Malware Analysis Report

2025-01-19 06:02

Sample ID 231217-tzg6zafabl
Target TatsuBeta.exe
SHA256 15bb700544c589dba519ae5692062b766d9eced9ed7f6fabc3c44acd686ec2cc
Tags
irata infostealer persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

15bb700544c589dba519ae5692062b766d9eced9ed7f6fabc3c44acd686ec2cc

Threat Level: Known bad

The file TatsuBeta.exe was found to be: Known bad.

Malicious Activity Summary

irata infostealer persistence rat spyware stealer trojan

Irata payload

Irata

Executes dropped EXE

Drops startup file

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Drops autorun.inf file

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Detects videocard installed

Enumerates processes with tasklist

Views/modifies file attributes

Collects information from the system

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-17 16:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-17 16:29

Reported

2023-12-17 17:00

Platform

win10-20231215-en

Max time kernel

1800s

Max time network

1604s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupOe5Ry9 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\TatsuBeta.exe" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000\Software\Microsoft\Windows\CurrentVersion\Run\Start_Oe5Ry9 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\sysWin10Boot_Oe5Ry9.vbs" C:\Windows\system32\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4772 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 4772 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 1340 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 4404 wrote to memory of 1628 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 4404 wrote to memory of 1628 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 1340 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 2756 wrote to memory of 3188 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2756 wrote to memory of 3188 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1340 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1340 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 1340 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 1340 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\System32\Conhost.exe
PID 1340 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\System32\Conhost.exe
PID 1340 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\System32\Conhost.exe
PID 1340 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\System32\Conhost.exe
PID 4848 wrote to memory of 3540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4848 wrote to memory of 3540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4332 wrote to memory of 3572 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\cmd.exe
PID 4332 wrote to memory of 3572 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\cmd.exe
PID 3572 wrote to memory of 5000 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 3572 wrote to memory of 5000 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1396 --field-trial-handle=1612,5261394436306368234,7280813761924518251,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4772 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=4772 get ExecutablePath

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1832 --field-trial-handle=1612,5261394436306368234,7280813761924518251,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=4772 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4772 get ExecutablePath"

C:\Windows\system32\schtasks.exe

schtasks /create /sc onlogon /tn WindowsDriverSetupOe5Ry9 /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupOe5Ry9 /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe /f

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupOe5Ry9 /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupOe5Ry9 /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupOe5Ry9 /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe /f"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\"""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\YElMJWd8YFAaptnoFFMc\System\cam.1340_Admin.jpg"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\YElMJWd8YFAaptnoFFMc\System\cam.1340_Admin"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_Oe5Ry9.vbs\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_Oe5Ry9.vbs\"""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_Oe5Ry9 /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_Oe5Ry9.vbs /f"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_Oe5Ry9 /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_Oe5Ry9.vbs /f

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_Oe5Ry9.vbs

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2328 --field-trial-handle=1612,5261394436306368234,7280813761924518251,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 4.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 api.gofile.io udp
FR 51.38.43.18:443 api.gofile.io tcp
US 8.8.8.8:53 18.43.38.51.in-addr.arpa udp
US 8.8.8.8:53 store7.gofile.io udp
US 136.175.9.9:443 store7.gofile.io tcp
US 8.8.8.8:53 9.9.175.136.in-addr.arpa udp
US 8.8.8.8:53 hawkish.eu udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 github.com udp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
DE 140.82.121.4:443 github.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
US 8.8.8.8:53 96.121.5.163.in-addr.arpa udp
US 8.8.8.8:53 4.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
FR 163.5.121.96:443 hawkish.eu tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp

Files

\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\d3dcompiler_47.dll

MD5 7641e39b7da4077084d2afe7c31032e0
SHA1 2256644f69435ff2fee76deb04d918083960d1eb
SHA256 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47
SHA512 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\ffmpeg.dll

MD5 c3842fb3087cdcdb04020ac38683c289
SHA1 329dbcd4a1c79b891b200f11eb50194b85c493bc
SHA256 e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133
SHA512 069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\icudtl.dat

MD5 ebeee4a047743d304a0250c6de3691c4
SHA1 2278b8e34ee9767b7ee95755953d41bb4ad6c583
SHA256 c4b4f339503367ddeef90ea9fa7c0a672af70dad79529ff5e399b7c4fa019eb6
SHA512 bf5f4cfc8566d73339a8095db0e56ef83d9d21de98f2a6d0002e7dce8d74305066559c327d0d76090885a8a1373d419f192b42ff7d6d8df5af0567c21a2bd113

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\LICENSES.chromium.html

MD5 1d49fb786e88ebadc67f459b504bac76
SHA1 3fa2fcae78d313e1d3a8bfe53a06a6ba89427138
SHA256 74c3c1f9489a68e567a4e1837b4945d0fa239eac0d0e544108148799502058c4
SHA512 16e5fec659ba2b5b87cbfad93242be4513a0bccab24a963f0f780c116d7adc17f3744a5f8013a789e0f548c406fef63baf8f734f71e8479500c259a657fbeb08

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\snapshot_blob.bin

MD5 cbd43981f8b4a67059bfe6abcd3d7063
SHA1 2a8375487f9360773fe8a84b78e93a59a955fdec
SHA256 59e14433408c18ffd8f0fb9d7243feb1f8f22c63c4941c6e874ea17bf992b2d7
SHA512 ce8c5b314be69ecf37d69bd82a0d3d9041abc901b885b9fc3dec402752d65242f389e3f9a1dab84b9e7267e05ada2e933b7130bbd599b8f47a2f4716971059a4

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\resources.pak

MD5 9350cd7a257321d92de03f8c341b7dcc
SHA1 83c3e110b57ba7313c7b55e0255f37fca27c6c81
SHA256 163a267759966bc1dfe49448c5200b6778b1438adbc06613e554c48424bf282f
SHA512 5d1c923669f09727ae8024703bab86684ce3468d7a9db59473ac3a39215ddc11982ac8a3897362dfc37a23d7e010f7eb53ae9e48238161da08204fac7d8cc6ee

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\vulkan-1.dll

MD5 4aeef8af17d8afdd9a018686bf398c8c
SHA1 4536f648e57f8fecb7d40fcfbe8694dc0e6f9299
SHA256 9d2da1c360891765804974cca302d754a479b370386e9d709857b46fec97257d
SHA512 e72101aa1ce6ea0852cb23350ea7ab188da498befd57f04741f9d91d8d98be833fead0687868639c32aa1d60a3f250739c7f316ce10bb471e9b8974025299f4a

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\vk_swiftshader.dll

MD5 7eb9e7389ef56d618082393cae9e8622
SHA1 010b822929562db37fa943e3e0329bcd267cfb51
SHA256 7fd43a09050795f786f5b29880ce281102c82c9933bbb9a1f054eb5ccb5eec8a
SHA512 613e14c653fa5e6331578088ef3075a049554dc2219874e7d8cd7822dc4873b8af1d6ad10492af79c08f7078553724dea6ad6a25784a6201ecf034a604dd9a3e

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\v8_context_snapshot.bin

MD5 5d94130579cabff7d30d483f12b166d1
SHA1 ffc10a0788c5e70240f866b6f2971fe46b8e0bd7
SHA256 775b2f9622fad904ac5e9f2e1b2d0fa86e80536237a45a7bef7a96c2136201d8
SHA512 d265e4abde8090494b638869c058a29e306a9a2411de022245e3b8a8bd2b6fc35d0e620b927ed1e22736a493e638237a3764e2d83063a13e2d2cd6ea1eb3e309

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\TatsuBeta.exe

MD5 721bc69c95bd9fb8492110ea1c95b256
SHA1 397779eca4c3c6f89426ea98e25c2ef260482280
SHA256 e3cc251115f528a94f80e893506b267ea73a7ce96b80721a253d5ee19f69f67e
SHA512 0dce320ee1df79e0400db66566a5bce0d0fa6ef29d1b5ebe2d1cfbc58c2215cfa7d4cd5a8b7474681f74169ca712569f7d5e76e935a268a4e61c716036b80b2a

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\libGLESv2.dll

MD5 b687de90b919ea3d7dff98b90a3f5f38
SHA1 189a66c43d4f35e4fa5add7fae951e50d4ba56b4
SHA256 3d5dadd3bb85bcf8c7f2daf89642fd461402c8ca17332be34c7b0f8be77c58fc
SHA512 924db5752b4962671b953d3a5037b24f5275fb26086fcda7c59ac010c43ce2f08168b071132107a7253dc39a487d375ec71406296e5f25de3f179c7804a73488

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\el.pak

MD5 38440b98bfdf5ed496da0f49d59534c0
SHA1 1498d9207ecaf4923a47271e24c68a817041c82e
SHA256 b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f
SHA512 95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\hi.pak

MD5 590e9e73df9cbd83cd87b9c03848fec9
SHA1 da125e60a5a2c51a2d6219d3f81688bd22237b59
SHA256 089b9dd31090a987515809a68d26f6eeb64cd9283934e3dcc48b151eec7d3ad9
SHA512 fd0e5d0f2063e12b711275f390428b88f98ffaf6043cdb14b13674ac1e4aa9f70ae820ae960132d7155daf9b1308238775c4702694ab53068cdc709c50f9186a

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\gu.pak

MD5 63a7fdc4eadf8ef1c35c72468a0ce33f
SHA1 e8d064f0e9c8a6a8c6ccb036711e292d011d9466
SHA256 e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c
SHA512 0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\ja.pak

MD5 833e8c4aa70351b6be7bd403e4e9a0a7
SHA1 46ccdbdea35deec8ef13a5fc833776875fad187b
SHA256 74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0
SHA512 e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\kn.pak

MD5 5115cde84b4c674db412619b65433004
SHA1 164f33e7e2e9f685a579da492a6fc8806beb6cbf
SHA256 891e092c6895e23be986c3e6d39dcea9b6b75f1448239c13fd406680e50407a7
SHA512 090a247898cb533325d2b289a6cbd8db2a755ef0abab49d82f333e57b290c50b5996b81f15d8adc30160b216eebed3a1476aec1627195e52189557c1d48b0216

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\ko.pak

MD5 d6e2c18c9eabba59b50d147d942125ea
SHA1 0918879203c2050b4f9f449f5616e430897ba0b9
SHA256 f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76
SHA512 f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\ml.pak

MD5 04b2540c25990a5e0a9b227dcce6ae0d
SHA1 4f8ccd154f54dfb083d4d1a3ed0994842c8ab13e
SHA256 556165b8b54c6e21bc66d12b3f5be393136714467c427f7114f314d18ad3c661
SHA512 4cab47e42e8f5d4a83851871f97f3e1360c993ba530dbb4b4b736350779784bd83189e1195d3480ce87298bb8f9b7f249fefa7764d850e5b0002895609626785

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\mr.pak

MD5 f22c99fe6a838e333e8ee06a4d01296b
SHA1 c3542ea8dd45a2b387dd02fa5687948f135e10f2
SHA256 b03a3042f907aed13253ae8083d08f5fad59ff438d024b097276856e72526911
SHA512 882022c2cb985d85f96d52c9bcfeeb089d6ff30e66187ccf424ef622092b9d359a51bdef1fb6ac3b9d3409aa79d37ca737ba7f3ed8b9cdaabfe04d90a7c8bc15

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\pl.pak

MD5 644c0ace25d6e532b56510a736c6bc2c
SHA1 1bd0fec952107b493da04c46423da634ff3e1504
SHA256 2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7
SHA512 9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\lv.pak

MD5 264c6e20b3088ceb4dae5773cef0cb55
SHA1 fb6ff83ff14df008092bc3ee73bda7491e8e090e
SHA256 a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda
SHA512 01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\ru.pak

MD5 75457b95d2bb03891232dae7db886387
SHA1 e5a7569df7f91533703626d167ecc8cddbd27205
SHA256 e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6
SHA512 9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\ro.pak

MD5 24b01a438a3ab9699d4ca97c081b5e82
SHA1 0d0b082544d23425a74199fb0a6c11192f0bdf7d
SHA256 38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca
SHA512 43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\ta.pak

MD5 31dada843d0b4f9a66b184cb6d7b8b92
SHA1 0320b31981043c6e4c17470bf2ff4c7488553511
SHA256 457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b
SHA512 c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\te.pak

MD5 793a87d41cde6e6d1bb086284f69733b
SHA1 d887e3842b664f55b7308427aa6f5bf0b352d879
SHA256 5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255
SHA512 7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\uk.pak

MD5 d791b1ecf2931b2fb0c31aac170c7cdc
SHA1 02be115a9ff94fe5250651b6de4323eafc44fce1
SHA256 ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22
SHA512 3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\resources\app.asar

MD5 802a8b0d3ee6bebc7b79a733961b0c65
SHA1 cea8d1c2a6d84b8c32db1e089e1ee24e4897b2c3
SHA256 44ff877afc0184d402c6d6b157528af8696a0e3f2fb43d31cbd24fbe6b3028c1
SHA512 54992b0c55ba8a373b913fd3a194955e07ac2ff1e7c162101ac978448c1f277cda2975dbb1737bd1025fcfaf51c6b718e0fa7127818766046100ad66022ca9e9

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 c20c205c6f8d70a5e1351a4041a3ec9f
SHA1 e1b2a763dd6c42439656e4e55aba0f3610ff3784
SHA256 bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc
SHA512 dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\swiftshader\libEGL.dll

MD5 04aaf77166c028be09459de91c364fb7
SHA1 f76c067ae306ce0ca142362d470ba1d728bad51d
SHA256 04830b6526f7734dd5f0f01c63d3d767344ea4cb7e9f7b237d66b09078d84a3b
SHA512 5d786b1d56c5ea2990ae2a2fa86c9a8fc0685667dd89a321f411243a8644b93e86f71ea93e37218b4f29a39423df4482a2ac160af6b2d2fc5d9d08f6707f700c

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 56c598fd1e1d7fdfd4c9da1773b81621
SHA1 ae26ca11e74c1a604a0e0459d1f45e270cf5a33c
SHA256 9366670fc471283a39ffbfba08dda8d2bb14d67c94c1c4ac36ccf58d47cc5652
SHA512 bf0a080380ae657361390b1d73a877bde95d9ef772a387ab8d94d46046ccde3d3b6a9f9a9994d2683adb3346d6ed11294f579a63b76a47ed83c430dd5a388bae

C:\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 16a12bdc986207390dd79d658a6b2263
SHA1 b4b41f62cbc1e1ede786c6e30e11df8e61750bad
SHA256 50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac
SHA512 d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

\Users\Admin\AppData\Local\Temp\nsqA2A9.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 2cdfddf7b10800f7a264c7728bb0d548
SHA1 195c40892c51668bea764ded0db41031b243f68d
SHA256 21760f3c79c28fff67880ecd0d05a65d90c9d78f8d0a012c0b2d893b8e5a6812
SHA512 caf9357d0c05d45dcd064414542d1698cdc38432248a59980904db6818f0f7928b000b539e7575a5921cc9fa2a8cb14a4b01eadf1d005b32e16bc4f898873d61

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\icudtl.dat

MD5 7af67b6243317d2e0379db57e1294106
SHA1 77f269da7c351c9b600ab3668fb9a5c7ef4073c0
SHA256 11ed7353aef720f8091db299469c0973d0c09a25f31c6bf481b6d2c92566ce48
SHA512 85d6367dee051f5d58af7c1f5a7db8dd06499cf52a687e90e47c355b32d4718483cf715f7baa32a4a5d0cfb225b894c229386e2969c4bf04d3863d62e7c00061

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar

MD5 111ad68e18e609a5a14b830f3e6aa821
SHA1 a4bad69f6732a87e842d3ed3a7b17f40200e67cb
SHA256 346493f1839f46b651a15bc1ec2880017902abbec5143a36bee036b0940e014c
SHA512 326857b96a65d70ded11053db2bc4f476926ee74068077f6e5d47df379300726f4a94874b2095db61a456fb03a109f2a7adc0b2f1d40068e54d3cdaae653e214

