Malware Analysis Report

2025-01-19 06:28

Sample ID 231217-hkexhsdhfr
Target caca.exe
SHA256 2d3a331a98699a67cd900d40ec320e599ae58ce342239f4abaab08847f77161a
Tags
irata infostealer rat trojan spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2d3a331a98699a67cd900d40ec320e599ae58ce342239f4abaab08847f77161a

Threat Level: Known bad

The file caca.exe was found to be: Known bad.

Malicious Activity Summary

irata infostealer rat trojan spyware stealer

Irata

Irata payload

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Detects videocard installed

Collects information from the system

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Modifies registry key

Enumerates processes with tasklist

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-17 06:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-17 06:47

Reported

2023-12-17 06:51

Platform

win10-20231215-en

Max time kernel

92s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\caca.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\1601268389\3877292338.pri C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\caca.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: 33 N/A C:\Windows\system32\cmd.exe N/A
Token: 34 N/A C:\Windows\system32\cmd.exe N/A
Token: 35 N/A C:\Windows\system32\cmd.exe N/A
Token: 36 N/A C:\Windows\system32\cmd.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: 33 N/A C:\Windows\system32\cmd.exe N/A
Token: 34 N/A C:\Windows\system32\cmd.exe N/A
Token: 35 N/A C:\Windows\system32\cmd.exe N/A
Token: 36 N/A C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3696 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 3696 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe
PID 4700 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 2836 wrote to memory of 2616 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2836 wrote to memory of 2616 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4700 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4700 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe
PID 4700 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe
PID 4520 wrote to memory of 4928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4520 wrote to memory of 4928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4700 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe
PID 4700 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe
PID 4228 wrote to memory of 3584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4228 wrote to memory of 3584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3584 wrote to memory of 4392 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3584 wrote to memory of 4392 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4700 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\System32\Conhost.exe
PID 4700 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\System32\Conhost.exe
PID 4700 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe
PID 4700 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe
PID 4700 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe
PID 4700 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\caca.exe

"C:\Users\Admin\AppData\Local\Temp\caca.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe

"C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1456 --field-trial-handle=1636,9842449546665033660,8065681980567877180,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe

"C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1828 --field-trial-handle=1636,9842449546665033660,8065681980567877180,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3696 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=3696 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe

"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cscript.exe

cscript C:\Users\Admin\AppData\Roaming\as8cpxUMHrTO.vbs

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\as8cpxUMHrTO.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& { function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace \"root\SecurityCenter2\" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { \"262144\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"262160\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"266240\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"266256\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"393216\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"393232\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"393488\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"397312\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"397328\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"397584\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } default { $defstatus = \"Unknown\"; $rtstatus = \"Unknown\" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct }"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\gmvfzZT2QrkE_temp.ps1""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\bccSzTX4vmk0EYff825A\System\cam.4700_Admin.jpg"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {netsh wlan show profile}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {powershell Get-Clipboard}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\gmvfzZT2QrkE_temp.ps1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\bccSzTX4vmk0EYff825A\System\cam.4700_Admin"

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" wlan show profile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Clipboard

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff1b819758,0x7fff1b819768,0x7fff1b819778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1564,i,6365171514098813158,5481633594328504520,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2088 --field-trial-handle=1564,i,6365171514098813158,5481633594328504520,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1564,i,6365171514098813158,5481633594328504520,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2884 --field-trial-handle=1564,i,6365171514098813158,5481633594328504520,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1564,i,6365171514098813158,5481633594328504520,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4432 --field-trial-handle=1564,i,6365171514098813158,5481633594328504520,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4576 --field-trial-handle=1564,i,6365171514098813158,5481633594328504520,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4368 --field-trial-handle=1564,i,6365171514098813158,5481633594328504520,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4852 --field-trial-handle=1564,i,6365171514098813158,5481633594328504520,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4988 --field-trial-handle=1564,i,6365171514098813158,5481633594328504520,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5128 --field-trial-handle=1564,i,6365171514098813158,5481633594328504520,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3032 --field-trial-handle=1564,i,6365171514098813158,5481633594328504520,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 --field-trial-handle=1564,i,6365171514098813158,5481633594328504520,131072 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 4.200.250.142.in-addr.arpa udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 api.gofile.io udp
FR 51.178.66.33:443 api.gofile.io tcp
US 8.8.8.8:53 store6.gofile.io udp
US 136.175.8.205:443 store6.gofile.io tcp
US 8.8.8.8:53 33.66.178.51.in-addr.arpa udp
US 8.8.8.8:53 205.8.175.136.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 github.com udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
DE 140.82.121.4:443 github.com tcp
FR 51.178.66.33:443 api.gofile.io tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 store5.gofile.io udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 162.159.138.232:443 discord.com tcp
FR 31.14.70.246:443 store5.gofile.io tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 8.8.8.8:53 4.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 200.201.50.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 246.70.14.31.in-addr.arpa udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
GB 142.250.200.4:443 www.google.com tcp
GB 142.250.200.4:443 www.google.com udp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com udp
US 8.8.8.8:53 geolocation.onetrust.com udp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 232.187.250.142.in-addr.arpa udp
US 104.18.32.137:443 geolocation.onetrust.com tcp
US 8.8.8.8:53 137.32.18.104.in-addr.arpa udp
US 8.8.8.8:53 a.nel.cloudflare.com udp
US 35.190.80.1:443 a.nel.cloudflare.com tcp
US 8.8.8.8:53 1.80.190.35.in-addr.arpa udp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 8.8.8.8:53 184.179.17.96.in-addr.arpa udp
N/A 224.0.0.251:5353 udp

Files

\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe

MD5 da0026dc7efa6e187fcd9afb0b4883f1
SHA1 54c5059dcf6d23d964e8cf8fca8bf35305bdfd86
SHA256 b2cd68d943571e1d7f2233920227b1ee83bf2d8766c0e804e53e68d3b32291f6
SHA512 6bea8abb1f144971ef8e9571677afd0a2e69e3522960d912143567f23d66d8209d33e4d5710996baf8a547ae4c80497e7d7e8f8a7c064cfc57a4beb63e7a4e64

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\d3dcompiler_47.dll

MD5 7641e39b7da4077084d2afe7c31032e0
SHA1 2256644f69435ff2fee76deb04d918083960d1eb
SHA256 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47
SHA512 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\ffmpeg.dll

MD5 c3842fb3087cdcdb04020ac38683c289
SHA1 329dbcd4a1c79b891b200f11eb50194b85c493bc
SHA256 e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133
SHA512 069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\icudtl.dat

MD5 5fa33f287e062a30a6a0582807498d3b
SHA1 62eb8527254ba656cf309f5a0da63392f7c6b446
SHA256 425cbbf234649e6bf4683d84b5aa6d4f2d2ba722eb447cd5a0a97ab27225ac44
SHA512 75a483b3591f648cf2ce2b6cecb4b1f90a63edc1f45ee863ea3f1a4f6ec3724ca75f5d12722450f193afdddd5f466b7ec81e3a8474ce027a333c8ac1b51e648a

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\libGLESv2.dll

MD5 53903dba4f420194098b1fe45365d39b
SHA1 c3dff50feb5675e0c78c4b18d248acca6e3045e0
SHA256 885425336e866e06bef7c01ce67c8daa6a83b0c2b92af73e64b41d4a2540067b
SHA512 cbf6c8717be9f51f9a1ee7cd0dbe39a11cdca5b9a3be36a81161e82e2c94b06158d053d352d4222e8af0f48cc294b143c16ec4da44ec47a7d97f94a71f10aa0f

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\LICENSES.chromium.html

MD5 6a1d265be15e69a3eff761aa969cc3e3
SHA1 8528cc0a8b1bb6aa0412776a1c4a9d0f8c6c40df
SHA256 43534388ceca6a1739d44f1a0cc7c83d4afea2a199d18a9ae247eee260ab13c8
SHA512 16aa752e24e47d186f65776c582a80ac8e1b0b31b3ada086f7556a6f40d9245966668c4da15782037fea5308a6575d38ac8d3f20190720a6136062200d1f2af5

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\v8_context_snapshot.bin

MD5 76edff1bdce5fc59af39946472462374
SHA1 86d1fb54a3a27c68ebc3800ad773c2a3cc8f5f5a
SHA256 cfa846c88edc1756f48876693a2e3ff3bdb4403e406f9094f607b8a000ea16aa
SHA512 8d955bb1383bbdbb2395c21403ef9c17a573053107fd156eb097e30a059c45b0d6f177c17f0f220718393b39828d79bb7da4d8acf849dfd26306965fc2c658e5

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\snapshot_blob.bin

MD5 4a5edcd6e8575d38b44157d2d2197cc8
SHA1 62774fb313775b34032c35f64e80ef00b8e7c37b
SHA256 5b351f69da721b92248bd19adde0d3a40980c79dffee5eaec68009868a74fed5
SHA512 c5001447ee034d7d5074517b554e76205523d1c068baa5ca4d8e3024090b48beca723b28689c1adfb994c257890a4e3ad635079a9642e37516e2bc481c333e13

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\vulkan-1.dll

MD5 8d920ea00c3413aefd6a91b93f7f72b7
SHA1 36591bd67d8106edbe22451200df868da52bfe4e
SHA256 3df6bfdc3029161cd3aafd74cbf82ab6062e21dde1653363dd0eca0599dcd7f3
SHA512 ada24432486e81522ffc7d0f47a7c0160a78d1e964e2c80342fab8fdc2c5c5fde8858ac02e10de08bfc17d306d9b2f0d264af9e8cb25008d9a02b2b79519cc96

