pak

MD5 50db574b254271492fc904fa9b3b1070
SHA1 3e89978cc08884253f9d0b27abfce61c7cafffdd
SHA256 055a02eda6ba45cdd985939c19bc29075b25a3a69f37dcaeefc8a0880c98947b
SHA512 49647b6cff2b59565492d5bbeacba40af6f11674414dac6db36518b8cdcde66bbbf72524abd7616a19dce453e1dd60c69146e3fd89fe6b32857ae82affd14966

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\sr.pak

MD5 69474f8dfd784b338d6184e57dae96fe
SHA1 0dcf41404c3fca4029d5e11faf3a7fb39906ef76
SHA256 6a13ffbf9f0910b4ac7c7aecd0bef1eea212a7eca8e512294594277946dbdd40
SHA512 0e3ba52d87fd6f485b728c7de5616a6194b23f2a84cf26dd5853e7aeb9fb62645a4e720b64f120e02bfe89eade550ededc31b219f8b663ad494ffc4704cfd12b

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\ro.pak

MD5 db579c8e7b688424025b1f95a90bb372
SHA1 5931883b87e539685805d922e5fa245d4cde2511
SHA256 b1ba9a87233ead70a0385fbbf7c5507d4554fd1fe9c6b69cfbd38c43406f2f0e
SHA512 9fb8880d3ff7a75a54a0858752c87b9b2b5751f4e784b7bb8338da0c60eb05c61ad4ff8407d7312eb53a653288647dc50c291ab35ae34e167794e2adbe212393

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\pl.pak

MD5 f711a5708c0cde9d9cdbb91a25e96d95
SHA1 e4a209732bb2f73cedf61a3263b50d62cb5d29d7
SHA256 142c6ce2a40688c0dc020054656606db8930910380e00bd8f88cf1a504188161
SHA512 3eddc78c7cd160c5cc27e5a87c1eb068e4b072c9210506db354902a479283292ad14f8d1cc476423140b907ad49a4480948bad5aa33dc50b2ea8585b0cd6b4f9

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\nl.pak

MD5 7b5a9d72c593d4a67186b6df09989389
SHA1 9eadd5317162368ea176cb23cc76e38c9591fe1b
SHA256 5ffef04b61b993eb8c511751789bc4b28d244bf28f5159dd355509e3c6123efe
SHA512 db4cbae9c95288023d6479b67da706a30bdc21f355615ba2482441d570e5b48d207c0a051884326388b6a26ce3477690d7bef2fa4b87b493c0e0905d01ffa4d2

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\locales\id.pak

MD5 4b974c4c91fe58aafdd472f3d50b18b0
SHA1 7e1217758a3d90fcd92361dadfcbdf44cdb2c507
SHA256 1ff14fe683469be7f67361bc787f6fe980e2540ca5b9449127052d96cb07c169
SHA512 b05c4fdbeba6cac1ec2036701a067fb15fd8b158cc06ad6ad2ba0650681c7e3f65a5bae75a3f73e5e9706332ae92cb45fbeddff4e9f1a24c912b59c3189bc692

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\resources\elevate.exe

MD5 1cf1075ffd8c5d19b94abc0d5226e4da
SHA1 ede318c85390c9b347f306f0a8f65e874b7208c5
SHA256 223a8e2c3c2f3d33dfa400d8965eb8c9972013609cfa5eaea6e1a1699d544659
SHA512 8056e3b880faad00ec6f8b1a0393cf15e1088ac3058cda576944b6b9ecea4f801857d0a3e0ea0b26f663ac351355070d57234a705f60dd8bda19e678369f2f41

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\resources\app.asar

MD5 dd106861df707b796df5cdb17f59038d
SHA1 b078a46ec78d21ab1c47a0a7f242c5c8fe9272a1
SHA256 c6a094720942286a7fbe1d05857824550a348746ffa7666286c00e37a62cea14
SHA512 ea6c9bb0e2aa4373d3160f6758ddb5eea0f12a085983fd2289444a9bedbd107b3427dbd58f4e8923de6e8c6357df45e13a24157a1e60c600ed5fbc27c6467f1e

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 fb78eb6134fb9e6be84f4c4678d5efa1
SHA1 5258f2bfada1c783c544f50d22a3a7cd92a14d42
SHA256 2a5e2daefa509326aafffc9141b00c059c60b9b1d327024d94006cfb31c77e4c
SHA512 7995f7dc3c476122d837e2703e2e9e3ea78cd3911187f5445a5b19226d222b1386cc92844093a2338f9e38329b10027eac51a25cf2d29b0c8b7085cbc16a5b4f

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 620072be39b6b4d7869e32d3f71df90b
SHA1 abd81458fc2c7fa6c6f9df34a4e14e8ab91ea2c4
SHA256 f632450fcad202cb100c39b00463c9ddf834b853ee7b88fa2c6f609d38eb7706
SHA512 1c6d6264aa0ebeeb156c971839a40202ddd9ad785e9acdfa079592fa01b7bc958af833fcb65d6a615794168c4c8921dbcdb846971fb711ffb52d879cc8600825

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\swiftshader\libEGL.dll

MD5 e6ea7c20df92bdb72a3dd6ee4682bda2
SHA1 22e49bb3025f40fe8c3f544dff0724f0328f7e55
SHA256 7565347b5e567e4b806e432858a2f902646e3a0a62b365785bea647a2da85153
SHA512 8353ecc67f71fd2e1426b14dda19221caecda5bdf010fac12481ded9b096f3fdcd0a9d211433c272679906c105168c80a2ccd5f78383039501f25f5b7a1686d8

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 3ce3fd10e5ea4f865d608a26756e6dfe
SHA1 4a5ed9616baf638544151df6d0312645e664da9a
SHA256 9d3dbb59d6697ac3724d80b53c4b579d14b7c073e5807dc535707573e0fc11a9
SHA512 0a9fe18280349f5764b613af3e55e6ff45989669a121f9d053ceb99966aa7e932b3eb5371057a96905bb67db8b4c13e833df7cc52a1cca7a22062f91bb8e857f

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 f8f8e1e336511abe4fef9c0396c61742
SHA1 9be135b39f455775e60a95b48c591087e24b3d07
SHA256 753a6998e0a09ef82f9471e8d589825167cf0c45b8694b754f4b9ff6e7330809
SHA512 820db9d2e134f4d00550c255b7385899f65b1e2b6f71d9e6a41b1919450d2994b15644ccf1baacbaadd9198defdb51a66f6c4003db14d9da037618917e95e615