\Users\Admin\AppData\Local\Temp\6d406f46-27ca-490c-8e06-7990fafe998b.tmp.node

MD5 5317f23583ba935be25a4c26b3f93828
SHA1 bdc288a0576a9ca04295c2df6f71e260ae5097bc
SHA256 41db88f72dbc4ace9b4e6522b19f60e012980345fcb737cab1839ab0bb2f2cb3
SHA512 e3975f92f6bbd814cec4b6762b7f7475168dd43a717031de0d8055b7f5e4ce01dd011557c1301f9f9084f8a39248630c12f265a195c54c81f1efad9dd5bd91d0

\Users\Admin\AppData\Local\Temp\fea2a863-28f2-4f0b-9340-9e0d17fb4e66.tmp.node

MD5 801ee66c1e8f4d4c8fdb9ec1512a39cb
SHA1 f254bc4909a60675fe22d4c8d4228d54834a93e0
SHA256 47fef8f833446a246b28c4c72cff803c63e1d0f6d288b129822b26c2a6d393c6
SHA512 6ed505abea2465c4445238797f5eb9a99eb80b8713ffe2930d6e1c0efdede23712dbb471490bda4277ade7c253e25c380a65dc11e26e2ed8ab74ee31db1e3ae1

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources.pak

MD5 0c46bcb923d73fd735f5659aa775c426
SHA1 9f3ffddaee2fc2bfeacc3011551561e29f5714d9
SHA256 26d0500e1c7097068714c5cb3dac5126e6ce644d01e30d6d13b9a1e4ca7dfab7
SHA512 0d006e28f7ace87d386a08488a1a3e9bd13c63d19bad3f67786c0d28214686a41d50d0ba0ebf200bb8755c186511cc7b5bb7c52b0c859bd33729e17e69f5c698

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 1a33f7a1a3f36d2c68d8432ea9b79163
SHA1 3bfe2e85bdcd9ba92fd5e0e9dedded1052fc04cc
SHA256 df84b6d02f8f4caf7c0a834348bde32ac91939f021ab42cf4ee6faad3215d195
SHA512 7edbf2ab494d540d1be8388c4c034002e36b6b43a002029d569322df98d62a387708b5cbcc3a02b8b310878c81ff47f8c259d679bc5b630ffa51e4d3c57d1183

memory/4088-581-0x00007FF97EA10000-0x00007FF97EA11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 02da11454b83e55a32b418bf2735e88c
SHA1 b24561343a037d1c6f97d146ac9e7d16ec86c7d9
SHA256 fef968b7031f85b7a951409eeddf8793a4e72ed2ca79df9c48cbfd004b5e8c25
SHA512 826575fa6e6ba2ec56c11e03ad80272a8e954b2bb5da3e35fd1e656c8a4066802f38e509b01d37c46e47629999df2990ef3024b044d915b316eab962e484865e

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 8f1a08afb21528380f2d63db1413566b
SHA1 47479b2e05b6526d1e0d6fc010edc03c481d8b6e
SHA256 90339a5259a67ccb22522d5eb2c2052d683b5ceae8e6a2516d8fc7ca5b835317
SHA512 e2b52af2ca8aad4d793587807a4fe5cfba96dc7b8cd6f4349abc141f2f73a63c6af493ae486c7eb60145de3e56d82f8ddb30c0207a91c98d5329ecbf59e870b5

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libEGL.dll

MD5 1fb7af00bc52f051404325a41187b0b1
SHA1 2e6dbbe0cdaf85487485f1c8ab6e524b76824b8e
SHA256 5c8778ee885b3375d02ffce4b3f532ade94ddba73e5bf7fb45c6e21ede4ccf61
SHA512 c63e0787095727716b625f73448b23857c0afb265e3163a3e5a41967d9eefc944e9e08ee729c771a2569bf12069201ff740510a6b55430a799f2bd4fc397c2a7

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libegl.dll

MD5 fc7515128149be6b11834a05d073db62
SHA1 339f2dbf5cd18056fc0413ff8a77c46f11b79d66
SHA256 03cd52bd0e9f4870f4462130b98056ca4022a2d344bf9843b52f66c881f76cc7
SHA512 9e74c55a55c55ed72608f89216631ca97110f6e6b3bcbd6a132cea159c53de75e50d8526f0c01e8af9db0953d4444f04e45599ca592d3b40e4fe696410f69a5e

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libGLESv2.dll

MD5 7f85bd4f7ee65ca8e2485c1fae67355e
SHA1 3f35d42ec6df85e8eae37d16e0e2de15889b720c
SHA256 b35f70ff7523b7b65ba4e5e56ab24ccb1bcc97064cf18ce67df62fe72fb93a1c
SHA512 43dec3f2f6f6facfbaa43ffee67ab40fd3be53be1e159ee20c85ee4517b5199103fd623a17986841d0d81d9c47d927fca91fe09b9bcb503b9cedee6b7f4f7ef0

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libglesv2.dll

MD5 131795deb0a674fb27506d542bad088f
SHA1 70dcd12562fb0f3763fbdce605a9143b285730a1
SHA256 f8983359afd04904f380c5bf05c4909aad64ba168e1d2487429a6020e3ebcbb7
SHA512 371396c3028297e3ba67a047f9c2ed21cbeb827bcf4b8458a25b257c3b951f8945178def76897884520af1ccd6f6fd7191d94de31cd35a19e0308316fed0ca8b

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\d3dcompiler_47.dll

MD5 e82f48a548e93f57ce6d1e3ef343a737
SHA1 1e3eab29329ae3fab4f36f2ff0e4cae488be3118
SHA256 6b0acc02abbcc96c01756feb85bda0c8017dd346bad00532fa48990df8de6467
SHA512 6f05f6fc7f9fae7360e890bb60edeb37225f695ced8a25c8347fb94f9c6e4c83dbb31ae68fc9a2d8e9af2194ea96c8ed9e7015bcbfebdc4a5b8097c1cdd3f62d

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\D3DCompiler_47.dll

MD5 f09fa3b1319558050d4d1a5ea6a39b7c
SHA1 d71cd485e27979627e65a7a560da7e77b5a68f7a
SHA256 6d534a6ce5a1991e917baa1aecc0c06fc5d2a27ec73b99fd81abaf2b77ff4663
SHA512 b2e996877cf95e7503686f80b624d42de5b28bdb558cf71d780bc48cb3b814903e12e33a4dbd5d6d6afc7c7839c0706fa9a7b84a84153620426bd5f7fff70808

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 9db32478964bbe7a66436545a27ec897
SHA1 22f36da4fa43f63ac94d738bc7f12821c98f3296
SHA256 290e243e703a94b113a407bfa9450be836eaf19eee935de05b79f380b59ce98a
SHA512 d5abd559ec178daaa95752afb080fcbe058aa769e7bb56a2ea170ea3715d8aba1bdb7ddc0ad7bf093e34500b71c175d17c48d02c92c703275b084410ce6361f7

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 44873d44f279ce6b32b38d53af55e95b
SHA1 5143aaa23a594536e5773470289f9c3deda1681f
SHA256 6646f8f8ea160b301bf6619805a8fbf536bc799929accd2f15c17a8cf34a04ef
SHA512 91440d55c340a1ac92f393fb01ce5dbdc068086a09fda0b71d40a2441d0a16d36cced4ce7867cea0d2dd90e7a38dc0cfda52ceb61ffce922aeb0ac90b7fc6462

memory/2708-624-0x000002AAF67D0000-0x000002AAF67F2000-memory.dmp

memory/2708-625-0x00007FF9639A0000-0x00007FF96438C000-memory.dmp

memory/2708-627-0x000002AADE0E0000-0x000002AADE0F0000-memory.dmp

memory/2708-626-0x000002AADE0E0000-0x000002AADE0F0000-memory.dmp

memory/2708-630-0x000002AAF6980000-0x000002AAF69F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eltcitc0.bib.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2708-645-0x000002AADE0E0000-0x000002AADE0F0000-memory.dmp

memory/2708-651-0x00007FF9639A0000-0x00007FF96438C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 5d574dc518025fad52b7886c1bff0e13
SHA1 68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7
SHA256 755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2
SHA512 21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

memory/2664-661-0x0000015DCACD0000-0x0000015DCACE0000-memory.dmp

memory/2664-660-0x0000015DCACD0000-0x0000015DCACE0000-memory.dmp

memory/2664-658-0x00007FF9639A0000-0x00007FF96438C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b2711c97ce71e8c6fd9c502c0edfc3ff
SHA1 4587d62277eb8d4c40296ab3baea4c3276e86469
SHA256 a88898281c1cdbc106fe34f5ae9dfdcc1f9c168c68f45e6bf09f5ef2db279447
SHA512 3c7254c02ed49fe38e411f04b148fe23d2fc46c950c7d8750d29f34142961b3bb5f5e390fe8b3a5f491d378cc73d9b3963012418a1d69001afcc04561b548d77

memory/2664-682-0x0000015DCACD0000-0x0000015DCACE0000-memory.dmp

memory/2664-683-0x00007FF9639A0000-0x00007FF96438C000-memory.dmp

memory/192-698-0x00000238C9EB0000-0x00000238C9EC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0779c696f60097b538e978e0177735dc
SHA1 061fb150a7e2275b144a7defa6b8d08d056c74bc
SHA256 adb366436cddbb1633b0ec654b1ead72c6075d0d7aa184e3096736bf2d752f6e
SHA512 ddbf8c414941a9153ee07b84eab7bf1712ad36632d9559b214a8044926c356ca29d7008e548fd4148b8e3d5194ab49d112c7144b0c0fac15bbac025ce8778ac1

memory/192-697-0x00000238C9EB0000-0x00000238C9EC0000-memory.dmp

memory/192-695-0x00007FF9639A0000-0x00007FF96438C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe

MD5 2042aaee4a99f11c2efd44e5dc9eebf9
SHA1 a58030dd672e09360356ae999b7a7d999ba65b65
SHA256 013a1854dec98aebf94cdddebad753ecfb00811ab4c2231de3f2024c5260c7e8
SHA512 380ee0e78418cd1982745aca097396d4c85ed9401400067ff68cb903aeefad4fe55ea216d9f9b0abad40fe791c73da191b390be1adac851c5309aa133ea61071

memory/192-716-0x00007FF9639A0000-0x00007FF96438C000-memory.dmp

memory/192-715-0x00000238C9EB0000-0x00000238C9EC0000-memory.dmp

memory/5936-725-0x00007FF9639A0000-0x00007FF96438C000-memory.dmp

memory/5936-727-0x00000249FA6F0000-0x00000249FA700000-memory.dmp

memory/5936-726-0x00000249FA6F0000-0x00000249FA700000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ce69b4b1f28c6c62f864fe557f4b8e97
SHA1 c0d13d57059305cda0dca87623dbd938a1ffdb1d
SHA256 33b11f41de861f2abfd85602132a93bea43d069ddad5ba6407c89029a60e538d
SHA512 9815156e1a84aaf212a86ed1a960509810e064216a337bf1fa5ff8cda65c5d3915eb57a4fc4c7727df927ec88b0d66864fee91a402a64b3acdf48f3f22ded473

memory/5936-747-0x00000249FA6F0000-0x00000249FA700000-memory.dmp

memory/5936-748-0x00000249FA6F0000-0x00000249FA700000-memory.dmp

memory/5936-752-0x00007FF9639A0000-0x00007FF96438C000-memory.dmp

memory/4088-759-0x0000020A81CF0000-0x0000020A81D41000-memory.dmp

memory/7296-762-0x00007FF9639A0000-0x00007FF96438C000-memory.dmp

memory/7296-764-0x00000209716E0000-0x00000209716F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 757b3434050df564b5990eda3b5d505c
SHA1 6da098e1c34d9e68a81e4b6fa582fe614f3c912d
SHA256 c2abf9951fcd8b68413e1406d3cbbfeacb5a3a63dbf5adbb2c5148505df65b13
SHA512 81d315488c1f50593fe64d47daccb2fa01687ecbb8328203996d5daa6fa1e186b2cefe696e7d4f320ef1b210ceafa26ed63df6f830b67acf96da364ddc350262

memory/7296-765-0x00000209716E0000-0x00000209716F0000-memory.dmp

memory/7296-785-0x00000209716E0000-0x00000209716F0000-memory.dmp

memory/7296-786-0x00000209716E0000-0x00000209716F0000-memory.dmp

memory/7296-790-0x00007FF9639A0000-0x00007FF96438C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\places.sqlite_tmp

MD5 119057067d09b55a2b30eb52df5ce451
SHA1 19e4f3d4c5c86dd5558208dd93eed416144d9b97
SHA256 94ed134bef1de08ba7ccc0a5688a1a159f651992931ab7ab6b954cd1e0bc8551
SHA512 7e9756409f1fc23c14c63c00500a6b3bd3de6025a2f0a75e74e2da97abd486a78ceaee59a696f20fbe00dd828e2dc859ecc6569f64880b5cc3ab7f4d53db771a

memory/7976-863-0x000001C548C10000-0x000001C548C20000-memory.dmp

memory/7976-861-0x00007FF9639A0000-0x00007FF96438C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_Oe5Ry9.vbs

MD5 f7d27a70a9b3401e88ceefe94fab7213
SHA1 e06cebcd6ca4f7f88c2254a7c8ade7a6ac570c2e
SHA256 2339aff5f64b9ffe948ffdfb4d5bdd1870a8a651771bba734ae372a5cdb1cac3
SHA512 54fb9b5c1a770689386e140accc2410b517b91045a7065a836781f35f3346c5ecf2dbbdb6d362119da738fa770e911a1c816df9c21a6c47359bc80acc7d32e2e

C:\ProgramData\ChromeExtensionsNova\extension-cookies\manifest.json

MD5 04c23766134b234e85cc537b2162efb1
SHA1 45c48d9ca30a4580a682f025cc66331e49f6f158
SHA256 f50f62683347bbca52d7f7de0c877014ae77043753905628644e2d485dfb4900
SHA512 d246f59ad6d6e9fc8d8d88129302d55cb3d2ba7d52496915ee6791fa0576153070af76ea689cc74ccefc36456df749ac5c8f45cb12702961470f202078bfcb3c

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo128.png

MD5 271847949971c396f77beaab936b7ea2
SHA1 b32c5a7eec49aa07f8ae73feb990626010c4b850
SHA256 a55224cdf06a5c2b937ba400604501f8b6ec93bc2c1cff62aa2fd378d504c657
SHA512 a2e141f68143f370e2b82a1c9c7c4b1c5f6fc2cfc2ad94acb8c5c02237af56f83904beaff3240e20397f0edbdfadf8779c0bd54b2cf0c9899fef59343e31794a

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png

MD5 2b67e47cb8da1058770fe41d8b947619
SHA1 9eb259b1d377a24a2b77a694cf31c23cef7b8eef
SHA256 46f616820751849512d2704ddb604666170d13315c4383b8c8611c3e1c2f594a
SHA512 27c0593d662df228e146c49af6da52e39523523af924cf95ba4890b1b42358b2b8df3cf2667d8f672eece4f7fe098574c4689677768dd54d3b872619c7b9ae55

C:\ProgramData\ChromeExtensionsNova\extension-tokens\manifest.json

MD5 42ac88deb5c3cfc02fdc1c27319ee067
SHA1 97b1addf35159800b90743fcfbb5505e80f6eb82
SHA256 28486361faff1827fb9f1871529c48efaaf86027592d189afa6f99b14eb3f4bb
SHA512 77c4054a3cf061eb6f4f6e9803b74833a8fb0fe352239b5b47cf39ea5eea8104b9da6deab75018557476fbda856f3be8d57e6fe2eb777c45a7a1bdb1e72d02d5

C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\jquery-3.5.1.min.js

MD5 9ac39dc31635a363e377eda0f6fbe03f
SHA1 29fa5ad995e9ec866ece1d3d0b698fc556580eee
SHA256 9a2723c21fb1b7dff0e2aa5dc6be24a9670220a17ae21f70fdbc602d1f8acd38
SHA512 0799ae01799707b444fca518c3af9b91fda40d0a2c114e84bc52bd1f756b5e0d60f6fd239f04bd4d5bc37b6cdbf02d299185cd62410f2a514a7b3bd4d60b49fc

