Malware Analysis Report

2025-01-19 06:04

Sample ID 231216-rrae2sdbf3
Target finalsEX.exe
SHA256 f6fb1a472df07503a789882e09d5be36d2460ba8792d3236d55efbf7b598df2b
Tags
irata infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f6fb1a472df07503a789882e09d5be36d2460ba8792d3236d55efbf7b598df2b

Threat Level: Known bad

The file finalsEX.exe was found to be: Known bad.

Malicious Activity Summary

irata infostealer rat trojan

Irata

Irata payload

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Detects videocard installed

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Collects information from the system

Modifies registry key

Runs net.exe

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Enumerates processes with tasklist

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-16 14:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-16 14:25

Reported

2023-12-16 14:28

Platform

win7-20231215-en

Max time kernel

151s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\finalsEX.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\finalsEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\finalsEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\finalsEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\finalsEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\finalsEX.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\finalsEX.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 2360 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\finalsEX.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 2360 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\finalsEX.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 2360 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\finalsEX.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Windows\system32\cmd.exe
PID 368 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 368 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 368 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe
PID 1272 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Windows\system32\cmd.exe
PID 2320 wrote to memory of 2136 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2320 wrote to memory of 2136 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2320 wrote to memory of 2136 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1272 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe C:\Windows\system32\cmd.exe
PID 1056 wrote to memory of 1340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1056 wrote to memory of 1340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1056 wrote to memory of 1340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1340 wrote to memory of 1400 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\finalsEX.exe

"C:\Users\Admin\AppData\Local\Temp\finalsEX.exe"

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

"C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1020 --field-trial-handle=1012,2795081613284739242,15242517074203142577,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1272 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=1272 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

"C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1688 --field-trial-handle=1012,2795081613284739242,15242517074203142577,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\system32\more.com

more +1

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

"C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1548 --field-trial-handle=1012,2795081613284739242,15242517074203142577,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp

Files

\Users\Admin\AppData\Local\Temp\nsj7032.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nsj7032.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\Cloudflare.exe

MD5 23b5644b0ab76894f5038c6f4cf0eb48
SHA1 6cc8a111f85b8359ef3f5326d4c5b1b4e509f6c0
SHA256 0640eb61c458a6bcf526e1b2636b1c849d44cf50a0d9dd0359644c99454ac596
SHA512 b922b7d548dd3304ff50c5e280398fd3fa69d80942e902bf478b9e8e862e5fb45ddf593c86aa85854cc91ddd7e85a09939b08ffaaf9dc01ebaf875b2e07d3ec5

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\vulkan-1.dll

MD5 0d0ec9c5b5be6bc1a1c1eafb670b74e4
SHA1 6933d473432ded4f5421802533ad090d99038a66
SHA256 efbaec57d845fc2c1879bb131657d4c7c1dd5db9d677c12cb8d8ffcb21c48dcd
SHA512 ea65a2e4093be2a702d7167c10ef5e7ac9b52d055032d1d9e4820cc17f9fc36caaf31e8e6542e420938d75ca19ce3731398b7dc0cd811c8d0a9242855ec3cc2e

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\vk_swiftshader.dll

MD5 73382c1e96979830a1aeaa89c1215b73
SHA1 6a15e81282ab5f43b298ea48bfd3b797a0f9c734
SHA256 9cf07136aad0d818f0cb982a987560eed67035040fe97461102cf5c23a13207b
SHA512 102d305af2eb2a68ae81cd0c2662e3408934fbfeeac209e745f341d16f54c7e355af04bf388a84fc20f7f5115f9b8eb99be75a1bd206c65bc12d432035877053

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\v8_context_snapshot.bin

MD5 b39b9283c44dcbf0663024c150498c6a
SHA1 4ee2d15213df7cca09cabdb607c7337a0042ea32
SHA256 b71289d1ee145c29172392b5a49d04385c2d371d96018e0dcf86d4826bcf8d11
SHA512 1890c2c248da6aa57bcfebf496306a96bdc767fe57511cf0f6a55cff6a37e8aea12007cdd1c198a93634c0b020e01da4cc0b0fec7c9348e728eacb8f1efc099a

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\snapshot_blob.bin

MD5 c9ab741bbef53fa0e84952b8891a5f5a
SHA1 e2dcb8d034e07243537c86371de0c52bce62cee1
SHA256 4d82fe1e642fe3ca7ad1a173f806088c0652ecfe9f0f6f6e246066e15a3431d4
SHA512 177b98a3090ecfe4b4598dfcd7e8b3ca49efafba4dbd8d6c6d0def462de47c3fabfde831725622783ddc177de982de6115178d9bd9830d918bb544a5a4c27fc9

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\resources.pak

MD5 698607abfe4e9243621f6fcb2fd1658e
SHA1 ee42453789e99ca00a4fb1638ca7d7c1c9ba9ae2
SHA256 9dcade5ff971e2b77e3b290972bdcc87b998876c36f39f010521e1e99563af9f
SHA512 9f95667514cc6aa3dc3c48e5d04dffa9337d26785e347456de1a41f2a79650e687edc6200317bef157da8a3986c45eb2c2b9dcb6d9c5f173224b4518db8c631a

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\LICENSES.chromium.html

MD5 0609d62986a5e46cc65d02a2619b2a28
SHA1 fe87c5e67c5a7c7bb2a9d406078ff12f11845244
SHA256 ebd80f482c6b91d702f145d19e90962101d3113129323ed23692e1178fa41c2e
SHA512 6898a129b12f9be8660d5d279acccf3de9cb83f5e72177dcf8450227ec274de6acb2974b7653ff950722cd5eea2f294a7d0808f928c5f577fd8330bc530de00f

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\libGLESv2.dll

MD5 75e0dfd01148a3b0f06b0c423e040096
SHA1 e0f1dfedd588d3e1042630b8ffd95a6bedcff87d
SHA256 8bcf07031f8f9456669868f379bf960d8373237705ade1e379342f3658972486
SHA512 58842b7f7a34ead89f57c4a947cb4c239b7d5a51fdbc6e717cf76b05622aee7ce2b57f7fec11aff6c9e50aeac9ea14db411b09d3d85322be64c9fa2945773a32

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\icudtl.dat

MD5 debb9ec1d2f650e3bc8235d7d774e715
SHA1 5583d5ae0d0e2f77b52873642d6442356242b848
SHA256 81f79b7ce1e2acba62738356dd6028fce4218c2f8169557f5a3f64d204ed02c9
SHA512 080362f8a68deef8b8032dcf9619cab22a218e9fc9bb45f597fef35bd82e006267807266cd1759e0afd390707b66dac3247b2c225dafb05dcba7b6d0bf826678

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\ffmpeg.dll

MD5 2b011d8008af32060800e5fa70caf71a
SHA1 1409c3bb778763b728a9ba1226fb34d58dba5842
SHA256 ff158609faa9f0ca2bdca0dd1fc3890567b03e1a0293c273a5a0cc96b802507d
SHA512 726a639a5a39535c7d58f81f156d4469611a1d4ded3e805b1d3ee04f84c8909dcc2f6378fd333092a4de8a22d2532874cef3f58ce2c3d46d12b5368c62b9aa8f

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\d3dcompiler_47.dll

MD5 9419ca8341b0dff11a6435172c82266a
SHA1 e8adfefa09bd8cfdb08ac23ef9f8a08773f70fdb
SHA256 47f317f56b6f562efe1b840695abafe620bdc820cf28d7b3f1f8bbe9f43facb1
SHA512 69fffeab8483fffcf637c9d88b541a0ec89676637118d3e059033f5c364062ad76cbf0e34e28cbff00519d357feaf0569c2733d18551e8fc7e043f5929a1bdb3

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\de.pak

MD5 e3081aed481bc1bd6910c0b9a1abc175
SHA1 c75047a66d3a3d6584e6ea2315c51b9b3009a0f9
SHA256 410730f3267111827c2684e6ac2cffbd67b367174767548b3466bd647038b147
SHA512 0b32d650fcbd8f2f130910ffe6baf5fe5db08f75ffd3ca3e1573edbaceacfbae2025b4513c64ca9f2a8eda12c487073b396e2ebd9a5d27422efc44416c974ff4

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\en-GB.pak

MD5 6ab443c98a974b94242c2596a2367080
SHA1 ec48e16df158f12548fdcba63ed98cf662d99c82
SHA256 87dfaee45383e4639f4b62eebb8e6b7e7cb6bc1dd16db1560668a4fa4cc70589
SHA512 087c8d889ddc46d38ef88b889f450e650172242c2ea820a6954000cd9e50d0de4be0eec51cd342b9400fa66ea781ea22cfd3cddb4198aa432ccaa32b02075fcb

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\el.pak

MD5 38440b98bfdf5ed496da0f49d59534c0
SHA1 1498d9207ecaf4923a47271e24c68a817041c82e
SHA256 b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f
SHA512 95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\es.pak

MD5 ffe48903e6c15fb605be33f69b3ed878
SHA1 1f7e898fa5ac6591b6ad56e0c8faa66c54dd8cf0
SHA256 e20390386ba287ce48c67291fa0a5c73fe4678fc467c38c7577768bf44e7a353
SHA512 fa438140edb24ca847286c14505b9e3378d7f8d40eb706a075bf8f0dd6c8b93ab4e473a7cda656d77172288d8372f737ca6cb27ec909e5d78d152deea8a93695

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\fa.pak

MD5 b8e6a1e27eed0505521ddc6b9f296cbe
SHA1 1d7b5181d052948a0b2a48dd7f9c007fe3a5ac6c
SHA256 1982aaf048ed6cfd21c1dacc4ab884f2a615808585b4b6d1af0c66da1f712561
SHA512 18a627faf54ebc591707377d836bcc30f2cb6d42a0eb3419fd10383c002f0f16500a5c4f5eb338b6836044bb2efa1872e39574e540ae3a4c8fc2c7a3f3528473

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\fi.pak

MD5 4e2cc13ae9e6e2551b5806c28e141e29
SHA1 4c6750f28541c3c5c5befd65de207e914f2837a7
SHA256 87cd57141ebf5b010920d6d94233b0aa7a5f9f125477ee4f8ea7870cfdc8133f
SHA512 7f760963798bf10b643f6d3e24b10c7cc546a4e021dbc4df312fcbbb2c5dfb2bf4133b25a02de19b10eadf032cb97e4438aa230a3c6e4b7f5929bf12705c0d5f