C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\StdUtils.dll

MD5 610703fd64039bc7d30609bb4b9ce2d9
SHA1 66ec2849148ba72cd4a6c3e3389168b341a019fc
SHA256 096b1c0c9903d42be7cdd85ea6335c9797949edb612fd49993d699a37323fecd
SHA512 d73ec8a807c3b71f185f8a667ab424fd76c3fd2764d0a31b4c533b5f2b456b99d759f78b519c550d74f888f8f3df4dca1c1c6daf48ca67951e33b5cca88bd2ac

\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\StdUtils.dll

MD5 4af88a7fe61bb36635ece1209db7f79e
SHA1 9ae3267f88e6509449d8cdbfda63b8d661641090
SHA256 3f1bc7aefd01690f7da8927c81531d7434e9a834259673a825b6b8ba1152a090
SHA512 7a68f6164ab254a51bd56a0f37563c707451d8801c21e2efc83ae833ef39bdeb9de22b0e2d58751527f6aa24b9a1a173fcf272f8bcfcf00fcd03186336f963b9

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\ffmpeg.dll

MD5 8fb66a259b0bb48b2e74f6b31cddcb9a
SHA1 1812a877b278ee481e5e15cf4c0a8c0c19087824
SHA256 29b68c59f4eb18b7b8b088d50fffccaeb9006dfb73cc960a40482c2871f00431
SHA512 293160e9efc3a589eb9972727e534bfe8e702d4d1f246c3d8453b0e4c0bcb5314dda722c7289ef3375c3ed06b804404a8ee773df5d6bec49b91e34b60c3520da

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\ffmpeg.dll

MD5 81cc6db30384af6acd562105ea48c4fe
SHA1 81b3838d163326b60b2999cfe787821fe4b1d768
SHA256 33542b62d3f21b012da213585302eeb3a6705841d9e28ed3d4c81e9e5859f982
SHA512 47661c471c2aed68cfc069ea43f95c0580c3bd0d5fae42605a1920cfa6d0276cde1ffeb043a1daa17a7720893c102723df1c9b70dab452b00783f802bd2a0913

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

MD5 aaa9b1dd1fba9892a20e9ab41468c7fd
SHA1 a3539187f6a62d6d980cda9b699afea169b9f5c9
SHA256 9920f31d87c74c9d37207b53f3c75b6666c4ec4511645ecd20899e352f924cf5
SHA512 458d772ac1f0429b555798c6747858c2cf82938278bf293968b7b9ecf0eaa83969e991355cfbf5b950a2b0fff45d6c67e8cbe3d01c84e317daec29b365a44b07

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

MD5 dde3e3a08c8a2619d7ba455eed8a8237
SHA1 c7fd1e85592dc77c9f9cdd18252df2a57da5770d
SHA256 f3738fa18e3ea2b8d397d6ab5d573f737dd46704323652e63359566cd078ced9
SHA512 7387d107b0f7ef5cff13cadcca29feec5c83d46b0427bbae3b18d96333d36a986e671203869200f492430dc412bdbf71c90b473675caf10c000d0a0a9ae061f2

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\icudtl.dat

MD5 e44bd704b99eaf9d0e07b60c76cb7f1b
SHA1 50423ff6348d5d8be881e74aabcdccdf2a1bcff1
SHA256 06b042876c33e9566fe77a7a77584cf49468a0a162b0d6b82e3d57158e9bf844
SHA512 d587aa4c3f67c12fd1c853c0fbe4c7cf8faef475e2a43fcf336d54f0a37538460906a35643f635e6c48db587455d03de32534f5f8b975a63a5b11204aa381b00

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\resources\app.asar

MD5 546209d0cbc5e07664442fd92b3bf427
SHA1 964b060cbb75aa9b7d52526805317ddda8da5ae5
SHA256 61b5c0bb799ddb47ea1fe86f777217e60abf3180cc35ece248b5678124478752
SHA512 944436e09432730ed13715af2996c447dbc0d754f7ba1e742f276903be9ba728dc38b9f8309076587ea64ba8c3621ce1daeb9e7d6699277cf8af5be0fdcddabd

\Users\Admin\AppData\Local\Temp\4ea78f13-2d77-476f-85ba-a0a27f5feeb7.tmp.node

MD5 b9ee43973372dd0f7ff470f22f74fa57
SHA1 57cd7fca17fad044c2122032fcb58b6333f1cc52
SHA256 3859e2499bf7f527e4844e42e5e0ddee18a0e8208b7158300389f4b73778025e
SHA512 8987fb5281e95c5c1f380e17795a74d03d2e9e1f667ba5fe5c77c84d7cbfcb830fd16055c9658a3f45320114ba67676cb0dca3d229c508641d68104f494a47aa

\Users\Admin\AppData\Local\Temp\a7e0981e-075d-4dbb-be3c-2884dba5c4c9.tmp.node

MD5 86cad0671f2e46cfd72ed7069932e055
SHA1 91853784031664e9fe889f82d97fd374bf308f5c
SHA256 709016bd9cf077399e377b64f7e19275c7d01e2abddb45325e53e1cab793f99e
SHA512 0cb5920307ec13dfa809d4888537b2a96f3733079bedccb65e07e9a46a2bf8b3e5a2ab2ad627a75bd5eeb9ecf664633dfc14a357f46a6a124f5ac0e985c53c9d

memory/3048-582-0x0000000000860000-0x0000000000861000-memory.dmp

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

MD5 9e86c1902727a579c9a095e6e0a90146
SHA1 729c11a2500523689032b1ffa1e07e413335795a
SHA256 9ee03b40cf0dcfba88a2ab47828f1fab503e7891f6251aae11372dfc1f18a2a1
SHA512 8f228a4968ee76fc2a0923ecf212c8c364eb613f5625f6a2d1b72c8b51db5f524798055ac5bd578cec429320a79e04a9c569dcf48fade85d2887bed11395d80d

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\resources.pak

MD5 cd959196cf5883e30411c20871482508
SHA1 de7e94d00c367900be8319a0eedd91ffb885b6de
SHA256 7bfac8fafe306eb642148da71be34a7fc29b9bad916ab108709a6af350a4fe40
SHA512 e598b9d0f336ea25ea4b8fdd20f288220bf21bd8ea09aaa34365a9beac3ae3c392edf40e255545d67d392ee83c9ad8f7a2055748c07d28266505122eb6828d14

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\locales\en-US.pak

MD5 a3814889f2e8f684e7e6aa66f6ff4a17
SHA1 14d90bbefa37c3ffcd442c2561f83bdcabc0aed5
SHA256 173e4ef45ad332167d02e0f1dce4df13adb42cf72fc259e9bd7408370806d837
SHA512 55fbf561081b8d94012a22cb97c0eb95a0c28969d6dbe13302bd45b8d0ef16e6f3e4b02c824cf249b903b95d6c03b35e264acf94faca9d6099849c4b6b406900