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo48.png

MD5 9f74f11972c3c0b161832ffab541bf31
SHA1 e5841ba20a229cdeab85d30690509e649e848271
SHA256 8b74a0abdd566ffdf15891d6abd3537bffb0abce7f362c737c3de6752e136032
SHA512 b90f13eb65a4dcfdd596a7d9eba7c1ba5eb1a598e51107ce3dca07c0a0025469ab18c9958eff2b36f7e05a23f0d16d7d9d7c2321b8e1f2a456aaa7bec3ced0e8

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png

MD5 192e90432fed0081abb25295d8f309c4
SHA1 5150e93061f39e26688afd60a04c0ab14b510d47
SHA256 3216d6864b4f8824b82eb887edf95436dac3bea3f7d43d8988a176e3f1f8e1b2
SHA512 9b9b3f85eb9f12ad1b4c8cfc5e672758d879e178179deb28e80e6c3b27871261bf6b52f9066850b5a7a2fd85012b5308eaf3dda882fa40febc9cf6b47f1a4f04

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7efbf5f91e33b754e61d4587e808e79d
SHA1 9ef68704701a33f80a0c90ee110806f79e642d88
SHA256 8e7fa157d7f449e556c9938c494dd956fcdabec5fd5fae8dce5b4f0cb8e54954
SHA512 5f33f01fb91016c56cc10ea467dd7753be25660ad831bc1fe460d1ecf232f844a4282b3df273d15fd37dbc945bdebe7afb7737fbbea581beff5b2d6ed3e56087

memory/7976-864-0x000001C548C10000-0x000001C548C20000-memory.dmp

memory/7976-999-0x00007FF9639A0000-0x00007FF96438C000-memory.dmp

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 dda4eb6213fb362fb11b332d3e52f875
SHA1 557781fa6ccc8d15438fa65ea3e0c36d557ac244
SHA256 54aa1595de397fe0a2be1e9c49d9058b26462afccfa5712c1e0b4a7147474639
SHA512 775f78e913db7a976868639fb15656891422e08152bd7d188f98da88e296f6d07610c38270c6be53767bb0e924265f50d31802f1e77440e5f02645029b54f79d

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 59a528bbefe2211601488b9d8f5df366
SHA1 3f05cf9d3db2a669999ba2694a9b2510292b5dba
SHA256 5cb8086b9e6d4a6abc2f7fc19c2da56ee168a2d24c4c59312e787f20a1048001
SHA512 c92cfb3a9fd1725197684d287b8a18028f1382c00722c0507f72039c18dbd4d36dd4840a8859f5a1ee00bf75cc0d53936445632503527044fa6a84103c83311b

Analysis: behavioral3

Detonation Overview

Submitted

2023-12-17 16:29

Reported

2023-12-17 17:00

Platform

win10v2004-20231215-en

Max time kernel

1800s

Max time network

1173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupvRsPBF = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\TatsuBeta.exe" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Start_vRsPBF = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\sysWin10Boot_vRsPBF.vbs" C:\Windows\system32\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4560 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 4560 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\System32\Conhost.exe
PID 2200 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\System32\Conhost.exe
PID 1572 wrote to memory of 828 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\cmd.exe
PID 1572 wrote to memory of 828 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\cmd.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2200 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\System32\Conhost.exe
PID 2200 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\System32\Conhost.exe
PID 4552 wrote to memory of 4100 N/A C:\Windows\System32\Conhost.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4552 wrote to memory of 4100 N/A C:\Windows\System32\Conhost.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2200 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 2200 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 2200 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 2200 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 2200 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\System32\Conhost.exe
PID 2200 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\System32\Conhost.exe
PID 1616 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1616 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3552 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3552 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 5036 wrote to memory of 1724 N/A C:\Windows\system32\net.exe C:\Windows\system32\cmd.exe
PID 5036 wrote to memory of 1724 N/A C:\Windows\system32\net.exe C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1704,7827095338831072824,14491167822985064857,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1928 --field-trial-handle=1704,7827095338831072824,14491167822985064857,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=4560 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4560 get ExecutablePath"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4560 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=4560 get ExecutablePath

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupvRsPBF /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupvRsPBF /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\"""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe

C:\Windows\system32\schtasks.exe

schtasks /create /sc onlogon /tn WindowsDriverSetupvRsPBF /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupvRsPBF /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupvRsPBF /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\AQL5YPOxECi7zORMu2u8\System\cam.2200_Admin.jpg"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\AQL5YPOxECi7zORMu2u8\System\cam.2200_Admin"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_vRsPBF.vbs\"""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_vRsPBF /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_vRsPBF.vbs /f"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_vRsPBF.vbs\""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_vRsPBF /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_vRsPBF.vbs /f

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_vRsPBF.vbs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutfB3G0.ps1" -RunAsAdministrator"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutfB3G0.ps1" -RunAsAdministrator

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=900 --field-trial-handle=1704,7827095338831072824,14491167822985064857,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 4.200.250.142.in-addr.arpa udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 api.gofile.io udp
FR 51.178.66.33:443 api.gofile.io tcp
US 8.8.8.8:53 store5.gofile.io udp
US 8.8.8.8:53 33.66.178.51.in-addr.arpa udp
FR 31.14.70.246:443 store5.gofile.io tcp
US 8.8.8.8:53 hawkish.eu udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 github.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 246.70.14.31.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
US 8.8.8.8:53 3.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 96.121.5.163.in-addr.arpa udp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 61.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\d3dcompiler_47.dll

MD5 68da9e91321a892f07220fa46b845781
SHA1 263d879cbecfba679cf3c8f839f135f60831dc1f
SHA256 a7c33299cef5759701ef89704db5b647c75c06762683bed6b9101f1268af6f94
SHA512 26bfcae526f75f71173903542825c1db9d83f9a37a41746d991c3f032c33efb8cf5c9799027dbb992df4d75aa140293f44aa6bff2527373fa199d766e3919e78

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\snapshot_blob.bin

MD5 c9ab741bbef53fa0e84952b8891a5f5a
SHA1 e2dcb8d034e07243537c86371de0c52bce62cee1
SHA256 4d82fe1e642fe3ca7ad1a173f806088c0652ecfe9f0f6f6e246066e15a3431d4
SHA512 177b98a3090ecfe4b4598dfcd7e8b3ca49efafba4dbd8d6c6d0def462de47c3fabfde831725622783ddc177de982de6115178d9bd9830d918bb544a5a4c27fc9

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\resources.pak

MD5 0e0671e33afa74a430ee3a043683870c
SHA1 c9bfc0fdc3a801de1505fc98b68acdbe9f9154cf
SHA256 d9bfd2fc3213964a5b3fdd11933b1340b58bf7a20fe069e7dea2891b6b5d77e9
SHA512 61402602614a9ef65a7134f09e268711a002345ba27a212a99f38a6b011eff5e6822dd0d8cbc56ee43508315b6970dd1c1be099836a5a967870551eb239278c4

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\LICENSES.chromium.html

MD5 a9090cd8be3a9da19bb911f2c605bd28
SHA1 765bdcb08fdf49ffe61b38c78d953c9fcad84ac4
SHA256 09c4dc74cd70a21bf4cd5157759d4c1d8f127cbced977ccb75ac22cbd9e85cac
SHA512 9e27ee01463ffa927f0ac8ed38bf0984c7f1157b7cafdf8f7bacfb77bdfd2987f0ab3d0d224d871f11217afd8b733d16d6cd6030367f8cc4d8b4e3ac0cfd3060

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\libGLESv2.dll

MD5 db7cbf3e4096db249d966a39bafa6b1d
SHA1 41421beec455c52ca68bef467ded14f0e14e3b9b
SHA256 8ad2f4c23e77f38d3e1608cecd6691b1fd70e120ec88cfec0bf98db3bdaecdac
SHA512 5376a6409f3cf8bb59441cb44975d236f94456c06d70b3614a84631489a56460af31baaeae8652c2016803ae605820e5729c199e4d7e77a55748945c8021c573

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\icudtl.dat

MD5 0f57f31e83e6cada789884e1a74e8f30
SHA1 c9b4129c2c9ad20189a82e8f41428b42f619c355
SHA256 e3e735570ecf86eb90d11923045e61f36c3633b65c5728881b6c611e2999be4c
SHA512 7977c84e46fd6455ff051b12ff5ff793e1ccf61665e46ab19afce219d597e48301c67086afdc7cd5f9e2b0d926bcd65f2627c155f16fdca57cadae55f7ed1770

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\ffmpeg.dll

MD5 c3842fb3087cdcdb04020ac38683c289
SHA1 329dbcd4a1c79b891b200f11eb50194b85c493bc
SHA256 e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133
SHA512 069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\TatsuBeta.exe

MD5 57925b911ec0a8f20d49f7e101fef75d
SHA1 924822ffe47cdf279b62b457dad8b26dde551803
SHA256 18e232efd9cdf2a2ce1d4125ae05901dd9cd404bc79dbb165700e7bee38fc353
SHA512 ef2052ae371d7e2c3992dac46f56480fbe27c3705b9fe35533fba6972cf2a33938d518deed60a1e3034c4acad6a258f09a33f57718ce6c61be51c5a3b3f372b4

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\vk_swiftshader.dll

MD5 de2d91476e625278c30a5f69a1892e05
SHA1 4d707f6a801611fb437f5c1cba31b0909bf41506
SHA256 02c7f0b926c64f5a19a9aacd5f94ee00be4d576486592e18acc80c0a027b05ba
SHA512 d027407539346e5aedd527f5f71de45bace6295e96a7fbefbf273c930d64a791e488e4bdf6ef8db61fc19c80cac52a6e398c2973499c6fedb1e422c3ba71f532

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\vulkan-1.dll

MD5 b91586bd80e057a7f62bdc4422744812
SHA1 a1df644421ece2e740e5bf0ed98b4f269fd85c39
SHA256 8ba72d98e0f78b77bda7816cd7232809d287310d34e0f1d7472b9d5fda2c6d02
SHA512 94f0a8e3e75e4803891c0fcb257052dbe0e7399772fc7a46ab802629f76ee580ed30b3678fa6bc3744c12cf9f3103bbc8276e88f6711278748148e9fbeef2053

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\el.pak

MD5 38440b98bfdf5ed496da0f49d59534c0
SHA1 1498d9207ecaf4923a47271e24c68a817041c82e
SHA256 b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f
SHA512 95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\gu.pak

MD5 63a7fdc4eadf8ef1c35c72468a0ce33f
SHA1 e8d064f0e9c8a6a8c6ccb036711e292d011d9466
SHA256 e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c
SHA512 0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\ja.pak

MD5 833e8c4aa70351b6be7bd403e4e9a0a7
SHA1 46ccdbdea35deec8ef13a5fc833776875fad187b
SHA256 74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0
SHA512 e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\ko.pak

MD5 d6e2c18c9eabba59b50d147d942125ea
SHA1 0918879203c2050b4f9f449f5616e430897ba0b9
SHA256 f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76
SHA512 f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\kn.pak

MD5 5115cde84b4c674db412619b65433004
SHA1 164f33e7e2e9f685a579da492a6fc8806beb6cbf
SHA256 891e092c6895e23be986c3e6d39dcea9b6b75f1448239c13fd406680e50407a7
SHA512 090a247898cb533325d2b289a6cbd8db2a755ef0abab49d82f333e57b290c50b5996b81f15d8adc30160b216eebed3a1476aec1627195e52189557c1d48b0216

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\hi.pak

MD5 590e9e73df9cbd83cd87b9c03848fec9
SHA1 da125e60a5a2c51a2d6219d3f81688bd22237b59
SHA256 089b9dd31090a987515809a68d26f6eeb64cd9283934e3dcc48b151eec7d3ad9
SHA512 fd0e5d0f2063e12b711275f390428b88f98ffaf6043cdb14b13674ac1e4aa9f70ae820ae960132d7155daf9b1308238775c4702694ab53068cdc709c50f9186a

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\lv.pak

MD5 264c6e20b3088ceb4dae5773cef0cb55
SHA1 fb6ff83ff14df008092bc3ee73bda7491e8e090e
SHA256 a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda
SHA512 01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\ml.pak

MD5 04b2540c25990a5e0a9b227dcce6ae0d
SHA1 4f8ccd154f54dfb083d4d1a3ed0994842c8ab13e
SHA256 556165b8b54c6e21bc66d12b3f5be393136714467c427f7114f314d18ad3c661
SHA512 4cab47e42e8f5d4a83851871f97f3e1360c993ba530dbb4b4b736350779784bd83189e1195d3480ce87298bb8f9b7f249fefa7764d850e5b0002895609626785

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\mr.pak

MD5 f22c99fe6a838e333e8ee06a4d01296b
SHA1 c3542ea8dd45a2b387dd02fa5687948f135e10f2
SHA256 b03a3042f907aed13253ae8083d08f5fad59ff438d024b097276856e72526911
SHA512 882022c2cb985d85f96d52c9bcfeeb089d6ff30e66187ccf424ef622092b9d359a51bdef1fb6ac3b9d3409aa79d37ca737ba7f3ed8b9cdaabfe04d90a7c8bc15

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\ru.pak

MD5 75457b95d2bb03891232dae7db886387
SHA1 e5a7569df7f91533703626d167ecc8cddbd27205
SHA256 e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6
SHA512 9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\ro.pak

MD5 24b01a438a3ab9699d4ca97c081b5e82
SHA1 0d0b082544d23425a74199fb0a6c11192f0bdf7d
SHA256 38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca
SHA512 43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\pl.pak

MD5 644c0ace25d6e532b56510a736c6bc2c
SHA1 1bd0fec952107b493da04c46423da634ff3e1504
SHA256 2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7
SHA512 9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\te.pak

MD5 793a87d41cde6e6d1bb086284f69733b
SHA1 d887e3842b664f55b7308427aa6f5bf0b352d879
SHA256 5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255
SHA512 7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\ta.pak

MD5 31dada843d0b4f9a66b184cb6d7b8b92
SHA1 0320b31981043c6e4c17470bf2ff4c7488553511
SHA256 457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b
SHA512 c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\locales\uk.pak

MD5 d791b1ecf2931b2fb0c31aac170c7cdc
SHA1 02be115a9ff94fe5250651b6de4323eafc44fce1
SHA256 ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22
SHA512 3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\resources\app.asar

MD5 ce68499bd7035f342debd5d85ba456ee
SHA1 7c4033beb56ed790e687c93877c15fec5a8b94a7
SHA256 d550dfce22488b857e171c78c6a24595450fe686eac343724cda57a08885f51d
SHA512 934b997037eeeb45746e08cf6b07ee9fadc5383300a30995a373e53d24d6db52158251baab3e607f43d771b14f4adc1d9727f1280236a231875d8eee2bac5b1d

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 16a12bdc986207390dd79d658a6b2263
SHA1 b4b41f62cbc1e1ede786c6e30e11df8e61750bad
SHA256 50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac
SHA512 d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 c20c205c6f8d70a5e1351a4041a3ec9f
SHA1 e1b2a763dd6c42439656e4e55aba0f3610ff3784
SHA256 bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc
SHA512 dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\swiftshader\libEGL.dll

MD5 19dc9ee70e7765bb63a66b6826e8ecb7
SHA1 1a12f983f8b35cc2955d30657971f113c47dc164
SHA256 83d5719abee35e051d984510e1d5d9317a109031698814742b59bdbbe7d4e30f
SHA512 1fda2bcc4b2e70987ca6011ab2534007ae4f752016d29a588aaae839bb25c35e03773f220b6a8e926cf2643997e7d4c0f28743304269b2c55642ce12934def68

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 c0b36d56d83e601bf246f7709a8c5f9d
SHA1 b025a6070f7d61c7d1827856d2d4043834fd23f2
SHA256 45bb5e1f8dd87129ac0a75c78f8f29d06e3ac182a00fc5199b692068f1e05a53
SHA512 e429ae63bd8a7d5a936a638783511693e8fbbc91d97779b3d4dd3f0880f1c8a820106bfb57cf7ee6b3639f19165de87bbe127aadd81218689fc6c8fada2106d1