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\fil.pak

MD5 d9248e6a233e5d5793ca1ce249964ece
SHA1 7986a903d7008d839b818dded08e831508806f6a
SHA256 395053225d66d389695caf9b2c6c4ba22429d84d43c0b0426815752a2469d2fb
SHA512 098a28dda59d5e5c9bda9f28edcf381bbde6ca3971eb948566210d32299aec35a917f316acb0817fd968bf9094414a6ea93bb96ab14710a595c8616069dd9e98

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\he.pak

MD5 7b05c1e6f0bd0e7bf02ee429bfbc9211
SHA1 307595f2acb73a6eae6f94a93d4799ffc35cfda1
SHA256 d8f5480be6f3f02524781646c66f4a5658fb4d805059ceb784e95ed36d1753bc
SHA512 2efea87f6c9b7667d115f389f7249e3f461a1b4ed99b58782936b72a1aeea81dbcd9538b7a042dfd30daa1830c4f120fa9b810e7458f819a43c220cf207bfe80

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\hr.pak

MD5 a9e9895602085acf76a535633951b98e
SHA1 ce18a01a8645b44ccba7cd1acc63a4467cfa85a4
SHA256 8a95e56906b0077e02fcdd0439a1da71901488915c3906a304954a84341f9073
SHA512 cfe2f1f4d9ca47835924266e34c96ebb8da2a9581059e82a8003cd53014f3860c69c0748dcd43cc1d0f25de3d2688f913c6dd243de2123a10875bf6e9161a186

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\kn.pak

MD5 6805c4771f81869fbc06a218c328c09f
SHA1 f32fe84fcb9d10a7f5397bad77f269664bf102fa
SHA256 cdd4126e34e1e7de87e683822437bd3a30f13e03cfd587b5bb5ab7435bd99857
SHA512 7425b22feda81495aa5f5fae8ba73912fa9116d58ec910d63abd3f3da15ee38f5343a24386f7b145077221d252acde9052432040f6685b808d2bda9ec8c6c64c

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\sk.pak

MD5 991fbb78ec0cafc0450cbdd656856836
SHA1 fea8978b5b7ecd6158a65a2295b3b16bcf6c176e
SHA256 8354a8aeeb51174f333614256b9e4d1a783c6866f2c24130f1de478981a2116d
SHA512 5883be61051f736f1ba4eefd856de9ec07b73a31544bb9dd8bce66b4a5c0c6eff04972969aa4a7e6b3512177fa32761fed77b9654a91671bb673529e137be389

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\sw.pak

MD5 6a8f1e60b485f210b7e3d47be9d4e824
SHA1 f07cc3969ca19b3c9de1bc47bb5ebb92817ec1b6
SHA256 654aadc7c99312f4ef04743eb62ea8563cac2548b0c39251015bf407e28aac7b
SHA512 2b901d1c42d324ecef5359f3377abd2c1c2cfd33e570e0618ff5f25caf1d0ae59da02224c003e5a6f389226ed845f5d7194e5bebe46a560a9e77b02a8603a338

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\sv.pak

MD5 d76d3433bc2c03dadd4d5bf66debeeba
SHA1 5e392939097de1c99c4ba579cc0b92edd0930c3f
SHA256 3bd57543b288d32fd39c06fc08c4dd30a1aa2f2e1994a329187a04da2a4cf435
SHA512 07b5371facbe2534c595c63d050a165184152deb6c027a51a8f0f3730da08632b1c77575cea1a61766563abe7a0839d452e54351da14774cbf1404d04286e8a7

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\sr.pak

MD5 10a268135175940b310e2cb25513cd84
SHA1 2da901d359d9845072ac4d95b0b1a4f06a337813
SHA256 041d26977cd524993ec29c14e78222180a77e85cfc58b803c71056e3b75a1fad
SHA512 858a8c9fdfab12bb46503baaa361c919d5c6cbcec2755145d917c45471306b8b8e5fdcfab2ec27f005d4e8ef948c419836f06f7945c2e9705a1da8e1f453da21

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\sl.pak

MD5 ac4f0304d9c0466caa155987bc454dff
SHA1 c5dc7624f36e63aa3f39924e49dc403faee2096d
SHA256 49eb62a409608232700862118ecb78778f49ad4adc43bbe36560b09343394f9f
SHA512 590b46bb3c054439a5a4f99a985cd67d385da182508844e7160af6ec901e5c3f0cca7e0046a2bc8b3c084be7e0a108c7f5bd533783aa6a620443e8892bfc308d

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\ru.pak

MD5 89723edbdebf464b6fa43509424da907
SHA1 11f002c388bbd1a4ffec8dd5aa2a7b6f7a0f159d
SHA256 1409477cef38878a1a3403c214a764ca8006e1bbf57d7d77e383f6f809d47e46
SHA512 1b5adfa05077b3a3161a93a36eabd6e4f9070f3bc62f015cd0820b768a33b22d62b09ec0b6f0a1b86df1eddad6f882ec5797bd74d4310cf7244198a893f60dcc

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\ro.pak

MD5 449b01abc7ac8805db4492494f21a3ed
SHA1 3c218df52624d088787302bc02cbfbd0f34f20e7
SHA256 2a235a8220815ad206bfd0e97fec22db23c887751efe55c1d597c8f34a65d09f
SHA512 bf8b458036661455b717b66b48cf30b9b41e2d22fd7a56ad6bfecc358475a54f6740a860012931ed3b9a9f6e83783628fa5d9d0efd45cd7f52ac244935e647f2

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\pt-PT.pak

MD5 7e860086dba80f27282fd931fcf8608c
SHA1 4b22321cf3806a1fc7f93a1c6463f0e85f649387
SHA256 8e3d0cbadfb6dcaebebb65d63195a3792474536f0d24bbde7b8a0b28f5b49631
SHA512 15f1cd1525b9fe53ee187cac26b4b873321e338c2058b24fedbaca06331141594d60a26919f5841a63be8b02c57ef4bef17f6318ab7fc5215b6a26ac40309aa5

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\pt-BR.pak

MD5 f95549e7faf639c309e75682a62dea74
SHA1 acaa905cb4c43f2901fc99a976321724518d46a4
SHA256 a31854de9943c2ffea92ea5e42558c2fee965ce9e8991db959e08b637b6cb5f1
SHA512 27111d77c1ac4b18ba44565d697afee94d3187d341ab721bdd1ee34eecb1177d14e01d99a8eb80d36c66822cd3f89e4fcfd3fa0a734a3c3979082ab9dcab2610

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\pl.pak

MD5 9232e02f00dec194d35eb553953c7c98
SHA1 f74a16144060d8edf66a832d0453d240a46ca69f
SHA256 5411f0d46b40a85ab39491346cfa11ff888d6c303c9b55a4f1428a0dbe964443
SHA512 bb9eb1b5cd8d8d0c039b4f627177c2ed12901bf66830601a68a4e9f87120e2f0278252654153882e6a37981711ef745e9270ad75900ccb2af180ce6d54cf3444

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\nl.pak

MD5 8c77b634ffd7dcece8d58ff5c74e3c1f
SHA1 385f6b5a60d4b41551de20b3e1f62c3791860cce
SHA256 c0a30c2acd358de947986f938ab61bd7155eed962da808cbdf1e3d12f7933b66
SHA512 a1f56b6e5fbca439abc1b1ff208df2929095dd49031c3cc7ab3c99cf97b43ec8ac28320334533891b86f188bb75b8f6bc004037a6ac99436b66e05f288e0672d

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\nb.pak

MD5 cc535b4b04f6bc9ec1671c448061ca5c
SHA1 f74290f1b5f408145c791349965a189b3f808b75
SHA256 c923a455cac094eb64d4edb837a0e199a60163db8acea272f8d8846109276f01
SHA512 b9714bce8ae5b30e9ce0d5b998cebcdfb4ed9cc08d0f9b35079cd8e6cf3d40ee954791480193ad8cc431ca2a8d8560df1204e3b41e1609ae30678c1096fa104f

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\mr.pak

MD5 25568550876e764ac9e7a5c8e90c16f9
SHA1 592a6dc1d79c6bbda1a6c3cbd9b8e9f7dbf609a2
SHA256 d8657466cfe1b9f0952c27f77c941e36823e57a665cb16428969ad31dd8f4e78
SHA512 47de119f0baf51bed4320028fef92fa8236fcff5eeb079f2464b8f193135473c1707efaf5b2a8e3198f1a1b785b3ce41464d8f863ce5a88e3ee29de5b46b7da0

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\ml.pak

MD5 9891077862c6bfa88b11bfd0151b12eb
SHA1 9cd95859dea4440f8e73bc49656ec2ff27b4a088
SHA256 65d7e24e0f1ccd1cf820cdd1a6cf7639cba3e97089c442cd70ff888e867eb38e
SHA512 5fe01de483baba3f629a3b3aa7301e34bd9c75d725dcfed426c2ce566ef7f32a88931dfda3a0fbe2e7470bd23244bbf14e7ac4f693735ae18fcf656a28473bcc

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\lv.pak

MD5 fedd8dab46aad8d24f637ac02281d63f
SHA1 09cd437942af6f92fa831c527f50fab564da1188
SHA256 bf112df1dcb9ed1fb85b05957ecddb09911b3f64026969e7f92e4c77aba62cca
SHA512 6af95242c0ef890dfd7b4b38bf69c0bc12d51285687b218210732a98ca4b4c41ca8a27b94402482f12f6d0b8168e197f4c51c363be60ba7ca390b16407dce01d

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\ko.pak

MD5 d5ebef66feac776c66ac3db8cb1a4d72
SHA1 24949a92fb54df011fc6b86c1d63c17ef973cfe0
SHA256 53292bf94d234b6f065cde21100251cb669a53e35cd72a756ebbe220c6af356b
SHA512 1dcce5a5ab60d9398fbd5f09f0ffaa5b2875f4dfadce56393a389758d899592bdd1edbefb4a4c9abc85975ab92970626f10af43128172bbabc7b5686eadbc616

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\ja.pak

MD5 9ca1a8e81b8c8f37758a86557221d163
SHA1 78e2b6f9ffb90cd4852d09a5c5a49e6403a6d250
SHA256 c04de508431bdc6b364fed01be8ebaa593056cd908af563c856cae7b481e7c4d
SHA512 20b514e4910e1190683102571d1e1cf5e7521bd0d9a4d5bc69fe76cd717881773660d66a06aef80ec7f2d342c7f97be53743249d49a072caa13c40cee3c869d0