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\chrome_100_percent.pak

MD5 0d38c6ea28694e277f887f771b803d19
SHA1 ada8a759e3147d724260eadc285c890ff8fd8a47
SHA256 9b40dcc3384854b1fb2f7394f98f2ba0d084802219e81f1273064f774cc03b85
SHA512 f92687c0c788f6fa813f774cc826c3a05b3ba36504322d0039614d4c469f9c51d2d44240b9a6ff88fa1304ad3c090f3668d6edc3cb34f7196a26c01f9b0483a3

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\chrome_200_percent.pak

MD5 72859e2192e989f43e718928bcd7f0ee
SHA1 8898a60022b9b30acdef83640b4ecf0354a581c9
SHA256 ee7b2185b9d6afe1847881630efb1a36deb961322066fa8da1b2d2418c4fc6af
SHA512 6a34c0cce7e4a90aaf31340890c318501ad4ed58f9bb96508f9bfad1a370e339d19807be62859fecef49253a83b02d2f99b5d1fc0aa2555000cf2acffee8bfbd

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

MD5 8a7f08c53cbf8def7fa03db69071b18c
SHA1 64ccc2555e1fab4ec29be2931550245894977be9
SHA256 71c22cf2a6c35d656265001542fd3a73df093b0fa33bc932bd6d39f4eb680e6e
SHA512 f4ed9849281c7ec56515351a10ce6c49d3f558099fe89eeaa0ab060ee0a55e53388a9cc2d2dcfd2eb0f4084076697bd6c744a45417f66a5eacccc61c0c8ffcce

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\ffmpeg.dll

MD5 c3ae46a40d0690d9b466fcd2a6c6a265
SHA1 c937bf8dff72246b66f9a0a0b7a34a4b5c9270fe
SHA256 e763938ecee167ee54543350cff8cb7d8f2a6c362cad8a968ea6109b4b987520
SHA512 a5b899f589cf34faba08a866a45f5c06d975ffe61f68191008c38e692a720a7a1e94af94485e498caf7096d32952fab4f60cbcf64ec9d21d39b4721a304dac67

memory/3048-615-0x0000000077570000-0x0000000077571000-memory.dmp

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\d3dcompiler_47.dll

MD5 0d2ea7b4b13e0b395ea688be13326471
SHA1 ed1326437a8ad8dd3f9c963f24f0c976ddd6d8a3
SHA256 e94137fee423a54e38768f09b26a21af151e880d2503a742986eb46d3b092a0b
SHA512 e48d8af6d8128897e12b29d9426c447545fc4d82c88a8035fcf3e1d1df4503011d76f8c4df53da9466b6875ddd596c8941a7e0e414fbe3f640b76a54ca5dd732

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\D3DCompiler_47.dll

MD5 ba4629a24a8c40747461216de769ff1c
SHA1 7e84a26ab0220a447ae7c30efc1a18cd1f31a23b
SHA256 6a5e04c853dc49c1c8d39d3b2c50ac8e5621c59d909be095fddd48b271f0bb71
SHA512 90e74e22eb689132f7ffffffe10e0230061b8d45bc41275cb383f864dda55a70b570eb43eb04d06ed0e3f682a246e4d30851749898156401482998ab18cd0e58

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

MD5 163c82c6bfd530f12d7806f77448036c
SHA1 a0326d3d847fccfef2968e6aa48dc5ab590315ac
SHA256 3bc10562524c8e2d34a96cabafe434cf075587a5b44ce5f06309b123242b1421
SHA512 9790c642c90c86a32ffaebbaad07972deb1fffb55be9217fd15eeae7d79e61cb7a2065cb4e24f2db42b15a4924d2edffb97724ca02c48386932662c18a263b3f

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

MD5 c212f26d7c220db5d48a24685e519b29
SHA1 ead0985d000d6d7054326c2647713b7663592f86
SHA256 50522034a1f7ed015f668b9cb75aca5e9d4af1f11fff2a013685ec8990c7d0c0
SHA512 f90881888bb937e5ddecd72cfb5e1d0c4d3e1c89747841f306ca223b017e55b14293000c217c6dfe7e98bfaf25dff0dd2dfb8a61b6852db00bc59a76ef8fc865

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

MD5 689fecbd3daf64c12cd34bf096867a5f
SHA1 a0d1f873e791318823e62e985c2a12799e44f1f8
SHA256 29e6f4bfa80118dba02b9d864712d53f5198199770155f994e1c2fb7b91aedef
SHA512 fff5afd095f160522ffdc2889cd84a79e5dd2469d4ee258edc577c1be826bb8aa0fede83d8f2a898a5949672126fa6484034f8aaa6374a8fb0a6d5d601f2a997

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

MD5 5dda7c69a2bda60bd491f6b2ef0b4ec7
SHA1 829e70a1852a73ac4a1e6a88e55d49f9b93d74af
SHA256 546d819f6c67322bb002b299f60a03dd0285772362ab0a4cddf4f41456ac511a
SHA512 41a23f3e6fe0815cab5d4fc187fbf02e4c785bc8774424faa6c9f62f8a523da12c4aa01591cea508dcf5bd4a7a4cbe063ca3d358d241b3d5ece33bce1d12b2d8

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

MD5 c2fae781c3d65d1fcfcac66c2e26ef7f
SHA1 3823c1fab38f88946ef95d817dc1bbefed0de46f
SHA256 50c7fb3e98aa95556fe0291b88015eddfb2151f9c4969584b23138be181b6c3b
SHA512 33451d6de375b591a2156e0b489394f6c14e50fd8bcbd172ca4b7f1601610eceba2654f662f8652460c67d970f86a06f7db9392d111d44b6d6a85aa28205296b

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\libEGL.dll

MD5 cbb53ff479d50a48476ee56d02385baa
SHA1 49ca8cc27984f406e84579c5dcc87f488cc39bf3
SHA256 dab5b24de00e9b9d9c464743528c20d27856fbf91596af5f0cd6abba9c7208b4
SHA512 5a9b571a1fc23385b17224816f9c00a53e4e5c753528075383f46c79616a8e187e98cfe687b43be50ae3e8877aea2181ffd65a4f9986aa21abe99d263b4938be