C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 b63efca4da4791825f323bef91c83316
SHA1 38c430b5ed7c7d34a256806d1b4e2d62068b5b1e
SHA256 4a9f52af3a229326f7a5b33bb0248aa6d45e1d9c87e446aeb146a26e7a0f9c2c
SHA512 e1375fc7f5d8705d3e5a242cdb3460f24f1590648ded9b4b72452372614cbfda928cf8d225edf306bd15ca3d00516cccabc058f03c638b527a1606efa823261d

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\icudtl.dat

MD5 aeaafb57d1b151ab82b3c173dbee709e
SHA1 57c5c0f6e16d036c51f6ed9c54f11a5ad33f97e6
SHA256 409034c58a7f2f5a4b78a2361121674a6527b1a3ecf2d124665b57cdb5fbc6aa
SHA512 1ca69e7d88deb931812be108c820e907b0380537cbc1e45cbecdfca657606b68c5f824b941d418804dc6884ee09782a6fd6ee2fa046d3f7183a890c7e7eceba2

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar

MD5 87b453c47a6b9dd50b1ac0592d07452b
SHA1 45c26605eff8c069ad0a0f8d1b742e5e112a3a68
SHA256 adc118a236574370cc03cd11717c070e0dc661a9854b0160111acc4ab90cdd2d
SHA512 c9032c44f69c569e951c69121ff8d4100c9efaa6f32b069ec321ea922414ada21dd81e9c10018c094eed0c6d7aae57a4a8624b5d138e7c63c1ebba3b7cde0871

C:\Users\Admin\AppData\Local\Temp\b108a867-67ed-4e32-a7e4-7780cf17cc4f.tmp.node

MD5 3072b68e3c226aff39e6782d025f25a8
SHA1 cf559196d74fa490ac8ce192db222c9f5c5a006a
SHA256 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
SHA512 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

C:\Users\Admin\AppData\Local\Temp\bdde613b-afea-42e9-985b-d0d004330672.tmp.node

MD5 5317f23583ba935be25a4c26b3f93828
SHA1 bdc288a0576a9ca04295c2df6f71e260ae5097bc
SHA256 41db88f72dbc4ace9b4e6522b19f60e012980345fcb737cab1839ab0bb2f2cb3
SHA512 e3975f92f6bbd814cec4b6762b7f7475168dd43a717031de0d8055b7f5e4ce01dd011557c1301f9f9084f8a39248630c12f265a195c54c81f1efad9dd5bd91d0

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources.pak

MD5 358393223493d79b4885370c8cf12841
SHA1 4baa9eb91dce2a60c0758bfbaa76497272a593bd
SHA256 c2f8d422507e8ca126882116ad38ca0e25c5830f5700ffc4430188c8644bf320
SHA512 f4124603e1ab2ad623b74d6f9c5bc37161db12b0b191c85d5ff04015f858d4c49b505c93291f3c7d1575e8f109b2559fc9faa87a9a77aa684d2fb73183777751

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 616c342c7f0926cb4cf2cf32536a33fa
SHA1 5f0fbf7a1c17dd9aad7a77966c60fa269722e0b2
SHA256 65e3dfa0358b2f5aef5c95ee161d8fa7d52e96e69028fa6e1627ace3bdbd2d48
SHA512 d5c44e248f27122e698cd7d0052379dbf6615886db3f1a6d0bc09c4680ca01cc985a1cdba61fbcd26331665204372bc57709ffdb5ccfbb2aeeeec3c4d99a965a

memory/2900-578-0x00007FFA81D30000-0x00007FFA81D31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 21a4668b9be72240e9c63ff123246471
SHA1 624fc12f769c68b45cf0d95fc5a45927cfbd1dbe
SHA256 02b7a13ff386fe7a711086bad7eaaeb5b232f6a453adfb78aaefd28ede876d11
SHA512 d910b39731bdcb773321a74cc715caf06c15ae535ddf8c7b222c66c0d7046cf99d4b9f075e6a7435c90dfc9844b5729a759d3d0b1782640b28daa150c5957c14

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libGLESv2.dll

MD5 0c9aa839c2c353caaab22f032ef1446a
SHA1 158bc5af43366171f29cfce033493bfcc787b9d2
SHA256 809abbd038a92ba0115b9a86faedbd16427b40dc312efaedb72f02ac9efa9df0
SHA512 ed2861958a1e2bf66f650c880d60d266c2bb0bca8809dd8f38bebb95cea711e535fe92bc18a9eacd07b25d01af3be61b7443df6a297f2df81d1e02ada7ae68a2

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\D3DCompiler_47.dll

MD5 b1c78ad14d7366f1a3c0872928a59076
SHA1 c9d53a0f461f586bf4ae8995d03556634ffb6de4
SHA256 3d9093990cc56f62190bc2983ce27c565aa77d2da6e56846150d2859f9c61fc3
SHA512 1014b5f2eeba120487fdca56ab1ca4398b9452e3b47450ee98d5df05c9af8e599067b52d5a02de3177397c81abea77903fd104515c4ddda2204620cb969db55a

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libglesv2.dll

MD5 5deebf09a1e029423276f1d17a632e68
SHA1 cbba1da5f1cdc2fe73a8b02b5e3e31d826a933e5
SHA256 91dc81e0e40fa169a5a25e76242c16213bd0d532145ae23fba0e308d6fa42a2c
SHA512 c0626f89a35aec551414b6ea8879d39e82e9f2e5e6070a47b46e37ed9958a28c20f3e888845064e1ac76c8043798e30a83f461c2b6ca3105dd2dc576dce4a813

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\d3dcompiler_47.dll

MD5 6c92deef58c7974549c5fcbec6044eea
SHA1 8a52470b947970ef99804eb93b97623e44cb5eeb
SHA256 017c014d288fe4980d781d43532f00f33abd7d33ba5f7eb35ab1d1b86bf0418d
SHA512 d4d28775fa303c6005f47887db814d206250f378cdbbf599a10427e50c1c6002aeb31199d6e5619838bd50f5735855c6a8b6f48fbd14d0d9d04d0b237dc98714

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 2ad21f16495b4dcb63b40ec157ff406c
SHA1 b9948ebdcab9f74d863b9ea5290740519cb6e2b6
SHA256 4affafa22dc43c2f44a17b18c48ad06a48f9edd92ac31294f21aafbd8738b3a3
SHA512 c46c6dd131dc1c503a235869e0150b9f40893b3837e699e49b514bbe30592d48eea654e867fec2d6c5ff91c17bbe2916447a9ddee93e6ae3cc292b4960b99d10

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qn2y0btj.0qh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3788-606-0x00000260224B0000-0x00000260224D2000-memory.dmp

memory/3788-613-0x00000260221C0000-0x00000260221D0000-memory.dmp

memory/3788-612-0x00000260221C0000-0x00000260221D0000-memory.dmp

memory/3788-611-0x00007FFA612F0000-0x00007FFA61DB1000-memory.dmp

memory/3788-617-0x00007FFA612F0000-0x00007FFA61DB1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

memory/440-632-0x0000016918830000-0x0000016918840000-memory.dmp

memory/440-631-0x0000016918830000-0x0000016918840000-memory.dmp

memory/440-635-0x00007FFA612F0000-0x00007FFA61DB1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

memory/440-620-0x00007FFA612F0000-0x00007FFA61DB1000-memory.dmp

memory/4620-641-0x00007FFA612F0000-0x00007FFA61DB1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

memory/4620-643-0x000001DBEB540000-0x000001DBEB550000-memory.dmp

memory/4620-642-0x000001DBEB540000-0x000001DBEB550000-memory.dmp

memory/4620-656-0x00007FFA612F0000-0x00007FFA61DB1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe

MD5 06dcc4212923ff5a5cc8820951005add
SHA1 c9b36f63153c2c83a0c8ce9676a90a861ae460b3
SHA256 4d99c49097fbc3b8aa8e71c72515ef09c2b77d3fc69fab79394d84ac776d1301
SHA512 89efeaa0034d404e83a81af704a25ac1f9ab1fd3e618a9f8781becd13ce6cf2e279fe8202ccafa76053bc8a4f9ffc3c0dd619316cb35ef369532bcaee00c06ec

memory/6428-658-0x00007FFA612F0000-0x00007FFA61DB1000-memory.dmp

memory/6428-659-0x0000027E6AD60000-0x0000027E6AD70000-memory.dmp

memory/6428-660-0x0000027E6AD60000-0x0000027E6AD70000-memory.dmp

memory/6428-671-0x0000027E6AD60000-0x0000027E6AD70000-memory.dmp

memory/6428-673-0x00007FFA612F0000-0x00007FFA61DB1000-memory.dmp

memory/8188-675-0x00007FFA61410000-0x00007FFA61ED1000-memory.dmp

memory/8188-676-0x0000019492CF0000-0x0000019492D00000-memory.dmp

memory/8188-677-0x0000019492CF0000-0x0000019492D00000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e5ea61f668ad9fe64ff27dec34fe6d2f
SHA1 5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b
SHA256 8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466
SHA512 cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

memory/8188-689-0x00007FFA61410000-0x00007FFA61ED1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\places.sqlite_tmp

MD5 2ee24a8e72bd193e446acc1a0bb35cb5
SHA1 653816ec9df15a76bea0dda0d0d02c89980661df
SHA256 5ada4c4ddbb120646f555bfc8b3f4b54b4f2f56ca0822eb909e1949f79ef8ce8
SHA512 034eba77eb40799aae28766399c712f0f54d2050e06cdb0cff708cd2c75b9060bfa96e08e056291739198e8f54c96ae30219e710de30b91128f0bb7e6df2a84e

memory/5836-742-0x00007FFA61410000-0x00007FFA61ED1000-memory.dmp

memory/5836-747-0x000002AFDB930000-0x000002AFDB940000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 107102102e02e48f37f5318c7e113c43
SHA1 7fb10fc65c85fb4c050309f0872bc9389dcccc0d
SHA256 3c3f49948c1e832c86b959c32bc288ddedb500534b74df082f8967fc7f9976f7
SHA512 b108a47d7c3dd154cad44362b6cd557b7064096383d100e6cd64bfb19c4e2ad878ed4ee800776322ad3cc4bb721fb675b0ecab8f5661024188fa3aa19561841b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_vRsPBF.vbs

MD5 68a5d61fb4436229aa54354481478edd
SHA1 3e4bc0b3d4a3e07224e615934c3c52e08070a5c2
SHA256 01840ea504914244c884dd04f9c96fce55398de781360579823cd416d90054f3
SHA512 1764657b85f8fc2004fc530889702758ba0e60147655783946024696efe518e4e5bf552b7554be97bd31492e7727cccb2018593284546a6ac39ac884fe4dd860

memory/5836-751-0x00007FFA61410000-0x00007FFA61ED1000-memory.dmp

memory/4224-785-0x00007FFA61410000-0x00007FFA61ED1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 894afb4ff3cd7ee1f69400e936f8fc9d
SHA1 aa0eb6ac58f8997940c1aa2e6f6c42d7c3837e51
SHA256 20948b37924c58362ffc5d1472667b53c6d7fc865ad541c901cebf41d04a03c9
SHA512 449494468d267f9689a277ce858dac7dfda04ceb568f60170645582fd631901a9ef780da8e420cba8a297edc11cd63a874e3429b95cf90e7261d2b9ab8850e98

memory/4224-786-0x00000248ADAD0000-0x00000248ADAE0000-memory.dmp

C:\Users\Admin\AppData\Roaming\salutfB3G0.ps1

MD5 28e4eda7451c625bbe806b745753f729
SHA1 d29e9b2c2ac5b10188cbae92cffba6827728543d
SHA256 da79e10cdff90aa7f5ab3d3f226570107ecd20d48eb14067c7900367111df5ba
SHA512 932f53b6cd2aa55ab1475d85528069357fa7d9eea26051d1a4edb11872ca30d02c31c44bed3a48f0ccdbebe556e9d8ec2f4a0815bf177d93ab4272b3fe2fb0b5

C:\ProgramData\ChromeExtensionsNova\extension-tokens\manifest.json

MD5 42ac88deb5c3cfc02fdc1c27319ee067
SHA1 97b1addf35159800b90743fcfbb5505e80f6eb82
SHA256 28486361faff1827fb9f1871529c48efaaf86027592d189afa6f99b14eb3f4bb
SHA512 77c4054a3cf061eb6f4f6e9803b74833a8fb0fe352239b5b47cf39ea5eea8104b9da6deab75018557476fbda856f3be8d57e6fe2eb777c45a7a1bdb1e72d02d5

C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\jquery-3.5.1.min.js

MD5 9ac39dc31635a363e377eda0f6fbe03f
SHA1 29fa5ad995e9ec866ece1d3d0b698fc556580eee
SHA256 9a2723c21fb1b7dff0e2aa5dc6be24a9670220a17ae21f70fdbc602d1f8acd38
SHA512 0799ae01799707b444fca518c3af9b91fda40d0a2c114e84bc52bd1f756b5e0d60f6fd239f04bd4d5bc37b6cdbf02d299185cd62410f2a514a7b3bd4d60b49fc

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo48.png

MD5 9f74f11972c3c0b161832ffab541bf31
SHA1 e5841ba20a229cdeab85d30690509e649e848271
SHA256 8b74a0abdd566ffdf15891d6abd3537bffb0abce7f362c737c3de6752e136032
SHA512 b90f13eb65a4dcfdd596a7d9eba7c1ba5eb1a598e51107ce3dca07c0a0025469ab18c9958eff2b36f7e05a23f0d16d7d9d7c2321b8e1f2a456aaa7bec3ced0e8

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png

MD5 192e90432fed0081abb25295d8f309c4
SHA1 5150e93061f39e26688afd60a04c0ab14b510d47
SHA256 3216d6864b4f8824b82eb887edf95436dac3bea3f7d43d8988a176e3f1f8e1b2
SHA512 9b9b3f85eb9f12ad1b4c8cfc5e672758d879e178179deb28e80e6c3b27871261bf6b52f9066850b5a7a2fd85012b5308eaf3dda882fa40febc9cf6b47f1a4f04

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png

MD5 2b67e47cb8da1058770fe41d8b947619
SHA1 9eb259b1d377a24a2b77a694cf31c23cef7b8eef
SHA256 46f616820751849512d2704ddb604666170d13315c4383b8c8611c3e1c2f594a
SHA512 27c0593d662df228e146c49af6da52e39523523af924cf95ba4890b1b42358b2b8df3cf2667d8f672eece4f7fe098574c4689677768dd54d3b872619c7b9ae55

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo128.png

MD5 271847949971c396f77beaab936b7ea2
SHA1 b32c5a7eec49aa07f8ae73feb990626010c4b850
SHA256 a55224cdf06a5c2b937ba400604501f8b6ec93bc2c1cff62aa2fd378d504c657
SHA512 a2e141f68143f370e2b82a1c9c7c4b1c5f6fc2cfc2ad94acb8c5c02237af56f83904beaff3240e20397f0edbdfadf8779c0bd54b2cf0c9899fef59343e31794a

C:\ProgramData\ChromeExtensionsNova\extension-cookies\manifest.json

MD5 04c23766134b234e85cc537b2162efb1
SHA1 45c48d9ca30a4580a682f025cc66331e49f6f158
SHA256 f50f62683347bbca52d7f7de0c877014ae77043753905628644e2d485dfb4900
SHA512 d246f59ad6d6e9fc8d8d88129302d55cb3d2ba7d52496915ee6791fa0576153070af76ea689cc74ccefc36456df749ac5c8f45cb12702961470f202078bfcb3c

memory/4224-800-0x00007FFA61410000-0x00007FFA61ED1000-memory.dmp

memory/2900-875-0x000002D5CF4F0000-0x000002D5CFC2F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 1c7dd1084aeb4044852762b7f2687220
SHA1 810eacd6954afccabce5c0395904b669cbece621
SHA256 590101d29e546ee0cea2da1c2b7c3a2276160d3c3ea4fc5202a0caf6dcef7ded
SHA512 39b2cdb1eb88a2c501445f03fe9448f58d1c2ac79de5e06ed13355eb87feffc20a2e4754feadb1764e67763f2672529b31c2788a13b6aa94a4389e87698ff895