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\id.pak

MD5 2d9503d49b44e52eba244dd41550ef83
SHA1 00e660c8aefbd80594ec4cef4aaaaa33239bf7e6
SHA256 c5671206fe17fbb515c9a91a7e54a4486ed3c24af73c46575d5be8c429c07059
SHA512 affb51106a7e4a96df595bc92b1d92a3ec40f3971148574f174102322294f4a515c48c8f84c824709bb686be52588bf3804cfdcf065a5ac08b3bbe80d23dc866

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\hi.pak

MD5 469243c5cb18a3f1a3459bb223a43fe2
SHA1 9e48883e9ae23e2186b42cda8f0c1e8c5222bf6a
SHA256 c34af649039f133d221f2e0f7de6a9a64aa4842fb0d9948b4f038d0430d4176d
SHA512 dbf4dc3947ee8dc09cff0473f4e0460b538e96d6cb7fdc1d9e6991abae99d05a7e14d8ba2b14e6b0ce2992585bac9899b849dbd3f393c9adcf0b59b719c2bce6

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\gu.pak

MD5 e8b7f324f3c86296a68a9ffcfd49ff14
SHA1 19fdb1351cf4fd6f2ba55880c1b03d537da8616e
SHA256 c94b704b7cf8142cc0e80d8194a6092afce95cc2cb21179a2dc008daa052bc23
SHA512 f08ef975a255687f59a679b316ace5e8cbec2ce9e9c15ec508eacb9bc83cbb30686bca50a22743016b0cc819fcbfdfe690e6c33cf34c968138b47e3aae59b050

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\bn.pak

MD5 a5346f1c8bf909f13ec398da82e13f83
SHA1 dc7dfab7b9a03a6391d21fd5354d6bce20ce0b41
SHA256 bc9bc0b3ce5fa3776a41f23a703e378c0ad5d498fdf296db36c1fa5bfd35104e
SHA512 8915de071327033150fc05135d9890a3321ebeec1f1f4d4015bac930de272441356d30a7fab7b86828e856b75796003ce1aa3382bb309093ccaa62999fd8bb02

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\bg.pak

MD5 4ac14b068329751f78e46f5f810b6fc0
SHA1 37beba2776319048fcf5b9488c98506add347607
SHA256 9e1dc25dad723ba54d919fc93be0660dffdf490a0f5d4ca0f11e62c0625a4e26
SHA512 e29b8d2c4bb8424aff77ba51cd4b8414605c3f7cfae546f362e0cb5868f70baf1aa87774f352a1fac244ff91a00b986de2f66e482e4417c32d3711283850c14d

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\ar.pak

MD5 d58dc64962e22318db2e73d2edd501af
SHA1 7c8d7ebb8585704c5240842c9a61db949fb773aa
SHA256 54310e946219c4c0f780c053f756e437f2ee63c81fa1b364298eb52035873450
SHA512 a13688d7e3ea7b6011d5313e858fc73021565ef5a1e6c5a58d89f42f1e8219d3b8dc04acb70dda5759a5dc6d7b9c89ae64d92e498e9c244f441a8a4b28c34479

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\zh-TW.pak

MD5 1f076ce1bb7edd5e545eafd11c537817
SHA1 1d11db6ef8c3557b61f6eb838965f88ba613d961
SHA256 fb00ea665f35720a2bfd8d75880aebdc059316ca58f86236eba9767904fea7a1
SHA512 b0befa26d49b073fbbcdf032ffc1210b25c49d417e9514b752b5d68c8afbe92c38316a4d1baadbc5c936c58775001e9ce22fa9cdefdd17f079ad6e5b8e4a64be

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\vi.pak

MD5 f7a5bf15dc9d1581ddb6b6c495d4925b
SHA1 21e790672119adf021083e10050a4004cdaa4139
SHA256 6c8e5f484aafc505debb88ff428a29f72e4114332d8d412709432605a7ce9728
SHA512 9ddd38b4b991714f18e9bfbeede3ce1043c7a71432f53be26a4974e159a4f618ec83fdaee92e1f9bd5190b1eea80922033adede2bae03d1587e7c76d6d4a05d9

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\uk.pak

MD5 6fe631f215231599a01abdd832352863
SHA1 e7fe75d42653b94c46f1bf16f23884a73b16f484
SHA256 95cf6a398700e0483a889f7c49548d9dc8352a4fb99feae67ef581d3b105ed3d
SHA512 73b9378bdf1262f640867a86f6e6882721d349d18222a229fd6b62a2c9d81af38afd4ab6b4c23c97a62410e4d6e0e5fe6e0c26928f6c7f0f32d68717c546b51f

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\th.pak

MD5 e84ea1474914e5da64637d7402f8ed77
SHA1 bd84634f67eaee389e8304dc816396e8a99bbd36
SHA256 885d348c077ab445e7f86cbda70812f27ca51fae511254a459ec2d208f509cb8
SHA512 705621c6dabc7dfd30a904bfcfb2ec6004138eb14dd21b95531fa235b82f4d7bd5ac596b65ae67c1e7ba2049808ea05ea59a950acdb1fbb25e914a2e5f2fb98e

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\te.pak

MD5 0c8609fe4419a9ef639a14e18d54f2cd
SHA1 092e83517f490bb62a0dc468ee78cdd0c5477354
SHA256 24039e99c28659f1180aa0555540f3e99b246604d04dcc3c094c8a146e671633
SHA512 25c024e0a4e2e1d3f6d4688508f45a3e02213dfb656167cae0bc1f89bb271642464f3209df07f404cc190b4a5607d56e6cc6b8395e81fb218a9544d10109c92f

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\locales\ta.pak

MD5 5ffd31d3fa04cee08932e20676c1bbf2
SHA1 5bbcb4a4951e574e57071a94546388e2c01f2823
SHA256 9c385bf6fd7b685dc211e2b665c425d6232d95febd080691e648df3be528edf1
SHA512 3e87870a3b9d50823826c1ddfeb2284ab9676480ed548cb97074cac565897a5a7e44da4720fa33dffbd4bf5c789d4e5fb49c5edabb510ec93617bf23262984bd

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\resources\elevate.exe

MD5 8bca51691bf0b8a2dc7c0cd848460f8d
SHA1 43898bfc810a3e113b9aacb95539fe3fc4580d36
SHA256 c99a61a86d06068abee9d86fc62f0708a5822d42031503d473b4d8b3b33b9c06
SHA512 a5f516d46ab6a66653185f6c62f79bcb4d849916b923e11db90003d5fc5c32a11328b7685de624474fa7b19bfd14f9ade1074531825b2634aafdfdf2ae371573

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\resources\app.asar

MD5 e29f04b8f4c569ff31cce5aaf725063d
SHA1 34580e435bb4d4ff02de53b169972c0d358e00d3
SHA256 e5de7d7443f4ba3d3e696a45ce0e63747a3e0ec8a114289d0db2b1515622f92c
SHA512 5a5503054bc05ea423c9ce1f3f6df5c78370e5be5a48bf38c450381e5cf963078072426b9921b6542a3f01a68de725fb5e7d04738aa8016f66a05f44ae6e8ede

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 0d643bd2e66420f137a4f1b75b76ccad
SHA1 eb5a306512c469940f21579e2c38c077bd35378c
SHA256 bc92515e93d3845da36f063e0f89283a49fe03261aaab96a2912cd617a2ee664
SHA512 389df0b302a1ad4ca97bdbf57c37e40012d578cf1aee56faa9a856e93d9ed825aa31feaf91a7f4e30d76d444cd01dc94545b7fea090316769c04c797c03a1313

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\7z-out\swiftshader\libEGL.dll

MD5 b92301914f9bad6afaa27c7212d8b2e2
SHA1 86ad90f8919378073213c2ca50731d116d5dc10a
SHA256 3d8af1c4c6132b34c2a99507d2093ae86e4d3aa1858e430ff6eb5ab14c3f2249
SHA512 2a62fd5b56bdfc24e181efce8cd21ecc9406983e5a1b1c28694b41811da677cb86a9d1f89ff13fc89b9929844fe6d7d1232f822807cf9c869f265506daa3943c

C:\Users\Admin\AppData\Local\Temp\nsj7032.tmp\StdUtils.dll

MD5 11a15b5c4cdf372558f58f21ebeb3b5b
SHA1 e32f56ebcda428542918285b8b473e9fdd6d4583
SHA256 1032bfa13ca7ad5b7e4c3469c5432f51622cd1ef952c29755ba47c471703a384
SHA512 dadc6c361db895316f6e36e8e1b69fbd87a27a0f4883d9e71809357896195d0d41339f282b984caa3cccfb18fd66f0cd10940bf4edb412ad7f51b91cd8d86345

\Users\Admin\AppData\Local\Temp\nsj7032.tmp\StdUtils.dll

MD5 149d331f3dbac8e621a2d91c3e1056fd
SHA1 31f682723ff306f313b688866d9dc638cc0ed779
SHA256 e5736ef1a083f2af29bca99e66ba940ad8e5bab244657ae13de7167ec49cfce7
SHA512 c4ea6318707d6535452971012a1b04cde405fc8e7276509c7737b766adeb483934d46acd4620d4845815f0dd8aadca876507e1868eff2e167414601181a20933

\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

MD5 0e672280f3d720fadf6324eb86678778
SHA1 a79a88918d38b09dfeede505501282cf57625245
SHA256 bde20aa88c6bc91969ab0474cc8f28b790782a1b75fc6580ea9711247383ed37
SHA512 4502c5ded4afa64f5df02022f1cb29faed989ba8c088a53d62baffb520e81ecbec4f42a3cb5a3723539c8e21e8a24b78660e0db729df1337f821d968f0d5e7e8

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\ffmpeg.dll

MD5 2a5b319e1b1c056e2b6e9e31fea6b3d0
SHA1 8f3043a73e537a670d35f5c6bfa895a50bb84ee0
SHA256 657173cbef1bd0f47a2b438b7f3669fa5cae4bd987f235eeaf9cc64dec0bf1ab
SHA512 bd80a117576084f537701ff6415c9169241da32ba9712566d01d6936ab021aeb8b9207714217bb80d83b86250871cd9320772c804a8421a2e0b7ea8ccc47d5c2

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

MD5 760ba24531b9302f4ce52fe8db7fb394
SHA1 bac82a420e69604c62c6b1b7e2496084fd7aa4da
SHA256 e37c7756056439c0bbd5dbb6a789c09ba3863a7e408fe908d0be1e32b93c900b
SHA512 99c86d6e9c2d26a7ff0c9893000274220a646a27317df0b0806bcd0ae79769890b1c12cac6a7a81267869e7e420d75b44b719445fe7fe72659aeafa97092dc66