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\vk_swiftshader.dll

MD5 bdc181ab862183b43984b69d65fe0078
SHA1 0ae2bc65ff0ecfbf45694136aa0e91d63ce2b541
SHA256 2cc4b13f454f055c2a079b5c64b6a1df0d890cc8f53b3dfd1374e41f375a564c
SHA512 f33b6a65b0fa303bd3fa77222ef9b03332c676f79c36c783be07fe02a7213d67f16af2d11a867b313f7af1000e21e56863a293c7570646901747ce6c7bb5b7d9

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\resources.pak

MD5 872d3b8ce2f2d03cd1154919f93ac277
SHA1 f4e53fa1fcaa58abdde936e4f9721d7d6d01b551
SHA256 fdf35cb15608039a7da500db15060efb7a9681637bf1fad9b7f6f5eb09bf2ba6
SHA512 15947576d0cdd661a8fe06bbb130c32f78cd2cde07f02f930c2c2a1665f31c630d39ea956a9c9bdc184694c56e62f403ad4b39c25f7bca3db51ae448b9501337

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\ja.pak

MD5 833e8c4aa70351b6be7bd403e4e9a0a7
SHA1 46ccdbdea35deec8ef13a5fc833776875fad187b
SHA256 74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0
SHA512 e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\hi.pak

MD5 590e9e73df9cbd83cd87b9c03848fec9
SHA1 da125e60a5a2c51a2d6219d3f81688bd22237b59
SHA256 089b9dd31090a987515809a68d26f6eeb64cd9283934e3dcc48b151eec7d3ad9
SHA512 fd0e5d0f2063e12b711275f390428b88f98ffaf6043cdb14b13674ac1e4aa9f70ae820ae960132d7155daf9b1308238775c4702694ab53068cdc709c50f9186a

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\gu.pak

MD5 63a7fdc4eadf8ef1c35c72468a0ce33f
SHA1 e8d064f0e9c8a6a8c6ccb036711e292d011d9466
SHA256 e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c
SHA512 0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\ko.pak

MD5 d6e2c18c9eabba59b50d147d942125ea
SHA1 0918879203c2050b4f9f449f5616e430897ba0b9
SHA256 f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76
SHA512 f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\kn.pak

MD5 5115cde84b4c674db412619b65433004
SHA1 164f33e7e2e9f685a579da492a6fc8806beb6cbf
SHA256 891e092c6895e23be986c3e6d39dcea9b6b75f1448239c13fd406680e50407a7
SHA512 090a247898cb533325d2b289a6cbd8db2a755ef0abab49d82f333e57b290c50b5996b81f15d8adc30160b216eebed3a1476aec1627195e52189557c1d48b0216

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\lv.pak

MD5 264c6e20b3088ceb4dae5773cef0cb55
SHA1 fb6ff83ff14df008092bc3ee73bda7491e8e090e
SHA256 a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda
SHA512 01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\pl.pak

MD5 644c0ace25d6e532b56510a736c6bc2c
SHA1 1bd0fec952107b493da04c46423da634ff3e1504
SHA256 2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7
SHA512 9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\mr.pak

MD5 f22c99fe6a838e333e8ee06a4d01296b
SHA1 c3542ea8dd45a2b387dd02fa5687948f135e10f2
SHA256 b03a3042f907aed13253ae8083d08f5fad59ff438d024b097276856e72526911
SHA512 882022c2cb985d85f96d52c9bcfeeb089d6ff30e66187ccf424ef622092b9d359a51bdef1fb6ac3b9d3409aa79d37ca737ba7f3ed8b9cdaabfe04d90a7c8bc15

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\ml.pak

MD5 04b2540c25990a5e0a9b227dcce6ae0d
SHA1 4f8ccd154f54dfb083d4d1a3ed0994842c8ab13e
SHA256 556165b8b54c6e21bc66d12b3f5be393136714467c427f7114f314d18ad3c661
SHA512 4cab47e42e8f5d4a83851871f97f3e1360c993ba530dbb4b4b736350779784bd83189e1195d3480ce87298bb8f9b7f249fefa7764d850e5b0002895609626785

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\ru.pak

MD5 75457b95d2bb03891232dae7db886387
SHA1 e5a7569df7f91533703626d167ecc8cddbd27205
SHA256 e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6
SHA512 9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\ro.pak

MD5 24b01a438a3ab9699d4ca97c081b5e82
SHA1 0d0b082544d23425a74199fb0a6c11192f0bdf7d
SHA256 38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca
SHA512 43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\el.pak

MD5 38440b98bfdf5ed496da0f49d59534c0
SHA1 1498d9207ecaf4923a47271e24c68a817041c82e
SHA256 b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f
SHA512 95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\te.pak

MD5 793a87d41cde6e6d1bb086284f69733b
SHA1 d887e3842b664f55b7308427aa6f5bf0b352d879
SHA256 5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255
SHA512 7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\ta.pak

MD5 31dada843d0b4f9a66b184cb6d7b8b92
SHA1 0320b31981043c6e4c17470bf2ff4c7488553511
SHA256 457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b
SHA512 c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\locales\uk.pak

MD5 d791b1ecf2931b2fb0c31aac170c7cdc
SHA1 02be115a9ff94fe5250651b6de4323eafc44fce1
SHA256 ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22
SHA512 3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\resources\app.asar

MD5 31ea99c23c26e9627ca8f1fecf2bea2b
SHA1 0a5f58971c26472cd5e25f0854211d5e8c06e11c
SHA256 b57085446e1dc9cacfd9008ca14c343b782e65ab3876fc9d72faf75fb60c2378
SHA512 1b022d77d0abe169867a9869e15501cee2990d24eadea4d4da2ea2c69a119bdfce0a0652eafcb492c932f63c9c4c41a5b6695ffed25657510e2ed6ce7c545d44

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 c0b36d56d83e601bf246f7709a8c5f9d
SHA1 b025a6070f7d61c7d1827856d2d4043834fd23f2
SHA256 45bb5e1f8dd87129ac0a75c78f8f29d06e3ac182a00fc5199b692068f1e05a53
SHA512 e429ae63bd8a7d5a936a638783511693e8fbbc91d97779b3d4dd3f0880f1c8a820106bfb57cf7ee6b3639f19165de87bbe127aadd81218689fc6c8fada2106d1

C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\7z-out\swiftshader\libEGL.dll

MD5 19dc9ee70e7765bb63a66b6826e8ecb7
SHA1 1a12f983f8b35cc2955d30657971f113c47dc164
SHA256 83d5719abee35e051d984510e1d5d9317a109031698814742b59bdbbe7d4e30f
SHA512 1fda2bcc4b2e70987ca6011ab2534007ae4f752016d29a588aaae839bb25c35e03773f220b6a8e926cf2643997e7d4c0f28743304269b2c55642ce12934def68

\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe

MD5 8c9232d9adb03a3bc17a8d1c4b49f64c
SHA1 347d2f2e3abc9fab50560e744117589cf0f58804
SHA256 36cd9d5102ffe727664946d7a0b3542b21097496b242f49312bd2590395852b2
SHA512 998b6adc37b1a55cf698b13ca56a03650a2610ead762ffb3489bc665cbdf01a40da646fb31fc0101d75a2fd295459350c7cdce9d83bdb616647052029ffa7571

\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\ffmpeg.dll

MD5 9f5fa489673b8aea5fc91cc6737ceb82
SHA1 f13b2a02b77823e8012e5faa902fc7533d36b92b
SHA256 e1392e4690f070e6430797fda7269c9462952a6c72b71d8eccbd300d1f303acd
SHA512 fd0c1d3898d6aaf8013816b75f9a1027c8759bdbd1643fab61dc2e5b896797b5d782a7800127a7e0eae738f158d15be1bdc373addaf61ab9e2ea6899f684c7fd

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\ffmpeg.dll

MD5 87c224ae33fd40a2617ff31de3ee1879
SHA1 b9c84b46d430dd7c3dbab8e7c786bf8123646ed0
SHA256 b39ab42f88a353883c37868b8cb304cf093a1dd40053b3b481f388182928e137
SHA512 fe16f5a6b381704410c226f23263b41b4470df77ab566874eb536cbf3ea57b3cec2ccb7d6d5dbb4ee3328faafcb6bda34bc8cb7b7adf6bc85d2402f3cd045bba

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\icudtl.dat

MD5 4c7277e22219bd390daeed5b473d3205
SHA1 7350dbe28c42a6da3a49e1f42ae2a8b9a76d3ca4
SHA256 7eef8c0426bb6c51f98815065bed316ca87e4b38225a896f342357479cb9314b
SHA512 2bcb2577e7b2f5869ba1a22e0bf5e8c63755ad2fb2cbe18bb155c8891fea40e9f0c2cf7365884d31995fb0097477a0b01ff7530f3e8c731c5dd152a513e22cb1

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\resources\app.asar

MD5 de0427354bc022666fc4de39f6e3ae70
SHA1 b3ab7e6bad2b86d09abd66d82cc226b7387f641f
SHA256 a373fc4f2fef8c825ab2af44ec29ecf296ada44e816f046b34c4c734a57a0a9a
SHA512 f0d179e5d874e4eba9128dab05f04fc29485d91245cf798c0a8a761dae7a4a0bad282ddfca7d21d1671d07f6e5aa6cd22b738f831bd37d2e24dc13e608926305

\Users\Admin\AppData\Local\Temp\bdb70a36-4a1f-4f93-b3ab-f77eb95f282d.tmp.node

MD5 3072b68e3c226aff39e6782d025f25a8
SHA1 cf559196d74fa490ac8ce192db222c9f5c5a006a
SHA256 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
SHA512 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