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 457f740ecef38ab915bbdcbd667f66f9
SHA1 781bb6c49644b10dc486e730eed068efb04a582e
SHA256 5c0d6457b56dade1419939d2b04f1f004cf3cf52cf9f718d4ec0c639db9f0a6e
SHA512 c209774ef01c67302fa594c68d4f614755040e490850225f39ea75e5bf5bd759365fa24525a412389a0695fab6aabfd982abd1ffa1a3830a35adfc4c29baf974

memory/6832-914-0x0000020D48330000-0x0000020D48331000-memory.dmp

memory/6832-924-0x0000020D48330000-0x0000020D48331000-memory.dmp

memory/6832-923-0x0000020D48330000-0x0000020D48331000-memory.dmp

memory/6832-922-0x0000020D48330000-0x0000020D48331000-memory.dmp

memory/6832-921-0x0000020D48330000-0x0000020D48331000-memory.dmp

memory/6832-920-0x0000020D48330000-0x0000020D48331000-memory.dmp

memory/6832-919-0x0000020D48330000-0x0000020D48331000-memory.dmp

memory/6832-918-0x0000020D48330000-0x0000020D48331000-memory.dmp

memory/6832-913-0x0000020D48330000-0x0000020D48331000-memory.dmp

memory/6832-912-0x0000020D48330000-0x0000020D48331000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2023-12-17 16:29

Reported

2023-12-17 17:00

Platform

win11-20231215-en

Max time kernel

1800s

Max time network

1505s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupr4i4UY = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\TatsuBeta.exe" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Windows\CurrentVersion\Run\Start_r4i4UY = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\sysWin10Boot_r4i4UY.vbs" C:\Windows\system32\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: 33 N/A C:\Windows\System32\Conhost.exe N/A
Token: 34 N/A C:\Windows\System32\Conhost.exe N/A
Token: 35 N/A C:\Windows\System32\Conhost.exe N/A
Token: 36 N/A C:\Windows\System32\Conhost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: 33 N/A C:\Windows\System32\Conhost.exe N/A
Token: 34 N/A C:\Windows\System32\Conhost.exe N/A
Token: 35 N/A C:\Windows\System32\Conhost.exe N/A
Token: 36 N/A C:\Windows\System32\Conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4100 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 4100 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 1136 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 4484 wrote to memory of 900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4484 wrote to memory of 900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1136 wrote to memory of 476 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 476 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 1136 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 1136 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 1640 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 1640 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 1136 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 1136 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 1136 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\System32\Conhost.exe
PID 1136 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\System32\Conhost.exe
PID 1136 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 1136 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 1428 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1428 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2152 wrote to memory of 3564 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\cmd.exe
PID 2152 wrote to memory of 3564 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\cmd.exe
PID 3564 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 3564 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1464 --field-trial-handle=1684,5508465263420723532,15064865261952678778,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1916 --field-trial-handle=1684,5508465263420723532,15064865261952678778,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4100 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=4100 get ExecutablePath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=4100 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4100 get ExecutablePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupr4i4UY /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe /f"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupr4i4UY /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest

C:\Windows\system32\schtasks.exe

schtasks /create /sc onlogon /tn WindowsDriverSetupr4i4UY /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\"""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupr4i4UY /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\RcVn6feMhjbLun8ewwgV\System\cam.1136_Admin.jpg"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\RcVn6feMhjbLun8ewwgV\System\cam.1136_Admin"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupr4i4UY /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe\" /F /rl highest"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_r4i4UY.vbs\"""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_r4i4UY /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_r4i4UY.vbs /f"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_r4i4UY /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_r4i4UY.vbs /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_r4i4UY.vbs\""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_r4i4UY.vbs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutUJXao.ps1" -RunAsAdministrator"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutUJXao.ps1" -RunAsAdministrator

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=908 --field-trial-handle=1684,5508465263420723532,15064865261952678778,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.4.4:443 dns.google tcp
FR 51.178.66.33:443 api.gofile.io tcp
US 206.168.191.31:443 store8.gofile.io tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
DE 140.82.121.4:443 github.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
US 8.8.8.8:53 4.121.82.140.in-addr.arpa udp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\d3dcompiler_47.dll

MD5 cfc168bc3e255f254ab49d202569d0d9
SHA1 e764623b34548f6b475de9ac406af6edef43af84
SHA256 cd9a47f455e226b4fd783bba285141ed648c6a5b4d28b96dab793ffc43cb061c
SHA512 c7c5ee9ed5eee9c13be19e2730cc93365eb64bd039acb33787936e424430a2f4e3323cd2dd28ac0ab6078ce042b9fb07fd9c138f13b24daa2d01e81f7361ee28

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\snapshot_blob.bin

MD5 c9ab741bbef53fa0e84952b8891a5f5a
SHA1 e2dcb8d034e07243537c86371de0c52bce62cee1
SHA256 4d82fe1e642fe3ca7ad1a173f806088c0652ecfe9f0f6f6e246066e15a3431d4
SHA512 177b98a3090ecfe4b4598dfcd7e8b3ca49efafba4dbd8d6c6d0def462de47c3fabfde831725622783ddc177de982de6115178d9bd9830d918bb544a5a4c27fc9

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\resources.pak

MD5 4f730313ce77d1baa1f69f3f7b41f96d
SHA1 80f1d5951f4e9217e4af2bdb1cc7920537ac7a73
SHA256 0bc2a48c15615ba68b61bffdde06483d1a75877f84019f8098a33e8ab5334e0d
SHA512 2691fd2450fe6a55feb905365548ffab9b531fb1d3e134dd8160139548c7285e6ef12e2ba2d3f8c1545b65f38253bce48e08049733d0e0f4720e014b1614404a

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\LICENSES.chromium.html

MD5 9c8c45e3f8643a42546d6fd1bca35a2f
SHA1 c0f79a440d453f143c1c0ed43d6bd83f2e5d81b3
SHA256 cfa363ce1b609f75a561201a94108be63a3cea95909dc73a483e88bc5267d2fd
SHA512 d2aa458dbb756f8aac1990e11ce5c0eb3f75808e98956c6ddebdebff66dadfde4b1307b62708d2434f78e2b7cdb0ac2b15d13fc1826c00b1e0538d56c1928d35

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\libGLESv2.dll

MD5 bba8ebf17e9fd85df10ed613372baec1
SHA1 8217629187a04e5dba5161a3a1b312929eedb21d
SHA256 83862c7da91628f2fd2a3a436a83302a2455482854b55d80f8468b4555d6bd7a
SHA512 ae820f867efe07da4a547938f10122656cc7be53243432d661934232febdf0cf06e06fb6110405cdb5bce22bf1dfa8a41f1bf02bd61e1ef2992ebcf2f6acd729

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\icudtl.dat

MD5 11e68569b4f07aec5fbc2da894ada867
SHA1 c30468d772909e9e1a44bd1dbc6e99dfe93219d0
SHA256 6aa365478030d3ccffe8ce3147bbd026fcbceb8f2690634dabecd4336ece14a1
SHA512 93fb28e8ee4fe7d6e15895b6b3985f779b4531a4f141bc1499377e08cee114f82263d4f05b1c81869bd5b0ba72064107ab743dffddb5569999bcca255bdcbb18

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\ffmpeg.dll

MD5 c3842fb3087cdcdb04020ac38683c289
SHA1 329dbcd4a1c79b891b200f11eb50194b85c493bc
SHA256 e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133
SHA512 069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\TatsuBeta.exe

MD5 6a8ee9ba55eeb144317f110b448c9594
SHA1 6bf2bf14b4b0e81e9123b5c84f5d18f5500c2f0e
SHA256 c585c1fac11aebe53760761d2d95ad05edb35a0339cf7892574a8181e7162a2d
SHA512 8de092df6b691121bc38706846c28633047530ee401383657ac855200c20494012e3537fc3c2793651dc4a27b4c51a371eb9ba87831243a0903b14f5914e0d6e

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\vk_swiftshader.dll

MD5 de2d91476e625278c30a5f69a1892e05
SHA1 4d707f6a801611fb437f5c1cba31b0909bf41506
SHA256 02c7f0b926c64f5a19a9aacd5f94ee00be4d576486592e18acc80c0a027b05ba
SHA512 d027407539346e5aedd527f5f71de45bace6295e96a7fbefbf273c930d64a791e488e4bdf6ef8db61fc19c80cac52a6e398c2973499c6fedb1e422c3ba71f532

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\vulkan-1.dll

MD5 b91586bd80e057a7f62bdc4422744812
SHA1 a1df644421ece2e740e5bf0ed98b4f269fd85c39
SHA256 8ba72d98e0f78b77bda7816cd7232809d287310d34e0f1d7472b9d5fda2c6d02
SHA512 94f0a8e3e75e4803891c0fcb257052dbe0e7399772fc7a46ab802629f76ee580ed30b3678fa6bc3744c12cf9f3103bbc8276e88f6711278748148e9fbeef2053

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\ru.pak

MD5 75457b95d2bb03891232dae7db886387
SHA1 e5a7569df7f91533703626d167ecc8cddbd27205
SHA256 e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6
SHA512 9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\ro.pak

MD5 24b01a438a3ab9699d4ca97c081b5e82
SHA1 0d0b082544d23425a74199fb0a6c11192f0bdf7d
SHA256 38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca
SHA512 43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\pl.pak

MD5 644c0ace25d6e532b56510a736c6bc2c
SHA1 1bd0fec952107b493da04c46423da634ff3e1504
SHA256 2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7
SHA512 9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\mr.pak

MD5 f22c99fe6a838e333e8ee06a4d01296b
SHA1 c3542ea8dd45a2b387dd02fa5687948f135e10f2
SHA256 b03a3042f907aed13253ae8083d08f5fad59ff438d024b097276856e72526911
SHA512 882022c2cb985d85f96d52c9bcfeeb089d6ff30e66187ccf424ef622092b9d359a51bdef1fb6ac3b9d3409aa79d37ca737ba7f3ed8b9cdaabfe04d90a7c8bc15

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\ml.pak

MD5 04b2540c25990a5e0a9b227dcce6ae0d
SHA1 4f8ccd154f54dfb083d4d1a3ed0994842c8ab13e
SHA256 556165b8b54c6e21bc66d12b3f5be393136714467c427f7114f314d18ad3c661
SHA512 4cab47e42e8f5d4a83851871f97f3e1360c993ba530dbb4b4b736350779784bd83189e1195d3480ce87298bb8f9b7f249fefa7764d850e5b0002895609626785

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\lv.pak

MD5 264c6e20b3088ceb4dae5773cef0cb55
SHA1 fb6ff83ff14df008092bc3ee73bda7491e8e090e
SHA256 a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda
SHA512 01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\ko.pak

MD5 d6e2c18c9eabba59b50d147d942125ea
SHA1 0918879203c2050b4f9f449f5616e430897ba0b9
SHA256 f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76
SHA512 f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\kn.pak

MD5 5115cde84b4c674db412619b65433004
SHA1 164f33e7e2e9f685a579da492a6fc8806beb6cbf
SHA256 891e092c6895e23be986c3e6d39dcea9b6b75f1448239c13fd406680e50407a7
SHA512 090a247898cb533325d2b289a6cbd8db2a755ef0abab49d82f333e57b290c50b5996b81f15d8adc30160b216eebed3a1476aec1627195e52189557c1d48b0216

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\ja.pak

MD5 833e8c4aa70351b6be7bd403e4e9a0a7
SHA1 46ccdbdea35deec8ef13a5fc833776875fad187b
SHA256 74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0
SHA512 e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\gu.pak

MD5 63a7fdc4eadf8ef1c35c72468a0ce33f
SHA1 e8d064f0e9c8a6a8c6ccb036711e292d011d9466
SHA256 e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c
SHA512 0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\el.pak

MD5 38440b98bfdf5ed496da0f49d59534c0
SHA1 1498d9207ecaf4923a47271e24c68a817041c82e
SHA256 b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f
SHA512 95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\hi.pak

MD5 590e9e73df9cbd83cd87b9c03848fec9
SHA1 da125e60a5a2c51a2d6219d3f81688bd22237b59
SHA256 089b9dd31090a987515809a68d26f6eeb64cd9283934e3dcc48b151eec7d3ad9
SHA512 fd0e5d0f2063e12b711275f390428b88f98ffaf6043cdb14b13674ac1e4aa9f70ae820ae960132d7155daf9b1308238775c4702694ab53068cdc709c50f9186a

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\uk.pak

MD5 d791b1ecf2931b2fb0c31aac170c7cdc
SHA1 02be115a9ff94fe5250651b6de4323eafc44fce1
SHA256 ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22
SHA512 3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\te.pak

MD5 793a87d41cde6e6d1bb086284f69733b
SHA1 d887e3842b664f55b7308427aa6f5bf0b352d879
SHA256 5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255
SHA512 7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\locales\ta.pak

MD5 31dada843d0b4f9a66b184cb6d7b8b92
SHA1 0320b31981043c6e4c17470bf2ff4c7488553511
SHA256 457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b
SHA512 c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\resources\app.asar

MD5 708fd8c9ca2b6a6fd4d46a5b19a0a3ad
SHA1 720a340b7e4c26ad4cae415595e248deaf3efe2f
SHA256 2ce656ffaf772451f6a8707352f52cbad9b3205f4e3654d87d9c079ce24fafa2
SHA512 b8987bff2b738919042ee8926118a2333bd988db56edff86212247da0046ca623e73897f07ba1e8887b2e9d9aa1162edf5020a5c16ce0cc3cd51ceda485b8892

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 16a12bdc986207390dd79d658a6b2263
SHA1 b4b41f62cbc1e1ede786c6e30e11df8e61750bad
SHA256 50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac
SHA512 d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\swiftshader\libEGL.dll

MD5 19dc9ee70e7765bb63a66b6826e8ecb7
SHA1 1a12f983f8b35cc2955d30657971f113c47dc164
SHA256 83d5719abee35e051d984510e1d5d9317a109031698814742b59bdbbe7d4e30f
SHA512 1fda2bcc4b2e70987ca6011ab2534007ae4f752016d29a588aaae839bb25c35e03773f220b6a8e926cf2643997e7d4c0f28743304269b2c55642ce12934def68

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 c0b36d56d83e601bf246f7709a8c5f9d
SHA1 b025a6070f7d61c7d1827856d2d4043834fd23f2
SHA256 45bb5e1f8dd87129ac0a75c78f8f29d06e3ac182a00fc5199b692068f1e05a53
SHA512 e429ae63bd8a7d5a936a638783511693e8fbbc91d97779b3d4dd3f0880f1c8a820106bfb57cf7ee6b3639f19165de87bbe127aadd81218689fc6c8fada2106d1

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 c20c205c6f8d70a5e1351a4041a3ec9f
SHA1 e1b2a763dd6c42439656e4e55aba0f3610ff3784
SHA256 bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc
SHA512 dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsa60AF.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\icudtl.dat

MD5 6655bd37164477671bdf87b6409dc7b0
SHA1 23d63af85093504f2cee574b80e4edc4f8358fb0
SHA256 c7673f4f0bcc4a51b4fc8970b296d2c0b1c88c561d5625546ed289b54c64fbb3
SHA512 514c9d36a190dc9dc34d9d6856ca693e52031c67c4f2de4c0ce295f0aa4da7b34355477cc631ee2d2219a36e70573ccf6e6eccd6f25a96e8d127b8909ff50567

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 cdcbce60f4eb9bc83002687959fe9294
SHA1 b41c449cb45792c820fad3f9cca5d0219ed7979f
SHA256 da9e365f00813bc2f1fcbbe32338a9cd8d8b1ed292880a53cf7f6b15a0827b21
SHA512 125b54cb4ae385c5c6ba2ddd88015d9c053ee9c7e6d6bc78a1e0621a620a70961c03fb360acf8d7d0923540040e46062e7c4d520f09fa3aefc43820d8fde7b6b