\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\ffmpeg.dll

MD5 23aa82057572b37cf77e9f18cc9636e0
SHA1 733762f3422c474f8ebe58ae4fe6bab03f860730
SHA256 de19dfe469447a03702c8b1234fe0ba2c8ed987386367f68e8bdace40d5ce826
SHA512 1d6a2e1f9ae43d73f984b1c9bc622db7e5e5be8a365f1bdad5d39f2f5e2b91a9643c9aa0670b83b28568a5671d8969432cad9577441b21dd3c3613e975c28d58

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\icudtl.dat

MD5 ea1f4936d39364e6d18cf0e304ebb78d
SHA1 e90dd943a60388434e1a38d63dc1538d36d0f34d
SHA256 a2fed820910fb28b9e9aa867d1559fcfc08ab85cb96fe0159fd5bde6b484bbf8
SHA512 dd1e04ba75af82b85677e3e99d7e3d47268c4611f22fe5cecab01a1b5240a83ec7da8ee35fdd13d45254425d1b73276a88bb819c86a5f45262236e63e5e737d8

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\resources\app.asar

MD5 515f5a1e14b7621e38db06302211615f
SHA1 4ac518d0f8e360f0a08106d1337d7b9700d83469
SHA256 1abfd999e1f4691fa030c7a495f6cc3e5192553698adf1b103377d6efa34474f
SHA512 7cf7af479b2fb30b20f873491fece2f6f997756d085f885aeb77fc61394c4c12eda0fab6bf2a538a58057025cda638b84b657e8d9055e38923ff0821e2583ef4

\Users\Admin\AppData\Local\Temp\93dcfe43-55e0-43ca-8ce1-ce974619df78.tmp.node

MD5 82c330179eb8bff1a4e7585665648c84
SHA1 52111ce4934bf6503ea20f44d01acc8aef78f216
SHA256 3061738ae7399417bfc34f355169972334e55e26e2e7169cc0d5b4b8376d0326
SHA512 05cf26ece7599c0631881ab3510be88ead81431127d41469988e0d29b96d0bfe3941161dea73ec60149bf94109134766c735a6e4d5bd43bd0c2d0b2b1ad32160

\Users\Admin\AppData\Local\Temp\0830bb1d-e44f-4f0b-8449-4366b157f1c0.tmp.node

MD5 e427ab301a328df4ca0f974bea61fb5d
SHA1 574687a11f17549092845cac223ec51bdb94836b
SHA256 d1c17b7d7d3f5445fffaad4831c0ada9a833693606117c02f4655d31ceecad6e
SHA512 61fa9336821d32ea54e83b58f4224d303565199f79ddf08e0e2a5569046f7f6311080795388fca170763837ce3fe99ec1b52908856c4d4b8a21c4f7bef6d1e5c

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\resources.pak

MD5 9350cd7a257321d92de03f8c341b7dcc
SHA1 83c3e110b57ba7313c7b55e0255f37fca27c6c81
SHA256 163a267759966bc1dfe49448c5200b6778b1438adbc06613e554c48424bf282f
SHA512 5d1c923669f09727ae8024703bab86684ce3468d7a9db59473ac3a39215ddc11982ac8a3897362dfc37a23d7e010f7eb53ae9e48238161da08204fac7d8cc6ee

memory/2780-552-0x0000000000060000-0x0000000000061000-memory.dmp

\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

MD5 f70a15a71f184fe06d6317a24477e2aa
SHA1 b5025896013de10fdcd1bddf6c18ea370ddfc6be
SHA256 ab5f3a2f4cf1612227a3036443163d398841184f0a75d3881760d8994b9b887b
SHA512 4cc23a994b8ed80477f88c1b594a431644b920b7bb1b5bf0bcfa1f8017a15957974600a3634fc3d0c18cc9e3ae2b714f383e0302a08b906d4eed2c19552df0eb

\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\ffmpeg.dll

MD5 1e2ec8806fc515703efceb82f8aa062c
SHA1 76a0a216f1c11f9e02eb41ac6befbf0c29574e2a
SHA256 1078a84cb2e89c163d172bb6be18b172c23579127a7692f2f56a90f0ec2afc81
SHA512 84927fb5b7027dcd464587c6ac5bf4a914b5d585a7fe934b4dd8b64274e3919e68bf31ba1426fa23cf07157d26a0e52bee7cb84c76696511629c846dbf349d06

memory/2780-586-0x0000000077B00000-0x0000000077B01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

MD5 56dd9c947c84538ef7a06a005b333d4a
SHA1 b21a8407384e3ce8bce7f23568d20a222d7dd688
SHA256 db5cadbedd1edba49de4e100f0dec01c27dc33971ab869c6a80d462091bbfe08
SHA512 c44714a3b59c5959f382a124453f88d86cf8ad87842d589bbdc42ac0ca74796fc420b527a3fa052396b806eb94618426eee69ddc862d9b6888273242d33a9b3d

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

MD5 7e8c61ff49f8bd1f3999006d4ae53334
SHA1 74708c39aea08e8d4c895a6aaca8b29702458adc
SHA256 cb03a048c84459e329bcc8a7d891306ce3a1dceecac1e72aca65d0b33f30d964
SHA512 64c122c3aa1a4eaa2d6c1b26d4bc246c82ecfc0beb69a24151e2c740280074e447516af38a98b54121950adcd12899674dc1f1a18c9b6806c508f600698c290f

\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\d3dcompiler_47.dll

MD5 fddf76a40f8acad2904748bfd09f393e
SHA1 5ed0de5095ae76d899ecef02b634e37c72f0cdd2
SHA256 43e02e8029fa58332cb2d07129942ee0cc18ab5b08d4ee8e28f412323bff1fe4
SHA512 63c61583a8c0310c9021460cefee1ab644e1730f33433eecb7c442125e1d72f35334b9fe2d594404d4a1519c4dc7d90a466cb2b152e39d5c781e4eb762e4c562

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\D3DCompiler_47.dll

MD5 ecd32bf54d120ff12a613865b1c9cc5d
SHA1 7b9847de15529c7daad9c52fcf26eca62f98d8ff
SHA256 b0c9747aff5b5159b8ed968975e43434c077c0cd8e30b9890b32ea2a5319ca39
SHA512 46423b526f5e2c10ccf57bcbe5e90190e09b49e67a7cac4250cf571c608c36b09c104f65dd762ac01491300c2e6c9b323889c50024ada5d5f95fd511e4db843f

\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\libGLESv2.dll

MD5 7620b9449170cdbe2d4bcc3bf7b8a4c9
SHA1 a203ac8ca65b641ba37c96bd50305b8958825933
SHA256 1154e02bc29f78660e0ace66ff955cb4a77f3f8d6e7033ae97f28e34af34e449
SHA512 7109f82f8d1ac4ab3056b3716a64d1c3fe1dca3953cb9510751f82ed877879817b69ebe9d1f3163d43409a476f78dd55ee3060905363d9f301c7efaef64729d1

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\libglesv2.dll

MD5 039453dbb192fe2efb22b7f2a8bcb89b
SHA1 22be8021fff168db6a7056f02152f78878103f9f
SHA256 3927d28bf55f95da2c4c9813c1065bb426d0e77feabbf25343efbf7c6f28ba1e
SHA512 447ad152210bd0739cc433c60db225c569408072ab9c457b04cff16218f7ade6b5c2ffc6553e3c83a0e590497d039d49f9873ea2b78624e53dd012b62e1cc4dd

\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\ffmpeg.dll

MD5 64b9a9bfc0d006a018635b7427ca0bcb
SHA1 dea3b5abf8130c6dd6e0cb269ba567660cfb1c69
SHA256 376ca165b0387a1b952ab2edc2e0bb92c9d7b961ea48e1d1e154ea6cd84df337
SHA512 5891960bba5ac5550862c790e5481eb193fa51d0716a845e0b831f4d85aedb9ffa3f3d92aff71fdd4cee8a85d582c0c973683ccdc4b383c4a96053be251f1059

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

MD5 c9a7cca1d4614026d39f698bd3d7d420
SHA1 7220a2daa14433bd9007fae8a3f3cb24559ecab7
SHA256 cd4ca53f5b43914ae2ae480d7842b3ba767602ffc6aa95b05205f41c3be36bbc
SHA512 bd447ac897eae5a681bbca66ffe0afd3c2a7964aedda26ae0e013de2390fc61ddfdd9a23133025c7eeb9caa7b0e4dde195c16d1a4d0cb14c1a4ceb280bf87864

\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

MD5 8dd517875cd036df4ca9c5f75072eba0
SHA1 4c5095c53afa3534d1ed442d0591be2cc2179ab1
SHA256 7aab7dbf10b6e83f449daf3fb41183d39edec56ec651c87b75adb4434ab9c6fb
SHA512 2050f573c214dd61322c9165d3b366b44825282ae6e9e3fb2648bfa76129a4c5a75fbe1c3968ed173a8b9fc6739bfdf335bd826d11b97c5dc8d05206a08dd1d7

\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

MD5 4b298892c917814a25149c03bd4a7ab6
SHA1 72d441a2ab4c58f630bd43a789727e9dbbab0812
SHA256 7b7b5bc03b324ca3d1637935897f0fcb4e718b9e7b627912cb15e3571b628f1f
SHA512 87fe6be872ce0f53cca1e0225430b08ffee7bc9255566b3e715f963521832e3b1a622d7f116cb951090d48f871998a50545008d641c64a62abc9dc6d27b96d24

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

MD5 cfcb44b3e371b5f6eeff2bba887cae60
SHA1 a0cd88eccc9848e3c538fe6eb21bcee26247f211
SHA256 998b0c26378e940a73ebac0bc03e900d54a64dde45c116e96a3a4970bbd5adaa
SHA512 8badf9a771999811d3494393903b97a59c6dc175013a36e62178532148f603a53cd6c2232204641718ae8e1dd836181fb9376924bdcabbc102dff9357b909978

\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\ffmpeg.dll

MD5 87681d565eab0803e36396f5f8d00f4c
SHA1 70a9159f8409e58cf27dceb9a078407a02486d52
SHA256 74b53c64a70726111e65f5241a8ceecaff8d82b0f173b26d704aa13d6425353c
SHA512 a0b2f7f1a9eaa6a36390edfc610951686392340d385cd0b13b66c708cf02a121e3cbf40e37a09760898dd861e9a9dfe502dabb099cbd49fd2103af6ed88dd4e6