\Users\Admin\AppData\Local\Temp\93da7c64-4ea3-4ba9-8dc3-f7c834b128d3.tmp.node

MD5 d67bc911b5f642b2c9ca96f7875e6b1e
SHA1 55e2c0c977a3bd2c5e86a6d3035cfeaf4dc4896e
SHA256 614b33eaf5e7f5ce33d961620616567c7569aa778d5e9f35c35d9dd740af3c09
SHA512 62fd33e7300c40783a5e25ec8965a28a013eb5f6472383a3253c9b3ec6010f6727496f9ded60666332a68faca616487cb4a7c78e6ca1a241df939dd77373b7d1

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\resources.pak

MD5 f0afebd4b84a66e7cbaaa8030eb3fea7
SHA1 e16a50d5b4ad7a4f9abf7d049fcb53723ec4170f
SHA256 385ed722371e10fe1bd0e3a5b2a32af75489d87bb64dfdf24517bee901679ae3
SHA512 4ee721f3626d4e94e93ddcd9203b25994543c170f15c37d729d273de90a8e5fcb9cd863b57e1a130dc87e668c288f5603161e3b28b4296996841b3f559fb687d

memory/4204-553-0x00007FFF3CA10000-0x00007FFF3CA11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe

MD5 42d78c1d19d7c1467e4700fd3f59e4d7
SHA1 f07de9b57c026dcaacb90264eae5d16eab1acdf6
SHA256 bcf512a2a13b717db6a0be02097546c94636aba1d6bc255c89776d36093f56d7
SHA512 910a52a654e30e4b6d369304f802ef4f8796265109ffaf9f60284b216a700dafed998b40253d8e22177386b7052b8bbd6036645a869b47b93f2b3f674d82e8e4

\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\ffmpeg.dll

MD5 bf80c4238b86c6d2957674bc6e032b94
SHA1 b0f1c92e15861d1c47769d0721fb960364232a75
SHA256 7fad43e1992f42ce3a8e6dc07ad75a287e72e2bb96333d0d43ffcca75dd2b0d7
SHA512 1ff518201d5006ac1cefe7b9dec5e9835bc44d2da4d0f000a386330eb5d258d61ba8033917e62b37ccccfcf856eaca3c38dab4b6220860454e80adee38c7b180

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe

MD5 61ce01891ae837d1a925a6b33e8e0696
SHA1 75fd0f524a2f6b77f5b1c5596bc8fcecf3928447
SHA256 fe78399f10ea4e40aeb3d3c69488d03f297149aa44e2f8b1212cdd9284bcafb8
SHA512 69493e3f41439f3f2af0271c703a3d5080e706ad4954e5a37b6d2ab69df573fa21b016a191c3749266c92f4cab8b273e20931531518ddf7f7945fa281101c958

\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\libGLESv2.dll

MD5 9369121d39ee9369c0ad98b0c68964a4
SHA1 fd80db8de854bd3e254d26aec2c96347625850f4
SHA256 79080528e0a15f0f1089808db730f3427bc8e51545ad30c910fd67f180175f8b
SHA512 c3ea8e73500d1221c7caefc06689b08cd760a0a8f9a01297841e96aaa4a9c1560551c3b7d3caf6db10ab2378f7f0f9f246239112a4b81c7acf3d7892b006e6cc

\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\ffmpeg.dll

MD5 d4d05deabcc94358511e3b16e7d47f4d
SHA1 fad235c505ff4ec2ecfcbdac0cea0c6fe3954d58
SHA256 778eda19571478dc6e832607a616aac536309f192a44d09a63ac666799e0b31b
SHA512 eb8a84d0f304c658c5edca3edb5f260935a4f7816e515193de542b01e52ae9d8094615954f5669ff58a599540ab9b9f3cbd82bd01609be5c2e7fee69a2e1b12f

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\libglesv2.dll

MD5 7c53c90f3741a2108df70b029219f353
SHA1 6bcf80314f74b9cd4949491780d548bf247976f0
SHA256 a1fb2ad4a24b803099eb8275cb0ce8094ecd70636e5dcab2c286d789ceff1698
SHA512 7efbb0be1a47f956d7c9c9818fc3a9c9dcbf4a27476d94f1d07d4eab8d8c1ee1ce550d0175ad4a0ed6f77441cebb02dc456e11f6bce4f9d1c022bca060e206b6

\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\d3dcompiler_47.dll

MD5 d408124a6d49e171a9a96c0777749c32
SHA1 63f6d5606e1274e5bfaaeae132b6f0f869bb2a69
SHA256 b2d4bcf8176ab8b5151848b553017c14c9461e9551ca20a658189dda4d5c6b06
SHA512 53fc7da6113f5d97fcba338aab0a911658b3c73e1c8ae4a5b07249336106e16809e79292cd329b83ee378f7e556cef1248712685dbf94812875fa1eedc937ee1

memory/4812-600-0x000001EB7BFD0000-0x000001EB7BFF0000-memory.dmp

memory/4204-604-0x0000026C80190000-0x0000026C80489000-memory.dmp

memory/4812-606-0x000001EB7C300000-0x000001EB7C320000-memory.dmp

memory/5084-618-0x00007FFF24140000-0x00007FFF24B2C000-memory.dmp

memory/5084-622-0x0000026EAB540000-0x0000026EAB550000-memory.dmp

memory/5084-631-0x0000026EAB540000-0x0000026EAB550000-memory.dmp

memory/5084-634-0x0000026E92F30000-0x0000026E92F52000-memory.dmp

memory/5084-646-0x0000026EAB6D0000-0x0000026EAB746000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_544lv2q3.p3r.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/5084-669-0x0000026EAB540000-0x0000026EAB550000-memory.dmp

memory/5084-674-0x00007FFF24140000-0x00007FFF24B2C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 17286868c0a043ae5d2ff5798b6a3163
SHA1 b83b23cd57c7fb2c937f5bc18aeb7ddc955b5401
SHA256 40321e18ed0b9eb7e3bc937d3e207ea2039ff45267483ddb4a51f7974475dac6
SHA512 e15c11982c0569a389a7dbd0889edd1ef9a8ffb21c0e8ffadebc10e1353f4485524b18ca8e041c66c98d05fb984544da122755e6c2a25728453aeaf4175bdee1

memory/5032-680-0x00007FFF24140000-0x00007FFF24B2C000-memory.dmp

memory/5032-683-0x000001BDD3580000-0x000001BDD3590000-memory.dmp

memory/5032-684-0x000001BDD3580000-0x000001BDD3590000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 21b176d51388e6fabe500a361a00cc12
SHA1 56fd2af8a323684c6bb5f649b9ea301e6eceb1c7
SHA256 b9e418653f55db399dc3aaeaa8b44cfb42ae60e1f4fb3ee7edf2197d3eb5a76c
SHA512 efa6ab5d95acb32da69d0db7d5bdc590a16195375762bcc7d5bc7ec604ed9213d94191c1f03999c671db3e58bf0cca75d99df691d8c24d577c77f9a0ca86b4a7

memory/5032-702-0x000001BDD3580000-0x000001BDD3590000-memory.dmp

memory/5032-707-0x00007FFF24140000-0x00007FFF24B2C000-memory.dmp

C:\Users\Admin\AppData\Roaming\as8cpxUMHrTO.vbs

MD5 d1111fbbaef28413de4a0a64e0d54f2d
SHA1 5bbadc5c5d504dcba5509d34986125e8446e3830
SHA256 beed3a3f6edc1e1b73a3cafa55f16ba61d56c87b7506ae9c33eb630bcbaa3a01
SHA512 1196efb8579efc91105000afaac0b6c14f386aa29a64ddd88f9a2d6a980bd2eb8dd6a2e78457eb9e5614f9492d0e75342f01293c1a8341b153357f2d64c64af0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\places.sqlite_tmp

MD5 97d7392d00c70d04ffad80db6dccecbb
SHA1 7c7534a44015e6d8fe1ee0e155c3aef04f628b40
SHA256 8b84e80c8e78d3a287875b3c3a6356c561c6f4d7974f1b27ee40aa2c988c30e1
SHA512 ed7c6fca9b157cd6a354f6f84da0b90be2e92cb0807d0c6fe89389722bde9d8dfd0872616558ebf36a93952af17eb669978ece10699ea134438de9f0006e62b5

memory/6848-833-0x00007FFF24140000-0x00007FFF24B2C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 c3b89e65a243e0e52a567eec793cbc57
SHA1 695551b6e783c865ce1eb514df871f9167672c3c
SHA256 fe481148fc1cd1cbe96c5d3b98b122d02ff7c802305319a09ba9075a7bf4bb00
SHA512 cc0cdef11e44939008097fa3bc65f38d675b51398c38f2de6041cb2e4595ca8a192ae71c904302e546c8f0d2bd1916ef19e4b8b327219e6e84a850730a38ab47

memory/6876-859-0x00007FFF24140000-0x00007FFF24B2C000-memory.dmp

memory/6864-862-0x00007FFF24140000-0x00007FFF24B2C000-memory.dmp

memory/6848-865-0x000001CFF2E00000-0x000001CFF2E10000-memory.dmp

memory/6876-866-0x000001F0FEA30000-0x000001F0FEA40000-memory.dmp

memory/6864-868-0x00000154E9470000-0x00000154E9480000-memory.dmp

memory/6864-870-0x00000154E9470000-0x00000154E9480000-memory.dmp

memory/6884-871-0x00007FFF24140000-0x00007FFF24B2C000-memory.dmp

memory/6884-872-0x000002BF32CC0000-0x000002BF32CD0000-memory.dmp

memory/6848-874-0x000001CFF2E00000-0x000001CFF2E10000-memory.dmp

memory/6884-876-0x000002BF32CC0000-0x000002BF32CD0000-memory.dmp

memory/6876-875-0x000001F0FEA30000-0x000001F0FEA40000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 94a5614b62ef63e2a9591b23da2a7de4
SHA1 e7b4aef7cf2deeced13bb040e4258eb46f946915
SHA256 2bb32824e526f0a3b7b75742bd646f53173cc2aa2be006c533fae5993bc45783
SHA512 c6ca6084cdd29f828004b31ecf21854357be5c7822dc2176540108bddfd5ee3f02f59c254c9994a8c782bbea743f9e995c7eebdf1b95f63384c22bef52007db7