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar

MD5 c1af2f3ab3cd9e4353f1450280f295fc
SHA1 be2086c62e9795e16f985db73ac77993187563c6
SHA256 1208c8519a7563da020fa5b95f31fe1df69a275eaff3021c3683a33ca43e8808
SHA512 2f619f123d001b30736a54c99baf208c48521961785d00dda9795d251ad64686c54ceeda3c5ba3658174f7d164eacba3189e4aaedbaa531c9de2cb557ed7385e

C:\Users\Admin\AppData\Local\Temp\cd31087c-d219-4c0f-a7c7-e3968b518189.tmp.node

MD5 5317f23583ba935be25a4c26b3f93828
SHA1 bdc288a0576a9ca04295c2df6f71e260ae5097bc
SHA256 41db88f72dbc4ace9b4e6522b19f60e012980345fcb737cab1839ab0bb2f2cb3
SHA512 e3975f92f6bbd814cec4b6762b7f7475168dd43a717031de0d8055b7f5e4ce01dd011557c1301f9f9084f8a39248630c12f265a195c54c81f1efad9dd5bd91d0

C:\Users\Admin\AppData\Local\Temp\ab0fff85-7ac7-42a0-bc41-2bcabb6647be.tmp.node

MD5 3072b68e3c226aff39e6782d025f25a8
SHA1 cf559196d74fa490ac8ce192db222c9f5c5a006a
SHA256 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
SHA512 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources.pak

MD5 46de20e244a40874cd4fee49120d4b3a
SHA1 8605ab552a321833558606eb93278ea6b6906002
SHA256 81147805d99bafda28dbadaf58238f77085cd7a884cdf566a82ceb11321cf6e4
SHA512 10e7e7aa7ee65148a9a739777b27a93d9d688a1b2e92f3916f5816af4a1dc050bc527c396dc6342fa4a109c22dc7d0bc443dce9b749454b72b27c462b08c74c8

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 697112a53e26edbc16f2e66e6ce79f72
SHA1 ff0a0a75efd5d52a3f2995bb8e881cc5b40efd64
SHA256 1bd7ec0882485aef4e1b8becf09a529edb8d7b6f808f19ea57425c00415b4b02
SHA512 3da9fe6cb577cbf9d86dd52f48544a061dbea69cb464ced70c26af3253088c749f7b3cf6d1887185574f6babdc8aac369464fc40cfa5b2c359b102a2d5192343

memory/1200-578-0x00007FFA0C7C0000-0x00007FFA0C7C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 6bd905ae1e93259ad1673cbd9897a0ab
SHA1 d1f9959ad25da49204214fe856fe94e0bf705be2
SHA256 e13239114cdaf5ad955e5a17c6f263c72f5e11a54e97e1a55579bfdaca23698a
SHA512 bdc042bb70abb2e09b9ce50cd5fa4e9abbac41952fdc405e262dad23acac52f711487d87ee0afe650d15313e6c78f9dbc17bb5cbea73de6a004ad67e6ce08e24

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 da88b2a4da1b36b72150a4506e807f83
SHA1 a45f8f509418b7757b9d211f6278300d20ff11fa
SHA256 c6a422215a7b9550d8fa2526e94da8b00be2f4039850941aba38128eee83fd7e
SHA512 c670b572ba1ccc0cff4be8d5b0feba8fa00adda67015baceb99b122367a5c840dd2c4bfb0e88617d0470ab04d4dcbc5f7b95ba71b7f391cb5a08aaa48c04c5c8

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 da47ba26cf8d7f5790a158e2cead1745
SHA1 c95f81b467f75bcf74395460c2b973813426a1fa
SHA256 fe3014d50fb6ac557b37b6ed0df09582c4ca022c295c046deae2a1c9e972353c
SHA512 a466f75b8ac97b1604b8a554cf437b75bebf81fc7dada2d4b2e76405f114fa8bda21a87b6cd6ed9c4da1a459fa591c60d66b1208150badb425fd38630895186a

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 c9f9f1a8f22d370c843b68894267cb71
SHA1 411bd340da5e051172057241545156750c35820e
SHA256 aed3664274a88fb5a3d817748b995309a6c1378c1f41c0dbf783ef097117955a
SHA512 53808e1cb15d79b0019766ca2238d541f89f1667f836a18cc39ba24f7eec52d9c672c6550d16727855ed3035acf55df60591cafb3ea631d372a610e1235a3938

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libGLESv2.dll

MD5 75ca842bed9122d1117f4dda2cf77755
SHA1 1b472a9900445012f3d9da13f3571c36e1fbff45
SHA256 7dca23ef7bef038fed962b6d8bd7eff5fef30c89a49d102b1e492500e85e2799
SHA512 687942b893d9e7533b7d81c3fadc7016ce3aa950186cc30a5814bfe299105e2bd88e90d1b3bf7668984aaa25fc85c6995c6bc046120e395f8f859b5cf9ea5484

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libglesv2.dll

MD5 84978c270486aa5904c79c113a549e96
SHA1 61e0541e8dcb7ad5e10fcbddb3ab752914efdfc2
SHA256 6cc350badc24d7d635a65a18cb82ef97986665e10b086792d0a0a77c2452e9c7
SHA512 80f1fe1925946c3e77aa511d0b14a31868cd572fdbe0ea482bdcbfbcd9fceb23e747e042f2960f8276b81b9f199dcbb6c0073d72f582e257d4b29ed535e5d537

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\D3DCompiler_47.dll

MD5 a98583cf6ae1e8bd7badaaa3df1a7a22
SHA1 49c89ff9b66003785f2ba75061ebab88bbb3bfb0
SHA256 2b6de902e544f8f627a236a77c1b3714e168d52df071e6827375d70860800cfb
SHA512 3afa35e2dced579aeec0cbc73aaffe493c791022713b7caabc981061d101cba40872d5ab83bb1cccfed81940361823475429f3ee9e52efec8fe3b382cb6ea678

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\d3dcompiler_47.dll

MD5 5b41c82ccc03e629e8811f02cfa4fb06
SHA1 022b081d3780f34b508801817fb904d68093b4fe
SHA256 d3b273f429e0247c261ce7d3388cdfcc2b48d692273b56911f1e9ee58d7cc442
SHA512 503e7ea3b75cc981719b0759b939941bcb35e46730f7a71926c1470d140f6ba2e70576afc1418e537ab6c799ccf1a017fa0574857c05bb4cbf9673078d14c151

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0r5vw4xu.emk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3304-612-0x0000016BAEF40000-0x0000016BAEF50000-memory.dmp

memory/3304-611-0x0000016BAEF40000-0x0000016BAEF50000-memory.dmp

memory/3304-610-0x0000016BAEF40000-0x0000016BAEF50000-memory.dmp

memory/3304-609-0x00007FF9EA210000-0x00007FF9EACD2000-memory.dmp

memory/3304-608-0x0000016BAF140000-0x0000016BAF162000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 352b9cf378bd16a56c1eb098f1c64644
SHA1 6d3ca466d823dec3031206ce1f39d5799f88d3f8
SHA256 d427154ab5e8789065147b8347e35a876d133df49f9541227157739df64b0ad8
SHA512 113c5b4022e62aebb332323c9f98609770f6b28d6f06aca4c4da9950427aaab399abcadc6b7035c44f0b48abcf5ac31a7e2c4a721511ca3bacb5b31a37ba99e9

memory/3304-616-0x00007FF9EA210000-0x00007FF9EACD2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7ede42e5af61f101ef19de6a68869d0c
SHA1 c396c7496e049b025720409babdb77d646781649
SHA256 63157cf1d6056d84a9c37010f9f6b55b9fcfdd60fe008e46b8618c0946f5394f
SHA512 df74d41ba710d238fcb210b9ec63eafbce02cbc8a6ff94e204a4cd2b330592f6ec0ddb4c488b9b879444d8a4408b0b062f1548b786f0978cff793b7dc607376e

memory/340-630-0x0000023C46550000-0x0000023C46560000-memory.dmp

memory/340-620-0x0000023C46550000-0x0000023C46560000-memory.dmp

memory/340-619-0x00007FF9EA210000-0x00007FF9EACD2000-memory.dmp

memory/340-633-0x00007FF9EA210000-0x00007FF9EACD2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

memory/3460-652-0x000001E35FEC0000-0x000001E35FED0000-memory.dmp

memory/5984-656-0x00007FF9EA210000-0x00007FF9EACD2000-memory.dmp

memory/5984-657-0x000001AD686B0000-0x000001AD686C0000-memory.dmp

memory/5984-667-0x000001AD686B0000-0x000001AD686C0000-memory.dmp

memory/5984-669-0x00007FF9EA210000-0x00007FF9EACD2000-memory.dmp

memory/7532-679-0x00007FF9EA2C0000-0x00007FF9EAD82000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9b5655b797c26ffc04f79597d8d56eba
SHA1 8b6d6e58ab350bf1c526ed324e523f4f0cf808f0
SHA256 5893e9041f26e97ce9864f245da1211ae2570503facf24a5bb21ee7b858c9548
SHA512 89549717ce4b618fc68df01066d0cc1d3198a94e616fa84e563e5cbcd2f9aae4dff4599d5b8e013ab5e8da798c669dd41751d25f988f729bf8bc8ed0fd9645ae

memory/7532-683-0x0000023A511E0000-0x0000023A511F0000-memory.dmp

memory/7532-681-0x0000023A511E0000-0x0000023A511F0000-memory.dmp

memory/7532-680-0x0000023A511E0000-0x0000023A511F0000-memory.dmp

memory/7532-685-0x00007FF9EA2C0000-0x00007FF9EAD82000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqzncde8.default-release\places.sqlite_tmp

MD5 f8c327d0cc7ddc672ecb75eadba0cf20
SHA1 bfd2e76da264430e5fcc91da8558e38c0f2f8c7a
SHA256 22ee6ccefc3c0a00882e07431de892192339aa0656b740a434b4e478bbfdaf47
SHA512 4bbcd6fcab8ce5fdf2f1e6035e75955fd898bc4791223959959423df9aa173914349c11e116d7e9b30a6ad66196fcebab62cf71fa02e94d375c11c98517e0b3f

memory/3460-654-0x00007FF9EA210000-0x00007FF9EACD2000-memory.dmp

memory/3460-651-0x000001E35FEC0000-0x000001E35FED0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\TatsuBeta.exe

MD5 1aa791e338a216864de8f4fae9756569
SHA1 3dc16667c48b06f5d9cd6b957a618e014254d9f8
SHA256 22cd2a7a77745dd392b25caa4d8f22e233acc250324f55623c0fa182ab7e87ae
SHA512 289c08dfb7eb25d1933579367f8215618e193314a558825d8606bd593a0f015900424f632da8f3624bd40a98bf9c71810b0e3d22f81feaa6f19e268dd6bd7eb0

memory/3460-649-0x000001E35FEC0000-0x000001E35FED0000-memory.dmp

memory/3460-648-0x00007FF9EA210000-0x00007FF9EACD2000-memory.dmp

memory/8104-735-0x00007FF9EA2C0000-0x00007FF9EAD82000-memory.dmp

memory/8104-736-0x000002C4AE960000-0x000002C4AE970000-memory.dmp

memory/8104-746-0x000002C4AE960000-0x000002C4AE970000-memory.dmp

memory/8104-749-0x00007FF9EA2C0000-0x00007FF9EAD82000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_r4i4UY.vbs

MD5 088f70d781d602dead4e0e924f320741
SHA1 dbeb0a7a714cd2395d1e30b2e65435c25ec774b5
SHA256 4d1697e5d9e348aa86fb3dbc58b5aaff40bb51ea9b0735b6a6ef36def1d47691
SHA512 e22db976fdd4ee45e19afce519036fe01e3839f977e7851936232a9585f805ec370d0d66973ce1502596ddddc57601369ebf635b2173f30e1d5fefbaefaa62ec

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 38313610aa2c53241c45ef53eee77502
SHA1 a360787a1865cb09de211d9641c84296127f1571
SHA256 303f750cdb0db15514b21e165bed60ef8bb408543731b1937a05b709530e9992
SHA512 1c9c506099b9f98bbc82eeae9a3ea4ccd93c7fed373732db4ea1ae7dc86c77704f282a549da3042bf39e10cbd1c465bdfdf082a7a8ce39c04330e67609cb45f9

memory/7524-790-0x000001F6A6650000-0x000001F6A6660000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 36bb833bcefdd2f80a289fc681c87627
SHA1 4204fa10680f0a9c2699a9eb52709db1cd68e0b7
SHA256 52be5401760e6cc30c6018d277e7ce91aa262b3888297f76e95a20fdda8e2ae6
SHA512 233fbb528d3b7196fb967fff74e66dd589b6a302e97774a24fbeb971996aa6c1b17f24f19380873c976978552e245b3dd065cdb9d4133ce554c507d92f8778e1

C:\Users\Admin\AppData\Roaming\salutUJXao.ps1

MD5 4fdddf586aed433adb0bfe7362592055
SHA1 a0e31dcb709ccd9e7078529880c66611d7f418ea
SHA256 4e26e8214c7ebcb5afa23bc8f5e545dd9c8a782a7ee1d3d40531cf4ee09fbac0
SHA512 99c4fe58658e487fa54d82d1c041c2af5efdafc98dc1e079d3a250b973a435aef488e334849a0e052f6b99546df6d6518cf43b4d606edf5fc637169000ae2362

memory/7524-791-0x000001F6A6650000-0x000001F6A6660000-memory.dmp

memory/7524-804-0x00007FF9EA2C0000-0x00007FF9EAD82000-memory.dmp

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo128.png

MD5 271847949971c396f77beaab936b7ea2
SHA1 b32c5a7eec49aa07f8ae73feb990626010c4b850
SHA256 a55224cdf06a5c2b937ba400604501f8b6ec93bc2c1cff62aa2fd378d504c657
SHA512 a2e141f68143f370e2b82a1c9c7c4b1c5f6fc2cfc2ad94acb8c5c02237af56f83904beaff3240e20397f0edbdfadf8779c0bd54b2cf0c9899fef59343e31794a

C:\ProgramData\ChromeExtensionsNova\extension-tokens\manifest.json

MD5 42ac88deb5c3cfc02fdc1c27319ee067
SHA1 97b1addf35159800b90743fcfbb5505e80f6eb82
SHA256 28486361faff1827fb9f1871529c48efaaf86027592d189afa6f99b14eb3f4bb
SHA512 77c4054a3cf061eb6f4f6e9803b74833a8fb0fe352239b5b47cf39ea5eea8104b9da6deab75018557476fbda856f3be8d57e6fe2eb777c45a7a1bdb1e72d02d5

C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\jquery-3.5.1.min.js

MD5 c083da98a351e0682f51c9d4b157d7d8
SHA1 78bc45e6aff14b4095f1388c609a559cd5e90534
SHA256 e3dddd7786daee7f11330555e7ea62e309e04c49bf28d8a846bce981bf808cd7
SHA512 c11e5d3cc02ff5063f231487f977006ea4cdfcd96be8f3d15e3771f7f2afbe1d909ba98cc3ee66f16f0d9a04e08c939e381743a99fb612f75f08fc6c739558ba

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo48.png

MD5 9f74f11972c3c0b161832ffab541bf31
SHA1 e5841ba20a229cdeab85d30690509e649e848271
SHA256 8b74a0abdd566ffdf15891d6abd3537bffb0abce7f362c737c3de6752e136032
SHA512 b90f13eb65a4dcfdd596a7d9eba7c1ba5eb1a598e51107ce3dca07c0a0025469ab18c9958eff2b36f7e05a23f0d16d7d9d7c2321b8e1f2a456aaa7bec3ced0e8

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png

MD5 192e90432fed0081abb25295d8f309c4
SHA1 5150e93061f39e26688afd60a04c0ab14b510d47
SHA256 3216d6864b4f8824b82eb887edf95436dac3bea3f7d43d8988a176e3f1f8e1b2
SHA512 9b9b3f85eb9f12ad1b4c8cfc5e672758d879e178179deb28e80e6c3b27871261bf6b52f9066850b5a7a2fd85012b5308eaf3dda882fa40febc9cf6b47f1a4f04