\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\vk_swiftshader.dll

MD5 ab1dd1d38bba4b85280e5aea6f0b7a38
SHA1 c8aaf69761b197b428ee962572f85cca1a6789db
SHA256 97de823e3a239549f78cb7907238215ead445fa57c7f328220a2ab99b1ba807d
SHA512 d24b25e5e4a82308824499b57c09710d450b5942cc8d42d4c31c96699fe937a1f5f6ebc94870bfde4285610278ab39e4b518bfcb758799c67f444cd81591eb6f

\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\vk_swiftshader.dll

MD5 9f36e4bdd670eb209dba0fd46ba32217
SHA1 9eca65c3794b3c4f057d2c0e66fc057171d59f12
SHA256 c451a6f357e4f952c46ecddec3de522ec52a2c1fa4fb2465b3013844c38c41fb
SHA512 0108f0992ca95d44113206e6d4d0e33cd69d88d9b48b0f9263c293151022175467177d4eaa8acdfd1c2477a41cf4a8b5e0a9750ff09e335f2c7b2fbe92f13e68

\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\vk_swiftshader.dll

MD5 812845591528627a9cc4874da3039c57
SHA1 0bef4f199ca3830deb91a1cda079f3b7aabcd19d
SHA256 df9b590312e95bc9f01faaa55b7919d9afedc0308f35f1aabc7724594988cda7
SHA512 e8a9d4cd84eb9a1e7b5fec1ef3a6b9ed87dacfb9c3232f8086f74f1355d9f3bbd62324ae9f65887acc75735a16793858e81f27bb136b84a6ac87ab752ea87ea2

\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\vk_swiftshader.dll

MD5 ecb7e5477d39fa29c42c0e0b4321a999
SHA1 c1762f2cf04429f43c36063a177eedeb02ce06c7
SHA256 566a7d5d2ab39b7891fa4837e75ace01815a8455de7a8b0fe87fde4e19607c4f
SHA512 0be64b9bc2cb633c0d33188702efaa1b1d1f32e7e23122df6d37ec4f6c7c8a67861b73edecad55de84125a457fcf77f6a18aa041ac79309440418c28b8fbd9bc

\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\vulkan-1.dll

MD5 5a7a29e7661cc5cdc7894526a77cb307
SHA1 2124ea8905880a1393e15b573ab384bf87ab6e25
SHA256 2a5689fa981550d196e1858011b114a6ea8bd4d128fe2fe04dd631c9aca794e2
SHA512 a89008fbe5e705da77fca84aa4ccd7c7f802a2b98f1a67ece66e54516d2e9f473e38e64471690af8fa19e4ec0fb25ab0e581d16ad3a0b28877dd335cb4e505f0

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\vulkan-1.dll

MD5 bb4d4ba991088f588a5ae26739877ead
SHA1 6827daa7141fd87f912be66418d027d8be86fb4f
SHA256 b80eba3c42416c750334fd6918a05a4d37eaf55806e2e8f92d8b1bbad8ae5d87
SHA512 4e311e2680079254496fe97cfe663bbe55233263dff382fd4e8fa59514e342a738581cd691deaee7ea7e56d5142c148e1e37a38291d23030c58613ab74a7e9dd

\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\libGLESv2.dll

MD5 874631f1129bd993836201fae440728b
SHA1 40b166ca65b623f740cc6f476240cf7d7fd450fd
SHA256 5aa1f9ab8a17107835143e0219ea8a973cf3e4e71444d59eab3ecf0a440f320c
SHA512 959e67665ab8ead3dc5e2dfa2b3627cfc388a54068ce5e26bd1a5ab03e4ed189ca721dce1854ba52110c65c2d887cfb410770b59006bebdd9850c6da3f24ca0d

\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\d3dcompiler_47.dll

MD5 1257d64d5b2526d86dab48c1cc4ac660
SHA1 ba71e3078255c0a38ad398d73308617b1775e959
SHA256 c6812991639169c21999515fdfcca20687e2d111e37754db27710917a1eafe67
SHA512 71e8d5d4430594281e6d96f6e953bd5495506be1d2c87756db88c9efee9a07240f51455b4ecaea90a17390416ebdc17bdc981bf1560ae28d41a699d11c24f6a3

memory/2788-684-0x000000001B240000-0x000000001B522000-memory.dmp

memory/2788-685-0x0000000002270000-0x0000000002278000-memory.dmp

memory/2788-686-0x000007FEF3380000-0x000007FEF3D1D000-memory.dmp

memory/2788-687-0x00000000028D0000-0x0000000002950000-memory.dmp

memory/2788-688-0x000007FEF3380000-0x000007FEF3D1D000-memory.dmp

memory/2788-689-0x00000000028D0000-0x0000000002950000-memory.dmp

memory/2788-691-0x00000000028D0000-0x0000000002950000-memory.dmp

memory/2788-690-0x00000000028D0000-0x0000000002950000-memory.dmp

memory/2788-695-0x00000000028D0000-0x0000000002950000-memory.dmp

memory/2788-694-0x000007FEF3380000-0x000007FEF3D1D000-memory.dmp

memory/2788-696-0x00000000028D0000-0x0000000002950000-memory.dmp

memory/2788-697-0x00000000028D0000-0x0000000002950000-memory.dmp

memory/2788-698-0x00000000028D0000-0x0000000002950000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-16 14:25

Reported

2023-12-16 14:28

Platform

win10v2004-20231215-en

Max time kernel

94s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\finalsEX.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\finalsEX.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: 33 N/A C:\Windows\System32\Conhost.exe N/A
Token: 34 N/A C:\Windows\System32\Conhost.exe N/A
Token: 35 N/A C:\Windows\System32\Conhost.exe N/A
Token: 36 N/A C:\Windows\System32\Conhost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: 33 N/A C:\Windows\System32\Conhost.exe N/A
Token: 34 N/A C:\Windows\System32\Conhost.exe N/A
Token: 35 N/A C:\Windows\System32\Conhost.exe N/A
Token: 36 N/A C:\Windows\System32\Conhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3144 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\finalsEX.exe

"C:\Users\Admin\AppData\Local\Temp\finalsEX.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe26ca46f8,0x7ffe26ca4708,0x7ffe26ca4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2436,6964053829879877844,10736868196091253917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2696 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2436,6964053829879877844,10736868196091253917,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2452 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2436,6964053829879877844,10736868196091253917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3164 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2436,6964053829879877844,10736868196091253917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2436,6964053829879877844,10736868196091253917,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2436,6964053829879877844,10736868196091253917,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2436,6964053829879877844,10736868196091253917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

"C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1960 --field-trial-handle=1748,11712948770378261350,11856974004631909929,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

"C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1748,11712948770378261350,11856974004631909929,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=1208 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1208 get ExecutablePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\c0uO9mGYC8kb_temp.ps1""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& { function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace \"root\SecurityCenter2\" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { \"262144\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"262160\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"266240\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"266256\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"393216\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"393232\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"393488\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"397312\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"397328\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"397584\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } default { $defstatus = \"Unknown\"; $rtstatus = \"Unknown\" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct }"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\vZpg95hxoNQbTuTQ0UuM\System\cam.1208_Admin.jpg"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {netsh wlan show profile}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {powershell Get-Clipboard}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\c0uO9mGYC8kb_temp.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" wlan show profile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Clipboard

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\vZpg95hxoNQbTuTQ0UuM\System\cam.1208_Admin"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutRWIMw.ps1" -RunAsAdministrator"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutRWIMw.ps1" -RunAsAdministrator

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 4.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.4.4:443 dns.google udp
US 8.8.8.8:53 api.gofile.io udp
FR 51.178.66.33:443 api.gofile.io tcp
US 8.8.8.8:53 store4.gofile.io udp
FR 31.14.70.245:443 store4.gofile.io tcp
US 8.8.8.8:53 33.66.178.51.in-addr.arpa udp
US 8.8.8.8:53 245.70.14.31.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 github.com udp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
DE 140.82.121.4:443 github.com tcp
FR 51.178.66.33:443 api.gofile.io tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 store6.gofile.io udp
US 136.175.8.205:443 store6.gofile.io tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 8.8.8.8:53 4.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 205.8.175.136.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\Cloudflare.exe

MD5 a00bef1ade6a525033017ed53cfde48d
SHA1 a90846cc40eacc4cadf22c11d3dd98e1080dced1
SHA256 63a4b9b1b4c345334dd5cfc4d46f1225fc8691558c0b4b8ea10162b52f26bb1e
SHA512 d4b810fda7457c36fefb8edf9bfb402cf1d9610abce8cf68efbf43e694a1e5364e8052083d77e1a53a89715dac4d5157b993683fae890c8fb5f2375dd5e2f4bd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 efc9c7501d0a6db520763baad1e05ce8
SHA1 60b5e190124b54ff7234bb2e36071d9c8db8545f
SHA256 7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a
SHA512 bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\ffmpeg.dll

MD5 0f6a3fcf88877d7855ec558bcf75be73
SHA1 ea99fa4ed1ccba59e93cca94f38b6bb233727797
SHA256 10b462ba3886f1af7aa3af58019daf0f6c3d3dc38753280b361ad3ba85ce5813
SHA512 8d946f54e0d5412da18f3e05c81e9725107fa45a83bda30dca51db915954a6e804c0de940f4e8cdec758b5a1a951f0b6fb0f8334671294018119890fff3cc50a

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\d3dcompiler_47.dll

MD5 9ec47ded5621b9896d85c20db3063bd4
SHA1 15017d066f73050599157d71f80f9efc8612fb17
SHA256 983aeaf65f3b810313f5770bff44184f6341a01d48caccffb683a0b0631cda53
SHA512 7b9fd34a809c3b07c64a58aba3cc30c434c24d79efe888b86322509364b5d03eddb08053466c4348484f16db6862b58d04e57a5fe071736f6009b68352428a01

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\icudtl.dat

MD5 31e272ebae83147dbf85855bf3710bee
SHA1 5698316fc8ffb8706e7a0c8c1e665abe21a68c84
SHA256 ee28dfb83be8f7c3a3ab0452507b93f9e140d1481ad287c7b34142a9e4524d99
SHA512 49a1b3c63ce44b7d5c027d9d7432bf053ed7364b0ad17ccef4af85b122dcee4518a5772f827f96aee77e32eda4a0e2c23b181189f395a5ce9e9864f8312fb128

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\libGLESv2.dll

MD5 3eea84e8fadb2d8abbe826a934a7c6ec
SHA1 02a534e92cd03e9a886fca3cbc259ea9a1101074
SHA256 82b421f9c397dd8cbf994d27e5142e449dabd82fe72392721bf343cccd933b40
SHA512 1352b350738cbe7773961cbc7701b941a5bc8967d8ac0fe1b9639fa174164b2fcce8a15f84d0af748c3b08b50b33e5f94dffb920472e0dd4fa1032dba6d932e8