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo.png

MD5 2b67e47cb8da1058770fe41d8b947619
SHA1 9eb259b1d377a24a2b77a694cf31c23cef7b8eef
SHA256 46f616820751849512d2704ddb604666170d13315c4383b8c8611c3e1c2f594a
SHA512 27c0593d662df228e146c49af6da52e39523523af924cf95ba4890b1b42358b2b8df3cf2667d8f672eece4f7fe098574c4689677768dd54d3b872619c7b9ae55

C:\ProgramData\ChromeExtensionsNova\extension-tokens\manifest.json

MD5 42ac88deb5c3cfc02fdc1c27319ee067
SHA1 97b1addf35159800b90743fcfbb5505e80f6eb82
SHA256 28486361faff1827fb9f1871529c48efaaf86027592d189afa6f99b14eb3f4bb
SHA512 77c4054a3cf061eb6f4f6e9803b74833a8fb0fe352239b5b47cf39ea5eea8104b9da6deab75018557476fbda856f3be8d57e6fe2eb777c45a7a1bdb1e72d02d5

C:\Users\Admin\AppData\Local\Temp\gmvfzZT2QrkE_temp.ps1

MD5 7627a2c6e4dc6bac17201d694883870b
SHA1 4ee5e3b85318c4fd996973a3d6d3eca6935dde57
SHA256 8e9ab91329c2fe18556575dadd3a677500f0b8bd6b754c081d332d57860b39f7
SHA512 48c8fa0c6d8e3dc61d2479d7c9d347943a86bb27ca3d9ad87eaf4a49cff09019ae109518249b11861f54a7d123e08b024875b7a02e9c9f43dcb333f882189450

C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\jquery-3.5.1.min.js

MD5 9ac39dc31635a363e377eda0f6fbe03f
SHA1 29fa5ad995e9ec866ece1d3d0b698fc556580eee
SHA256 9a2723c21fb1b7dff0e2aa5dc6be24a9670220a17ae21f70fdbc602d1f8acd38
SHA512 0799ae01799707b444fca518c3af9b91fda40d0a2c114e84bc52bd1f756b5e0d60f6fd239f04bd4d5bc37b6cdbf02d299185cd62410f2a514a7b3bd4d60b49fc

C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\background.js

MD5 95abb431e828af4e242d7416bc3c835f
SHA1 edeed5bbc51da6177a743b77b3c304b2363c11d0
SHA256 f21ccb75793e30d6176319f44d4e7df78d14656cd068e82dceb4b432a03e83b6
SHA512 d8bda092f520d4f3ea25042ce3ccf94732d98c3f7e20d93e2e2f5ea5faca7776e28fe85055dca359b83cd8a9d87712049c9a2e8fe4f9d97cb1af4b705171de2b

C:\ProgramData\ChromeExtensionsNova\extension-cookies\scripts\background.js

MD5 43cc926f306f72e6f95dd90ddd72deb4
SHA1 a23036235a1af7fde092358b14566044d15cef5c
SHA256 e37373abdf3ef81bb9e4f05a6e41b4d78049b526487e8e644c19efb2998657f8
SHA512 83fe152255167f7914093407f02afa4d91194487d1b183e18c328a9c69e43534058b7582e53846a742b06713ad080f3f7ef37c090d75d498f8cc8148759e0040

C:\ProgramData\ChromeExtensionsNova\extension-cookies\manifest.json

MD5 04c23766134b234e85cc537b2162efb1
SHA1 45c48d9ca30a4580a682f025cc66331e49f6f158
SHA256 f50f62683347bbca52d7f7de0c877014ae77043753905628644e2d485dfb4900
SHA512 d246f59ad6d6e9fc8d8d88129302d55cb3d2ba7d52496915ee6791fa0576153070af76ea689cc74ccefc36456df749ac5c8f45cb12702961470f202078bfcb3c

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo48.png

MD5 9f74f11972c3c0b161832ffab541bf31
SHA1 e5841ba20a229cdeab85d30690509e649e848271
SHA256 8b74a0abdd566ffdf15891d6abd3537bffb0abce7f362c737c3de6752e136032
SHA512 b90f13eb65a4dcfdd596a7d9eba7c1ba5eb1a598e51107ce3dca07c0a0025469ab18c9958eff2b36f7e05a23f0d16d7d9d7c2321b8e1f2a456aaa7bec3ced0e8

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo16.png

MD5 192e90432fed0081abb25295d8f309c4
SHA1 5150e93061f39e26688afd60a04c0ab14b510d47
SHA256 3216d6864b4f8824b82eb887edf95436dac3bea3f7d43d8988a176e3f1f8e1b2
SHA512 9b9b3f85eb9f12ad1b4c8cfc5e672758d879e178179deb28e80e6c3b27871261bf6b52f9066850b5a7a2fd85012b5308eaf3dda882fa40febc9cf6b47f1a4f04

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo128.png

MD5 271847949971c396f77beaab936b7ea2
SHA1 b32c5a7eec49aa07f8ae73feb990626010c4b850
SHA256 a55224cdf06a5c2b937ba400604501f8b6ec93bc2c1cff62aa2fd378d504c657
SHA512 a2e141f68143f370e2b82a1c9c7c4b1c5f6fc2cfc2ad94acb8c5c02237af56f83904beaff3240e20397f0edbdfadf8779c0bd54b2cf0c9899fef59343e31794a

C:\ProgramData\ChromeExtensionsNova\extension-cookies\content.js

MD5 98da6773338404c355d020e2bd606f14
SHA1 9a750eadbb2b1ef37cd4b864d9e188235e95d6a7
SHA256 1fca33422266981a79b0d4425f92eee6f7e38995bb420e952cdb8c63acae62aa
SHA512 ffa12848f5b0513f30f4f0913ec14d958cbeb43df555682e2e1cf239117a2c7408fe3c50d3de77ed7ece7c9334522547b9ae55eea185b112e522b013443d805a

memory/4204-1022-0x0000026C80190000-0x0000026C80489000-memory.dmp

memory/7736-1029-0x00007FFF24140000-0x00007FFF24B2C000-memory.dmp

memory/7736-1032-0x0000015484270000-0x0000015484280000-memory.dmp

memory/7736-1034-0x0000015484270000-0x0000015484280000-memory.dmp

memory/6876-1055-0x000001F0FEA30000-0x000001F0FEA40000-memory.dmp

memory/6864-1056-0x00000154E9470000-0x00000154E9480000-memory.dmp

memory/6876-1058-0x00007FFF24140000-0x00007FFF24B2C000-memory.dmp

memory/6864-1060-0x00007FFF24140000-0x00007FFF24B2C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 50d594bb5b163053476e85cba8687012
SHA1 f7475697e6d37dd8130847fbff9c9fac97f68a5d
SHA256 54c022510513112231276318b78e1ea2e5e3162cfeb5c705640b421d3e3991c7
SHA512 85bedeb3666d50dc99d2e9958c2b592cd11a5ecdcc8405f84365287f2540f6bc48580362efffdcf4e4e92c0e0b4670ae02674d3943ab25f67eb5ba224349d874

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 28a86a9ad52c922549956d13957c81bb
SHA1 dd0e809a1199bc04f8af525da3b210a3eff34631
SHA256 261237a4007a9fe96f08a661b0e88f9401a78617b30cd015885698934480b098
SHA512 7f437ff15cc0881e36285bbfc006e8fdb01d97ffc1aa5ea9b0fc0be8ab5854a4ce3689297dcac6fd9862b2e2e736875de467e80bda9b6f27ee9cc622be69970d

memory/6884-1079-0x000002BF32CC0000-0x000002BF32CD0000-memory.dmp

memory/6884-1083-0x00007FFF24140000-0x00007FFF24B2C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a081586152b45118d51b27b9d5411eb6
SHA1 c36c89c08c588bb80c704ae69325442f672cb5dc
SHA256 9d7b0aa78034381fed092aa2de9c69edfe116262ec03a21c9836e85c09da2bcb
SHA512 681ecd706ac45bdd07958a099b0520b3017a22c5c3cf3fae4182942e1ddc46b92aa916d342004c639d6450a4059d6c6c91b57fb6e5729338d527b81aea5d0368

memory/7736-1095-0x0000015484270000-0x0000015484280000-memory.dmp

memory/7736-1096-0x00007FFF24140000-0x00007FFF24B2C000-memory.dmp

\??\pipe\crashpad_8108_TKPZROFENWTRXHLT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/6848-1112-0x000001CFF2E00000-0x000001CFF2E10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f23f09845ec4433a6a92937654cabc31
SHA1 6a55268086d4ae7edf4eee34d94192628288c3eb
SHA256 0d381bb56efa8013641944b390520840870d40120e6f170c093b8cafb56a711c
SHA512 00b775842c154e5751492f399a20d0b7a3b0203d98f4fb2189193939e17a44974e6ae2a0c0c01bc03cb8a1909af93550d78624518ef8604a53bd663c3129dc22