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png

MD5 b6f7c0bab6beefa91a01bda8a321518d
SHA1 7510b4229c629a79ab2d0ff228c33adae3ffc000
SHA256 6ee72374c198ae2ed76f2e252a2e190ea49cf7e3e1da035e58912a5228b629dc
SHA512 18eb447748d77282be66aa9d3f83a31d42992642094acfbe62b3fd5f848f625312516b4d4adfaaa80c9468ca39417fd372a964ea4bca17faa3ea1f00148b4433

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png

MD5 2dd14b6427e7c6152df78ad605263bac
SHA1 dcccc74e004e2e220f1d416e0b1a22b79388ff81
SHA256 e1ed4a2fb66033d3a8c22109e1262e80c36ac772b4f3f0b17b23d77eb3324cd5
SHA512 6037b6370661be9d4b4b7cac1ff407e8c7690cbc6c9dbfb50870bf80195dd2cdc616b79ec500fd7618a6e9da5688ecb5fbc195e11c5a682e734d3287b018c2d8

C:\ProgramData\ChromeExtensionsNova\extension-cookies\manifest.json

MD5 04c23766134b234e85cc537b2162efb1
SHA1 45c48d9ca30a4580a682f025cc66331e49f6f158
SHA256 f50f62683347bbca52d7f7de0c877014ae77043753905628644e2d485dfb4900
SHA512 d246f59ad6d6e9fc8d8d88129302d55cb3d2ba7d52496915ee6791fa0576153070af76ea689cc74ccefc36456df749ac5c8f45cb12702961470f202078bfcb3c

memory/7524-789-0x00007FF9EA2C0000-0x00007FF9EAD82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 e2d1bd35b37f154d08374bb0985fea48
SHA1 c25fbd47a4cc0957ce525ec72f0696e7f57a27a8
SHA256 a20908f905ce8e2affe666f1bb0a912140e5ff7955fb6a03788b490fc4fa7f56
SHA512 a89e4dfd5fb2383e82fb84d5c27a67565b0617f7df35112150fa1f6366a609d9c1c6448d54f2f9e5649d94d8afe77f103bcf03d02343b0c2475a7bd4a122c2f7

memory/1612-899-0x0000020852750000-0x0000020852751000-memory.dmp

memory/1612-898-0x0000020852750000-0x0000020852751000-memory.dmp

memory/1612-909-0x0000020852750000-0x0000020852751000-memory.dmp

memory/1612-908-0x0000020852750000-0x0000020852751000-memory.dmp

memory/1612-907-0x0000020852750000-0x0000020852751000-memory.dmp

memory/1612-906-0x0000020852750000-0x0000020852751000-memory.dmp

memory/1612-905-0x0000020852750000-0x0000020852751000-memory.dmp

memory/1612-904-0x0000020852750000-0x0000020852751000-memory.dmp

memory/1612-903-0x0000020852750000-0x0000020852751000-memory.dmp

memory/1612-897-0x0000020852750000-0x0000020852751000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 30a94c60fbe2b7edd55f3e37b87dd710
SHA1 bec37b8a3f5dd175d6ce9cb7cf0ec746496441de
SHA256 b9eae1c1847bd23a088ee53a79b6aa1500a4e7f74018e3ac703e5e7332c6cda4
SHA512 ce7d5bd2d13b6154c218b39d1ee385159589dbbece7c1342868c25ef95978b009a878cb8feb662f229e41161b8a8463da142e26e8da913aef4dde31cd7ad71dd

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-17 16:29

Reported

2023-12-17 17:00

Platform

win7-20231215-en

Max time kernel

1802s

Max time network

1576s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2984 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2984 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2984 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 2984 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 796 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 796 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 320 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 320 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 320 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 796 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 796 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Windows\system32\cmd.exe
PID 1104 wrote to memory of 1744 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1104 wrote to memory of 1744 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1104 wrote to memory of 1744 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 796 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe
PID 796 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\TatsuBeta.exe"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1060 --field-trial-handle=1240,13329810251059946818,15019707923549008516,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=2984 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2984 get ExecutablePath"

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1444 --field-trial-handle=1240,13329810251059946818,15019707923549008516,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\net.exe

net session

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1432 --field-trial-handle=1240,13329810251059946818,15019707923549008516,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp

Files

\Users\Admin\AppData\Local\Temp\nso7447.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nso7447.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\d3dcompiler_47.dll

MD5 7641e39b7da4077084d2afe7c31032e0
SHA1 2256644f69435ff2fee76deb04d918083960d1eb
SHA256 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47
SHA512 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\ffmpeg.dll

MD5 c3842fb3087cdcdb04020ac38683c289
SHA1 329dbcd4a1c79b891b200f11eb50194b85c493bc
SHA256 e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133
SHA512 069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\icudtl.dat

MD5 599c39d9adb88686c4585b15fb745c0e
SHA1 2215eb6299aa18e87db21f686b08695a5199f4e2
SHA256 c5f82843420fa9d144e006b48d59ba7ef95f7e6cb1ea95b27fcdd2c97f850859
SHA512 16194186a8407b29f799d4b02f5674e4fbd5d91163fad9f8dce6ceedd865b754a681aa960d0f3f1b62cb21d5443879f1b8e9b691c19c5802d5bdfe4ed645b8bc

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\libGLESv2.dll

MD5 b6a433dc7b4030fb17bd1683a9606b6e
SHA1 0602c50532e3f13facc67bd95a048c470e88afcc
SHA256 f7ae57a1d7d3e284714ca354f5292aa9b75086489cbfba8b1f54548445b6b3e9
SHA512 b9ba2e20ec878e3acae93d8254e69374e391fd4a3d5c1833282c43896d123baa874f1088839f3bbcf05539eda0e2aeaef28d7742ab8e20ec788382501e2152b1

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\LICENSES.chromium.html

MD5 df37c89638c65db9a4518b88e79350be
SHA1 6b9ba9fba54fb3aa1b938de218f549078924ac50
SHA256 dbd18fe7c6e72eeb81680fabef9b6c0262d1d2d1aa679b3b221d9d9ced509463
SHA512 93dd6df08fc0bfaf3e6a690943c090aefe66c5e9995392bebd510c5b6260533b1522dc529b8328dfe862192e1357e9e98d1cdd95117c08c76be3ab565c6eea67

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\resources.pak

MD5 bdfa339e708ea0f23ed3620adc4a2d64
SHA1 82a95b7b022836b6e888f53e69386570c05a1af2
SHA256 b66ae9eda4543685974d35d051d967538bc57d55c2577629007c534ff330e1e4
SHA512 ba87c70e1b6446e0a7b62da33d72a36ff92ee54fda64343262bc26afa8166174e76d058ec6d707cdebf2611858b3b4b7e21798febec53da02febd81ade4ce8f8

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\snapshot_blob.bin

MD5 c9ab741bbef53fa0e84952b8891a5f5a
SHA1 e2dcb8d034e07243537c86371de0c52bce62cee1
SHA256 4d82fe1e642fe3ca7ad1a173f806088c0652ecfe9f0f6f6e246066e15a3431d4
SHA512 177b98a3090ecfe4b4598dfcd7e8b3ca49efafba4dbd8d6c6d0def462de47c3fabfde831725622783ddc177de982de6115178d9bd9830d918bb544a5a4c27fc9

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\vk_swiftshader.dll

MD5 fc509fcab87c61855236a636a9dc4b76
SHA1 43aeb1431d7b9ac4b11fc0055201f8c062c59ed5
SHA256 04bc5e0dfd850c74b5e4212645d2e7a725fb852afa0df18cd402523434535c6c
SHA512 11c6957f946640ce96b6b255eccae8805653bb2fe4d81bf73c823ebe4de389e8662afdd26be809a639c55e04e89ac5112b05fbd3ccd8a6b887663ff4133200e0

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\TatsuBeta.exe

MD5 8f4dc8c214bd2c41bca78d36418a29bc
SHA1 90bc45b0e5eb6c601eb4aed00a6aa03026c1c68c
SHA256 1f723a966d5f653f8e63f741d8c2e56095167d5ff4541ea51ef5eb9eb46243f4
SHA512 dcc1f6ffcf83b3266878e753c46cfe76dcc7599d280f219239cd4bdbde03a1a2bd61065fdd532c79b121b935647656bd73c0e1def882ca2ee525ae7a763ce4f3

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\vulkan-1.dll

MD5 b91586bd80e057a7f62bdc4422744812
SHA1 a1df644421ece2e740e5bf0ed98b4f269fd85c39
SHA256 8ba72d98e0f78b77bda7816cd7232809d287310d34e0f1d7472b9d5fda2c6d02
SHA512 94f0a8e3e75e4803891c0fcb257052dbe0e7399772fc7a46ab802629f76ee580ed30b3678fa6bc3744c12cf9f3103bbc8276e88f6711278748148e9fbeef2053

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\el.pak

MD5 38440b98bfdf5ed496da0f49d59534c0
SHA1 1498d9207ecaf4923a47271e24c68a817041c82e
SHA256 b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f
SHA512 95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\gu.pak

MD5 63a7fdc4eadf8ef1c35c72468a0ce33f
SHA1 e8d064f0e9c8a6a8c6ccb036711e292d011d9466
SHA256 e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c
SHA512 0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\hi.pak

MD5 590e9e73df9cbd83cd87b9c03848fec9
SHA1 da125e60a5a2c51a2d6219d3f81688bd22237b59
SHA256 089b9dd31090a987515809a68d26f6eeb64cd9283934e3dcc48b151eec7d3ad9
SHA512 fd0e5d0f2063e12b711275f390428b88f98ffaf6043cdb14b13674ac1e4aa9f70ae820ae960132d7155daf9b1308238775c4702694ab53068cdc709c50f9186a

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\ja.pak

MD5 833e8c4aa70351b6be7bd403e4e9a0a7
SHA1 46ccdbdea35deec8ef13a5fc833776875fad187b
SHA256 74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0
SHA512 e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\kn.pak

MD5 5115cde84b4c674db412619b65433004
SHA1 164f33e7e2e9f685a579da492a6fc8806beb6cbf
SHA256 891e092c6895e23be986c3e6d39dcea9b6b75f1448239c13fd406680e50407a7
SHA512 090a247898cb533325d2b289a6cbd8db2a755ef0abab49d82f333e57b290c50b5996b81f15d8adc30160b216eebed3a1476aec1627195e52189557c1d48b0216

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\ko.pak

MD5 d6e2c18c9eabba59b50d147d942125ea
SHA1 0918879203c2050b4f9f449f5616e430897ba0b9
SHA256 f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76
SHA512 f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\lv.pak

MD5 264c6e20b3088ceb4dae5773cef0cb55
SHA1 fb6ff83ff14df008092bc3ee73bda7491e8e090e
SHA256 a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda
SHA512 01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\ml.pak

MD5 04b2540c25990a5e0a9b227dcce6ae0d
SHA1 4f8ccd154f54dfb083d4d1a3ed0994842c8ab13e
SHA256 556165b8b54c6e21bc66d12b3f5be393136714467c427f7114f314d18ad3c661
SHA512 4cab47e42e8f5d4a83851871f97f3e1360c993ba530dbb4b4b736350779784bd83189e1195d3480ce87298bb8f9b7f249fefa7764d850e5b0002895609626785

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\mr.pak

MD5 f22c99fe6a838e333e8ee06a4d01296b
SHA1 c3542ea8dd45a2b387dd02fa5687948f135e10f2
SHA256 b03a3042f907aed13253ae8083d08f5fad59ff438d024b097276856e72526911
SHA512 882022c2cb985d85f96d52c9bcfeeb089d6ff30e66187ccf424ef622092b9d359a51bdef1fb6ac3b9d3409aa79d37ca737ba7f3ed8b9cdaabfe04d90a7c8bc15

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\pl.pak

MD5 644c0ace25d6e532b56510a736c6bc2c
SHA1 1bd0fec952107b493da04c46423da634ff3e1504
SHA256 2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7
SHA512 9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\ro.pak

MD5 24b01a438a3ab9699d4ca97c081b5e82
SHA1 0d0b082544d23425a74199fb0a6c11192f0bdf7d
SHA256 38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca
SHA512 43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\ru.pak

MD5 75457b95d2bb03891232dae7db886387
SHA1 e5a7569df7f91533703626d167ecc8cddbd27205
SHA256 e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6
SHA512 9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\ta.pak

MD5 31dada843d0b4f9a66b184cb6d7b8b92
SHA1 0320b31981043c6e4c17470bf2ff4c7488553511
SHA256 457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b
SHA512 c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\te.pak

MD5 bd71351aa721e7b6cfb8a9c40cb6cbb2
SHA1 e5502d509f6c0382c05183d5b35fb64290c4356e
SHA256 b2928ece63d125cdadf4e605374bad1c4080ab764ca5023ca7168d0ac8237ca8
SHA512 74078e528083128c1b741ee3367a26654035ecbba056c80413396b740170328c652a2f5c5cc30e739a344e6206a539d9e464ffe4bca1a009bdd9085c4e3a0abf

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\uk.pak

MD5 d791b1ecf2931b2fb0c31aac170c7cdc
SHA1 02be115a9ff94fe5250651b6de4323eafc44fce1
SHA256 ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22
SHA512 3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\resources\app.asar

MD5 718ed5bad299c09fd521d6956d83b796
SHA1 721251e51536e61744fa92b84c7a1fe727f38102
SHA256 cec76979be15d5166bb78dc2b9b709bd2c6ee10131e14e47dae795ac581e44ca
SHA512 03c95eb4fd085665b2922104c1384f80238dbc24843d8967251b5333eefb417e2e31718776ebc604d830e9ef86b042da49b6840cf5d81a782e6236dbf0ca4c8a

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 c20c205c6f8d70a5e1351a4041a3ec9f
SHA1 e1b2a763dd6c42439656e4e55aba0f3610ff3784
SHA256 bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc
SHA512 dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 16a12bdc986207390dd79d658a6b2263
SHA1 b4b41f62cbc1e1ede786c6e30e11df8e61750bad
SHA256 50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac
SHA512 d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\swiftshader\libEGL.dll

MD5 19dc9ee70e7765bb63a66b6826e8ecb7
SHA1 1a12f983f8b35cc2955d30657971f113c47dc164
SHA256 83d5719abee35e051d984510e1d5d9317a109031698814742b59bdbbe7d4e30f
SHA512 1fda2bcc4b2e70987ca6011ab2534007ae4f752016d29a588aaae839bb25c35e03773f220b6a8e926cf2643997e7d4c0f28743304269b2c55642ce12934def68

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 c0b36d56d83e601bf246f7709a8c5f9d
SHA1 b025a6070f7d61c7d1827856d2d4043834fd23f2
SHA256 45bb5e1f8dd87129ac0a75c78f8f29d06e3ac182a00fc5199b692068f1e05a53
SHA512 e429ae63bd8a7d5a936a638783511693e8fbbc91d97779b3d4dd3f0880f1c8a820106bfb57cf7ee6b3639f19165de87bbe127aadd81218689fc6c8fada2106d1

C:\Users\Admin\AppData\Local\Temp\nso7447.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

\Users\Admin\AppData\Local\Temp\nso7447.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 e253fced6a32b8d73b07fbc9dee92d0c
SHA1 d06884e8c8e5dc4d49a1928364544d11daec56db
SHA256 d46ea3ac192a5ca2151fb603aefe61755e5a6a0ff1035a0487b4aa8e0ac7ce20
SHA512 621b58f856d70ccc4c4330531956867f7ef015a52fc271b7720e1a9ae47c0f24f7ecb4a948805c7def6571adc4aa7c108224a1dcf0be68fc7f3b8d2676435d18

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 043053b9ac3b6502e7b7c3073cb7e72b
SHA1 0d2454cbb2c3773cdbadbe282890051bbbcc7944
SHA256 94de29c0ec54261d67098bf013246893337e675bd9affab53c6a7b284be0d43f
SHA512 8544669d3137be56fcd9039e49ba3861e063c31fb4833f9fd4b9b9e03a8862fcfee29dd8d28555910af732209a9799ae4349f88f58835073c962e0af6647c759