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\LICENSES.chromium.html

MD5 0e210e3be0f49813731867227575a927
SHA1 248b8974086098c4a24eb825b1d3a08665ef8de3
SHA256 68ea80e6fe8dfac41bffd9c16520f235af676d97012b7da6869436027b0f923e
SHA512 b7f73a0c8fad9faf130f90f403f425625180474ed49dd25326d8d4e38ad91d7f95eba5257701249c6d9491c34cf23b71afaa36cdf2e1ef7d8e175d402181e35e

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\resources.pak

MD5 25ab4e07b71c8db908f15618ab8f4841
SHA1 b6c2a538390c21c89b465011f68ee3520a087255
SHA256 1b0059f71d8eaf4e05e29e413c70352ced68b21896f0bcc00d6156543ecca54e
SHA512 61ef5d6642b28907422e8f813b6c59d022728857a3c4fde19d776f630328803e98e7b6ef7d83b6f5a14d7f209e12c8447735795dcf365a7c2f03056d6c61ece3

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\snapshot_blob.bin

MD5 c9ab741bbef53fa0e84952b8891a5f5a
SHA1 e2dcb8d034e07243537c86371de0c52bce62cee1
SHA256 4d82fe1e642fe3ca7ad1a173f806088c0652ecfe9f0f6f6e246066e15a3431d4
SHA512 177b98a3090ecfe4b4598dfcd7e8b3ca49efafba4dbd8d6c6d0def462de47c3fabfde831725622783ddc177de982de6115178d9bd9830d918bb544a5a4c27fc9

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\vk_swiftshader.dll

MD5 9acbef7d5eab7486fed176b95e97c725
SHA1 86c1ce556882a1e58074465ba959e0c87fce0e06
SHA256 14db9a16bcb6424cae6395954006412d82868d9e15ba82d77ca62930e0a4836f
SHA512 39e08a402f10c3e6b7a92c41426ef6e69f9b4516796b908697be9eadc9fb4b2a9efa31c3b20cf71ce457e384c0053167a8b8c6908e5e4b959187a6f6dd97d744

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\vulkan-1.dll

MD5 b91586bd80e057a7f62bdc4422744812
SHA1 a1df644421ece2e740e5bf0ed98b4f269fd85c39
SHA256 8ba72d98e0f78b77bda7816cd7232809d287310d34e0f1d7472b9d5fda2c6d02
SHA512 94f0a8e3e75e4803891c0fcb257052dbe0e7399772fc7a46ab802629f76ee580ed30b3678fa6bc3744c12cf9f3103bbc8276e88f6711278748148e9fbeef2053

\??\pipe\LOCAL\crashpad_3144_YPFHOEPDYOYNAZYD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\ro.pak

MD5 24b01a438a3ab9699d4ca97c081b5e82
SHA1 0d0b082544d23425a74199fb0a6c11192f0bdf7d
SHA256 38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca
SHA512 43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\resources\app.asar

MD5 2d602d8ab3eae1a0a9dfae8bec71c625
SHA1 c39f26f968a247baed52e2afdf85c7f78316e575
SHA256 59b04c7fe06e72f5d635faac1c1fb88622067c22cca645183a59afc20751a9a9
SHA512 8e4380295f9c700ada400771ede6ff9a97b04ba1199df9823891d526b40df083fc57db3ddecff543c4df55dede1b64928f3e737b2a95b35895a7b9435326cea3

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 a278e192b332e2007221501d91142d0f
SHA1 9900b08824762dbdd01647bde7de86ab1a54c86b
SHA256 017745c674af6ec01ba18a86395c01d8661183be96984f02ba565b2c70fa0239
SHA512 724eccbcb550fe8ed29d5a8fc51e9af87f92c5b930987ca5a8c85cc37998a2ae31dff5252ccdb9a9f4209197a9a9edeca39b249e90cf53c6eaa944fda0f89524

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\swiftshader\libEGL.dll

MD5 846cc2eac654c0c07cc8385c3ecbbe9e
SHA1 958ecfff237aaf1b97c8a2886682b388cb4cc0b6
SHA256 0f4efc59a65733cf1e8670ad7f13153e9f9463d40d02972f20e53c62667076e6
SHA512 67fb5940a67d1f11e8f31a398e02ada2ed59b77aea0581f49d2d1039df1f48dccbb64131fa13c0810093e73853f25544ba44029bf41e3ba21788e39de46a6e38

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\uk.pak

MD5 d791b1ecf2931b2fb0c31aac170c7cdc
SHA1 02be115a9ff94fe5250651b6de4323eafc44fce1
SHA256 ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22
SHA512 3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\te.pak

MD5 793a87d41cde6e6d1bb086284f69733b
SHA1 d887e3842b664f55b7308427aa6f5bf0b352d879
SHA256 5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255
SHA512 7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\ta.pak

MD5 31dada843d0b4f9a66b184cb6d7b8b92
SHA1 0320b31981043c6e4c17470bf2ff4c7488553511
SHA256 457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b
SHA512 c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\pl.pak

MD5 644c0ace25d6e532b56510a736c6bc2c
SHA1 1bd0fec952107b493da04c46423da634ff3e1504
SHA256 2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7
SHA512 9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\mr.pak

MD5 f22c99fe6a838e333e8ee06a4d01296b
SHA1 c3542ea8dd45a2b387dd02fa5687948f135e10f2
SHA256 b03a3042f907aed13253ae8083d08f5fad59ff438d024b097276856e72526911
SHA512 882022c2cb985d85f96d52c9bcfeeb089d6ff30e66187ccf424ef622092b9d359a51bdef1fb6ac3b9d3409aa79d37ca737ba7f3ed8b9cdaabfe04d90a7c8bc15

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\locales\lv.pak

MD5 264c6e20b3088ceb4dae5773cef0cb55
SHA1 fb6ff83ff14df008092bc3ee73bda7491e8e090e
SHA256 a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda
SHA512 01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\ko.pak

MD5 d6e2c18c9eabba59b50d147d942125ea
SHA1 0918879203c2050b4f9f449f5616e430897ba0b9
SHA256 f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76
SHA512 f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\kn.pak

MD5 5115cde84b4c674db412619b65433004
SHA1 164f33e7e2e9f685a579da492a6fc8806beb6cbf
SHA256 891e092c6895e23be986c3e6d39dcea9b6b75f1448239c13fd406680e50407a7
SHA512 090a247898cb533325d2b289a6cbd8db2a755ef0abab49d82f333e57b290c50b5996b81f15d8adc30160b216eebed3a1476aec1627195e52189557c1d48b0216

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\ja.pak

MD5 833e8c4aa70351b6be7bd403e4e9a0a7
SHA1 46ccdbdea35deec8ef13a5fc833776875fad187b
SHA256 74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0
SHA512 e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\gu.pak

MD5 63a7fdc4eadf8ef1c35c72468a0ce33f
SHA1 e8d064f0e9c8a6a8c6ccb036711e292d011d9466
SHA256 e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c
SHA512 0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\ru.pak

MD5 75457b95d2bb03891232dae7db886387
SHA1 e5a7569df7f91533703626d167ecc8cddbd27205
SHA256 e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6
SHA512 9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\ml.pak

MD5 04b2540c25990a5e0a9b227dcce6ae0d
SHA1 4f8ccd154f54dfb083d4d1a3ed0994842c8ab13e
SHA256 556165b8b54c6e21bc66d12b3f5be393136714467c427f7114f314d18ad3c661
SHA512 4cab47e42e8f5d4a83851871f97f3e1360c993ba530dbb4b4b736350779784bd83189e1195d3480ce87298bb8f9b7f249fefa7764d850e5b0002895609626785

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\hi.pak

MD5 590e9e73df9cbd83cd87b9c03848fec9
SHA1 da125e60a5a2c51a2d6219d3f81688bd22237b59
SHA256 089b9dd31090a987515809a68d26f6eeb64cd9283934e3dcc48b151eec7d3ad9
SHA512 fd0e5d0f2063e12b711275f390428b88f98ffaf6043cdb14b13674ac1e4aa9f70ae820ae960132d7155daf9b1308238775c4702694ab53068cdc709c50f9186a

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\el.pak

MD5 38440b98bfdf5ed496da0f49d59534c0
SHA1 1498d9207ecaf4923a47271e24c68a817041c82e
SHA256 b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f
SHA512 95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nsrE281.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 27485b1754dba685abb55f57599d71ab
SHA1 bacee409eb7889ec2b95166d7dd4542eb891dee7
SHA256 ca7741a319a04e2696eb89736974f1c16b67a9f9636f677cbfca46df6e8b5a21
SHA512 7be91d4ff7c813cd0f8d392e6da416a6b558a91c9a88650935f8cb6cce650dc8e0ee015f3ff594632c268c8edb5d4529c7bf5b6c43ad11ee5d0c860860211c3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b455d91e8f8ef792780fb5bcef1d00ec
SHA1 39ac5f97ebb741cad8acb1160addac70420e8568
SHA256 8846fe9bc628a8900fb65359b426abff363c6d79673b069a924c0c57758b36e0
SHA512 84642725ca3a124786bbe89f17d2dcea03eb2110bd0b227a4fbcbbabaf502f06cfd8828aa5eb4f5390dc70752c90db6bca837564af49043e3380c35c0929ad9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5a30a41e58e84cf39d420af493c7d418
SHA1 64dbe8a7fc90ef6620f32ea4b3d24b5a72b9b520
SHA256 92dd56089cdc19fa8b0ccbaab5a32b32cb8b0875249089e05fca00961ab3b778
SHA512 a589aa74e7231f092397e52629de6e3eba3ebc0e7f64349d1779e9a67eebffd8f907e12b2006f27560df5b281349fded9e666195930e460f5034eb1e047ae592

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 e029efe70912cf57d40d04c01776d41d
SHA1 94eba5604a8e4523d23565ac3ebcdcda4005e4eb
SHA256 57cd696aea3594a27f18b3636da302823ca687c6a326ff9ed2b578a23a96ac37
SHA512 3c380b2c1530a103030562135f9b71eb36a15c49ea96082f64f717e7045ea578ecbec2d1f53cd569d720f7e37a3c091f9bc6ff3dfecde6775658c1c51a03f01b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\ffmpeg.dll