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\libegl.dll

MD5 ff65458cfaef5a13112dc6735afe404c
SHA1 97dd1e9758a601780d6700b2a769078d1155a2ff
SHA256 81d7c28445a9ecacbcf1e47bfbb793cf54f490b8b2ad0e4ed7b0b50a88f02699
SHA512 37b47f47e13c2275d3b5de56f0dc50155c18f5daf95a487239cf42cb0324ade596f908918c72eb85cb8427931fe4301e5d4cc183e60f5f1e6397fa8df42e618c

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\libGLESv2.dll

MD5 8361bba96eb5b5c64adc45bd2e27aa4a
SHA1 7a5fb22092576668983bbd5ab8ddd8fcf4e98ab6
SHA256 2742e492eebcc898168cdfd511328765fa47689f92032e79a41bdb7f3b70e38d
SHA512 3c3bc06911461f60247861de3ab813a7380787af89f0974b5ea1d591a04949debf61ea0779f7f440aa6d33ced214bfdb35ad9444b148e4e1fe83d215b786576d

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\libglesv2.dll

MD5 c4b39df46fc697a9a4b245a0f647be1f
SHA1 c143a17e61ffadc93c385b1fe7e96d69e1adc71f
SHA256 0f2561a9420e4b22bc875d350110e6d02c99deb58291772e810c9933e5a29603
SHA512 941375a9cf0c68327cfab05a68a66244784af2f16810827c58401326f6e7a29c70d30d64fdc128af7848b63480ee3c141dc8ac8c85efeafe80a00923c0420e00

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

MD5 29d62b2a5c0dc78401cb4a0dbaff810a
SHA1 9771ac791615b2003aff961706b7a0de4760b72c
SHA256 857441081d0f29a1a5f11325b12cd970c3f545b0c074918c2db72a0c15e7a7c9
SHA512 b2a527b9acfcf84760d1bcb3ab933a04bdfbcda5963b77734a49ad9e110d5e5ca13381e687374b4866aed120cd2db30ecddf4ff7b8ca3e516d9f3c3d3abc4a66

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

MD5 508bdc212e2ebce7e9aa9e4417494c18
SHA1 2ab99755797c8f39b4f718be2b6128db63869c33
SHA256 0e09fccd7005471ffa1e364170b747f1d11acaeb29c4728f8df337765f224a03
SHA512 68725f690f19e1754c2b51e65ca75904ad526e478fa314cb0dcf7f002dfb5e844f0073959cb0d5c2c36a93e8c023f957fdc9ff3b30ec38bddc5f439966c6de21

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

MD5 ced5873874330a326e95f12a4543be87
SHA1 26d8cba0f9a8baa60d63f9806ec200d96d053d59
SHA256 161407351b2e8c4353cd715b6065525df68b5e360654cd8e93665b980953a4bf
SHA512 a8477c235f426d6e617172bccee60293cdcee796e73c1791715bac12b9e76a6719216f965b679a1c5df5b499213f2c9e0d615dd6f31a297269e53d35d8fdc494

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\ffmpeg.dll

MD5 5a0f02876dc52de9edbb85c1aafa18c4
SHA1 1d34c358a2cd8b9ce0946afd67091500a065961d
SHA256 106dbdcef871bf36418df95d2469699110dbdb55e051f25aaa843a6b1d914f08
SHA512 cdeae25935d8a1959efcf04c5eb20c1c4a4f278170d1846cd39cffd67800db4addb2feb5b1b8d1e3059585e1beab10ff5915404a78c3a45dbd0f9b5dbfbac8fd

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\ffmpeg.dll

MD5 b9f959d68d804fd5de0b80eae9a3cdee
SHA1 bf9f606815624f7f8c54e7088b1b9c94937560fc
SHA256 9ef2b781d27d3af30fc3bf37352549bbbccd51291e9092d3ac5b499b644aed2b
SHA512 9a4b0608086e7670d58ac59012d020ea1fc7aa35f562e587e8d965913e5276cc4db7401cf1eb66a17d3d2cc9ad9adf9e53cd92a446c939891e0a5780d6adb10b

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\vk_swiftshader.dll

MD5 8de93e74ddf11cb5281ec2d3a1a30e8c
SHA1 404f920bd898b295621271338d51e6e1335eb5ba
SHA256 95e7db37279352fb0d8a31e35dc93853ce8f65295838b7b12b24e49c8780eec0
SHA512 7b0d5535b0cf3684fffa8e9a02f620c1b2f289f0f6217159f30ad68e545ce69dcc4ab40d337a5badc94ecad728faca6746c1bf51f337ac2f668b26d02594dab7

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\vk_swiftshader.dll

MD5 b0e82253f412bb03f58d6cdfe896c312
SHA1 5cec05a322eb95ecfdce7eb4badd9ae5cf76efcc
SHA256 0f9bd852f79b965735c9b9202bd6b3285ab8baaeb8c29398ad5aa50ddf60529e
SHA512 680ef5c8dce60ba3e1b9266f6249d75fb5e9391c7e20e276129a52c92f9a59198e85099f4b4a7df2805e6d6541be0ea6ff5d909d6fb2136b07009ed9cf9b1892

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\vk_swiftshader.dll

MD5 a37bde9b476a2c18b0252fa0b751ba2f
SHA1 b028f77846f1b4484a4d9b54fe242d94be253c39
SHA256 8ddd296e46ae780a128b9aa579546221e2ba03d7528a465db94d813869ad30fb
SHA512 251c05ee6f21351d89cee323203749487db9a86c07a4543c19b6b25322cd69290f74e71ff6912405da5d60871dcc07984c065da43d0b0fec8794764fb9a1ce15

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\vk_swiftshader.dll

MD5 6e7ee5b73b0ed31061c46f4571388a64
SHA1 5873c66d7ac4ff20a18fe6da61b569559d92ef88
SHA256 2558309ba219cb93f5b6eb7691737b5e1128c863b729b27e3e5d04d20e558902
SHA512 878b8f2e684c6f5aa51e5bfcaa88c655c54720e2dd49b602b957d36e72e46107f92d2eda2f839b922b251e3c87c25d9165bda1e01922ae9bd8634b62d9a447fa

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\vk_swiftshader.dll

MD5 a10d2b67077a45f7825ea6b39d1ffb3d
SHA1 e7df0f52916d0b98393005cf52bb34f0315d75cf
SHA256 5fd50d6dcbbd2f7677d3e57e5718c8d5a6bbbb34491d4a43ef8a3cbc671b0e1f
SHA512 b0825316acacfd842608105335611063ecdee0cd8a5776ae18aadbfa5599e41d2460c5b0ccb955a308acbf6006bd9409e2641fdff21e54e9cd78eef5b2ff94e2