memory/6848-1113-0x00007FFF24140000-0x00007FFF24B2C000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 bb305438a5ad5a7d39c3c925ac9ad65e
SHA1 ab9b3704cbb055a2593795c590959c159c311ac5
SHA256 3b14e930180378399c90e66aa0eac8127a05816578d93c27daba3196cce42b6c
SHA512 98854f056eff07034a25f97d38c9f73d83e3fc78ba2ee47a5a1de05fe90bc912a53dd429cfbf2c08801564d19112816ed58afa940ca1e8e1886a5568a521b08c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5143c44685235eb0540f343e4fcda059
SHA1 bd4baf9474511d053391b443e2f9fc3f314ce23b
SHA256 2e5e11196dddfc5a6d7f4aad31637b00e78a4c3e7c547dcd7cb06bf7a4e857a1
SHA512 ccabae3ce4d06f9e201769b6a8e1e32ee5da2d5ca1d6c2bcc51a172e794bdb4adb58fc988dfffd56b175217407d2544e5cbd646c41f53fd2342060fa1d5d0df9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 e67950d7daca7f171c0c3803da01efb1
SHA1 aa1f88e716f3462ec836369e94f6da9de61b9cc1
SHA256 cf88defffd42b8c8969514f3e8a231f9d4641ad4ef6f710180cffb00943756c8
SHA512 cefb9518d5ac04c733ed902ef91f40d4044760f6bea63019b4ff99906360ecdfc4de7c20d7842b5482e4bd926b8e7477270a80b6571b2d35f3ce9502f5b173c0

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-17 06:47

Reported

2023-12-17 06:51

Platform

win11-20231215-en

Max time kernel

151s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\caca.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\caca.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4864 wrote to memory of 5756 N/A C:\Users\Admin\AppData\Local\Temp\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4864 wrote to memory of 5756 N/A C:\Users\Admin\AppData\Local\Temp\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe
PID 5756 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 4920 wrote to memory of 5528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4920 wrote to memory of 5528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 5756 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe
PID 5756 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe
PID 5756 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 4316 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4824 wrote to memory of 4316 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5756 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe
PID 5756 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2292 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4520 wrote to memory of 2108 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4520 wrote to memory of 2108 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 5756 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe
PID 5756 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe
PID 5756 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe
PID 5756 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe
PID 5756 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe
PID 5756 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\caca.exe

"C:\Users\Admin\AppData\Local\Temp\caca.exe"

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe

"C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1672,5730958808603993205,14236477908741159015,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe

"C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1908 --field-trial-handle=1672,5730958808603993205,14236477908741159015,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=4864 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4864 get ExecutablePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cscript.exe

cscript C:\Users\Admin\AppData\Roaming\nsYARmQCI3eO.vbs

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\nsYARmQCI3eO.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\RkmKhXvKWV6l_temp.ps1"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\1VCU96MOIDdoflzlIbP8\System\cam.5756_Admin.jpg"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {netsh wlan show profile}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {powershell Get-Clipboard}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& { function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace \"root\SecurityCenter2\" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { \"262144\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"262160\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"266240\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"266256\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"393216\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"393232\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"393488\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"397312\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"397328\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"397584\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } default { $defstatus = \"Unknown\"; $rtstatus = \"Unknown\" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct }"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\RkmKhXvKWV6l_temp.ps1""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\1VCU96MOIDdoflzlIbP8\System\cam.5756_Admin"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Clipboard

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" wlan show profile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutr5D9d.ps1" -RunAsAdministrator

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutr5D9d.ps1" -RunAsAdministrator"

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe

"C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=764 --field-trial-handle=1672,5730958808603993205,14236477908741159015,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 4.200.250.142.in-addr.arpa udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:443 dns.google tcp
FR 151.80.29.83:443 api.gofile.io tcp
US 206.168.191.31:443 store8.gofile.io tcp
DE 140.82.121.4:443 github.com tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.137.232:443 discord.com tcp
FR 151.80.29.83:443 api.gofile.io tcp
US 206.168.191.31:443 store8.gofile.io tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.137.232:443 discord.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.137.232:443 discord.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe

MD5 abb844eb07577628f24dce75d01267fb
SHA1 8fb3830b731a9105a535d569d18c9f4d3d82fba4
SHA256 e4d0e1af5af6e1070adb8be3054bdd1970a2f812d2b2b0f8d73786285c74a0bd
SHA512 78ca13bb0f131b680c8927471419cc513a4cbaf1c9ae8deceb319db385acb7c207a9e8c993a44c556789fe3dfa946f6095f96e27cff8d06dd29952bbadb39d00

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\snapshot_blob.bin

MD5 85833c7e0dce43b484740ac772fef8b4
SHA1 a95aecfc42f08aa608271f7c43f99587f9780f0e
SHA256 e4eca26bc2f750281e7374ad98ba93aa159f03fc169c8c823c81f4faf1de51be
SHA512 086c7bb6542477b3c27c38e97bd42d6bd9c5e00394810b410b8da3356a8b9ed44b86d6c27a8fd60b1ca712429eb565d6d7aeddb48c5c9bd41bb52345f01ca8ac

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\resources.pak

MD5 edc90701bb57f7f91e642169b59f1467
SHA1 fab909052d63e468784975f670b7acf90c4d958c
SHA256 ba459cde5299669ff4bb97c95c5d5218d7f1fb193234f6b89e92bd67e409932c
SHA512 819d1962d9e61e0f3ef87c71b782a7d4e440e2a93b5c7e0d2c8fd440e7637c8393a0b72d6268e75f4871d61227167b0475b0c3cc346b00a88a15f5254fe845d5

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\LICENSES.chromium.html

MD5 49814ff5a0327d6fe9173351c9e60d10
SHA1 eef3dbed5f9aac40a128efc33c43ba34d34ff400
SHA256 695620726ba42ff5dfc843ab6d8427996495009d3c546778854dc93ae7480fcf
SHA512 c2bcdf04edee6ac3e54cc6ddbf1a820f5a53a991fb8c8d796183348b04f0ec78d38487f6c6f2b9101a39fd17140407934720061c859f93ad02cf306d28756bc9

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\libGLESv2.dll

MD5 102adbadde6f89c780b75e402819331c
SHA1 951187238208643758057a57efd290f514256969
SHA256 f3240b44b4f854d01471506564f0e651e7d6485ecf90331b3fd837450bb520fc
SHA512 1367d6e1059de28895a91f179ec9c8c036b9311d625e20448a2337de260db7b536d24fa11d593003cd6b26a51bd48eb525a0502f29973434878161348f3cd8f1

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\libEGL.dll

MD5 67836ccded61ee1cf9ddca752f078356
SHA1 dc081b0acf622e95647af6cae0d9382abd374e2f
SHA256 f0a958761796782bddeedecc75ecc92a336a5ff2ba6571bb2da9c7cd06e75850
SHA512 9c0aab3f40979a4337a7be928051f06cfa675f1b96e096f9d4c940f291fad9f0f249c95f28ae3d1917efa93c65ccc3cb46a8fd6eaf7ef228cf14de246118e3c7

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\pl.pak

MD5 644c0ace25d6e532b56510a736c6bc2c
SHA1 1bd0fec952107b493da04c46423da634ff3e1504
SHA256 2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7
SHA512 9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\mr.pak

MD5 f22c99fe6a838e333e8ee06a4d01296b
SHA1 c3542ea8dd45a2b387dd02fa5687948f135e10f2
SHA256 b03a3042f907aed13253ae8083d08f5fad59ff438d024b097276856e72526911
SHA512 882022c2cb985d85f96d52c9bcfeeb089d6ff30e66187ccf424ef622092b9d359a51bdef1fb6ac3b9d3409aa79d37ca737ba7f3ed8b9cdaabfe04d90a7c8bc15

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\ml.pak

MD5 04b2540c25990a5e0a9b227dcce6ae0d
SHA1 4f8ccd154f54dfb083d4d1a3ed0994842c8ab13e
SHA256 556165b8b54c6e21bc66d12b3f5be393136714467c427f7114f314d18ad3c661
SHA512 4cab47e42e8f5d4a83851871f97f3e1360c993ba530dbb4b4b736350779784bd83189e1195d3480ce87298bb8f9b7f249fefa7764d850e5b0002895609626785

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\lv.pak

MD5 264c6e20b3088ceb4dae5773cef0cb55
SHA1 fb6ff83ff14df008092bc3ee73bda7491e8e090e
SHA256 a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda
SHA512 01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\ko.pak

MD5 d6e2c18c9eabba59b50d147d942125ea
SHA1 0918879203c2050b4f9f449f5616e430897ba0b9
SHA256 f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76
SHA512 f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\kn.pak

MD5 5115cde84b4c674db412619b65433004
SHA1 164f33e7e2e9f685a579da492a6fc8806beb6cbf
SHA256 891e092c6895e23be986c3e6d39dcea9b6b75f1448239c13fd406680e50407a7
SHA512 090a247898cb533325d2b289a6cbd8db2a755ef0abab49d82f333e57b290c50b5996b81f15d8adc30160b216eebed3a1476aec1627195e52189557c1d48b0216

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\ja.pak

MD5 833e8c4aa70351b6be7bd403e4e9a0a7
SHA1 46ccdbdea35deec8ef13a5fc833776875fad187b
SHA256 74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0
SHA512 e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\hi.pak