MD5 51fa53323e3cc9899b48919bdee5fa50
SHA1 b69afd08fc5df4cc9fee90f1f8d32136f6466e65
SHA256 76194478cb2aeebd71a33653f24fbbd074f04f2f1af0c5786f17c821d96f9890
SHA512 234e9c4f92ca0311bd0aa645d46420b72aaa2452dbf0e973198199b2ffe04379052fd23b9232f9e1da8852f26c00129c6bd892a7033a510cb29508096f363008

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\ffmpeg.dll

MD5 bec12665d3c789b41cf5ef25fe533126
SHA1 8aa75174026aadae21305ba163d6974e306a7713
SHA256 6fe98326a560688a420e250e8d2c4f5431e497b50193d1a69ea5204c5a80efd1
SHA512 2ab4d9cd2a8ebdd41bd05ac09b2855a146c23a0681e8012d001eb95b29adf530a6eb138c8cb3032dd1e6387815a541e25f742ed00cff117a2ad722809609d3f9

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

MD5 871f682e10c74bf0657cc2b25c94f0a0
SHA1 4a66d857fc37464ff6de7696c60dd95c546f6313
SHA256 a7574de68ac3d55bf01012337f390249e614263d8453e80cd44d4515f86c7eda
SHA512 85aea9de14fbf0a8d36a61584991fd5f4840e06519b8cee67224d1d10e0ef66dbd8f1ec515fe615f7420b92985ccd7ec79c592fcdafa043496541fa821fd413b

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\icudtl.dat

MD5 599c39d9adb88686c4585b15fb745c0e
SHA1 2215eb6299aa18e87db21f686b08695a5199f4e2
SHA256 c5f82843420fa9d144e006b48d59ba7ef95f7e6cb1ea95b27fcdd2c97f850859
SHA512 16194186a8407b29f799d4b02f5674e4fbd5d91163fad9f8dce6ceedd865b754a681aa960d0f3f1b62cb21d5443879f1b8e9b691c19c5802d5bdfe4ed645b8bc

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\resources\app.asar

MD5 9e85e95e913910ee339bf24c0e6718ad
SHA1 c8522488c0b696c7d3f2196d6fe014e1a40c41b8
SHA256 3072f4361ee6263cda01dcc48d09a69f71d7595f684f1057dc2fc443b4efcb15
SHA512 f76a56ab6c7f58cc7c306cd7b6e1d763dd881c6c02f3d285e46bcc6f6aceffaf204185e138bf218beba7d78013dde2b97fee32103f262333596a51794712e0cf

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

MD5 b18e847b9e381f7af3e3c55c1b5406eb
SHA1 467e5c0a48b226c5db50e734968fd2c1e2550f93
SHA256 57290ea19a8de6e891fe3530e053a70e53d2291102bdf414fcf313dab9c8be13
SHA512 645795957abe883b7a827625e334aa191025240a4cffd16e897132730092234a4c9bd9c4197992eb975d5e091e3bc7a0d674bbc0db293e19bbda3838c5b27ed8

memory/2544-650-0x0000021A41D00000-0x0000021A41D01000-memory.dmp

memory/2544-651-0x0000021A41D00000-0x0000021A41D01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2a0d89b6-7a1a-4a92-9159-8dead05fedc9.tmp.node

MD5 90cdcc92afd492a5cc70b83a1704bd40
SHA1 6bdd1f78d29b95e5b8deb35abc22886653d5880a
SHA256 8614864f8aada9018ac097fd6b3cff7a8f3b5a24d31a8ba055c2a3f6f8e9f48c
SHA512 1b27d001bebf1eede2ffff75b61c52db3d77bf3895452b732f5dd92b64610e8c181fa921c62f97bec9c78fe21c7657c96b6330c0b69dcd61cebdf81219d73b6d

C:\Users\Admin\AppData\Local\Temp\09daaea3-3e32-4184-8b22-a3ac2bf4a3a6.tmp.node

MD5 6447af3dea786cd2df517485edf5c266
SHA1 39bb384325161c82995cd8ad8bc61df77ed376f3
SHA256 115418c446e8ec8abeadc407c9b2c2960504990b6f19a2b134005384fcd501a1
SHA512 abbee5cb8f03bd7f7ff5bfdd4feb0182a0fa0655097d5b46e94dfddd1eb1fcb26830dd8a4b85cd2b8a667bcc01cc28221a9831d3d5b6e428c81f0e3fe65f1d37

memory/2544-653-0x0000021A41D00000-0x0000021A41D01000-memory.dmp

memory/2544-668-0x0000021A41D00000-0x0000021A41D01000-memory.dmp

memory/2544-671-0x0000021A41D00000-0x0000021A41D01000-memory.dmp

memory/2544-672-0x0000021A41D00000-0x0000021A41D01000-memory.dmp

memory/2892-674-0x00007FFE42C20000-0x00007FFE42C21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\ffmpeg.dll

MD5 76aed474b82f96b098dd9e8df2281d14
SHA1 ac2f3523874e8b94182afecb3a752a177b8f70bc
SHA256 0d52961269ec26c568d965e23142acd7523cf0e6c3fccd389de789737e63c61b
SHA512 15e77e09c3ba3cbe05a63d4f6ff018a55a84c39bca99b3100c46dec5e41175b6add2a1c6549c797c3366ecfa0d3ac2485719258265f74f77ad6082ca470c338d

memory/2544-676-0x0000021A41D00000-0x0000021A41D01000-memory.dmp

memory/2544-684-0x0000021A41D00000-0x0000021A41D01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\ffmpeg.dll

MD5 3e6081cf8da20ac43514cfb44b4d6338
SHA1 47fe8cb68bc44cb38ce72ac44eb6964de61e6c49
SHA256 fdf4adaded16ca70297a30d9b44c691827bf115106a30a3127aa90a93edc9294
SHA512 182e2173a754d1683d4b8c0d2e0c625bd33a84fe1e3ea178754243f0cb17e62685f360372beb0825b2a568eb7d4913bbce57dc8453b2dadd5471ce3c7a1a94fa

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

MD5 a50ddace492b7087f3c72c18edba9eb2
SHA1 341d7e514e51594cfb58d803cc54ae64ca25854d
SHA256 e1bc7ae3e27aeed5be99bc47f74d0ac9d572d8e3a296f3077471610410c1961d
SHA512 d022217ec7b62773c93300a0c6dd7a09b61988ba3a627aed0fb30137e6773ea13f37052dd1e12435b922a749edc188ef93d368edc5e004cc4edb3ef3ff6f5049

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\libGLESv2.dll

MD5 2e088a6ce0f160452bcbb79cdd5df022
SHA1 c323e767b209335e81ef24b75b18a1c5339989f8
SHA256 bf2a71195daa7a896d8c016c7587c551a511a311842ad0d19a1f9636cd258804
SHA512 3b16a6263a980b3a869c38c959973267e94e1d6ca6f3edabcf6f330a704f3a44a6c50a155aff49100ba62cd63336f4bc972d2f1c22f0b8923f685042d6a5ef0c

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\libglesv2.dll

MD5 2cdfac84faf3c815a1082d0136b6994c
SHA1 87edefc87a19f4c4956eb1e1a8a6c88fbe15ffd6
SHA256 5a56652b22e5172be9682645b1c41872dce02dd60502c2910162c5a65d850e29
SHA512 f9d204d3a545a5832391a94693248c95853bf3920c2f1e754a4e369c1426dcf4ff5b4ffa9d89f5116c3e1e1e93246280d20d300d6a1aec72438c32a9ced30db2

memory/2544-679-0x0000021A41D00000-0x0000021A41D01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\d3dcompiler_47.dll

MD5 a5ee15126188f28e9fbc2bd6fe015298
SHA1 e042049db5b1ba4bce0d952ec24f551f59cf5651
SHA256 8e4f07b3892cf602e0484b9d5d49f1d2c171788a2a652eef971efee9fdf978da
SHA512 bb8f6917b1a9e6ebc928479986693b71f6efad6d0395f48b446d1a3ed37c1df160455ad2f29804cd905741c95f588e2d8eb6eb0827104a2f1c6ef68a126267fb

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\D3DCompiler_47.dll

MD5 4bd170ae7b8e2e10a7f0a57be57657ad
SHA1 cb107d7a812d110223ebfd8d73332aed28703d2f
SHA256 ab0a6bbccdf3535bc6d0ab98008461428dc12eae42a0570f75b40d0a26296148
SHA512 9c83664cd3c88fed64a3a9347a306fb4579cc8584320707eaac69de516462f46cf6232ef495f851d0e28d39d60f6b1268de9e6fb1821e1aea6bbef853f2e5469

C:\Users\Admin\AppData\Local\Temp\2ZOmF7MaREHadFXqvQm1AZM2B6N\Cloudflare.exe

MD5 5a539d23443ef93e32489e9d057f4adc
SHA1 7f9c3473d96879065b0493b65010e18abb6f4579
SHA256 40929e2f511fbe12353d07354b4d89e4036523955a70677198f2b844c1c8e546
SHA512 59ed79fc36f21df53e406052718904f4889eeb12616efa5abecc4afc06e7a1eb8db40a11e4db23e037308d1e483e6d17daa882ba7d0defafb419d13118c1f703

memory/2544-670-0x0000021A41D00000-0x0000021A41D01000-memory.dmp

memory/1588-699-0x00007FFE223E0000-0x00007FFE22EA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iiaoppw0.rrf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1588-709-0x00000184A8EF0000-0x00000184A8F12000-memory.dmp

memory/1588-710-0x00000184A8CE0000-0x00000184A8CF0000-memory.dmp

memory/1588-712-0x00000184A8CE0000-0x00000184A8CF0000-memory.dmp

memory/1588-711-0x00000184A8CE0000-0x00000184A8CF0000-memory.dmp

memory/1588-716-0x00007FFE223E0000-0x00007FFE22EA1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 50a8221b93fbd2628ac460dd408a9fc1
SHA1 7e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA256 46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA512 27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

memory/1500-729-0x00007FFE223E0000-0x00007FFE22EA1000-memory.dmp

memory/1500-730-0x0000025AA87E0000-0x0000025AA87F0000-memory.dmp

memory/1500-731-0x0000025AA87E0000-0x0000025AA87F0000-memory.dmp

memory/1500-732-0x0000025AA87E0000-0x0000025AA87F0000-memory.dmp

memory/1500-735-0x00007FFE223E0000-0x00007FFE22EA1000-memory.dmp

memory/7824-804-0x000002A1D1000000-0x000002A1D1010000-memory.dmp

memory/7824-803-0x000002A1D1000000-0x000002A1D1010000-memory.dmp

memory/7824-802-0x00007FFE25900000-0x00007FFE263C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QV7K5JDIZ2FHIN4CFG94.temp