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\vulkan-1.dll

MD5 f38419b8b4398f80a1e9d66a0caaa4c4
SHA1 3af96f8a242253f82017ad3fb444c9e5ecde573e
SHA256 047df4c3aa8cf2875cf1758831030dc946cf4d589241f0dc4e277f247881ce43
SHA512 ef02791a2555f5eb6e53bb7d26c95604e25018bdec24a7d7d9b655b8d02dcef4fe740f9b422ae9d9e14d9eb1493c2ebc50acf5fd76f45ac0e958b5ffff347c35

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\vulkan-1.dll

MD5 0a415acb7d4cfb43436036e30a98cbca
SHA1 c9941aac52a15bf0413f53e4edfef388313e7135
SHA256 00fd5b22d6faefa40c14b143ee56f4743fcc5842abb04f63f6240d1090f94bce
SHA512 bd79bfb3738121f674796314e3a4e5087b3036cadc5aa3d7b5b67bc360365cc7e2f50669f1ee60705eea9782171ba42c79cae92e59e6a7508913d6d67f35d1e0

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\libEGL.dll

MD5 f81d1d0f04be9fe2b07cc2342022a3e0
SHA1 5b8bac1787f3e5f9f33847e33bd835b3f73b3e26
SHA256 d1d595a9464ce6daa639fb4f9af33064ad9216f8d65e943718694789b4ad5c9c
SHA512 a29e0f83d29d6949a0f9b4639c8b8c8584862fe0aea2440d924e0330be57b3c374e5a7d1ed2313bb83511f39098b93cea33db5bbc5260e5426c530d61e285c44

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\libGLESv2.dll

MD5 a844a54670b39fe8599759262fbe63dd
SHA1 5d7ed3264aca73390511b6c1f2edfe3b2e1e50d7
SHA256 b6aa584b1e55fc0debe1dc42daa4cdb3eb834e2ad7fe7facd41c095a502843c2
SHA512 caf50dda8981f8a865f02a7cd59557787bfd7a81551376e87ade413f7c90c36210d88d61de9436f25f9ef521e4b928fb43bb617babe1b60bdc02f1ed834d2895

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\d3dcompiler_47.dll

MD5 a03141fbb04fa9148baa40bd4f4664d5
SHA1 67eaa2c409f7f733052e58f776da853b2a2ba1b1
SHA256 1598ee847557463faa9e82333573bb35f09a2e3e667c22656e5ce9b9862133c1
SHA512 170abfaf09d5aba928c229d33ba123fd4db63998b80f750ac0b4e476b43d501db3079b7130b17de7b7a744b4f719e23a6574d1a7c7e568b636ae152fb707afc2

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

MD5 1af1ec4f047640455f21471f022b5de9
SHA1 b5a90574a29b4b35487dbbad3cdcc2b8099cb00c
SHA256 f8483db559c0d534c35b8ffbb4faf6c939497f31d482972fb024a1c34d122462
SHA512 fed8a858a58c629d75ae6e69824ca3c148b8c920917e903d44f480da660cf397d3b29074b3367a1d0d165b90eec03f8597890c3e139f080ce099c9ac7f4d7d5c

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

MD5 26c0edf44ad9aff91662e61c9f32607f
SHA1 88209c7eb10acdd0aca9f6c31fb9048eef36686c
SHA256 2c58d5177a74d9d522b289b32c76eb63630141b1d5d6496f7bc12f911d218e56
SHA512 373b89fe2ed64de4758f76c4c9c1adbaefbb334c61015f40f56f1ccc732629e55218cea5a18c01042b3f8e70992290967913687ba8c9d9b15bb5c5b7edd61587

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

MD5 9a04202963acbfc572fd93e635422da7
SHA1 8ea69f758e463e4c6466359b38cb043d6198c6fa
SHA256 6ec5657c525bcd4f4a319eb0ad20dad8b5b135fe98484f0f04cefd4b02c2be59
SHA512 fdab9e9a2825fed48023adfca66c85d545707ba7a18d75c4220be20512c04356ef459a5b4fa39432c759fad437c346e6c6848cfe5952670d1cb39a104345c5e5

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

MD5 5127c3ff9347a5fceb79fb323eb727f8
SHA1 2d0c2c3c4a907e5a472736b63c4472d892f0abb5
SHA256 12c4d597e306640b7a3ace2714fa3a65f55700df4f46f9337495f9c0447e6533
SHA512 99dd3a118e67c8deb2ff4274c3c4f8b22d7f271382cdec0149f4f6f137e639104a1263cadcfcee83e0469844ffd3228016813caf5697d098be3ca1e31b0e417a

\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

MD5 528a16f4dbe3f7768050b26ec4a5066f
SHA1 ae6ee4e6a61bd0dfbecfe510b3419545fac04cfd
SHA256 1249b97e224a0906c84530d24684c1daebd33ec1b42ef566b0a14f37e3a4b086
SHA512 8c0961ef5f2af0dbf5e230a5a18841b5538704cbcb66db0682e834cb2547164cd515c393c38eec30708eaa056e66a3b7c3395b71b273f9d5e28f70b54179a809

memory/2452-726-0x00000000022A0000-0x00000000022A8000-memory.dmp

memory/2452-725-0x0000000002520000-0x00000000025A0000-memory.dmp

memory/2452-727-0x000007FEF2ED0000-0x000007FEF386D000-memory.dmp

memory/2452-724-0x0000000002520000-0x00000000025A0000-memory.dmp

memory/2452-723-0x0000000002520000-0x00000000025A0000-memory.dmp

memory/2452-722-0x000007FEF2ED0000-0x000007FEF386D000-memory.dmp

memory/2452-721-0x000000001B320000-0x000000001B602000-memory.dmp

memory/2452-728-0x0000000002520000-0x00000000025A0000-memory.dmp

memory/2036-731-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2452-732-0x000007FEF2ED0000-0x000007FEF386D000-memory.dmp

memory/2452-735-0x0000000002520000-0x00000000025A0000-memory.dmp

memory/2452-734-0x0000000002520000-0x00000000025A0000-memory.dmp

memory/2452-733-0x0000000002520000-0x00000000025A0000-memory.dmp

memory/2452-736-0x0000000002520000-0x00000000025A0000-memory.dmp

memory/2036-737-0x0000000140000000-0x00000001405E8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-15 16:01