MD5 590e9e73df9cbd83cd87b9c03848fec9
SHA1 da125e60a5a2c51a2d6219d3f81688bd22237b59
SHA256 089b9dd31090a987515809a68d26f6eeb64cd9283934e3dcc48b151eec7d3ad9
SHA512 fd0e5d0f2063e12b711275f390428b88f98ffaf6043cdb14b13674ac1e4aa9f70ae820ae960132d7155daf9b1308238775c4702694ab53068cdc709c50f9186a

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\gu.pak

MD5 63a7fdc4eadf8ef1c35c72468a0ce33f
SHA1 e8d064f0e9c8a6a8c6ccb036711e292d011d9466
SHA256 e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c
SHA512 0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\ro.pak

MD5 24b01a438a3ab9699d4ca97c081b5e82
SHA1 0d0b082544d23425a74199fb0a6c11192f0bdf7d
SHA256 38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca
SHA512 43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\uk.pak

MD5 d791b1ecf2931b2fb0c31aac170c7cdc
SHA1 02be115a9ff94fe5250651b6de4323eafc44fce1
SHA256 ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22
SHA512 3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\te.pak

MD5 793a87d41cde6e6d1bb086284f69733b
SHA1 d887e3842b664f55b7308427aa6f5bf0b352d879
SHA256 5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255
SHA512 7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\ta.pak

MD5 31dada843d0b4f9a66b184cb6d7b8b92
SHA1 0320b31981043c6e4c17470bf2ff4c7488553511
SHA256 457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b
SHA512 c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\ru.pak

MD5 75457b95d2bb03891232dae7db886387
SHA1 e5a7569df7f91533703626d167ecc8cddbd27205
SHA256 e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6
SHA512 9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\el.pak

MD5 38440b98bfdf5ed496da0f49d59534c0
SHA1 1498d9207ecaf4923a47271e24c68a817041c82e
SHA256 b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f
SHA512 95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\vulkan-1.dll

MD5 b91586bd80e057a7f62bdc4422744812
SHA1 a1df644421ece2e740e5bf0ed98b4f269fd85c39
SHA256 8ba72d98e0f78b77bda7816cd7232809d287310d34e0f1d7472b9d5fda2c6d02
SHA512 94f0a8e3e75e4803891c0fcb257052dbe0e7399772fc7a46ab802629f76ee580ed30b3678fa6bc3744c12cf9f3103bbc8276e88f6711278748148e9fbeef2053

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\vk_swiftshader.dll

MD5 26b6026a34d82c66e09a2d3ef7a8c475
SHA1 e11254fa325f070cc5eda3f4bffbb7cd52a799d1
SHA256 bcbabced52e3650859db87c3eef55ad0b014c7a5cde07b836f60c9bbd53b755a
SHA512 17128f957e0d2404ff61cb2c6d5e93798bc903a69f4a4ea22311b885dd2d2edb76ba98dac465beefffd75654d2675c92e3c30bf9c591bbf9e2474a0b795fed76

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\icudtl.dat

MD5 f2738e302925e11bc48a2495933a3674
SHA1 9dc88f74935239376112901238e6cc61e387d2ef
SHA256 1611d144bbab2cc32468f9b3cd4e527e5145156063d392c32690a6c0e7cb4f74
SHA512 0ffbe6aa72f167215d975ee80ab6590821f1a2350ce8a6efae8274bcdb651f43e9d7584369c5f95cc4569febe4ac42984cdbe0f34163c2d22853dfd0645d8fd8

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\ffmpeg.dll

MD5 c3842fb3087cdcdb04020ac38683c289
SHA1 329dbcd4a1c79b891b200f11eb50194b85c493bc
SHA256 e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133
SHA512 069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\d3dcompiler_47.dll

MD5 7641e39b7da4077084d2afe7c31032e0
SHA1 2256644f69435ff2fee76deb04d918083960d1eb
SHA256 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47
SHA512 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\resources\app.asar

MD5 e60adfe169298c808ee59546aaad4f47
SHA1 771a33bdbe5cc61e81e6a70683d070f7b6e497a2
SHA256 b2e0503d95aa6a587c28518bd35c3924f57df3aaf47f214fc1fd2c7e7f6c3ca8
SHA512 aa74d34d2e3ae88e4d28efb0d238a5e6dd39388f03613f886bbbbbadc9abc80fdb10140cf793e0f31a04dc99a76bb1e44ab8a67a4dc3e86119ac6768077a0742

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\swiftshader\libEGL.dll

MD5 19dc9ee70e7765bb63a66b6826e8ecb7
SHA1 1a12f983f8b35cc2955d30657971f113c47dc164
SHA256 83d5719abee35e051d984510e1d5d9317a109031698814742b59bdbbe7d4e30f
SHA512 1fda2bcc4b2e70987ca6011ab2534007ae4f752016d29a588aaae839bb25c35e03773f220b6a8e926cf2643997e7d4c0f28743304269b2c55642ce12934def68

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 7b237a65a5024adbf07ca1bf5822ce4d
SHA1 f8ec38e2bad4c8c89dacb3b933b8d3ef6c767f75
SHA256 209c342dcb388781724f3088746dd0fefe86ebf04c2e176828c9b070693b89e9
SHA512 9c3fb26b2209b8b166687f8999e7359fae8c5601c1c214b714b356a599641a2fda845f050dd28da3fcd0fce91df846dd4b257794deb3cf7816022cecd93176e1

C:\Users\Admin\AppData\Local\Temp\nsqAD87.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe

MD5 f17e37fc227aa103b5868149e1d79f60
SHA1 745433d904a363591b44b3f8c6bf1b5f4f34a276
SHA256 2a5764da99794e253f872b7e23fe014dfeb3a5b1a7a9456435c8dd28dbfc3b2e
SHA512 d0a8f79b6781a8c6938b34c46d99419f048cd1eeb7f4577c992d3049505f33973d1e7a6bc167d03819de4f2b6c561d40a3369c8d91629e4b42bd1602913e1554

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\ffmpeg.dll

MD5 937cf095521c67407eead26657458d7c
SHA1 ab3568b12206443f53dcb261b67c3523e9b9ec89
SHA256 9b9171ebbb88765426a82168106ea87c128eb74940b4a63d0cd4e779ed92e2e9
SHA512 1d15290391f6b6dd9ee2765e7106570eb3319e059d224e329c642e0c4d38a6f0a82c4d8da1d571df0791d3de67f77afab71be66121f01d86deea3a94ae450088

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\ffmpeg.dll

MD5 801046e627e7c40fc2a2788ce186b5a8
SHA1 7820ee28a235fb67ab8a4597ccac78896349bf09
SHA256 b341ce6976873b8a78f904aa1b3e6cab9420501f2dcc72f339a61cc06deea8e9
SHA512 c6ad131cf2b31a7b687ad55c4047ccefb5cab0e0e74758da1d9f9f05cbb18b3413020edfcd0be2d3eeb4240b2611c6942dfe8921101dd582ed1857c32eb0d799

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\v8_context_snapshot.bin

MD5 8cda50a6c46ef5799bebc2eccf0eff58
SHA1 e45661b8d3405788874fa800430123609badff22
SHA256 32047f7bdee374193a36e3b2572bba1f40601f71ecb932a5a46d7962487a1cd6
SHA512 8d5a6cf07420c4bc85c3e45b164556dcbf208c429f1cbec4dc783e268c73a1259b07cf25a80a2f6f44bb4a9ee579e50063106fe4d09136e32b863ceb0251ea57

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\icudtl.dat

MD5 605dc57fc4ea448516030c6fe4e633f8
SHA1 6c8980ea363a977a7392c66b4f80f0506ec67e2d
SHA256 5afd8f72cc17f4062c7a30800615d7d6426188f72e051f94e2522c6870877c79
SHA512 d23b5afc86fc7d9e96086faf1069551379462739f0ec34feb5ad2c08d81be2b9e9b6732f5247b6fc125fb4278773d9d634699ddf479ede5fc4968dbaaf0c9a28

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\resources\app.asar

MD5 a91e29f0bd595b1554068f1a7856eb46
SHA1 48ac686d7649994e9f469fdf1657a0d8b20d6fba
SHA256 3800b514f039355c3227eada1000de9628134f8c312fcc260cac32db1dc19ecc
SHA512 695ffd58a1a240249b6b1a9cee75e3297a3209d246b46b7fdcfa99439dd762eeabc885c0076ea05456b42e4a480f959b0e356584cd90d024d57ce422772fef2b

C:\Users\Admin\AppData\Local\Temp\db89d0ca-8435-49ae-a7a7-02e121468ef6.tmp.node

MD5 9adda9d1c7ae3299f1b57c1ebfa4443b
SHA1 2e05aea4e2b2806a1e792d9128dcc19fc7ba4339
SHA256 74684841d409098e43124fc2d2baea5252badb21e35674b527b0cbadb086110c
SHA512 103ff1ad43d1a6589224ddbe018424ee6edf9ca00696282420db1e320915812e0436f744c5eb48e963cf353d7a2d6aec5ee257c73307a29dac22013f9f1d9548

C:\Users\Admin\AppData\Local\Temp\b7838dbd-9a52-4ad7-b037-0d26ea1c298e.tmp.node

MD5 d67bc911b5f642b2c9ca96f7875e6b1e
SHA1 55e2c0c977a3bd2c5e86a6d3035cfeaf4dc4896e
SHA256 614b33eaf5e7f5ce33d961620616567c7569aa778d5e9f35c35d9dd740af3c09
SHA512 62fd33e7300c40783a5e25ec8965a28a013eb5f6472383a3253c9b3ec6010f6727496f9ded60666332a68faca616487cb4a7c78e6ca1a241df939dd77373b7d1