MD5 0d96560a4f44b0ac5089b6782db84912
SHA1 cd8e7aca481101caa3697523f08682e7455ffcad
SHA256 678c4312c4382271c8f3f29a69d78215a54c1e0bf0170c058de58a988602f2de
SHA512 3ae7b971d4882cd8f790b8e4f72c093b8d3f5a8ddffd65a827558239440f84a70653e77e8b6719c438760b298a352c44759197430170324852ca9be8a66a561d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 c5c4ebc75b267ac1583327676f9a3f19
SHA1 b25be8f1afb6bf9acbc37724c6a2b7cf31b7c96f
SHA256 668b7aa92d208e52e0699f6df460b842716b0409723e8c0456187328f922a2b6
SHA512 ed41853c4465312f0288edf5b31598844eb8140a68ebf8df6beaea3cd59d97736f0d7b2b9c821d95ef1fe3c94c9d4be0ffc40ad3dc58d9557ec52301b9792150

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a58fe820b86e4746173d3032bd6f2363
SHA1 b9c66aa7e3585e72e792933d97e7703edea116a0
SHA256 fc2901777dd87713162a63356431a805f209a14a2962b65c860e6d30cc4d777e
SHA512 ecfa6d3466b182d777f1134796ca5be992e629c6e78a8e8c218f96e7167a445205e9066a00bd33bbd356f2d0939a06a3902a21fdd03c144ed30c43d94324bde2

memory/7804-819-0x00007FFE25900000-0x00007FFE263C1000-memory.dmp

memory/7860-820-0x000002497EC10000-0x000002497EC20000-memory.dmp

memory/7860-821-0x000002497EC10000-0x000002497EC20000-memory.dmp

memory/5372-822-0x00000160F2230000-0x00000160F2240000-memory.dmp

memory/7860-832-0x00007FFE25900000-0x00007FFE263C1000-memory.dmp

memory/5372-838-0x00007FFE25900000-0x00007FFE263C1000-memory.dmp

memory/6224-857-0x00007FFE25900000-0x00007FFE263C1000-memory.dmp

memory/6224-858-0x0000020DC1930000-0x0000020DC1940000-memory.dmp

memory/6224-863-0x0000020DC1930000-0x0000020DC1940000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

memory/7860-874-0x000002497EC10000-0x000002497EC20000-memory.dmp

memory/7804-875-0x0000026010B40000-0x0000026010B50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c0uO9mGYC8kb_temp.ps1

MD5 91e7ea52870bed98c5bd15868b202d93
SHA1 b509747c330f03be5fe8791174370c8b4fdaba7c
SHA256 82c560742499f4866ad3e4af8232ab796421e7f10c97e74a28f2a196f2e59956
SHA512 54b69fe23de8b8143d97b1e074d1f02a38c398a2930c5534f1452262badeb4dc4cead599e6ebbd8c4dae268da00a77c92a52d4337da6107c01c05624d1251b13

memory/6836-877-0x00007FFE25900000-0x00007FFE263C1000-memory.dmp

memory/6836-878-0x00000253A0B00000-0x00000253A0B10000-memory.dmp

memory/7824-880-0x00007FFE25900000-0x00007FFE263C1000-memory.dmp

memory/7824-885-0x000002A1D1000000-0x000002A1D1010000-memory.dmp

memory/7824-886-0x000002A1D1000000-0x000002A1D1010000-memory.dmp

memory/7804-898-0x00007FFE25900000-0x00007FFE263C1000-memory.dmp

memory/6224-897-0x00007FFE25900000-0x00007FFE263C1000-memory.dmp

memory/7824-896-0x00007FFE25900000-0x00007FFE263C1000-memory.dmp

memory/5372-901-0x00000160F2230000-0x00000160F2240000-memory.dmp

memory/7860-900-0x000002497EC10000-0x000002497EC20000-memory.dmp

memory/7804-905-0x00007FFE25900000-0x00007FFE263C1000-memory.dmp

memory/6836-906-0x00007FFE25900000-0x00007FFE263C1000-memory.dmp

memory/5372-913-0x00007FFE25900000-0x00007FFE263C1000-memory.dmp

memory/7860-912-0x00007FFE25900000-0x00007FFE263C1000-memory.dmp

memory/5308-915-0x00007FFE259B0000-0x00007FFE26471000-memory.dmp

memory/5308-916-0x000002C4980B0000-0x000002C4980C0000-memory.dmp

memory/5308-917-0x000002C4980B0000-0x000002C4980C0000-memory.dmp

memory/5308-928-0x000002C4980B0000-0x000002C4980C0000-memory.dmp

memory/5308-930-0x00007FFE259B0000-0x00007FFE26471000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\places.sqlite_tmp

MD5 c8c0b757369aa7f76e8fcae360bd20a0
SHA1 19fd217a468db0bfc67c54b3b178610e1914bcdf
SHA256 ce8981afecb84ec22a296d9feb90b2e0f3d92bd4903cb8d137654580e986900c
SHA512 0e098a29f5b6d7d8189507b592635502ad18893c51bf904517b6e0b9e032e54bc4c2d281adf52ea469ff2a1e1b9ac57b157e0fd3666847fa38fce654ac6ffe14

C:\Users\Admin\AppData\Local\Temp\vZpg95hxoNQbTuTQ0UuM\System\NUPNSVML - 2023-12-16_142747.png

MD5 0aa57d95d90f2d469f3c7f144ffc8eb1
SHA1 3a6eb8370c92efac9d755f8c5257ac7aa955db43
SHA256 fb071ace90f1e900ac85cd945e7296b21a1ad8351e672c3346afc442ad92ac67
SHA512 0de33411eb6e1c85dce2a9095f2c961b71f8aa9e230f8ae07fcc99d897b9def813732dc43202d9d42d59e371e6611b6aaf30f7e0cbebbca5a1e52ad538a82eda

memory/7208-1056-0x00007FFE259B0000-0x00007FFE26471000-memory.dmp

memory/7208-1058-0x000001A67E6F0000-0x000001A67E700000-memory.dmp

memory/7208-1057-0x000001A67E6F0000-0x000001A67E700000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e5ea61f668ad9fe64ff27dec34fe6d2f
SHA1 5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b
SHA256 8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466
SHA512 cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

C:\Users\Admin\AppData\Roaming\salutRWIMw.ps1

MD5 28e4eda7451c625bbe806b745753f729
SHA1 d29e9b2c2ac5b10188cbae92cffba6827728543d
SHA256 da79e10cdff90aa7f5ab3d3f226570107ecd20d48eb14067c7900367111df5ba
SHA512 932f53b6cd2aa55ab1475d85528069357fa7d9eea26051d1a4edb11872ca30d02c31c44bed3a48f0ccdbebe556e9d8ec2f4a0815bf177d93ab4272b3fe2fb0b5

memory/7208-1063-0x00007FFE259B0000-0x00007FFE26471000-memory.dmp

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo.png

MD5 252b4fda07550496d330d819f15ceb3e
SHA1 650584312b310219a26d5fc20cb1804bb6c4dde5
SHA256 39eafade0656a3c0bd723ad576b1f00a0d625ebeef80ac01f965165ffc28cf1d
SHA512 a18529cc7325d3fce5fb5d32a63b74a8e2ff23a027c12fecdc111f14b1c601079512fce3ff5484a686aaa0dd1ea20083570707511541e4a6d7615053f3ffac49

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo128.png

MD5 c555604e8b6f818991e186342f856b1b
SHA1 3ae02db8eba2f4fa30cb7567a9f5bf8346faded0
SHA256 012da30b247a7964a3bdaaaeec8a6fb5559d7047ab8f1bcc0a2a785aad978972
SHA512 01a6c8f91d1eedd0d83b654059844aa7ed16e76abfce54183b5bf484edb6cb33e0ebe317987a3143e94c23ef60954ced0e32378a1a5f80f8412c7029e4303bbe

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo16.png

MD5 f0f11cd478cc44d518c16820ede9d253
SHA1 cfaf8d2e071f2ade0894578e5b44e02032d27be4
SHA256 321695dbcac7b2ceb14ef2651705ead5c0c42815358082b758ee803a37e945bb
SHA512 ac736abf8a776918df4094929efc29f7ae643aeef8d9b464653e3b7272a0799e58dc961dacadfbf9f42f575dfba14df7e6f4b1256c2c83dfe333ffb2ed3a1de8

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo48.png

MD5 2f0a6a34d9b95bba0e3358ddd41ff2ac
SHA1 f39a9e7aeab9fe86fd9034284516de40186e6e93
SHA256 6f575f1cac9f29b8f1f8a83a580811bdedeec88f9d4cb78ccecb553cba251ca5
SHA512 a3c2094377b355a56d7d69f2a53baac58ebf3b40c5c031ba60fbc6f53e72e67e537e7bddee1489bbae4b41ea23311ad6b6f5c841e7b070dcdeca4bb8a6043084

C:\ProgramData\ChromeExtensionsNova\extension-cookies\manifest.json

MD5 04c23766134b234e85cc537b2162efb1
SHA1 45c48d9ca30a4580a682f025cc66331e49f6f158
SHA256 f50f62683347bbca52d7f7de0c877014ae77043753905628644e2d485dfb4900
SHA512 d246f59ad6d6e9fc8d8d88129302d55cb3d2ba7d52496915ee6791fa0576153070af76ea689cc74ccefc36456df749ac5c8f45cb12702961470f202078bfcb3c

C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\jquery-3.5.1.min.js

MD5 9ac39dc31635a363e377eda0f6fbe03f
SHA1 29fa5ad995e9ec866ece1d3d0b698fc556580eee
SHA256 9a2723c21fb1b7dff0e2aa5dc6be24a9670220a17ae21f70fdbc602d1f8acd38
SHA512 0799ae01799707b444fca518c3af9b91fda40d0a2c114e84bc52bd1f756b5e0d60f6fd239f04bd4d5bc37b6cdbf02d299185cd62410f2a514a7b3bd4d60b49fc

C:\ProgramData\ChromeExtensionsNova\extension-tokens\manifest.json

MD5 42ac88deb5c3cfc02fdc1c27319ee067
SHA1 97b1addf35159800b90743fcfbb5505e80f6eb82
SHA256 28486361faff1827fb9f1871529c48efaaf86027592d189afa6f99b14eb3f4bb
SHA512 77c4054a3cf061eb6f4f6e9803b74833a8fb0fe352239b5b47cf39ea5eea8104b9da6deab75018557476fbda856f3be8d57e6fe2eb777c45a7a1bdb1e72d02d5