Reported

2023-12-15 16:05

Platform

win10v2004-20231215-en

Max time kernel

154s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GalaxySwapperV2.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupPpLEG8 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\GalaxySwapperV2.exe" C:\Windows\system32\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GalaxySwapperV2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4764 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 4764 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Windows\system32\cmd.exe
PID 560 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Windows\system32\cmd.exe
PID 2856 wrote to memory of 1232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2856 wrote to memory of 1232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe
PID 560 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Windows\system32\cmd.exe
PID 560 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Windows\system32\cmd.exe
PID 4572 wrote to memory of 4028 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4572 wrote to memory of 4028 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 560 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Windows\system32\cmd.exe
PID 560 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Windows\system32\cmd.exe
PID 560 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Windows\system32\cmd.exe
PID 560 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Windows\system32\cmd.exe
PID 560 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Windows\system32\cmd.exe
PID 560 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe C:\Windows\system32\cmd.exe
PID 5024 wrote to memory of 5116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 5024 wrote to memory of 5116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1224 wrote to memory of 392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1224 wrote to memory of 392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 392 wrote to memory of 924 N/A C:\Windows\system32\net.exe C:\Windows\system32\tasklist.exe
PID 392 wrote to memory of 924 N/A C:\Windows\system32\net.exe C:\Windows\system32\tasklist.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GalaxySwapperV2.exe

"C:\Users\Admin\AppData\Local\Temp\GalaxySwapperV2.exe"

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

"C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1752,3515503743459623403,3624757709135337678,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

"C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1960 --field-trial-handle=1752,3515503743459623403,3624757709135337678,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4764 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=4764 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\net.exe

net session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4764 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=4764 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupPpLEG8 /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\GalaxySwapperV2.exe /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupPpLEG8 /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\GalaxySwapperV2.exe\" /F /rl highest"

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupPpLEG8 /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\GalaxySwapperV2.exe\" /F /rl highest

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupPpLEG8 /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\GalaxySwapperV2.exe /f

C:\Windows\system32\schtasks.exe

schtasks /create /sc onlogon /tn WindowsDriverSetupPpLEG8 /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\GalaxySwapperV2.exe\" /F /rl highest

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\GalaxySwapperV2.exe\"""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\GalaxySwapperV2.exe\""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\GalaxySwapperV2.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 4.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 195.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\d3dcompiler_47.dll

MD5 7641e39b7da4077084d2afe7c31032e0
SHA1 2256644f69435ff2fee76deb04d918083960d1eb
SHA256 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47
SHA512 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\ffmpeg.dll

MD5 c3842fb3087cdcdb04020ac38683c289
SHA1 329dbcd4a1c79b891b200f11eb50194b85c493bc
SHA256 e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133
SHA512 069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\GalaxySwapperV2.exe

MD5 6a3aeb43b31c0b7f577ebb2cf06f281e
SHA1 73749353521f2c0e60caf503d7c0c28730322f5e
SHA256 bbae20f6a6765a4f19d68e9bcc2563158eddaf3e96196a00425c9f6f4aa23333
SHA512 a0a12b76fe4825a6914a0dc29284ace2a3a1884aded3a1891fb63e9db4d1e25466c7edea8ef1094bf415c9b7d7f2b3e4b04faeed53680e165ac36e2b3d7de925

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\libGLESv2.dll

MD5 b22538638027e321bbfa8ba696dc7e73
SHA1 6401f1478f9eb3103ca860898ec82a675b36cec6
SHA256 c427303783d16598eff22a196a4c8d1563447b7311ab3356abdab64a39d8a22d
SHA512 fdad3727ead6ac00ddd1927401695716d33775638c063bfe3156d5cfd219d5df8f7dd34c2c2f9ea8f1e9f1c471cc67cb079f3f6484734be8be263f3bafadf974

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\icudtl.dat

MD5 1af5094e6d809536a08c8c0c0faf50ce
SHA1 69ab84af05898bceafa1bc99076111cdb68ca235
SHA256 1feec6e80594586ef7f38e5e70919dd67728cc557c8f7e30f81a1c5f5cacc05d
SHA512 18be98c46d6c2d197f4bd32fbd71b958e0b297af5d350a03510e845c036167090ff737467a3031e9c4081c1742f525aea693200b6934ba64c9722591806e6149

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\LICENSES.chromium.html

MD5 df37c89638c65db9a4518b88e79350be
SHA1 6b9ba9fba54fb3aa1b938de218f549078924ac50
SHA256 dbd18fe7c6e72eeb81680fabef9b6c0262d1d2d1aa679b3b221d9d9ced509463
SHA512 93dd6df08fc0bfaf3e6a690943c090aefe66c5e9995392bebd510c5b6260533b1522dc529b8328dfe862192e1357e9e98d1cdd95117c08c76be3ab565c6eea67

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\vulkan-1.dll

MD5 b91586bd80e057a7f62bdc4422744812
SHA1 a1df644421ece2e740e5bf0ed98b4f269fd85c39
SHA256 8ba72d98e0f78b77bda7816cd7232809d287310d34e0f1d7472b9d5fda2c6d02
SHA512 94f0a8e3e75e4803891c0fcb257052dbe0e7399772fc7a46ab802629f76ee580ed30b3678fa6bc3744c12cf9f3103bbc8276e88f6711278748148e9fbeef2053

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\vk_swiftshader.dll

MD5 de2d91476e625278c30a5f69a1892e05
SHA1 4d707f6a801611fb437f5c1cba31b0909bf41506
SHA256 02c7f0b926c64f5a19a9aacd5f94ee00be4d576486592e18acc80c0a027b05ba
SHA512 d027407539346e5aedd527f5f71de45bace6295e96a7fbefbf273c930d64a791e488e4bdf6ef8db61fc19c80cac52a6e398c2973499c6fedb1e422c3ba71f532

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\snapshot_blob.bin

MD5 c9ab741bbef53fa0e84952b8891a5f5a
SHA1 e2dcb8d034e07243537c86371de0c52bce62cee1
SHA256 4d82fe1e642fe3ca7ad1a173f806088c0652ecfe9f0f6f6e246066e15a3431d4
SHA512 177b98a3090ecfe4b4598dfcd7e8b3ca49efafba4dbd8d6c6d0def462de47c3fabfde831725622783ddc177de982de6115178d9bd9830d918bb544a5a4c27fc9

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\resources.pak

MD5 bdfa339e708ea0f23ed3620adc4a2d64
SHA1 82a95b7b022836b6e888f53e69386570c05a1af2
SHA256 b66ae9eda4543685974d35d051d967538bc57d55c2577629007c534ff330e1e4
SHA512 ba87c70e1b6446e0a7b62da33d72a36ff92ee54fda64343262bc26afa8166174e76d058ec6d707cdebf2611858b3b4b7e21798febec53da02febd81ade4ce8f8