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 c729c8ed4e9b5cac14d4e4c34ba36568
SHA1 a00d650ce055bea6e95c94de0d0e7d052c09e52d
SHA256 33aa2f2cc95ad2a26e46778f7ee9c7f4ba816cbfa7c8d802bf1a3506a632ad55
SHA512 14fa0f6171104ac5aee9e055388052ca32e7dbc073b16063c28afbbd5caf562d5622538b2ce2e64102cfeb917c21ff515dc013cdaefce266d79f0063fae6a7e0

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\icudtl.dat

MD5 fd17e1f1c16b5ff983f144df2f7bddc5
SHA1 26a2b35971a07158f8c7dd898677e907b9d08d0d
SHA256 b2f92ba2934ff7e0d5b13afd036c7e806940b05e86ca73737506dc036fc2943f
SHA512 09f6769918e7ad41b3b8bf800167f809af4683f337d37ced5b14df958c48bba86616df1e5c9f9de7996c251eb4894ac5a3af2751faf69204252fd8576a4bbc44

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources\app.asar

MD5 5ab339e6f86a2cd78bc6bda2d9ece432
SHA1 559b672c95166faa1dcc58b4aee3d0ebfd4fde15
SHA256 aadc612877acafbe4dd0e1f693e39c1a723071ae1e45a9ce16b0cc2170270fec
SHA512 a6963364d273fa72c86146133ea7c4576079e92764ec37039ca7aead76d6a5dc0e65cd9351ad86ed17b404b3b57a24f6e4e92f2f88cd0a711007ae38a00769fb

\Users\Admin\AppData\Local\Temp\4b200f2e-e4f0-4739-b43a-67233b42ad3b.tmp.node

MD5 9fd3005e644c740b3697147e30821a4c
SHA1 23c83ed5c00cb9dcc149eb448fde6fc20de16249
SHA256 7a62ffdd89e4ffe16f5c081274a8fc2de319b314ec74624fea746eceae824456
SHA512 54e5170898961d3487835e5e62f0c5b9ffdace4619eb8f9c90155d10d7123f4f21886b8a671ca8ba64cda99ee6250b3d9e8ac12fb9742c7eca414d82a8443f37

\Users\Admin\AppData\Local\Temp\b7c59012-bb39-446e-bfa6-b7e361f2cbe6.tmp.node

MD5 c4dd9ce819243ed621681a37133bc179
SHA1 09cc7f356c9dddf4dadd7a2db724a82076687416
SHA256 9b0b28d4d2f040f8ef02b47119e9e0ba79c32f5cd3c8582fc1203564db0791e0
SHA512 a9eb21a124b3665531775aead0e41898e8f1ef4939f69e868efda78a5bb1239c732378e5f89a5fa5ab442cf16f3f09c46938f1e4c989ebb2801b4721de8c854c

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\resources.pak

MD5 5236680edab6fe4c1e0be9822935dd60
SHA1 18b3957ae91198ae434c391d85001a3ff1e31853
SHA256 ca7c2c9444565f0d6357bb70104350c6ca2a927c3f7403a98a655ece4061ed28
SHA512 893deed1236959688d371c339d230a7d3c50221aa7aa422638388b3d962fffb61272bac5d37de51a5dea7016d8c994755ea2eced7ee509d74d3aeef693a51e92

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 6d9241d53ccaed342ce7480b556f50dc
SHA1 b406670238813059713f68d0e578c1686078ccbb
SHA256 294d75f604cd3ebc28187283de603eeb910f55e0874abbb25514e894583b7061
SHA512 df4a84a559123d7e9474931e3b7c5aee0c428550b86f257eb1340fe85c11658d488efdd41b201064f1502b4b1e40761723ce07a7231dc04253cda2a4182197bf

memory/2756-580-0x0000000000060000-0x0000000000061000-memory.dmp

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 521c7a9a66b87ccecdd25d5ce8705e8d
SHA1 f9c2b4cd1d9f36e6aa4d3571c31092c95fb34b2a
SHA256 cd1d51fbf3474660e5a96fef4bf9125be09f3901938f37d0757a362b75795e42
SHA512 3998df9b454b584f3128c7dafdcd3e7f48dd418159af676f97581148d45bd13dc3f501616b43f07392bf1072ab31278c033a9dcbadfbe9cfb4d86f7edfc4895e

memory/2756-615-0x0000000077D10000-0x0000000077D11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 516c263a20ea9c1761de0c37025c4bd4
SHA1 9375176026b1da196398c58976b98b1aa086bfaa
SHA256 6eb9103744021fbc59c7737fe946cf8f824d2039f9724b256edff25dfc327a97
SHA512 2ae5387addb31986a7fc692c4bf29a5277e7a1947cb16cec177e0f9a48508e832be1a60ab4d96a4cdb1010b17aac13322491b60faa0136dbc1a53fcfef3f3f8f

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\D3DCompiler_47.dll

MD5 ce37826b135e8ffac65adbe08fe90b03
SHA1 d2fdf0e4a67986c7adfac0387641c6e6e872b227
SHA256 f0c073064d42b6b8b1be8ab4fbe740649cd696150371b8ba0d0f28cdf44ab602
SHA512 91e83dd73809f6b7ddc7dec2577232c1c683acf0d31152ffbb607941429cabef8580b40707ffa02c721d36b5ef8654d6b8c7af8ab687ddc5608b69be8c438468

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 90c7bed77774c5fb0c03023465498a9a
SHA1 200d44ccad8091af62af74b38f0bdf7a138abe19
SHA256 a3e3a4a59d608d0a3cc0a4f43189356ea2323e46ee8e22bf11e4bb91f2823e19
SHA512 f30fcf56d945ee7b25a5f59fc8fbbf9e854336ff64c7e01fc1591968c5ef79747b383507f44ef483e2f2d43752fc5772768c5858b75a28e3a963256ac196f8f6

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\d3dcompiler_47.dll

MD5 0c2b3b97228debb6601bbf92b09a4f8d
SHA1 2f06a9d0695a0e8a7578054b7a79aadffddb04f4
SHA256 68a5ea1ed6dcc18f6df27d86e82254c1667581e2b40c1c8c1b6682d930b2449b
SHA512 9d13406145bcdc676aa5232e6b3be9e45ee8261ee0c1f3fce448048d784bc234f57b62d25535df375ebea45dde26963f8106ed74a06c90ea8437be2ddb674d81

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libglesv2.dll

MD5 c5db9252300549770c4266931d8e8aa2
SHA1 cb2dca5e25bdb16fc468ff31e4135bfd1fd81fd6
SHA256 aa8406a220719d61635db0e21424d266f3808659b5bd74e9a4bddf439493a8cb
SHA512 6ac8a90a7b51c2dc708fc47eec65c7c4a1517446818838a0f82f0047105fdf0c5e9f0572f74a558e61ee59e247c15a6a04bd951debb69093c852d67ca8b40dd3

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libGLESv2.dll

MD5 f3e018d8f9a3cb3944d53fcd862ad489
SHA1 dcb8f5600c29fb1a555ce69993bc952f49052e83
SHA256 fca8538a538e3d414888efa8ab7d3b3e32f2b4a0a458d8d84b261b15dc4c9a8f
SHA512 66d90e09fcb8156bc6ae3cba32234a1de5e5ad79a3190bd02a3214ecd32cc07b53177e75871a5cf978b5eda534a77deb0af6e1c4f6704915baa7066867ca6927

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 1b00d60046013bebb2a4087c09182f79
SHA1 6edffe6c64f6b28c008c67c9ec63c917dd544d39
SHA256 471958867a7fa345911c0d8794c77471c54ef932e555659a80232523e60bbf27
SHA512 adefc21513dddc455f505b95e8d4cb081e0e2da8f7d7a0c36a1e00c14aefc6e9c2db84bc0b9c70953ad366d9b25bf713a6561cececa4cc13e033124d7187f77b

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 2e00b53ddd800e5cdeb7e3ae629428a0
SHA1 0615b57e2a2bec3a385b6738c3630c21ddd0870c
SHA256 bf13cb66486d8aaff8f0a1dfd1a308de1db1671b1e357ba4f005cde32046a009
SHA512 c3837e5587ea019985a5e593c93dc67c83f312164ff91edf2cbf3000d07e39eb6e0ac1caa0b0ef386f4956b8c7a1d9484e8b18547ce74d2c3866fc951770d77a

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 ce612f2e4b5182e0227d8b335acd9609
SHA1 d746a9f3ed48ad63f426f5eb7a26ead10ce5641f
SHA256 63aa2f253c5807c2b7e2bffadee8b41a1b8fe665d4045d26f3683b809891e998
SHA512 f37dad2d6895c948391e5c5b358a343d53edb5aab8b32b2a4e2d43f825b1a8908acd167f3610cd45420b8c68f42316a5aa391ba44247690eb558bc52dd6ff936

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 f48eac41205057b92e1d8cb2e376f4f0
SHA1 7581559c8bccea302bdb737725843deb04d52401
SHA256 756f0ba2899009539c692c7491d0b55cdf83ebfa97058f104b1016c946f104cd
SHA512 82b261e25e72b07cbdacad8ed31ab865343ab969e2496851184a199bb2b0ee79b8320e3dd27b506e50c6a1655a18b788baae4e48bc12ff1ba9429f9f653679d8

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\ffmpeg.dll

MD5 543749eb657dfbdf3df9e6188e0458db
SHA1 02b29fbdaf74613272fe1e84d0acd98083396a43
SHA256 4183b4a198e1e1cb96e0512139849da403e5f107aa58cd7027014ef1fa2dab92
SHA512 f3b531314f4004de6f2708afda866fc8557fe9639b62542e79f5c92bdf3de7aaee1bbf606ea873144076610f7a08bca9a7e66cf6f518ed057e784f7974233f9b

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\TatsuBeta.exe

MD5 52e487d2494549cb791e3f7a5ef86305
SHA1 9d54b01cc120e4b8583fe40228b60a777cc7ac08
SHA256 d3c686df62e05baaef8044f85227c3753892b3c245b0cb3c8d87fdc7a7b8c9ad
SHA512 b457cc947e5b39ee84964a049454099dc562cc1e53380baa884cf7ea3dfb1668112ce24a42241f8fcdca53beea71c503c390c30bb35fb1967c6bb400bc2b4f1b

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\vk_swiftshader.dll

MD5 9db1be0a58c230752aa710a2dd0e069f
SHA1 e879f232042c4f901ded43984f881c73aa060fc9
SHA256 56e9dcbae5d6814abe6470e339d330be481af812ea4d0724d3a63e524aa24f10
SHA512 b15c1411543b84055b0f6a71620422996e72fa5c83b534ce6dab2e2a4c7ebb3d8dd8e909daf97efc3610466fcf3bfdb25dcab2199a3e663b171a1404e7c23591

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\vk_swiftshader.dll

MD5 c37de9afbc780f2b1b332681703755c3
SHA1 42d81d0123e1620d021e673ee43630f6c1f075ad
SHA256 a7e459132e83750aed73b65b44ab9d6abcff940b65ed1105288eb5c0348153c9
SHA512 6f88c8499963db3741d8202453ae855e6b40fc91a830a3eea0fc024db6dc51bff7a2acca843c45aa686866b71c0799a280edf58143a63966d15d5d387225f8c0

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\d3dcompiler_47.dll

MD5 94d4a40528992cf150847a3fff1b17d8
SHA1 6dd05dd606feea8cf88620cc4c693776b1b72ccf
SHA256 3e97f187559cd0b7d17af788b7e767474a30257b7e06462c48b64020473ca579
SHA512 7e29c2c7fc205b0ea28ed3f4619866f1a86743fb945dc35ff74a13ae8a513794352c6539f1efe78f75d9602bea26c0cdcaf8730c2f585370384c1ec82cd2db0f

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\vulkan-1.dll

MD5 4aeef8af17d8afdd9a018686bf398c8c
SHA1 4536f648e57f8fecb7d40fcfbe8694dc0e6f9299
SHA256 9d2da1c360891765804974cca302d754a479b370386e9d709857b46fec97257d
SHA512 e72101aa1ce6ea0852cb23350ea7ab188da498befd57f04741f9d91d8d98be833fead0687868639c32aa1d60a3f250739c7f316ce10bb471e9b8974025299f4a

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\vulkan-1.dll

MD5 9e4529ac3ae55af5428be92f4c1b10c4
SHA1 177dab9d73dd65e4ecc1f3dbf7280dad74b42374
SHA256 dc1b3c4676a8a769697fd2d9d8ca963a49ad6c34db8ce48fa42dd0b704413452
SHA512 3902893ab2d879f350dcca8a9974f1355dd682509ce0c62fbcec1dec7393ac9069a3b0a01a977243bf78210496d5a5cd3a2667207b25f66785e9e7c1623f5b8e

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libEGL.dll

MD5 72643df680b99748ab606434f73b3fe5
SHA1 de164c4d6e3691e373893e7f1dc10af16b5e437e
SHA256 34010f56761829fb8d9b6527d84dbb58464effa23317682c844f0ada0fe3dd45
SHA512 73f92e00de95819456012be2d95e3077ed020ef216fd2dd6080c8f69390fe6887d2c7475d08382e4f6ed7107c0a8c781672e1be98c0696d17fc71dd2cd823d37

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\libGLESv2.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\vk_swiftshader.dll

MD5 2e59ae9ad005adfa0be5668046922302
SHA1 f28edd73ddcb37312037de15a7e0912e7af4bbee
SHA256 f463d4897684497b1973ff1b03ea54a30e5f541fbcb4121e75e9b020ac669c32
SHA512 b55eabdf572b3a9ffa521f0f28a803867ea97522f296c493faec283b670a67daeaccc6163f6775be110b81737670d0b74675a517d67dfeda02f03a45b7d729e9

\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\vk_swiftshader.dll

MD5 1384f8abd0d850103d32b0f25cc95780
SHA1 505662d08fca220500bb6cca9f3093d7d1d67c48
SHA256 1368df34be6c90dc096a3b8346810ef3a9f93600242913e9344dc68dd9a1c87b
SHA512 33d1bf4f32060bb7ea1b0ca2479454bdbe69b71d45eb3074be9cc88ec8425dbf043693220ce1f2c2e3659b8e8cd2efc370e733a2ab4bd4f0ba4e6dbf7a870b97

C:\Users\Admin\AppData\Local\Temp\2ZdG8X2gWoTdtwlDbFyg86mVpDI\vk_swiftshader.dll

MD5 88166aef18c270bd5c7411e3b77d434b
SHA1 d759b0ae25b04ce68bc5c067ac2ac2d8dfc31606
SHA256 ce81a38162ac9a793d308eebae25b077b932166d9154fd08384d0e70bf374cdc
SHA512 29ecab49e32b1cc8146e1c4f91f27494b4c6ceb35a713d7bea1605acfc700e86f5ea8e55ba354642b97e63c322d4c3fb56ea98db67b8a727b1c05ff4b624068d

memory/552-712-0x000007FEF39C0000-0x000007FEF435D000-memory.dmp

memory/552-714-0x00000000024F0000-0x00000000024F8000-memory.dmp

memory/552-713-0x0000000002690000-0x0000000002710000-memory.dmp

memory/552-711-0x000000001B150000-0x000000001B432000-memory.dmp

memory/552-715-0x000007FEF39C0000-0x000007FEF435D000-memory.dmp

memory/552-716-0x0000000002690000-0x0000000002710000-memory.dmp

memory/552-718-0x0000000002690000-0x0000000002710000-memory.dmp

memory/552-717-0x0000000002690000-0x0000000002710000-memory.dmp

memory/552-721-0x000007FEF39C0000-0x000007FEF435D000-memory.dmp

memory/552-722-0x0000000002690000-0x0000000002710000-memory.dmp

memory/552-723-0x0000000002690000-0x0000000002710000-memory.dmp

memory/552-724-0x0000000002690000-0x0000000002710000-memory.dmp

memory/552-725-0x0000000002690000-0x0000000002710000-memory.dmp