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\resources.pak

MD5 4c3f791bb03fd952baf852dfd5626995
SHA1 35d4ceef4945498c5190f3f548d0fb932d93a43c
SHA256 8a1e5ba632238ea449d3e95681face855a55d63b583672128e9605eba1b6cdf7
SHA512 1b2e8fcfdb6c46e4be3fa799bb940913d3409ccb88d6429567bdf56c62fe60569e570cc283bc01154abb589847495f67710859f64357bc3d9b09c5ca446102c6

memory/3220-550-0x00007FFD32570000-0x00007FFD32571000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe

MD5 e8dd8fd683e4621563c3a1eaac6ee1a4
SHA1 b28fcfffbc4f97ed54bcf04022c7683aea56459d
SHA256 bf4edd123e51df415eb4d359e8a447d8bb6d60e8a2971a238513e77674bf7c9b
SHA512 f2dcd13fb043613ed6c68c41e5e3588240f0070071c2500efd1f0d8f047b248f65f58bd9b032fc464ee874b93bc04fd4d8735ecc0e4831bc841d2e83d2787cc8

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\ffmpeg.dll

MD5 c82eeffa6c9a0778bccab4523467e410
SHA1 297d7e43f396334032b3a7fa1ee9b2132dafce8f
SHA256 124cfbcf37d2f3a743ced4e4e498e51bb739a5346fb44b1f9fa2e1290ee13226
SHA512 59b3e45dbd5f079058c828d25acc218452d3450a589b63753a6fb9900cec7deeed34eb30b0927e42df2d2537fe75a3891d16693b3846ab48df4dfb5e3d962646

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\ffmpeg.dll

MD5 5af9bb711df1266ad83c3f4fb574b763
SHA1 6a974d281971223834423de59dfa1cf4326e404f
SHA256 1a5c9ba2e6ca2ecfe0c309040e4bc71c21d558eda2805e56b2fd32e18aee7ab3
SHA512 1b0f9a47075273f735454ffcc57099fe2ce5516c499f37562eae58cd18a580a2521a534db296efd2600601914f55235ddbaade48598b86a3cd11bfd8e7c75c23

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe

MD5 53cac88a91c3aee43ad9057644780c70
SHA1 f530e49cde2b59051cfb96d49a45599171d11299
SHA256 bd88021e3099e1b95c9cee1cf9523576e4f439169ad52b1c4b91b1c66c517561
SHA512 ce2e5952a04d42e8735c6bc3afc7be1e2baa7b9e85731656c022ab829a0f9430d61733a5258216e31365dca9ea2edb0c06a573c544be5df0e55a376e8cf3612b

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\libGLESv2.dll

MD5 dc76c7522c636a5f72c7fe6185cd97b9
SHA1 d6945154a75d0888c755496fc936fd2af8e06766
SHA256 717dfe6e9d5791c7f62a5f18a73a6e37a8a3f2fa419929ac4a3c1720082f561a
SHA512 3a6f99b0b91b67174dabe44a7ea4b727fa4d64d979ef29c3561140bd0c2739c4e946245c552e865e0809a85147a48ef06e319c0fd5386d12aad4ff99d1106806

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\libglesv2.dll

MD5 6454d81f73ad6b0ed1dd753f1a8c5b71
SHA1 7b308ee51774066a600de8c563c6f08e8afcb4cb
SHA256 5cff4d505550bf1f755c3db75b44b836bb067f5fda0254d25c79adb8491175d6
SHA512 1fb23ad3111872f2c35af1e691f7ebac123e48bff65aeeacd598059bae80cb11f4a26a9bb431e47aad8e6a59830b3e30f1de797d95c43d82fff734d6c1818c62

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\d3dcompiler_47.dll

MD5 ae36358aac500786385a9a14cbb525a8
SHA1 751f9ad1c9b13a8458c31c31769318513532c80a
SHA256 fc378e6c7edfaf1fc24e206bb711b3e732fae73581aaa3c75e63e8c129bdbb5b
SHA512 2dc6b50a1e56458d2b3b83fbcb380bb565c07792ba66732b0536f8fcfbd7fdfb3b36cdd38822e51624a2d704058b9439cfdb4e690a0b0c0c963c3191de6713d4

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\D3DCompiler_47.dll

MD5 b13b926b2c7ce507fd11e518c0006d82
SHA1 10030aabb5c3ec2f665a387cb1d29ee3945844c8
SHA256 1c86850c41839408a1535cd72c76e844d3bcc393e46dc7fb54f66e1af56bd342
SHA512 f70ed16e9ab97c4da5acdf6164a3b61c8f66d5b30c4a2095766cc24e2875409ccfada5b41ca437ea81266a162f2141ec49ff5afafa49782e74f2a9ede0c524b5

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe

MD5 96f8a872642efbf45499a240ead30c21
SHA1 7fe24990b4ffa03ad0968e01a512faf6eb9f2f73
SHA256 05916e421c13940f5edb882ebb5889f611ce05f8dcc1a5c9d85cb3203edb8018
SHA512 fe31d53b821a9de33370ceb5e0020c7a6ab06858772b1c219e2d094ce3a63bf66dbd06a914a58e36509aaccfb33a8b9ba7caef3eb0ff6cdbff53f986a1b0fd23

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ec2k0smz.2io.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/988-579-0x000001D7A6110000-0x000001D7A6132000-memory.dmp

memory/988-580-0x00007FFD0FA90000-0x00007FFD10552000-memory.dmp

memory/988-583-0x000001D7A60B0000-0x000001D7A60C0000-memory.dmp

memory/988-582-0x000001D7A60B0000-0x000001D7A60C0000-memory.dmp

memory/988-581-0x000001D7A60B0000-0x000001D7A60C0000-memory.dmp

memory/988-587-0x00007FFD0FA90000-0x00007FFD10552000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 70b5c12959dea82e64a05dec518878ac
SHA1 844ef1b5046ddb6dbdd2d2e661c0816f76379a49
SHA256 48e18b18f8ae0e0a0129f36bb801af13e9e429254348fc8203e357564f378283
SHA512 5e710a93a1ed5828359675712aba9db288a66ed1aa469cedbabcfecbe8a7c78c2a4c86ce199519acb713892e5875e69098b31eeb340d6f06452111d5481648b9

memory/4056-599-0x000001A78FC30000-0x000001A78FC40000-memory.dmp

memory/4056-598-0x00007FFD0FA90000-0x00007FFD10552000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 94cc8aa302136c58a17742da02e54c48
SHA1 06c269d1a0b648467cc627162d8c2a0727d94123
SHA256 8ff32c0be04cd2af2b9cd5ddb61d74c94af99a9ebad6a57b0e4f3f7896ef7225
SHA512 7d06f705121fcfc8e5d84ab3c7b5a23343e0f5731931a279c2794eefdbb32222f2f3c812767bd05c20dcc2251bb24713351f47865bd9c70e9cdbd600d79292de

memory/4056-600-0x000001A78FC30000-0x000001A78FC40000-memory.dmp

memory/4056-602-0x000001A78FC30000-0x000001A78FC40000-memory.dmp

memory/4056-605-0x00007FFD0FA90000-0x00007FFD10552000-memory.dmp

C:\Users\Admin\AppData\Roaming\nsYARmQCI3eO.vbs

MD5 d1111fbbaef28413de4a0a64e0d54f2d
SHA1 5bbadc5c5d504dcba5509d34986125e8446e3830
SHA256 beed3a3f6edc1e1b73a3cafa55f16ba61d56c87b7506ae9c33eb630bcbaa3a01
SHA512 1196efb8579efc91105000afaac0b6c14f386aa29a64ddd88f9a2d6a980bd2eb8dd6a2e78457eb9e5614f9492d0e75342f01293c1a8341b153357f2d64c64af0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xyon95kp.default-release\places.sqlite_tmp

MD5 666e4847e1a6991d6ef7561b525adfa0
SHA1 bc27de67cb69e0ff1164f19be055a42799e9b8c4
SHA256 efb1b329b2a86319d4a43a2e6b741ba01aa10d92b72e08d666d57c7dbf36a02a
SHA512 420fd9e2ec6e225b9412a397202b35f4bb07965e8d37ccd01b2d9b6219457ed7d3752eed35770a76be5d1121e9691648991cd4e7a7352516cb3e8619649efdc2

memory/5240-733-0x00007FFD0F9F0000-0x00007FFD104B2000-memory.dmp

memory/5240-735-0x000001ACD6040000-0x000001ACD6050000-memory.dmp

memory/5240-736-0x000001ACD6040000-0x000001ACD6050000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 c9a534ff901a003ef8dce4fa9c809891
SHA1 69e8e6edac4a0c9e720517b4c1c37b8288db53da
SHA256 d610941c55c1a2c4df874d7a2956a4c5bf8c262618be879abfd6b39cecfe2457
SHA512 0d85908c007df8dc751cc3097280d26a6587f6bbdf55343602bec3ea58a68e1a65aa5f222f0f7ab5a15fbc20310fd397dbbea3d0c121d9e749208888702398c2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 70de620fba061a3b453d5a49e229f859
SHA1 c7c98662638ec91a88497433e81c1dd50a8e3014
SHA256 5cef033a89d0e93586bda66dc49cd082f1a6747d549b1d301979efa92dbef1f2
SHA512 46d5c04f8e3911fba6efe98d4194309a7b834fab0b299963944c08a985a2d112ce495fe3a96461bb3c1b87806d7d76198ce631617f8e1e9e0485a0e7c3a2407b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 8d1313da1eb92ad64d8a70f71aa923e8
SHA1 1bbbd63ad5054dbd5832c0b4a30947fd2b02597e
SHA256 2239087a3e4b75ec09fbe2793ebcdaa899e8bd81327e3c5e3f0c81b618e79caf
SHA512 65edaa871ebf4dc1c6aed16c6ae4e81937ca9b158729fc85168525c4030249519cff2a4e7dc422fd11027cbac87da2b1e338ce8619484f200437ea1a0cdf2e64

memory/1088-759-0x00007FFD0F9F0000-0x00007FFD104B2000-memory.dmp

memory/1088-761-0x000001BB48630000-0x000001BB48640000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

memory/3416-779-0x00007FFD0F9F0000-0x00007FFD104B2000-memory.dmp

memory/1088-799-0x000001BB48630000-0x000001BB48640000-memory.dmp

memory/3416-802-0x000001CF53C70000-0x000001CF53C80000-memory.dmp

memory/3416-801-0x000001CF53C70000-0x000001CF53C80000-memory.dmp

memory/5076-798-0x0000022383B30000-0x0000022383B40000-memory.dmp

memory/6584-803-0x00007FFD0F9F0000-0x00007FFD104B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RkmKhXvKWV6l_temp.ps1