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\hi.pak

MD5 590e9e73df9cbd83cd87b9c03848fec9
SHA1 da125e60a5a2c51a2d6219d3f81688bd22237b59
SHA256 089b9dd31090a987515809a68d26f6eeb64cd9283934e3dcc48b151eec7d3ad9
SHA512 fd0e5d0f2063e12b711275f390428b88f98ffaf6043cdb14b13674ac1e4aa9f70ae820ae960132d7155daf9b1308238775c4702694ab53068cdc709c50f9186a

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\gu.pak

MD5 63a7fdc4eadf8ef1c35c72468a0ce33f
SHA1 e8d064f0e9c8a6a8c6ccb036711e292d011d9466
SHA256 e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c
SHA512 0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\el.pak

MD5 38440b98bfdf5ed496da0f49d59534c0
SHA1 1498d9207ecaf4923a47271e24c68a817041c82e
SHA256 b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f
SHA512 95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\ja.pak

MD5 833e8c4aa70351b6be7bd403e4e9a0a7
SHA1 46ccdbdea35deec8ef13a5fc833776875fad187b
SHA256 74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0
SHA512 e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\kn.pak

MD5 5115cde84b4c674db412619b65433004
SHA1 164f33e7e2e9f685a579da492a6fc8806beb6cbf
SHA256 891e092c6895e23be986c3e6d39dcea9b6b75f1448239c13fd406680e50407a7
SHA512 090a247898cb533325d2b289a6cbd8db2a755ef0abab49d82f333e57b290c50b5996b81f15d8adc30160b216eebed3a1476aec1627195e52189557c1d48b0216

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\ko.pak

MD5 d6e2c18c9eabba59b50d147d942125ea
SHA1 0918879203c2050b4f9f449f5616e430897ba0b9
SHA256 f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76
SHA512 f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\lv.pak

MD5 264c6e20b3088ceb4dae5773cef0cb55
SHA1 fb6ff83ff14df008092bc3ee73bda7491e8e090e
SHA256 a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda
SHA512 01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\ml.pak

MD5 04b2540c25990a5e0a9b227dcce6ae0d
SHA1 4f8ccd154f54dfb083d4d1a3ed0994842c8ab13e
SHA256 556165b8b54c6e21bc66d12b3f5be393136714467c427f7114f314d18ad3c661
SHA512 4cab47e42e8f5d4a83851871f97f3e1360c993ba530dbb4b4b736350779784bd83189e1195d3480ce87298bb8f9b7f249fefa7764d850e5b0002895609626785

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\mr.pak

MD5 f22c99fe6a838e333e8ee06a4d01296b
SHA1 c3542ea8dd45a2b387dd02fa5687948f135e10f2
SHA256 b03a3042f907aed13253ae8083d08f5fad59ff438d024b097276856e72526911
SHA512 882022c2cb985d85f96d52c9bcfeeb089d6ff30e66187ccf424ef622092b9d359a51bdef1fb6ac3b9d3409aa79d37ca737ba7f3ed8b9cdaabfe04d90a7c8bc15

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\ru.pak

MD5 75457b95d2bb03891232dae7db886387
SHA1 e5a7569df7f91533703626d167ecc8cddbd27205
SHA256 e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6
SHA512 9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\ro.pak

MD5 24b01a438a3ab9699d4ca97c081b5e82
SHA1 0d0b082544d23425a74199fb0a6c11192f0bdf7d
SHA256 38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca
SHA512 43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\pl.pak

MD5 644c0ace25d6e532b56510a736c6bc2c
SHA1 1bd0fec952107b493da04c46423da634ff3e1504
SHA256 2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7
SHA512 9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\ta.pak

MD5 31dada843d0b4f9a66b184cb6d7b8b92
SHA1 0320b31981043c6e4c17470bf2ff4c7488553511
SHA256 457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b
SHA512 c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\te.pak

MD5 793a87d41cde6e6d1bb086284f69733b
SHA1 d887e3842b664f55b7308427aa6f5bf0b352d879
SHA256 5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255
SHA512 7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\uk.pak

MD5 d791b1ecf2931b2fb0c31aac170c7cdc
SHA1 02be115a9ff94fe5250651b6de4323eafc44fce1
SHA256 ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22
SHA512 3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\resources\app.asar

MD5 fa9fe35abbc857a003191ea3fad10ee8
SHA1 57ef2003d4f95f5f217f7962717fd8fd7ce5bb82
SHA256 b7300adcbb2cf799cf162146238067c04486e622099b9aeb5b130bc80b23d0ab
SHA512 d1c945a0069f3307826c92f2e537fc32ce5ee7e5cf3acdb277a5d3d19ff5a4fd52041b6571d856e3e3ed6c38434529e69401edd3f62c8297ceae1e49eb771de9

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 16a12bdc986207390dd79d658a6b2263
SHA1 b4b41f62cbc1e1ede786c6e30e11df8e61750bad
SHA256 50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac
SHA512 d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 c20c205c6f8d70a5e1351a4041a3ec9f
SHA1 e1b2a763dd6c42439656e4e55aba0f3610ff3784
SHA256 bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc
SHA512 dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\swiftshader\libEGL.dll

MD5 19dc9ee70e7765bb63a66b6826e8ecb7
SHA1 1a12f983f8b35cc2955d30657971f113c47dc164
SHA256 83d5719abee35e051d984510e1d5d9317a109031698814742b59bdbbe7d4e30f
SHA512 1fda2bcc4b2e70987ca6011ab2534007ae4f752016d29a588aaae839bb25c35e03773f220b6a8e926cf2643997e7d4c0f28743304269b2c55642ce12934def68

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 c0b36d56d83e601bf246f7709a8c5f9d
SHA1 b025a6070f7d61c7d1827856d2d4043834fd23f2
SHA256 45bb5e1f8dd87129ac0a75c78f8f29d06e3ac182a00fc5199b692068f1e05a53
SHA512 e429ae63bd8a7d5a936a638783511693e8fbbc91d97779b3d4dd3f0880f1c8a820106bfb57cf7ee6b3639f19165de87bbe127aadd81218689fc6c8fada2106d1

C:\Users\Admin\AppData\Local\Temp\nso1BD1.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

MD5 c6cc12159a197160dac8855ea5ea71d4
SHA1 f4352730977ce7cd37eb7341e2fc74c2c42c40c3
SHA256 32795c6037c4ed742e3919213c0b6db1848d9bdead9504058dd78b82cf6c50e7
SHA512 2bdf70156c727e5ab0fa0f97f5fd12676a271479138621c30bfba6b251349614b6331b0e58e0d8ee37784754ea6c3884cc0b08aee2898c11f38c3187b3a8ba60

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\icudtl.dat

MD5 599c39d9adb88686c4585b15fb745c0e
SHA1 2215eb6299aa18e87db21f686b08695a5199f4e2
SHA256 c5f82843420fa9d144e006b48d59ba7ef95f7e6cb1ea95b27fcdd2c97f850859
SHA512 16194186a8407b29f799d4b02f5674e4fbd5d91163fad9f8dce6ceedd865b754a681aa960d0f3f1b62cb21d5443879f1b8e9b691c19c5802d5bdfe4ed645b8bc

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

MD5 fbef6e52088a042199d43c79dadcbef3
SHA1 aafde18d7e1feb1a4f5631696c70ee0f6d8df301
SHA256 4d6863c6ea1a8e773999ae287d9760dc3cbfad395918cb597d71bc10de7697ae
SHA512 070c1d1d8f938bc371206d23fdf3f2b9b4db497dfc332a02bac13e26f42c4a36636d3c1e35fd4c07ccdf434b6ca9ea8c98c1cfa089ec29df25dea35fc21bb013

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\resources\app.asar

MD5 ce5277672ae3ad3951fd688896dc7ef1
SHA1 57b16211426b74832dffa4c6ba15c704ea67f7ce
SHA256 fcf9be46b1d5c4f05853681811a183a3279ba94475c4a71906b517d5c6d9fc7c
SHA512 c4c8964fc4d50952d79559d4b549cc171619b37bb832c2aa89297576b331e1f240488cdb29ac4497be97eabab00c74e66ca0392161f40a82c3ac6c0a58819d56

C:\Users\Admin\AppData\Local\Temp\cc9adf59-8d26-43fd-9739-eda6380eeb00.tmp.node

MD5 3072b68e3c226aff39e6782d025f25a8
SHA1 cf559196d74fa490ac8ce192db222c9f5c5a006a
SHA256 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
SHA512 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

memory/4404-568-0x00000203F21C0000-0x00000203F21C1000-memory.dmp

memory/4404-571-0x00000203F21C0000-0x00000203F21C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\90ec7691-8c52-4952-9498-dd4d7253bc4e.tmp.node

MD5 e2de9a01a0d5d6e3fd023b2b440ddf09
SHA1 3b3f83e488ff14cd2e9e7fd3e3c972a2fe413eb7
SHA256 308ba94cf50b06cfd573ced7e7623f2de31c30f2cc9fd203393c9ba17abd89dd
SHA512 588917a4607c43f5c7918c553c27006ace9673a1f28daad1b7a41e5791da197c5841f60c0bd8500d0b23b7918dfb86f48e30a485b8897490a370fe7e1c5fcfea

memory/4404-570-0x00000203F21C0000-0x00000203F21C1000-memory.dmp

memory/4404-578-0x00000203F21C0000-0x00000203F21C1000-memory.dmp

memory/4404-579-0x00000203F21C0000-0x00000203F21C1000-memory.dmp

memory/4404-580-0x00000203F21C0000-0x00000203F21C1000-memory.dmp

memory/4404-581-0x00000203F21C0000-0x00000203F21C1000-memory.dmp

memory/4404-582-0x00000203F21C0000-0x00000203F21C1000-memory.dmp

memory/4404-583-0x00000203F21C0000-0x00000203F21C1000-memory.dmp

memory/4404-584-0x00000203F21C0000-0x00000203F21C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\GalaxySwapperV2.exe

MD5 02e1e55b26581b70fd60366da0b539f3
SHA1 61b9134812a4045d21b6e40d56b5e34e30a55184
SHA256 4de39e0452aa6ee2390eeeaabe2db191d8214eb7da6245aa86d0503cbc5e1d21
SHA512 46779e10b3feba935d7098385620c1485047d8a09a828c5f1dae8c9284f958237b22c376cfc0af6c7c41b1ba2cd25bf2299ba6eae541cfa454c48081af3ac60f

memory/3312-591-0x00007FFB87890000-0x00007FFB87891000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2Za8IrWzfkMGdAKa6PexxI76zvm\libGLESv2.dll

MD5 b6a433dc7b4030fb17bd1683a9606b6e
SHA1 0602c50532e3f13facc67bd95a048c470e88afcc
SHA256 f7ae57a1d7d3e284714ca354f5292aa9b75086489cbfba8b1f54548445b6b3e9
SHA512 b9ba2e20ec878e3acae93d8254e69374e391fd4a3d5c1833282c43896d123baa874f1088839f3bbcf05539eda0e2aeaef28d7742ab8e20ec788382501e2152b1

memory/3312-613-0x000002AEDE130000-0x000002AEDE25A000-memory.dmp

memory/3512-617-0x000002EC1EE30000-0x000002EC1EE52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xlzgfnox.vky.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3512-627-0x00007FFB66A00000-0x00007FFB674C1000-memory.dmp

memory/3512-628-0x000002EC1ED60000-0x000002EC1ED70000-memory.dmp

memory/3512-629-0x000002EC1ED60000-0x000002EC1ED70000-memory.dmp

memory/3512-632-0x00007FFB66A00000-0x00007FFB674C1000-memory.dmp

memory/3312-635-0x000002AEDE130000-0x000002AEDE25A000-memory.dmp

memory/4304-636-0x00007FFB66A00000-0x00007FFB674C1000-memory.dmp

memory/4304-638-0x000001E0A6DA0000-0x000001E0A6DB0000-memory.dmp

memory/4304-637-0x000001E0A6DA0000-0x000001E0A6DB0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3ca1082427d7b2cd417d7c0b7fd95e4e
SHA1 b0482ff5b58ffff4f5242d77330b064190f269d3
SHA256 31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f
SHA512 bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

memory/4304-651-0x00007FFB66A00000-0x00007FFB674C1000-memory.dmp

memory/4056-657-0x00007FFB66A00000-0x00007FFB674C1000-memory.dmp

memory/4056-658-0x0000022E051B0000-0x0000022E051C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

memory/4056-669-0x0000022E051B0000-0x0000022E051C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\GalaxySwapperV2.exe

MD5 00c9ee3c3798322115d0682e8cb91820
SHA1 482c413042b3624a23516041ac38d1ecdada0821
SHA256 a72688354ecfc860ceaee7dca987319e58be9b0ac7b81d53d2471db6094bff74
SHA512 5ef8142660f81c09d950b5dbb2b55dda5a754381c4921bbe9a299552c093c969e14e1e842b3552fbe38cf02ee098e2d8eca6c2a0a6be3f700a9b4d96b31a5eae

memory/4056-673-0x00007FFB66A00000-0x00007FFB674C1000-memory.dmp