MD5 189219eaa687c096d5ab36028a697473
SHA1 3e4f4b715b32295c1cccd1709be062ea4c7bc70d
SHA256 2a229df791e9f57c6806f30098cd08561b60ac90c5801fde9641e1c459d2d6ca
SHA512 10ed58e53fffc3a2e24f79e94389b724b42d93e9046caf90968457f84828a8610cb81996b41f820056341944926e3ec23eece0a395a5871f1af9afb8bff1d590

memory/5076-797-0x0000022383B30000-0x0000022383B40000-memory.dmp

memory/5076-796-0x00007FFD0F9F0000-0x00007FFD104B2000-memory.dmp

memory/6584-805-0x00000219EB720000-0x00000219EB730000-memory.dmp

memory/5240-806-0x00007FFD0F9F0000-0x00007FFD104B2000-memory.dmp

memory/6584-815-0x00000219EB720000-0x00000219EB730000-memory.dmp

memory/5240-821-0x00007FFD0F9F0000-0x00007FFD104B2000-memory.dmp

memory/6584-822-0x00007FFD0F9F0000-0x00007FFD104B2000-memory.dmp

memory/5076-829-0x00007FFD0F9F0000-0x00007FFD104B2000-memory.dmp

memory/1088-828-0x00007FFD0F9F0000-0x00007FFD104B2000-memory.dmp

memory/3416-835-0x00007FFD0F9F0000-0x00007FFD104B2000-memory.dmp

memory/6392-875-0x00007FFD0F9F0000-0x00007FFD104B2000-memory.dmp

memory/6392-880-0x0000014CAB710000-0x0000014CAB720000-memory.dmp

memory/6392-881-0x0000014CAB710000-0x0000014CAB720000-memory.dmp

C:\Users\Admin\AppData\Roaming\salutr5D9d.ps1

MD5 4fdddf586aed433adb0bfe7362592055
SHA1 a0e31dcb709ccd9e7078529880c66611d7f418ea
SHA256 4e26e8214c7ebcb5afa23bc8f5e545dd9c8a782a7ee1d3d40531cf4ee09fbac0
SHA512 99c4fe58658e487fa54d82d1c041c2af5efdafc98dc1e079d3a250b973a435aef488e334849a0e052f6b99546df6d6518cf43b4d606edf5fc637169000ae2362

memory/6392-885-0x00007FFD0F9F0000-0x00007FFD104B2000-memory.dmp

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo16.png

MD5 f0f11cd478cc44d518c16820ede9d253
SHA1 cfaf8d2e071f2ade0894578e5b44e02032d27be4
SHA256 321695dbcac7b2ceb14ef2651705ead5c0c42815358082b758ee803a37e945bb
SHA512 ac736abf8a776918df4094929efc29f7ae643aeef8d9b464653e3b7272a0799e58dc961dacadfbf9f42f575dfba14df7e6f4b1256c2c83dfe333ffb2ed3a1de8

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo128.png

MD5 c555604e8b6f818991e186342f856b1b
SHA1 3ae02db8eba2f4fa30cb7567a9f5bf8346faded0
SHA256 012da30b247a7964a3bdaaaeec8a6fb5559d7047ab8f1bcc0a2a785aad978972
SHA512 01a6c8f91d1eedd0d83b654059844aa7ed16e76abfce54183b5bf484edb6cb33e0ebe317987a3143e94c23ef60954ced0e32378a1a5f80f8412c7029e4303bbe

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo48.png

MD5 2f0a6a34d9b95bba0e3358ddd41ff2ac
SHA1 f39a9e7aeab9fe86fd9034284516de40186e6e93
SHA256 6f575f1cac9f29b8f1f8a83a580811bdedeec88f9d4cb78ccecb553cba251ca5
SHA512 a3c2094377b355a56d7d69f2a53baac58ebf3b40c5c031ba60fbc6f53e72e67e537e7bddee1489bbae4b41ea23311ad6b6f5c841e7b070dcdeca4bb8a6043084

C:\ProgramData\ChromeExtensionsNova\extension-cookies\manifest.json

MD5 04c23766134b234e85cc537b2162efb1
SHA1 45c48d9ca30a4580a682f025cc66331e49f6f158
SHA256 f50f62683347bbca52d7f7de0c877014ae77043753905628644e2d485dfb4900
SHA512 d246f59ad6d6e9fc8d8d88129302d55cb3d2ba7d52496915ee6791fa0576153070af76ea689cc74ccefc36456df749ac5c8f45cb12702961470f202078bfcb3c

C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\jquery-3.5.1.min.js

MD5 59cb8466d5d804e865bf08b4cd43a6aa
SHA1 ea89d4adaaaf7f0b4aed7a3c379d180090e83119
SHA256 92a60201a5cd7931f0365eb6a668f4c51dc90249092f4dead22472f0cd7a0dbb
SHA512 7c0c9178dfa40ad0526ce16cbf4e5005ca784c5fbfd74ab888f22ea18fcc354fc3a7520e54d1dbaade055f2b7bcb29ae7a05321689237ab90731738e6b8214ad

C:\ProgramData\ChromeExtensionsNova\extension-tokens\manifest.json

MD5 42ac88deb5c3cfc02fdc1c27319ee067
SHA1 97b1addf35159800b90743fcfbb5505e80f6eb82
SHA256 28486361faff1827fb9f1871529c48efaaf86027592d189afa6f99b14eb3f4bb
SHA512 77c4054a3cf061eb6f4f6e9803b74833a8fb0fe352239b5b47cf39ea5eea8104b9da6deab75018557476fbda856f3be8d57e6fe2eb777c45a7a1bdb1e72d02d5

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo.png

MD5 2cfd3dd20571cce21f09407b28b565fb
SHA1 07a7704986e963e9ba69f7109b7450deccd23eb2
SHA256 c9eb076f465aac3c93c61f34fb7cfef6677bacbab7e0611c1c41b80b7f057792
SHA512 bec2ec4d1562c45aaa276e1687786ccd494afefe93dfa330c600e2ad8ac6783ea7988c284df42c5c811afc5d73686484012584faf553e9777f4cb0b7ad436e7d

C:\Users\Admin\AppData\Local\Temp\1VCU96MOIDdoflzlIbP8\System\IHICWRNF - 2023-12-17_064917.png

MD5 43291c060391d97d98b0d4ab7cda8b18
SHA1 3307b2f19a4b4e34ac714fba0391fab874cc55ac
SHA256 97e752451d440ecee390279e4fce3e56e691764d3c3fa40d18942ba9b84923a8
SHA512 ee714369753fef1908dddf2840dc65ad2e13918999b696cf41c0e99503ee61e8a29ee140c2c4e1ed38957b6be7512af43467a1d681cbe8d08e83e190bd3f1cf2

C:\Users\Admin\AppData\Local\Temp\2ZD7e7ZRQi2hs2WBBxR62QSBlDX\caca.exe

MD5 c8aff43586a0b1f96697c8c7f29a61f3
SHA1 eb656b153ab26ada2c3f4df4b2d3b34820418b0c
SHA256 83157d5541f5523bc16badc588f41f827c7178f1ba9e10af4ee4ecdce8946646
SHA512 5de13dc3b29325777f414e44479bce2f7c6978f77544d17435afb53b28bb847b576366e6692f8aaae1b1c109feff3ee3b11a7bf2d831cecb40d23309ae50f8f4

memory/2240-943-0x00000222966B0000-0x00000222966B1000-memory.dmp

memory/2240-944-0x00000222966B0000-0x00000222966B1000-memory.dmp

memory/2240-942-0x00000222966B0000-0x00000222966B1000-memory.dmp

memory/2240-950-0x00000222966B0000-0x00000222966B1000-memory.dmp

memory/2240-951-0x00000222966B0000-0x00000222966B1000-memory.dmp

memory/2240-952-0x00000222966B0000-0x00000222966B1000-memory.dmp

memory/2240-953-0x00000222966B0000-0x00000222966B1000-memory.dmp

memory/2240-954-0x00000222966B0000-0x00000222966B1000-memory.dmp

memory/2240-949-0x00000222966B0000-0x00000222966B1000-memory.dmp

memory/2240-948-0x00000222966B0000-0x00000222966B1000-memory.dmp